BleepingComputer has independently confirmed that these binaries establish a connection to a Tokyo-based IP address, 188.8.131.52, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain infoamanewonliag[.]online associated with this incident. The security research group MalwareHunterTeam further analyzed these binaries and stated that they contain Windows botnets written in PHP — a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: “So, the website of [efile.com]… got compromised at least around middle of March & still not cleaned,” writes MalwareHunterTeam.
Read more of this story at Slashdot.