The Panels Left Open: Mapping Nine Exposed Malware Operations in a Single Sweep | Intercept Cell
A single Shodan hunting session turned up nine distinct malware operations with their control panels exposed to the internet: a PoisonX stealer on Swiss bulletproof hosting leaking PHP paths, a custom RAT called Whack with its full binary protocol recoverable from exposed JavaScript, a Turkish RAT with an open FastAPI Swagger endpoint, twin stealer servers on a phishing-linked ISP, a Brazilian Portuguese Steam account stealer on Google Cloud, a Korean payment card operation with OTP authentication and business hours, and more. Several had no authentication at all.
We ran a structured Shodan sweep targeting known stealer and RAT panel fingerprints. Within hours, we had nine distinct operations mapped across five continents, several with their guts spilled to the open internet. The approach was straightforward: query Shodan for HTTP titles and body content matching known stealer panel patterns, then pivot from each hit to enumerate APIs, extract JavaScript, and fingerprint the operator's infrastructure. The queries ranged from direct name matches (`http.title:"Lumma"`, `http.title:"Amadey"`) to behavioral patterns (`http.html:"stealer" http.html:"dashboard" http.html:"bots"`, `http.html:"/api/gate" http.html:"token"`). Most of the noise was legitimate businesses whose names collided with malware families. The signal, when it appeared, was unmistakable.

The first serious find was 179[.]43[.]176[.]30, hosted on PRIVATE LAYER INC (AS51852) in Lugano, Switzerland. PRIVATE LAYER is a well-known bulletproof hosting provider. The server announces itself plainly:

> PoisonX Stealer

The login page uses the Orbitron font, a Matrix-style animated background, and green-on-black theming. It runs Apache 2.4.58 on **Windows Server** with PHP 8.0.30, XAMPP stack, MariaDB 10.4.32. The RDP certificate leaks the hostname: WIN-8OA3CCQAE4D.
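The noise problem described above (business names colliding with malware family names) is usually handled by scoring title matches lower than behavioral body patterns. The following is an added example, not Intercept Cell's tooling: it triages constructed Shodan-style host records with the page's own title and body patterns; the IPs, records and field names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed Shodan-style host records (not real scan data). Only the fields the
# triage needs are modelled: HTTP title, HTTP body and the banner product string.
SAMPLE_HOSTS = [
    {"ip": "198.51.100.10", "title": "PoisonX Stealer",
     "body": "<link href='Orbitron'> <form action='login.php'> dashboard bots",
     "product": "Apache httpd 2.4.58 PHP/8.0.30"},
    {"ip": "198.51.100.11", "title": "Lumma Software - Home",
     "body": "We build accounting tools for small businesses.", "product": "nginx"},
    {"ip": "198.51.100.12", "title": "Panel",
     "body": "fetch('/api/gate', {headers: {token: t}}) bots dashboard stealer",
     "product": "uvicorn"},
]

# Direct family-name matches from the sweep. Alone they are a weak signal,
# because legitimate businesses collide with malware family names.
NAME_PATTERNS = [re.compile(p, re.I) for p in (r"\bLumma\b", r"\bAmadey\b", r"PoisonX")]
# Behavioral patterns from the sweep: every token of a combo must appear in the page.
BODY_COMBOS = [("stealer", "dashboard", "bots"), ("/api/gate", "token")]

@dataclass
class Verdict:
    ip: str
    score: int = 0
    reasons: list = field(default_factory=list)

def triage(host: dict) -> Verdict:
    """Score one host record: +1 for a family name in the title (weak),
    +3 per behavioral body combo (strong). Reasons record what matched."""
    verdict = Verdict(host["ip"])
    title = host.get("title", "")
    # http.html matches the whole document, so the title is searched with the body.
    page = (title + " " + host.get("body", "")).lower()
    if any(p.search(title) for p in NAME_PATTERNS):
        verdict.score += 1
        verdict.reasons.append("family name in title (weak, may be a name collision)")
    for combo in BODY_COMBOS:
        if all(token in page for token in combo):
            verdict.score += 3
            verdict.reasons.append("body pattern " + " + ".join(combo))
    return verdict

def candidates(hosts: list, threshold: int = 3) -> list:
    """Keep hosts worth a manual pivot; a bare name match never reaches the bar."""
    return [v for v in (triage(h) for h in hosts) if v.score >= threshold]

if __name__ == "__main__":
    for v in candidates(SAMPLE_HOSTS):
        print(v.ip, v.score, v.reasons)
```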