Taking out ConnectWise sites

https://trhelp.top/
https://mgbhelp.top/
https://ppl.help9.top/

1 Like

https://mghelp.top/

1 Like

12/18/24 mzcare.help 188.114.96.3 Cloudflare/Namesilo - 40715

Same URL download

2 Likes

12/18/24 uwcare.help 188.114.97.3 Cloudflare/Namesilo - 23051

Same URL for download

2 Likes

https://djhelp.top/?__cf_chl_rt_tk=0u9YsC06_L58Cy94Sbq9CMw.pGiUxhrnFiU93h9XYpE-1734539625-1.0.1.1-N4mGXATgN9y3aicBC4erdlVoL5iI40h2N0_EckAR5Zs

3 Likes
12/18/24 dcrcare.help 78.40.117.18 Alexhost/Namesilo - 10278
12/18/24 sftre-tr.top 37.221.64.49 Alexhost/Namesilo
1 Like

hehelp.top
xuhelp.top

2 Likes

https://pkmd.link/

2 Likes

https://hehelp.top/
reversed their proxy
links back to
https://molatoriline.cyou/ -
37.221.65.128

here is some active codes
00066
00143
00236
00191
00227
00289

1 Like

associated hosts
https://plphelp.top/
https://tgvhelp.top/

1 Like

here is some notable information i collective from the connectwise sites you provided:
please reply or contact me in some way if you find a dynamic connectwise site loading the connectwise server(enter code page) once you visit it (so i can gather more information on the site)

https://ppl.help9.top/data.php?id=1|https://bortra0907.chelokipotleify.icu/guest|cloudflare
https://ppl.help9.top/data.php?id=5|https://pn3699.jigisekar.cyou/guest|176.123.1.201|pn6back63.site
https://ppl.help9.top/data.php?id=6|https://gajrokerist.cyou/guest|cloudflare

https://trhelp.top/data.php?id=1|https://molatoriup.cyou:8443/guest|offline
https://trhelp.top/data.php?id=2|https://gajrokeron.cyou:8443/guest|offline
https://trhelp.top/data.php?id=3|https://gajrokercast.icu:8443/guest|offline
https://trhelp.top/data.php?id=4|https://molatoriline.icu:8443/guest|offline
https://trhelp.top/data.php?id=6|https://cp3699.jigisekar.cyou/guest|offline
https://trhelp.top/data.php?id=7|https://cshelp.site/guest|offline
https://trhelp.top/data.php?id=8|https://cm0819.chelokipotleia.icu:8443/guest|cloudflare reversed:https://molatoriist.icu/guest|91.208.184.187|extra: cm369back6.site
https://trhelp.top/data.php?id=10|https://lf3699.jigisekar.cyou:8443/guest|offline
https://trhelp.top/data.php?id=11|https://bw4927.chelokipotleus.icu/guest|offline
https://trhelp.top/data.php?id=12|https://fn3699.kafinora.cyou/guest|offline
https://trhelp.top/data.php?id=13|https://qc3699.kafinora.cyou/guest|94.103.188.29|qc96back6.site

notice the similarity between cm369back6.site,pn6back63.site,qc96back6.site
in fact, there can be a regex-“^[a-z]{2}\d+back\d+\.site$”-to identify similar sites like this:
if someone actively observes recent registered domains then they should look out for sites similar to the ones seen above.
mentioning these sites before they are fully set up can help us identify connectwise servers that may go unnoticed

we can probably guess what https://fn3699.kafinora.cyou/guest used to be based on the information collected from https://qc3699.kafinora.cyou/guest
the result: fn96back6.site

hope this helps link past scam sites or future
note: not sure if these sites are active but i know they are online and are associated in some way with scamming people

1 Like

https://eopcare.help/ ive reversed the cloudflare proxy back to https://elioua5.top/

https://hrhcare.live/
their connect wise site is obrm-h4.top|37.221.64.118
here is some active codes
00126
00078
00063
00198
00250
00271
00306
00307
00391
00399
00405
00408
00432
00469
00497
00523
00556
00572

gajrokerist.cyou seems to be associated with molatoriby.cyou

perfect! another dynamic site-https://securemyaccount.top

https://securemyaccount.top/data.php?id=1|https://bortra0907.chelokipotleify.icu/guest|cloudflare
https://securemyaccount.top/data.php?id=2|https://tshelp.site/|offline
https://securemyaccount.top/data.php?id=3|https://mcthelp.site/guest|offline
https://securemyaccount.top/data.php?id=4|https://qc3699.gropler.loginlink2.org/guest|offline
https://securemyaccount.top/data.php?id=5|https://pn3699.jigisekar.cyou/guest|176.123.1.20|pn6back63.site
https://securemyaccount.top/data.php?id=6|https://gajrokerist.cyou/guest|cloudflare

the sites seem to have almost the exact same structure as the one i previously posted about
looks like we can tie this paypal domain back to the others

McAfee
using cwcare.help

1 Like

https://oihelp.top/?__cf_chl_rt_tk=jGQ3ZDEwo0K5cxHRqELnNzCRCEQGINNJn1Virz3Z1ys-1734550047-1.0.1.1-P7tBs2QW_nn.g1WPfRlovzEzYtX5qag8nJQETNMznx4

1 Like

I can now safely confirm that these recent *care.help domains you have posted recently are all tied to one call center operating multiple scams-PayPal malware crypto Apple & Microsoft support and a bunch of tech support scams.
Good work on what you have found.
I might post further details on it once I decide what I’m doing with it

1 Like

Hey @pertobe , I found something similar I think (it’s from my post on tsu but I’ll copy some here as well)

While downloading another CW installer via https://trhelp.top/ (12345 worked there) I saw this:

so I looked up molatoriist.icu and found these reports:

https://urlquery.net/report/298ef1bb-ee9f-4132-8667-51021bca4edb
https://urlquery.net/report/d38cdf7e-bee7-4579-9c99-022e2de21c80
image

the files in this report match the downloaded ScreenConnect installer folder later found in: C:\Users\XXX\AppData\Local\Apps.… (so I assume they are all hosted there)

I think they are reported on that site for some kind of certificate (maybe the digital signatures)

interesting, under related reports/screenshot there’s another .top site (maybe fetching the files from molatoriist.icu as well), I tried some of the others they look similar

My (simple) summary of the CW/SC game is:

  • go to a .top site
  • enter code and download the installer from there (installer includes the code for them to connect)
  • by installing it grabs the rest of the exe/dll files from sites like molatoriist.icu

If that’s correct is it helpful to report molatoriist.icu as well? (no clue how and which reason to use). The registrar for trhelp.top and molatoriist.icu is Gname.com Pte. Ltd.

1 Like

It has also helped me uncover 100s of different scam operations running currently that I will be taking action against and uploading an update in the future about it

1 Like