Taking out ConnectWise sites

01/09/25 lzsupport.help 172.67.219.197 Cloudflare/namesilo - 78372

Same URL is the download

They then proceeded to install this one in the background. Not sure about the PIN or download.

01/09/25 qzhelp.top 172.67.213.135 Cloudflare/gname.com

https://amsupport.help/?__cf_chl_rt_tk=SwIgWdM61Qxj5x1An5IjveZPoQutI9FEsyUI5vOzHwg-1736448062-1.0.1.1-oK2fKG8ArAxVX2OMZ729904zgTBQt0J5v0sWXdxW7xc,
https://gmhelp.top,
and,

https://krhelp.top/?__cf_chl_rt_tk=oGI2Bm98.pK_sugSe3IT1g9QCaX_x8GRTNEbHqeX478-1736440291-1.0.1.1-yhaeNmSSyCzpgwhB3nVyhoWlDaofJB9uAl9OSH3fO.M

01/10/25 pkmd.link 104.21.32.1 Cloudflare/Namesilo - 64993
01/10/25 pkbm.xyz 144.126.156.55 Contabo-Nubes/Namesilo

This one is a frame

01/10/25 izsupport.help 188.114.97.3 Cloudflare/Namesilo - 44959

Same URL download

https://fgsupport.help/,
ConnectWise ScreenConnect Remote Support Software,
and,
https://ekhelp.top/?__cf_chl_rt_tk=fCU5gce33pmaJQYfVuZUSZnPHbMtTsjSL2Uok2SXwH4-1736522469-1.0.1.1-Xs5dxaGiOLTZc4xQKVMgOxvgIYvBqM8zRUnszCIyNrU,
and,
https://dnhelp.top/?__cf_chl_tk=rHA4QQePV4DqgtHF2kPxushaMtykYa865Hv_eHNw8Io-1736350562-1.0.1.1-Ri9N1G4aHpruGPinmhxuqeAcr5cNS05tITSX1DD.M9U

https://fpsupport.help/,
Fake PayPal site using ConnectWise,
and,
https://absupport.help/
https://amsupport.help/
https://bisupport.help/
https://cesupport.help/ Fake Norton Site using ConnectWise site.
https://cpsupport.help/
https://crsupport.help/?__cf_chl_tk=dwZORv5ZYJl5MHUug2TRQeFuYAWpIyCacvaxxLaDGtE-1736620278-1.0.1.1-5RNlJJjak9EdQo2CnUj4Fg8wN0vRHmsHR.OsBbxyMuA,
verification successful, then a time out.
and,
https://disupport.help/,
https://ersupport.help/ (another fake PayPal site using ConnectWise),
https://evsupport.help/

https://fwsupport.help
https://gesupport.help
https://gisupport.help
https://gnsupport.help
https://htsupport.help
https://izsupport.help
https://jdsupport.help, works, but returned a 403 error (access forbidden or denied)
https://kwsupport.help/,
and,
https://lysupport.help/
https://lzsupport.help/
https://misupport.help/
https://mpsupport.help/
https://pusupport.help/ (an apt name for these sites)
https://rksupport.help/
https://spsupport.help/ (another fake Geek Squad site)

01/14/25 xlhelp.top 172.67.144.104 Cloudflare/Gname - 323134
01/14/25 molatoriora.cyou 104.21.80.218 Cloudflare/Gname
01/14/25 gchelp.top 188.114.97.3 Cloudflare/Gname - 89dj580
01/14/25 molatorier.icu 104.21.80.1 Cloudflare/Gname

01/14/25 tgvhelp.top 194.59.31.116 Virtuo Networks France SAS/namesilo - 66798

Same URL for the download

01/14/25 mthelp.top 104.21.74.239 Cloudflare/Gname
01/14/25 ongajroker.icu 91.208.184.7 Alexhost/Gname.com Pte. Ltd.

That download was reported back in December. Looks like they moved IPs

12/17/24 ongajroker.icu 188.114.97.3 Cloudflare/Gname Download of ppl.help9.top

01/14/25 gchelp.top 188.114.96.3 Cloudflare/Gname - 27JN50A
01/14/25 molatorier.icu 104.21.16.1 Cloudflare/Gname

https://dpsupport.help/, redirecting to,
ConnectWise ScreenConnect Remote Support Software

https://vrehelp.top/,
and,
https://hfpcare.help/

01/15/25 echelp.top 104.21.16.1 Cloudflare/Gname
01/15/25 ongajroker.icu 91.208.184.7 Alexhost/Gname.com Pte. Ltd.

We saw this backend yesterday from another URL

01/16/25 bvhelp.top 104.21.96.1 Cloudflare/Gname

01/16/25 dkhelp.top 188.114.96.3 Cloudflare/Gname - 83274
01/16/25 molatorier.cyou 104.21.33.213 Cloudflare/Gname

01/16/25 uvhelp.top 104.21.48.1 Cloudflare/Gname - 334587

01/16/25 molatorier.icu 104.21.64.1 Cloudflare/Gname

This backend was seen 2 days ago at a slightly different IP

01/14/25 molatorier.icu 104.21.16.1 Cloudflare/Gname from gchelp.top

01/16/25 mrhelp.top 104.21.88.122 Cloudflare/Gname - 53KK33J
01/16/25 gajrokerring.icu 172.67.155.171 Cloudflare/Gname

This one has come up a lot - first reported in November

11/25/24 mrhelp.top 172.67.178.182 Cloudflare/Gname.com
11/25/24 gajrokerring.icu 172.67.155.171 Cloudflare/Gname.com

01/16/25 dnhelp.top 172.67.132.187 Cloudflare/Gname - 86VJ32W
01/16/25 molatorila.cyou 104.21.64.1 Cloudflare/Gname