Security researchers identify an active C2 infrastructure linked to a known remote access trojan, raising fresh monitoring alerts for defenders.

Malicious Infrastructure Identified
Threat intelligence monitoring has identified a new command-and-control (C2) endpoint associated with Xtreme RAT, a well-known remote access trojan frequently used in targeted cyber espionage and cybercrime operations.
Researchers flagged the malicious indicator:
- IOC: 150.139.132.8:10001
- Threat Type: Botnet Command-and-Control
- Confidence Level: High (100%)
- First Observed: February 5, 2026
The indicator was reported through collaborative threat intelligence monitoring and verified using infrastructure scanning telemetry. Analysts have not yet confirmed that the host is compromised, but detection confidence remains extremely high.
Why Xtreme RAT Remains Dangerous
Xtreme RAT, also known as ExtRat, provides attackers with full remote control over infected systems. Once attackers gain access, they can steal credentials, capture keystrokes, deploy additional malware, and exfiltrate sensitive data.
Threat actors often use this RAT to build botnets and maintain long-term persistence inside victim environments. Additionally, attackers frequently disguise the malware inside phishing attachments, malicious downloads, or trojanized software packages.
The newly detected IP and port combination suggests active command infrastructure that may coordinate infected endpoints or support data exfiltration operations.
Infrastructure and Threat Intelligence Signals
Security telemetry linked the infrastructure to Autonomous System AS136195, which has appeared in previous malware infrastructure mapping. Analysts also observed reconnaissance and indexing activity through external scanning platforms, strengthening attribution confidence.
C2 infrastructure often shifts quickly. Therefore, early IOC distribution plays a critical role in preventing lateral movement and stopping outbound malicious communication.
Defensive Actions Organizations Should Consider
Security teams should immediately review network telemetry for connections to the flagged endpoint. Monitoring outbound traffic patterns often reveals early-stage compromise.
Organizations should also:
- Update firewall and EDR block lists
- Inspect endpoint logs for suspicious RAT behaviors
- Strengthen phishing detection and email filtering
- Review privileged access activity for anomalies
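The first step above, reviewing network telemetry for connections to the flagged endpoint, can be scripted as an IOC match over outbound connection logs. The block below is an added example written for this article, not code from the researchers who reported the indicator. It assumes a constructed key=value export format (timestamp, src, dst, proto, action) that a firewall or proxy log can be normalised into; the sample lines are constructed, and the only real indicator is the 150.139.132.8:10001 endpoint from the report. It flags exact ip:port matches as high severity, same-IP/different-port connections as medium (C2 hosts often reuse ports), and still alerts on denied connections, since a blocked beacon attempt still points to an infected internal host.

```python
"""Match outbound connection log lines against a C2 IOC list.

Added example for this article, not the reporting researchers' code.
Assumption: logs are normalised to the constructed key=value format below.
"""
import re
from dataclasses import dataclass

# Indicator from the report: Xtreme RAT C2 endpoint as (ip, port).
C2_IOCS = {("150.139.132.8", 10001)}

# Constructed log format (assumption), e.g.
#   2026-02-05T10:12:33Z src=10.0.0.5:51234 dst=150.139.132.8:10001 proto=tcp action=allow
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str       # internal host that made the connection
    dst: str          # ip:port reached
    severity: str     # "high" or "medium"
    reason: str


def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def match_iocs(lines, iocs=C2_IOCS):
    """Scan log lines and return one Alert per connection that touches an IOC."""
    ioc_ips = {ip for ip, _ in iocs}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, do not abort the whole scan
        if (rec["dst_ip"], rec["dst_port"]) in iocs:
            severity, reason = "high", "exact C2 ip:port match"
        elif rec["dst_ip"] in ioc_ips:
            severity, reason = "medium", "C2 IP reached on a non-listed port (possible infra reuse)"
        else:
            continue
        if rec["action"] != "allow":
            # A denied beacon is still evidence of infection on the source host.
            reason += "; blocked at perimeter, source host still needs triage"
        alerts.append(Alert(rec["ts"], rec["src_ip"],
                            f"{rec['dst_ip']}:{rec['dst_port']}", severity, reason))
    return alerts


def affected_hosts(alerts):
    """Unique internal hosts to triage, sorted for stable reporting."""
    return sorted({a.src_ip for a in alerts})


def defang(endpoint):
    """Render an indicator safely for tickets and chat (150[.]139[.]132[.]8:10001)."""
    return endpoint.replace(".", "[.]")


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-02-05T10:12:33Z src=10.0.0.5:51234 dst=150.139.132.8:10001 proto=tcp action=allow",
    "2026-02-05T10:12:40Z src=10.0.0.7:51300 dst=203.0.113.10:443 proto=tcp action=allow",
    "2026-02-05T10:13:01Z src=10.0.0.9:49152 dst=150.139.132.8:8080 proto=tcp action=allow",
    "2026-02-05T10:13:05Z src=10.0.0.5:51240 dst=150.139.132.8:10001 proto=tcp action=deny",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.src_ip} -> {defang(a.dst)}: {a.reason}")
    print("hosts to triage:", ", ".join(affected_hosts(found)))
```

Feed it the export from your perimeter device after normalising to the assumed format; the list returned by `affected_hosts` is the starting point for the endpoint-log inspection in the second bullet, and the exact-match entries are what goes on the firewall and EDR block lists.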
Early detection significantly reduces the risk of credential theft and data exfiltration. Meanwhile, continued monitoring will help identify whether attackers expand this infrastructure into a broader botnet campaign.