IBM Security X-Force identified a sample of the malware that communicates with domains registered to drake.lampado777[at]gmail[.]com. Both domains appeared to be down at the time Damballa published its blog post, however, the company noted.
The same IP address also evidently registered a new domain in July, btcshop[dot]cc. The domain serves up an online shop selling lists of SOCKS (Socket Secure) proxies and personally identifiable information. Most of the proxies listed on the site are infected machines repurposed as proxies for “further malicious activity,” the blog post stated.
The post also draws a connection between the email address and a TVSPY command-and-control (C&C) server. Although it appears that one individual might be using Corebot and TVSPY to collect personal information, it is also possible that the activity belongs to a single group.