A sprawling network of illicit Internet Protocol Television (IPTV) services has been discovered, operating across more than 1,100 domains and in excess of 10,000 IP addresses.<\/p>\n
This sprawling infrastructure, which has remained active for several years, delivers unauthorized streams of premium content\u2014including major sports leagues, subscription services, and on-demand platforms\u2014without licensing agreements.<\/p>\n
Silent Push analysts noted that this network\u2019s use of both high-volume IP address pools and rapidly rotating domains represents a significant escalation in piracy tactics, making traditional takedown processes nearly futile.<\/p>\n
At its core, the network<\/a> relies on customized IPTV panels built around modified open-source software such as Stalker Portal and Xtream UI.<\/p>\n These panels facilitate automated user authentication and stream distribution, allowing operators to provision hundreds of thousands of simultaneous sessions.<\/p>\n Rather than depending on a single front-end domain, the operators employ a large pool of proxy domains\u2014each resolving to multiple shared IP addresses\u2014to obfuscate the true origin of the streams.<\/p>\n Silent Push researchers identified two companies, XuiOne and Tiyansoft, and an individual, Nabi Neamati of Herat, Afghanistan, as principal beneficiaries of this infrastructure.<\/p>\n The attack vectors begin with server-side exploitation and credential harvesting. Malicious actors compromise under-protected web hosts or exploit outdated control panels to install custom modules that inject backdoors into legitimate streaming control software.<\/p>\n In many cases, operators gain initial access by exploiting default credentials on cPanel, Plesk, and Stalker Portal installations.<\/p>\n Once access is secured, a deployment script\u2014often obfuscated<\/a> via Base64 encoding\u2014pushes modified PHP files and cron jobs to automate the registration of new domains and the rotation of stream endpoints.<\/p>\n Silent Push analysts identified<\/a> one such script that uses the following code snippet to register new virtual hosts:<\/p>\n Despite repeated takedown requests, the network\u2019s agility in rotating both domains and IP addresses allows it to remain operational.<\/p>\n New domains appear almost daily, with each resolving to clusters of dynamic IP addresses provisioned via bullet-proof hosting providers.<\/p>\n This resilient structure poses a formidable challenge to rights holders and law enforcement agencies attempting to disrupt the service.<\/p>\n A particularly insidious aspect of this IPTV piracy network is its infection mechanism, which centers on compromised control panels.<\/p>\n Operators survey the internet for misconfigured or outdated installations of Stalker Portal and Xtream UI, using automated scanners to detect vulnerable endpoints on ports 80, 8080, and 2095.<\/p>\n Upon identifying a target, they deploy a multi-stage payload<\/a> that begins with a low-profile reconnaissance module.<\/p>\n This module enumerates existing user accounts, collects hashed credentials, and exfiltrates configuration files containing API keys.<\/p>\n A second stage installs a persistent backdoor by modifying the The backdoor script, This persistent foothold enables continuous updates to the hosting infrastructure, seamless domain registration, and dynamic IP assignment\u2014ensuring that new entry points replace any that have been taken down.<\/p>\n As a result, the network can sustain large-scale piracy operations<\/a> with minimal interruption.<\/p>\n The post Massive IPTV Hosted Across More Than 1,000 Domains and Over 10,000 IP Addresses<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhp_r3kb0OrHhO55UkFKhbVIbpqQPJc3S_NaTC3_gER7aUYKyJ7ZnKHNSP3wZl9FQQlBycEAgXh2RT9KuPwksDRhia_xaQ69T985GO32n3qlbqgCjuexz-zOc_WB-vRxY1f1qww5T0V6hA-6u5_oIhUGc_6Vh3FQOkt5_jNdYGkZy_Ycq5EjQpehfVRi7k\/s16000\/XUIone%2520website%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
$domain = trim(shell_exec('wp option get siteurl'));\n$ipList = ['158.220.114.199','46.202.197.208'];\nforeach ($ipList as $ip) {\n shell_exec(\"echo '$domain IN A $ip' >> \/etc\/bind\/db.piracy\");\n}\nshell_exec('rndc reload');<\/code><\/pre>\nInfection Mechanism Through Control Panel Exploits<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhWVPucdSEv6vWvPllB7YJB-dz7F1FVv_gEjHXEgkKgcKnTGo3dHZ3k3X-PIal-odkg656yQVzGLkFTpiFWKUoTfycENK8sOgoCVXAuuCOJh8Rx-L17f9WcSPd6PvSeiX5JNVqQztf4wvmULrCL3cshTu2QNyqhvLcfHhMFUSOfHTtOHtF9EJKpz3jqrUY\/s16000\/Xtream%2520UI%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjzY0lKtbUHV0vjFw22n0wh1tUnAdze3DHpoZsrccrEWlxsmuZPuTmmTMbC_JsV2UxfNss4YS-AoQCQKuMLSL9h1lNAouwldYdJbbMp-1sO2E0G94tJSBosCujF6m7DjA5ZaHOPL9adD-Hsbgbes8hkQ6qCjj_ET8SBag-XW6IZnAUZhUfej61i_X-OybM\/s16000\/Stalker%2520Portal%2520and%2520Xtream%2520portal%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\")
config.php<\/code> file within the panel\u2019s directory:-<\/p>\nif (!defined('IPTV_INIT')) {\n define('IPTV_INIT', true);\n require_once __DIR__ . '\/backdoor.php';\n}<\/code><\/pre>\nbackdoor.php<\/code>, establishes a reverse shell to a command-and-control server whenever an administrator logs in, effectively granting the attackers full control over the panel.<\/p>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n