11 July 2024
Exposing The Evil Empire of Doppelganger Disinformation
Executive summary
In September 2022 Qurium, in collaboration with EU DisinfoLab, exposed for the first time a Russia-based influence operation network that had been operating in Europe since at least May 2022 and that later became known as “Doppelganger”.
Two years after the release of the investigation, the campaign is still active as well as the network and server infrastructure responsible for the content distribution. Astonishingly, Doppelganger does not operate from a hidden data center in a Vladivostok Fortress or from a remote military Bat cave but from newly created Russian providers operating inside the largest datacenters in Europe.
But it is even more surprising to discover that Doppelganger operates in close association with cybercriminal activities and affiliate advertisement networks. Disinformation is a sad example of a broken advertising industry.
For the past nine months Qurium has closely monitored the infrastructure used by Doppelganger and the location of the different stages of their domain redirection, which we have coined FI-KE-D. Doppelganger has established operating infrastructure inside Europe, using UK-registered companies to constantly set up new Internet providers (Autonomous Systems) peering with a few upstream providers with presence in Germany.
The ecosystem of Doppelganger has its hub in a Russian provider with European presence: Aeza (International). The provider has presence in Moscow M9 and in two data centers in Frankfurt to access international upstream capacity from Czech provider CDN77/Datacamp and German provider Aurologic GmbH.
The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated with bulletproof hosting providers in Russia offering shelter to cybercrime. During the last six months we have identified a dozen bulletproof hosting providers accepting cryptocurrency closely related to Aeza, where Doppelganger operates in coexistence with other cybercriminal activities such as data exfiltration, phishing or the distribution of scams using affiliate marketing.
Legal entities set up in the United Kingdom are used to channel the necessary volatile digital resources to the constant creation of new providers (autonomous systems) that share a few common international upstreams. Other elements of the architecture include the use of Lithuanian provider Hostinger to manage the domain names, and the use of companies to obtain digital resources such as:
- LIR services from Belgian provider Servperso/Sarah Rossius or Swiss iFog-GmbH
- IP networks and LIR services from Russian company IP4market or newly created LIR operators such as Oner Investments registered in Cyprus or Axiom Services registered in Singapore.
The report provides a detailed description of the Doppelganger modus operandi and its infrastructure. Doppelganger FIKED relies on the constant establishment, around Aeza International, of new autonomous systems with presence in Europe that are quickly advertised as new bulletproof hosting providers accepting cryptocurrency.
It is within the general cybercriminal ecosystem present in these providers that Doppelganger operators run their specific infrastructure.
Introduction
The main strategy of Doppelganger is to disseminate false articles using websites that resemble the design of a real newspaper. The fake outlets run on domain names with different top level domains and are hidden behind the Cloudflare CDN.
We have looked specifically into how thousands of articles have been distributed inside Twitter since October 2023. The distribution of the fake articles is done using the same techniques used for the distribution of malware or phishing websites. The main idea is to advertise the content using hundreds of expendable domain names that redirect through a chain of other domains, ultimately ensuring that the reader arrives at the intended content.
The goal of this research is to describe the architecture and design of Doppelganger, with special emphasis on attributing the service providers that make it possible. To achieve its goals Doppelganger makes use of several technical and physical infrastructure elements common in cybercrime operations.
The four stage architecture
To attribute each of the building blocks we have decided to break Doppelganger down into four major blocks; each of these blocks is analyzed separately in detail in the next sections.
Doppelganger makes use of multiple domain redirects that can be divided into:
- Front domains (F): These are the domains that are advertised in social media. The structure of these domains takes the form subdomain.expendable_root_domain/some_string. The main goal of these domains is to redirect to an intermediary domain name.
- Intermediary domains (I): These domain names are responsible for redirecting the visitor to a set of domain names that run Keitaro, an advertisement tracker.
- Keitaro domains (KE): These domain names operate an advertisement tracker that ensures that the content is only reachable from certain locations. Keitaro performs the final step of the chain: redirecting the viewer to the fake clone site.
- Doppelganger domains (D): These are the final destination of the traffic, the cloned websites with fake articles.
We have coined this strategy FIKED. The following chain shows the three redirect steps, from the front domain to the final Doppelganger domain:
elxtbm.taigamebaisung.com/8vkthn (F) ->
711ggr.com/gren3878317 (I) ->
ggspace.space/DE-31-10_grenzezank (KE) ->
grenzezank.com (D)
To understand better the strategy and who is operating each of these building blocks, we have looked into several specific elements of each of them including:
- The website technology they operate
- The origin of the domain names
- The suppliers of IP space
- The RIPE objects associated with autonomous systems and associated organizations
- The autonomous systems and their network prefixes
- The (bulletproof) hosting providers
- The upstream providers
- The typical activity found in their hosting providers
- The historical relationships of the different elements of the supply chain
- The social media presence of the identified providers
The Front domain (F)
The Front Domains are the most expendable part of the FIKED model. To have a sense of the numbers, for 1,000 front domains, only 50 domains are used as intermediaries (I).
The Front Domains operate on an infrastructure that uses OpenResty, a web platform that integrates the Nginx web server with the Lua programming language.
The redirection of this first step is done using an HTML meta refresh tag of the form:
<meta http-equiv='refresh' content='0; url=http://beecontrolparadisevalleyaz.com/rrn9838681'>
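The meta refresh above is the first hop of the FIKED chain; the later hops use ordinary HTTP redirects. The following Python script is an added example and not part of the original report: it walks such a chain offline, extracting `<meta http-equiv="refresh">` targets with the standard-library HTML parser and following HTTP 3xx `Location` headers, and stops on loops or after a hop limit. The fetcher, the status codes and the page bodies are constructed for this example (only the hostnames come from the chain quoted above); in a real analysis the fetcher would be an HTTP client with automatic redirects disabled so that every hop is recorded.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# Constructed sample "responses" keyed by URL, modelled on the F -> I -> KE -> D
# chain quoted in the report. Status codes, headers and bodies are assumptions.
SAMPLE_SITE: Dict[str, Tuple[int, Dict[str, str], str]] = {
    "http://elxtbm.taigamebaisung.com/8vkthn": (200, {},
        "<html><head><meta http-equiv='refresh' "
        "content='0; url=http://711ggr.com/gren3878317'></head></html>"),
    "http://711ggr.com/gren3878317": (302, {"Location": "https://ggspace.space/DE-31-10_grenzezank"}, ""),
    "https://ggspace.space/DE-31-10_grenzezank": (302, {"Location": "https://grenzezank.com/"}, ""),
    "https://grenzezank.com/": (200, {}, "<html><body>final page</body></html>"),
}

# A fetcher returns (status, headers, body) for a URL and must NOT follow redirects.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]


def sample_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Offline fetcher over the constructed sample; unknown URLs return 404."""
    return SAMPLE_SITE.get(url, (404, {}, ""))


class _MetaRefreshParser(HTMLParser):
    """Collects the URL of the first <meta http-equiv="refresh" content="N; url=..."> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.target: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://host/path", quotes and case vary
        m = re.match(r"\s*\d+\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


def meta_refresh_target(html: str) -> Optional[str]:
    """Return the meta refresh target URL of a page, or None if there is none."""
    parser = _MetaRefreshParser()
    parser.feed(html)
    return parser.target


def follow_chain(url: str, fetch: Fetcher, max_hops: int = 10) -> List[Tuple[str, str]]:
    """Return [(url, mechanism), ...] for every hop; mechanism is one of
    'http-3xx', 'meta-refresh', 'final' or 'loop'."""
    hops: List[Tuple[str, str]] = []
    seen = set()
    while len(hops) < max_hops:
        if url in seen:                      # redirect loop: record and stop
            hops.append((url, "loop"))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and location:
            hops.append((url, "http-3xx"))
            url = urljoin(url, location)     # Location may be relative
            continue
        target = meta_refresh_target(body)
        if target:
            hops.append((url, "meta-refresh"))
            url = urljoin(url, target)
            continue
        hops.append((url, "final"))
        break
    return hops


if __name__ == "__main__":
    for hop_url, how in follow_chain("http://elxtbm.taigamebaisung.com/8vkthn", sample_fetch):
        print(f"{how:12s} {hop_url}")
```

In the constructed chain the four recorded hops correspond to the F, I, KE and D stages; the mechanism column is what distinguishes the OpenResty meta refresh of the front domain from the HTTP redirects of the later stages.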
Where are the F domains hosted?
From late 2023 to March 2024 the domains were advertised by the following providers:
AS216309 EVILEMPIRE-AS/TNSECURITY
AS207713 GIR-AS
AS63949 Akamai Connected Cloud (GiantPanda Balancer)
AS16509 Amazon.com, Inc.
From late March 2024, the F-domains have been advertised from:
AS216309 EVILEMPIRE-AS/TNSECURITY2
AS215590 DPKGSOFT-AS
AS215428 MYKYTASKOROB
AS198981 NETSHIELD 1CENTHOST
AS207957 SERVHOST
AS216127 NUXTCLOUD
EVILEMPIRE, aka TNSECURITY, also hosts phishing websites and malware. It is registered in the name of 19-year-old “Dorector” ANASTASIJA, Berezina. The provider serves hundreds of F domains from 185.172.128{.}161.
GIR ООО “ГЛОБАЛ ИНТЕРНЕТ РЕШЕНИЯ” is already flagged as a provider for Gamaredon. The owner of GIR, МАРИНКО ЕВГЕНИЙ ВАЛЕНТИНОВИЧ (dimetr801{@}mail.ru), has been flagged in connection with ransomware operations.
Giant Panda (Site Matrix LLC) provides commercial domain parking services using a traffic balancer in Akamai.
DPKGSOFT/MYKYTASKOROB 1CentHost provides new front-end infrastructure for F-domains from March 28th 2024.
GIR
During early 2024, F-domains of Doppelganger were distributed from servers of the Russian Global Internet Solutions LLC network (AS207713) aka gir{.}network.
Global Internet Solutions LLC (GIR) and Global Connectivity Solutions LLP (AS215540) are run by Marinko Evgeni Valentinovich (1999), aka “dimetr50” or Rustam Yangirov. “Dimetr50” started his dark career in Armyansk in Crimea. Together with Igor Dekhtyarchuk “Floraby” (1998), he operated shopsn{.}su, an online shop used to trade stolen credentials.
One of the sites operating in their marketplace since 2018 was bayacc{.}store (vk.com/shopsn_ru). “Bayacc” competed with account shop giants such as SlilPP for the criminal market share.
In March 2022, the FBI announced that Dekhtyarchuk is wanted for allegedly operating a cyber-criminal marketplace. Dekhtyarchuk is currently indicted in East Texas for cyber hacking.
During 2021-2022, shopsn{.}su ran infrastructure inside the WebDC Network Operations webdc{.}ru, part of the Skolkovo Innovation Center (JSC IOT). Several other bulletproof hosting providers operated on servers of WebDC, including MskHost and Plexus{.}host.
In January 2023, several shops associated with shopsn{.}su moved to 45.15.159{.}67 at Aeza International LTD.
Site Matrix LLC
When we analyzed where the Front domains were hosted, we found the following patterns:
- 12 IP addresses serving almost 150 domain names are associated with the Giant Panda domain monetization service from Site Matrix LLC.
- Domains of the form ww2#, cname# or cname-#.mytrafficmanagement{.}com from Giant Panda are also served from the same IP addresses.
- SiteMatrix owns a product called GiantPanda{.}com, a software-as-a-service (SaaS) offering that optimizes domain name parking pages.
Examples of such domains include:
alushi-kariz-ag15[.]buzz
growinstagram[.]services
kaz-kariz-ag17[.]buzz
kaz-kariz-mx19[.]buzz
nesie-kred-ad17[.]buzz
nesie-kred-mx20[.]buzz
nesie-kred-mx8[.]buzz
sienpencliar[.]shop
supe-nesie-ad17[.]buzz
zaksi-kred-ad27[.]buzz
zaksi-kred-mx23[.]buzz
.Buzz TLD domains promoted by Site Matrix LLC.
- The domains mostly use the name servers of Lithuanian Hostinger (dns-parking) to point them to external hosting infrastructure.
The following example for the domain zaksi-kred-ad27{.}buzz shows that DNS parking services are used for this first-stage redirection: Hostinger (dns-parking) and Giantpanda{.}com are both involved.
EVILEMPIRE – GIR – AEZA
A network of bulletproof providers
We looked specifically into the network prefix 185.172.128.0/24 of EVILEMPIRE/TNSECURITY, where many of the F-domains are hosted. This is a summary of our findings:
- The network prefix was originally announced by OOO Nadym Svyaz Service, an Internet provider from the energy city of Novy Urengoy (Okrug). The prefix was transferred in September 2023 using the company “Network Management Ltd” as intermediary (LIR).
- “Network Management Ltd” (lir-sc-netman-1-MNT) is a LIR registered in the Seychelles associated with the Russian LIR ip4market.
- TNSECURITY appears as a new hosting provider of a network of new entities registered in the United Kingdom. After its creation it immediately joined a cluster of bullet proof hosting providers that frequently exchange network resources to operate.
- Network prefixes are often exchanged between members, extending their online presence when an autonomous system is flagged as malicious.
- The autonomous systems also change their name (“as-name”) frequently, in many cases as a result of a company re-branding.
- The shared resources can be tracked by looking at their peering and at the movement of their network prefixes over time among members of the as-set groups AS-WAICORE and AS-AEZA.
- While their European operations are linked to AEZA INTERNATIONAL LTD, run by 25-year-old Kazakh national Marat Timurov, their Russian origin links back to the Aeza Group (ООО “Аеза Групп”), which is registered in the name of three Russian nationals:
- Bozoyan Yuriy Meruzhanovich (Бозоян Юрий Меружанович), who formerly ran another bulletproof hosting provider, MskHost OOO “Облачные решения”, and
- Penzev Arseniy Alexandrovich (Пензев Арсений Александрович), who ran MskHost and Enotcloud together with Bozoyan.
- Knyazev Igor Anatolyevich (Князев Игорь Анатольевич)
- Yuriy and his business partner Aristarkhova Ekaterina Sergeevna (Аристархова Екатерина Сергеевна) are directly connected to Aeza’s peering client Shelter LLC (aka AS211409 Galaxy), where the bulletproof hosting zerohost/areasoft can be found.
- According to the company registry the Aeza Group was known as Enotcloud (until Nov 2021) (enot{.}cloud) and Partner LLC (until Nov 2022).
- TNSECURITY, Aeza and other members of the cluster, such as GIR, have already been flagged for hosting the command and control of several malware families including Mystic, Lumma and Meduza Stealers.
- AS216309 TNSECURITY LTD not only hosts command and control servers of several malware families and dozens of Doppelganger F domains at 185.172.128{.}161, but also hosts services for buying stolen credit cards, PayPal or bank accounts, such as darkpass{.}pro.
- TNSECURITY provides bulletproof services advertised as lethost{.}co. SBL reports about its services include carding and phishing sites.
These key findings strongly suggest that TNSECURITY forms part of a larger network of bulletproof providers that includes GIR, AEZA/MSKHOST and SHELTER. The members of the network are notorious for their connections to ransomware and phishing cybercrime operations. Their newly created satellite operator TNSECURITY was the choice for operating the F-domains of Doppelganger.
20240724:
DPKGSOFT et al.
Starting on 28 March 2024, a new location for the F-domains was added. It deployed a new cluster of VPSs and started serving domains from the IP address 147.45.67.40 in AS215590 DPKGSOFT-AS (GB).
The new autonomous system follows the default strategy of using newly registered UK companies rather than their Russian equivalents. The companies are NETSHIELD LTD (Konstantin Muskafidi, Pavlo Misiura), DPKGSOFT INTERNATIONAL LIMITED (Eduard Ilin) and INTERNATIONAL HOSTING COMPANY LIMITED (Konstantin Muskafidi). The companies are used to operate NUXT.CLOUD, OOO “EKS FSP”, 1CENT Hosting and Xorek Hosting.
As in previous setups, bulletproof hosting portals have been registered and the prefix 147.45.67.0/24 is allocated to CENTHOST-MNT (1Cent Host).
DPKGSOFT/XorekCloud is run by young Russian Eduard Ilin. His website edwardcode{.}net provides this insightful information. A code repository on GitHub shows that Eduard Ilin wrote the looking glass code for Aeza.
The connections with the Aeza Group can be found in the historical data of the domain dpkgsoft.com and in the peering agreements of the autonomous system numbers. As in the case of TNSECURITY, DPKGSOFT-AS has chosen German provider combahton/aurologic GmbH (AS30823) as one of its upstreams.
Morningstars-AS Werner Group
During January 2024, the government computer emergency response team of Ukraine, CERT-UA, recorded the mass distribution of e-mails with the subject “Requests” with the objective of installing RemcosRAT. At the time, the UAC-0050 event included IOCs with command and control servers in Werner Group AS215939.
During January 2024 the prefix 77.105.132.0/24 was used to host the command and control in AS215939 (Werner Group/Morningstars); the prefix was then transferred to Aurologic peer Silence AS215481, which is now no longer visible. Finally, after a couple of months, the prefix made its way to Evilempire/Tnsecurity (AS216309), announced with Aeza International as its upstream.
AS42031 PLUSTELECOM-AS Dynamic Network Technolodgies LLC., RU
AS215939 WERNER-AS Valery Smoliar, IL (MORNINGSTARS) → UAC050
AS215481 Silence ORG-DL574-RIPE (Silence) Aurologic Peer (RIP)
AS216309 EVILEMPIRE-AS TNSECURITY LTD, GB → Announced by upstream AEZA
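The path of 77.105.132.0/24 across AS215939, AS215481 and AS216309 is the kind of prefix mobility described in the findings above. The following Python code is added here and is not part of the original report: it collapses dated origin-ASN sightings of a prefix (as an analyst would export them from a BGP history source) into runs per prefix, and flags prefixes that moved only between members of a given ASN cluster. The observation dates and the cluster membership are constructed for the example; the prefix-to-ASN sequence follows the report's text, with 185.172.128.0/24 included as a prefix that did not move.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One dated sighting of a prefix with its origin ASN (e.g. from a route collector)."""
    seen: date
    prefix: str
    origin_asn: int


@dataclass
class Run:
    """A period during which a prefix kept the same origin ASN."""
    origin_asn: int
    first_seen: date
    last_seen: date


# Constructed sample: the 77.105.132.0/24 sequence follows the report
# (Werner Group -> Silence -> Evilempire/TNSECURITY); the dates are assumptions.
SAMPLE_OBSERVATIONS: List[Observation] = [
    Observation(date(2024, 1, 10), "77.105.132.0/24", 215939),
    Observation(date(2024, 1, 25), "77.105.132.0/24", 215939),
    Observation(date(2024, 3, 5), "77.105.132.0/24", 215481),
    Observation(date(2024, 6, 12), "77.105.132.0/24", 216309),
    Observation(date(2024, 1, 10), "185.172.128.0/24", 216309),
    Observation(date(2024, 6, 12), "185.172.128.0/24", 216309),
]

# ASNs treated as one cluster for the example (numbers as named in the report).
EVIL_EMPIRE_ASNS: Set[int] = {215939, 215481, 216309, 210644, 216246}


def collapse_runs(observations: List[Observation]) -> Dict[str, List[Run]]:
    """Group sightings by prefix and merge consecutive sightings with the same origin."""
    by_prefix: Dict[str, List[Observation]] = {}
    for obs in observations:
        by_prefix.setdefault(obs.prefix, []).append(obs)
    history: Dict[str, List[Run]] = {}
    for prefix, sightings in by_prefix.items():
        runs: List[Run] = []
        for obs in sorted(sightings, key=lambda o: o.seen):
            if runs and runs[-1].origin_asn == obs.origin_asn:
                runs[-1].last_seen = obs.seen          # same origin: extend the run
            else:
                runs.append(Run(obs.origin_asn, obs.seen, obs.seen))
        history[prefix] = runs
    return history


def migrations_within(history: Dict[str, List[Run]], cluster: Set[int]) -> Dict[str, List[Tuple[int, int]]]:
    """Prefixes that changed origin at least once while every origin stayed inside `cluster`.
    Returns the (from_asn, to_asn) transitions per prefix."""
    result: Dict[str, List[Tuple[int, int]]] = {}
    for prefix, runs in history.items():
        origins = [r.origin_asn for r in runs]
        if len(set(origins)) >= 2 and set(origins) <= cluster:
            result[prefix] = list(zip(origins, origins[1:]))
    return result


def origin_path(runs: List[Run]) -> str:
    """Render a run list as 'AS215939 -> AS215481 -> AS216309'."""
    return " -> ".join(f"AS{r.origin_asn}" for r in runs)


if __name__ == "__main__":
    history = collapse_runs(SAMPLE_OBSERVATIONS)
    for prefix in migrations_within(history, EVIL_EMPIRE_ASNS):
        print(prefix, origin_path(history[prefix]))
```

A prefix whose origins all lie inside the cluster but change over time is the signature the report describes: resources handed between members rather than returned to the registry or sold outside the group.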
MYKYTASKOROB
In April 2024, 1Cent Host expanded its presence by announcing a new network prefix in the newly established AS215428 (MYKYTASKOROB), registered in the name of Mykyta Skorobohatko from Ukraine. Soon after the provider went online, F-domains started to be announced at 77.91.66{.}34.
Lethost.co and “bla bla bla 4444”
We looked into the resources exchanged between the peering groups (as-sets) AS-WAICORE and AS-AEZA associated with TNSECURITY. We found several ASNs (Waicore AS202973, Partner LLC AS204603, server4-as AS210352) with obviously fake contact details:
organisation: ORG-SER1-RIPE
org-name: AEZA Group LLC
country: RU
org-type: OTHER
address: bla bla bla 4444
last-modified: 2024-03-05T16:01:13Z
These autonomous systems have in common that they share servers operated by lethost.network and that they use creative names such as bla bla bla, abuse-server cyberhub international, 4Services (FourS) or Evil Empire. Several autonomous systems also exhibit very non-descriptive names such as Partner or Partner Hosting.
We also found that TNSECURITY and its associated LIR Network Management Ltd made an initial mistake when creating the organization objects ORG-LA1857-RIPE and ORG-TL874-RIPE. The historical data of these records shows that NETWORK-SUPPORT-MNT (ip4market{.}ru) created the object for TNSECURITY LTD; TNSECURITY in turn registered the organization as LETHOST and later deleted this entry, replacing it with EVIL EMPIRE.
Lethost.co, like other bulletproof hosting providers, has its billing server hosted inside Aeza International.
organisation: ORG-LA1857-RIPE
org-name: LETHOST
country: GB
org-type: OTHER
abuse-c: ACRO54038-RIPE
mnt-ref: tnsecurity-mnt
mnt-by: tnsecurity-mnt
created: 2023-09-13T16:28:37Z
last-modified: 2023-09-13T16:28:37Z
source: RIPE # Filtered
organisation: ORG-TL874-RIPE
org-name: TNSECURITY LTD
country: GB
org-type: OTHER
abuse-c: ACRO54038-RIPE
mnt-ref: NETWORK-SUPPORT-MNT
mnt-by: tnsecurity-mnt
mnt-by: EVILEMPIRE-MNT
created: 2023-09-12T13:44:49Z
last-modified: 2023-09-13T18:08:42Z
source: RIPE # Filtered
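The organisation objects quoted above (the “bla bla bla” ORG-SER1-RIPE from the as-set section, and ORG-LA1857-RIPE and ORG-TL874-RIPE here) can be checked mechanically. The following Python code is an added example, not part of the original report: it parses RPSL-style whois output into objects, keeping repeated attributes such as the two `mnt-by` lines, and then audits the objects for placeholder addresses, organisations sharing one `abuse-c` contact, and `mnt-ref` maintainers that are not also `mnt-by` maintainers (in the RIPE database `mnt-ref` names maintainers allowed to reference the organisation, which is how a LIR's maintainer shows up on a client's object). The sample text is the page's own records; the heuristics are the author's of this example.

```python
import re
from typing import Dict, List, Tuple

# Organisation objects as quoted in the report (RIPE database, "# Filtered" output).
RPSL_TEXT = """\
organisation: ORG-SER1-RIPE
org-name: AEZA Group LLC
country: RU
org-type: OTHER
address: bla bla bla 4444
last-modified: 2024-03-05T16:01:13Z

organisation: ORG-LA1857-RIPE
org-name: LETHOST
country: GB
org-type: OTHER
abuse-c: ACRO54038-RIPE
mnt-ref: tnsecurity-mnt
mnt-by: tnsecurity-mnt
created: 2023-09-13T16:28:37Z
last-modified: 2023-09-13T16:28:37Z
source: RIPE # Filtered

organisation: ORG-TL874-RIPE
org-name: TNSECURITY LTD
country: GB
org-type: OTHER
abuse-c: ACRO54038-RIPE
mnt-ref: NETWORK-SUPPORT-MNT
mnt-by: tnsecurity-mnt
mnt-by: EVILEMPIRE-MNT
created: 2023-09-12T13:44:49Z
last-modified: 2023-09-13T18:08:42Z
source: RIPE # Filtered
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split whois output into objects; every attribute maps to a list of values
    so repeated keys (mnt-by, address) are preserved in order."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # "# Filtered" and similar are comments
        if not line.strip():                          # blank line terminates an object
            if current:
                objects.append(current)
                current, last_key = {}, ""
            continue
        if line[0] in " \t+" and last_key:            # RPSL continuation line
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def suspicious_address(value: str) -> bool:
    """Heuristic for placeholder postal addresses such as 'bla bla bla 4444':
    fewer than three tokens, or the same word repeated back to back."""
    tokens = value.lower().split()
    if len(tokens) < 3:
        return True
    return any(a == b for a, b in zip(tokens, tokens[1:]))


def audit(objects: List[RpslObject]) -> Dict[str, object]:
    placeholder: List[str] = []
    by_abuse_c: Dict[str, List[str]] = {}
    third_party_ref: List[Tuple[str, List[str]]] = []
    for obj in objects:
        org_id = obj.get("organisation", ["?"])[0]
        if any(suspicious_address(a) for a in obj.get("address", [])):
            placeholder.append(org_id)
        for contact in obj.get("abuse-c", []):
            by_abuse_c.setdefault(contact, []).append(org_id)
        # maintainers that may reference the org but do not maintain it themselves
        refs = set(obj.get("mnt-ref", [])) - set(obj.get("mnt-by", []))
        if refs:
            third_party_ref.append((org_id, sorted(refs)))
    shared = {c: ids for c, ids in by_abuse_c.items() if len(ids) > 1}
    return {"placeholder_address": placeholder,
            "shared_abuse_c": shared,
            "third_party_mnt_ref": third_party_ref}


if __name__ == "__main__":
    for finding, value in audit(parse_rpsl(RPSL_TEXT)).items():
        print(finding, value)
```

Run over the three objects, the audit reports the placeholder address on ORG-SER1-RIPE, the abuse contact ACRO54038-RIPE shared by LETHOST and TNSECURITY LTD, and NETWORK-SUPPORT-MNT (the ip4market maintainer) as a referencing party on ORG-TL874-RIPE without being one of its maintainers.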
AEZA, a hub for bulletproof hosting
The next step in our research looked at the downstream clients of AEZA International (AS216246), which, not surprisingly, gave us a list of associated autonomous systems that also provide bulletproof hosting:
AS210352 Partner LLC
AS210644 AEZA INTERNATIONAL LTD
AS211409 Shelter LLC
AS209224 CYBERHUB-AS
AS216319 CHROMIS IT LTD
In the group we find Lethost.co (AS210352), Shelter LLC of Aristarkhova Ekaterina Sergeevna (AS211409) operating zerohost/areasoft, and Chromis IT Ltd (AS216319) running sunhost. As we will show in the next section, AEZA and its clients share not only the sheltering of cybercriminal activities but also common infrastructure suppliers.
According to historical data AS210352 changed name from 4Services Network to Partner LLC and aezanet-as in May 2024.
The origins of Aeza are likely connected to the “hack” of MskHost in September 2021. Back then the Aeza Group (INN: 7813654490) was named “ЕНОТКЛАУД” (Enotcloud), a name that was used for just a few months and was changed to “ПАРТНЕР” in November 2021. Finally, in November 2022, “ПАРТНЕР” changed its name to “АЕЗА ГРУПП”.
The collaboration of Aeza with 4server{.}su, responsible for the commercialization of stolen credentials, can be traced in the origin of one of the autonomous systems operated by Aeza.
Just after MskHost was hacked, AS210352 was created by FourS-mnt (4Services.network), run by Marinko Evgeni Valentinovich (4server{.}su), who together with Igor Dekhtyarchuk “Floraby” was responsible for the Bayacc marketplace. The autonomous system changed to Partner LLC in December 2022 and finally to AEZA Group LLC in March 2024.
A Russian LIR with European presence
(20240724 – Clarifications of the role of the LIR IP4MARKET has been added to this section)
A vast pool of network resources operated by the AEZA Group and its partners, including TNSECURITY, can be traced to IP4Market (ООО “МЕДИАСЕРВИСПЛЮС”), a Russian LIR that has branches in the Seychelles (“Network Management Ltd”) and in the United Arab Emirates (IP MARKET – FZCO).
The network decided to obtain its allocations using IP4MARKET LLC (Russia) and Network Management Ltd (Seychelles).
For example, IP4MARKET created AS210352 for Partner/Aeza Group, associated with ORG-SER1-RIPE with the address “bla bla bla 4444”:
organisation: ORG-SER1-RIPE
org-name: Partner LLC
country: RU
org-type: OTHER
address: bla bla bla 4444
admin-c: FN3463-RIPE
tech-c: FN3463-RIPE
address: 197198, St. Petersburg, Kronverksky pr-kt, 65 letter B, room. 2n, office 1, room 5
Our “bla bla bla” organization (ORG-SER1-RIPE) is associated with two autonomous systems: AS210352 (server4-as) and AS202973 (Waicore), where TNSECURITY is included.
The following table shows, marked with (*), how many of the network resources managed by this cluster of autonomous systems have been channeled via “IP4MARKET / Network Management Ltd” (ООО “МЕДИАСЕРВИСПЛЮС”) and its IP brokering service. A common pattern is that records are initially created with the client-supplier connection visible and, once the autonomous system is active, are quickly edited to remove it.
We decided to look into the 15 network prefixes that have been allocated by Network Management Ltd (sc.netman) to Aeza Group and Aeza International since late 2021, a total of 4096 IP addresses:
185.106.93{.}0/24
185.106.94{.}0/24
185.112.83{.}0/24
185.17.0{.}0/24
185.174.136{.}0/24
185.174.137{.}0/24
185.217.197{.}0/24
185.229.65{.}0/24
185.229.66{.}0/24
194.67.201{.}0/24
45.138.74{.}0/24
45.142.122{.}0/24
5.252.118{.}0/24
91.103.252{.}0/23
94.142.138{.}0/24
In the last two years the prefixes have been announced by the Aeza Group (RU) and International (GB) and previously by bullet proof ASNs Galaxy-as/Shelter LLC or server4-as/Partner LLC.
More than half of the prefixes were previously used by Hosting providers SuperServersDatacenter NTX Technologies s.r.o. (CZ) and FIRST SERVER LIMITED (GB).
Both hosting projects are registered in the name of Mr Iurii Bogdanov who also operates the LIRs associated to IP4MARKET.
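The 15 prefixes above add up to 4096 addresses, and the per-ASN table later in this report prices address space at a flat rate per IPv4 address. The following Python code is an added example, not part of the original report: it totals address space from prefix lists with the standard `ipaddress` module, counting overlapping prefixes once, and builds a per-ASN summary in the same shape as the report's table. The prefix list is the one quoted above; the grouping of prefixes under ASNs is a constructed assumption for the example (all 15 sc.netman prefixes attributed to AS210644, the two TNSECURITY prefixes to AS216309, the 1Cent prefix to AS215590), and the 50 EUR per address rate is the ratio implied by the report's table (for instance 1280 addresses at 64000 EUR).

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The 15 prefixes the report lists as channelled through Network Management Ltd
# (sc.netman) to Aeza Group / Aeza International, with the "{.}" de-fanging removed.
NETMAN_TO_AEZA: List[str] = [
    "185.106.93.0/24", "185.106.94.0/24", "185.112.83.0/24", "185.17.0.0/24",
    "185.174.136.0/24", "185.174.137.0/24", "185.217.197.0/24", "185.229.65.0/24",
    "185.229.66.0/24", "194.67.201.0/24", "45.138.74.0/24", "45.142.122.0/24",
    "5.252.118.0/24", "91.103.252.0/23", "94.142.138.0/24",
]

# Constructed announcement table for the example: the prefix-to-ASN pairs follow
# the report's text, but the exact split between Aeza ASNs is an assumption.
SAMPLE_ANNOUNCEMENTS: Dict[int, List[str]] = {
    210644: NETMAN_TO_AEZA,                               # AEZA INTERNATIONAL LTD
    216309: ["185.172.128.0/24", "77.105.132.0/24"],      # EVILEMPIRE / TNSECURITY
    215590: ["147.45.67.0/24"],                           # DPKGSOFT / 1Cent Host
}

# Price per IPv4 address implied by the report's table (1280 addresses -> 64000 EUR).
EUR_PER_IPV4 = 50.0


def address_count(prefixes: Iterable[str]) -> int:
    """Number of distinct IPv4 addresses in `prefixes`; overlapping or
    duplicated prefixes are collapsed so nothing is counted twice."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def per_asn_summary(announcements: Dict[int, List[str]],
                    eur_per_ip: float = EUR_PER_IPV4) -> List[Tuple[int, int, float, float]]:
    """Rows of (asn, addresses, percent_of_total, cost_eur), largest first,
    mirroring the columns of the report's ASN table."""
    counts = {asn: address_count(prefixes) for asn, prefixes in announcements.items()}
    total = sum(counts.values())
    rows = [(asn, n, round(100.0 * n / total, 2) if total else 0.0, n * eur_per_ip)
            for asn, n in counts.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def render_table(rows: List[Tuple[int, int, float, float]]) -> str:
    """Markdown table in the same layout the report uses."""
    lines = ["ASN | IPv4 Addresses | Percentage of Total | Cost (EUR) |",
             "---|---|---|---|"]
    for asn, n, pct, cost in rows:
        lines.append(f"{asn} | {n} | {pct:.2f}% | {cost:.2f} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print("sc.netman -> Aeza:", address_count(NETMAN_TO_AEZA), "addresses")
    print(render_table(per_asn_summary(SAMPLE_ANNOUNCEMENTS)))
```

Collapsing before counting matters when the same space is seen as both a covering prefix and its more specifics (a /23 next to one of its /24s), which is common when prefixes are split up while being handed between ASNs.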
Fake geolocation as a service
Like many other malicious actors we have documented previously, Aeza International and its partners also tamper with geolocation, publishing a geolocation feed at https://aeza{.}net/static/ipv4_f.csv in order to offer services that appear to be located in FI, AT, FR, TR, US or SE.
Similarly, Altagw (Daniil Yevchenko) advertises fake geolocation for Scandinavia.
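Self-published geofeeds in the RFC 8805 CSV format (`prefix,country,region,city,postal`) are exactly what geolocation databases ingest, so an operator can claim any country it likes. The following Python code is an added example, not part of the original report: it parses a geofeed, rejects malformed lines, and compares each claimed country against an independently determined one. The feed lines and the "expected" countries are constructed for this example (the prefixes are taken from the sc.netman list above, and Germany is used as the expected location because the report places the physical infrastructure in Frankfurt); they are not a copy of the feed mentioned in the text.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in RFC 8805 geofeed format: prefix,country,region,city,postal.
# The claimed countries are illustrative, not copied from any real feed.
SAMPLE_FEED = """\
# geofeed (constructed sample)
185.106.93.0/24,FI,FI-18,Helsinki,
185.106.94.0/24,SE,SE-AB,Stockholm,
45.138.74.0/24,DE,DE-HE,Frankfurt am Main,
not-a-prefix,XX,,,
185.112.83.0/24,germany,,,
"""

# Ground truth for the comparison, an assumption for this example: in practice it
# would come from an independent source such as traceroute latency to the prefix
# or the upstream's point of presence, never from the operator's own feed.
EXPECTED_COUNTRY: Dict[str, str] = {
    "185.106.93.0/24": "DE",
    "185.106.94.0/24": "DE",
    "45.138.74.0/24": "DE",
    "185.112.83.0/24": "DE",
}


def parse_geofeed(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(prefix, country), ...], [rejected raw lines]).
    A line is rejected when the prefix does not parse or the country is not
    a two-letter alpha code; blank lines and '#' comments are skipped."""
    entries: List[Tuple[str, str]] = []
    rejected: List[str] = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        row = row + [""] * (5 - len(row))          # trailing fields may be absent
        prefix, country = row[0].strip(), row[1].strip()
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            rejected.append(",".join(row))
            continue
        if not (len(country) == 2 and country.isalpha()):
            rejected.append(",".join(row))
            continue
        entries.append((str(net), country.upper()))
    return entries, rejected


def find_mismatches(entries: List[Tuple[str, str]],
                    expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(prefix, claimed_country, expected_country) for every entry whose claim
    disagrees with the independent location; unknown prefixes are not judged."""
    mismatches: List[Tuple[str, str, str]] = []
    for prefix, claimed in entries:
        truth = expected.get(prefix)
        if truth is not None and truth != claimed:
            mismatches.append((prefix, claimed, truth))
    return mismatches


if __name__ == "__main__":
    parsed, bad = parse_geofeed(SAMPLE_FEED)
    print("rejected:", bad)
    for prefix, claimed, truth in find_mismatches(parsed, EXPECTED_COUNTRY):
        print(f"{prefix}: feed says {claimed}, evidence says {truth}")
```

Prefixes that appear only in the feed and not in the independent map are deliberately left unjudged, so a mismatch list is evidence of a contradiction rather than of missing data.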
More than 100,000 IP addresses
At the time of this writing the ecosystem of the “Evil Empire” includes a total of 20 ASNs that announce more than 300 network prefixes. The market value of owning these IP addresses is 5 MEUR. Leasing this volume of IP addresses has an approximate cost of 50,000 EUR/month.
We looked into the 300 network prefixes and the main Local Internet Registries that allocated the IP space and found four main suppliers:
- Network Management Ltd / IPV4MARKET (sc.netman/ru.ip4market)
- Axiom Services PTE. LTD (sg.axiom-asia). A newly created LIR that received large pools of IP space from Russian company OOO National Telecommunications (Infobox), now Rusonyx. Axiom is currently in strike-off phase in the company registry.
- OOO FREEnet Group (ru.freenet).
- CJSC Kolomna-Sviaz TV (ru.kstv) and Rost LLC (ru.rostllc). IP space transferred from Kolomna and Garantia.tv Group via two LIRs to Aeza.
- Onerinvestments (ru.mainacc). Company registered in Cyprus associated with Ivan Bulavkin and Igor Artemenko. The company is behind the SEO product Seopult (now Promopult).
- Sergey Aleksandrovich Miroshkin (ge.fast): Sergey A. Miroshkin, from sales at Foton Telecom CJSC, received the allocation 77.91.64{.}0/20 into his new LIR. The IP space was then allocated to Aeza, 1Cent (Netshield), DpkgSoft or Start Industries.
Freenet and Onerinvestments are also the main suppliers of IP space of Russian Fineproxy, a well-known bulletproof proxy provider.
ASN | ASN Name | IPv4 Addresses | Percentage of Total | Cost (EUR) |
---|---|---|---|---|
210644 | AEZA-AS | 47872 | 47.34% | 2393600.00 |
215540 | GCS-AS | 18688 | 18.48% | 934400.00 |
207713 | GIR-AS | 16384 | 16.20% | 819200.00 |
215590 | DPKGSOFT-AS | 7680 | 7.59% | 384000.00 |
216246 | RU-AEZA-AS | 2304 | 2.28% | 115200.00 |
216319 | SUNHOST-AS | 1536 | 1.52% | 76800.00 |
203727 | ALTAWK | 1280 | 1.27% | 64000.00 |
216309 | EVILEMPIRE-AS | 1280 | 1.27% | 64000.00 |
49418 | AS-NETSHIELD | 1280 | 1.27% | 64000.00 |
209224 | CYBERHUB-AS | 768 | 0.76% | 38400.00 |
210281 | WAICORE | 512 | 0.51% | 25600.00 |
215730 | H2NEXUS-AS | 512 | 0.51% | 25600.00 |
210352 | aezanet-as | 256 | 0.25% | 12800.00 |
206425 | WAI-AS | 256 | 0.25% | 12800.00 |
202973 | RIPENCC | 256 | 0.25% | 12800.00 |
215939 | MORNINGSTARS-AS | 256 | 0.25% | 12800.00 |
211409 | Galaxy-as | 0 | 0.00% | 0.00 |
204603 | PARTNER-AS | 0 | 0.00% | 0.00 |
199868 | DPKG-AS | 0 | 0.00% | 0.00 |
215443 | ECODE-AS | 0 | 0.00% | 0.00 |
LIR | Allocations | Receiver |
---|---|---|
ru.freenet | 10 | DpkgSoft |
ru.freenet | 14 | GIR |
ru.freenet | 15 | Aeza |
ru.freenet | 1 | Altawk |
ru.freenet | 1 | ServShell |
ru.freenet | 1 | WAIcore |
ru.freenet | 2 | Apex |
ru.freenet | 6 | PROXY6 |
ru.mainacc | 1 | GIR |
ru.mainacc | 1 | GIR |
ru.mainacc | 28 | GIR-PROXY6 |
sc.netman | 11 | Aeza |
sc.netman | 11 | AEZA |
sc.netman | 1 | Aliaksei |
sc.netman | 1 | CHROMIS |
sc.netman | 1 | TNSECURITY |
sc.netman | 1 | WAIcore |
sc.netman | 2 | H2NEXUS |
sg.axiom-asia | 1 | H2NEXUS |
sg.axiom-asia | 21 | Aeza |
ru.kstv | 8 | Aeza |
ru.dinet | 6 | Aeza |
A German upstream provider for F-domains
The most surprising part of our research was to find out that TNSECURITY seems to obtain upstream connectivity from German provider combahton/aurologic GmbH (AS30823), routed via ae1-core01.core04.ffm3.de.aurologic.net at Interxion Frankfurt.
TNSECURITY is not the only bulletproof host that uses aurologic in Germany as upstream: cluster members WAIHOSTING (AS210281) and ALTAWK (AS203727) also use Frankfurt for their upstreams while being geolocated in Sweden and Finland.
The physical infrastructure of TNSECURITY and ALTAWK is located in the Frankfurt area, at the Tornado Datacenter in Langen.
Combahton/Aurologic started business relationships in 2022 with different members of the network: WAI (2022-04-09), AEZA (2022-07-07), ALTAWK (2022-07-07), and since 2024 with all the ASNs distributing F-domains.
Aurologic has recently configured a new peering with WAICORE Hosting LTD, a company that is currently dissolved in the UK company registry. Like many of the ASNs of the Evil Empire ecosystem, the WAICORE HOSTING LTD ASN (AS210281) is currently announced behind the custom DDoS protection service Netshield.
An example of how one single ASN was frequently renamed can be found in AS202973 that in less than one year took nine different names: AS202973, L3-TRANSIT, LowPrice-Systems, Partner-As, PartnerLLC, PARTNER-LLC, Partner-LLC-AS, WAICORE or WAICORE-TRANSIT.
Netshield, a DDoS protection service
During 2023 two new ASNs, AS198981 and AS49418, started to establish peering agreements with carriers from Russia and Germany offering DDoS protection. The ASNs are associated with Netshield, yet another 71-75 Shelton Street UK-registered company, in the name of Ukrainian Pavlo Misiura (1998). The ASNs offer DDoS protection services from the non-working web pages netshield{.}ltd and netshield{.}pro.
The list of peers of the DDoS protection service includes:
Inetcom (AS35598)
VirtualDC (AS48108)
Castles (AS43278)
DDoS-Guard (AS49612)
StormWall (AS59796)
GlobalNet (AS31500)
CDN77/DataPacket (AS60068)
AUROLOGIC (AS30823)
IX_DATAIX (AS50952)
Soon after its creation, two dozen members joined the peering agreement. Some of the members provide protection to bulletproof hosting providers, such as AS210546, which runs waf{.}group and protects zerohost, Waicore or Dpkgsoft, all associated with the hosting of front proxies for disinformation.
REF: https://bgp.tools/as-set/RIPE::AS49418:AS-NETSHIELD
Tracing the origin of Evil Empire
EVILEMPIRE, which hosts a large part of the F-domains, was registered in September 2023 and associated with the UK-based legal entity Tnsecurity Ltd, registered a few days before, on 29 August 2023. The website of the company redirects to Tnsecurity{.}ca in Canada, an organization not associated with tnsecurity{.}ltd.
EVILEMPIRE used the e-mail address exoma{.}in as its contact address. Exoma (EXOMA-MNT) is solely associated with another member of the cluster, CYBERHUB INTERNATIONAL LTD (AS209224), linked to a second UK-based legal entity incorporated in July 2023.
The CYBERHUB organization object in the RIPE database was created by Renets-mnt, which uses the contact email Info@ru2w.ru.
Finally, ru2w{.}ru is associated with the online services salenames.ru, coloded.ru, deephost.pw and kvmka.ru. The domain ru2w{.}ru is used to serve geofeeds for the hosting providers Coloded LLC and Alex Host LLC.
Both Coloded LLC (ООО “КОЛОДЕД” ИНН 5040151580) and Alex Host LLC (ООО “АЛЕКС ГРУПП” ИНН 504010624866) are companies registered in the name of Fedorov Alexander Nikolaevich (1988).
The origin of TNSECURITY hosting service is traced back to Alex Group LLC in late July 2023.
TNSECURITY is closely connected to the bulletproof hosting provider Lethost.co and was the first bulletproof hosting provider created after the launch of Aeza International Ltd. After months of advertising a single network, in June 2024 TNSECURITY started to announce new IP space, but instead of using German Aurologic as upstream, the new networks are currently advertised via Aeza International Ltd. One of the networks was previously used by AS215939 in January 2024 to conduct targeted attacks against Ukrainian institutions.
F-domains – The Jigsaw
The following tables provide, at a glance, a timeline of the creation of three bulletproof hosting providers: Lethost, Zerohost and 1Centhost. The three hosting providers are closely connected through persons and infrastructure to Aeza Group and Aeza International.
We also show the list of all ASNs investigated.
Sponsoring-org | Name | ASN | ASN Name | Country |
---|---|---|---|---|
ORG-IML25-RIPE | (*) IP MARKET LLC | 202973 | AS202973 Partner LLC | RU |
ORG-IML25-RIPE | (*) IP MARKET LLC | 210352 | server4-as Partner LLC | RU |
ORG-IML25-RIPE | (*) IP MARKET LLC | 211409 | Galaxy-as Shelter LLC | RU |
ORG-IML25-RIPE | (*) IP MARKET LLC | 216246 | RU-AEZA-AS Aeza Group Ltd. | RU |
ORG-IML25-RIPE | (*) IP MARKET LLC | 216309 | EVILEMPIRE-AS TNSECURITY LTD | GB (NO SPONSOR) |
ORG-IML25-RIPE | (*) IP MARKET LLC | 215730 | H2NEXUS LTD | GB (added 20270723) |
ORG-NML10-RIPE | (*) Network Management Ltd -> (*) IP MARKET LLC | 216309 | EVILEMPIRE-AS TNSECURITY LTD | GB (NO SPONSOR) |
ORG-NML10-RIPE | (*) Network Management Ltd | 216319 | SUNHOST-AS CHROMIS IT LTD | SC (NO SPONSOR) |
ORG-AGL35-RIPE | kvmka / Alex Group LLC | 209224 | CYBERHUB-AS CYBERHUB INTERNATIONAL LTD | GB |
ORG-AGL35-RIPE | WAIcore Hosting | 210281 | WAIcore Hosting LTD | GB |
ORG-QL19-RIPE | QWARTA LLC | 210644 | AEZA-AS AEZA INTERNATIONAL LTD | GB |
ORG-PMAV1-RIPE | STK LLC Alexander Valerevich Mokhonko | 215590 | DpkgSoft International Limited | GB |
ORG-DNL17-RIPE | DIVERGENT NETWORKS LTD | 215443 | ECODE-AS (Edward Code) | GB |
ORG-AA2942-RIPE | Apex Universe Networks LTD | 215281 | Apex Universe Networks LTD (xorek/nuxtcloud) | GB |
ORG-QL19-RIPE | QWARTA LLC | 199868 | DpkgSoft Ru | RU |
ORG-PMAV1-RIPE | STK LLC, Alexander Valerevich Mokhonko | 49418 | NETSHIELD LTD | GB |
ORG-ZHL2-RIPE | Zappie Host LLC | 216127 | INTERNATIONAL HOSTING COMPANY LIMITED | GB |
ORG-CR158-RIPE | Sarah Rossius/SERVPERSO->Dynamic Network Technolodgies LLC (20240717) | 215939 | MORNINGSTARS-AS | BE |
ORG-CR158-RIPE | Sarah Rossius/SERVPERSO | 215428 | MYKYTASKOROB, UA | BE (NO SPONSOR) |
ORG-CR158-RIPE | Sarah Rossius/SERVPERSO | 203727 | ALTAWK Daniil Yevchenko, UA | BE (NO SPONSOR) |
ORG-CR158-RIPE | Sarah Rossius/SERVPERSO | 207957 | ServHost-AS | UA |
ORG-CR158-RIPE | Sarah Rossius/SERVPERSO | 206425 | WAI Aliaksei Bolbas BY | BE (NO SPONSOR) |
ORG-LT104-RIPE | LLC “Internet Tehnologii” | 204603 | PARTNER-AS AEZA GROUP LLC | RU |
ORG-LT104-RIPE | LLC “Internet Tehnologii” | 207713 | GIR-AS GLOBAL INTERNET SOLUTIONS LLC, RU | RU |
ORG-LT104-RIPE | LLC “Internet Tehnologii” | 215540 | GLOBAL CONNECTIVITY SOLUTIONS LLP, GB | GB |
ORG-IG165-RIPE | iFog-GmbH | 215826 | Partner-Hosting-LTD / ALTAGW | GB |
ORG-IG165-RIPE | iFog-GmbH | 34927 | iFog-GmbH, CH | CH |
ORG-CISU3-RIPE | Aurologic | 30823 | Aurologic GmbH | DE |
whois_date | domain |
---|---|
2021-10-04T17:28:31Z | aeza.net |
2022-04-01T12:08:36Z | lethost.co |
2022-05-10T11:23:36Z | zerohost.io |
2023-10-15T12:04:13.0Z | 1cent.host |
From date | To date | Record | IP address | ASN | ASN name |
---|---|---|---|---|---|
2022-04-17 | 2022-04-17 | ns1.aeza.net. | 194.26.229.0 | AS210644 | Aeza International Ltd |
2022-05-01 | 2024-06-24 | ns1.aeza.net. | 185.112.83.228 | AS210644 | Aeza International Ltd |
2022-05-08 | 2022-09-02 | ns1.lethost.co. | 193.124.22.21 | AS26383 | ASNET LV Latvia |
2022-05-08 | 2022-09-02 | ns2.lethost.co. | 193.124.22.21 | AS26383 | ASNET LV Latvia |
2022-05-14 | 2024-06-24 | ns1.aezadns.com. | 185.112.83.228 | AS210644 | Aeza International Ltd |
2022-05-14 | 2024-06-22 | ns1.aezadns.com. | 185.112.83.228 | AS210644 | Aeza International Ltd |
2022-06-01 | 2022-06-01 | ns1.aezadns.com. | 194.26.229.2 | AS210644 | Aeza International Ltd |
2022-08-10 | 2024-05-21 | ns1.lethost.network. | 185.112.83.228 | AS210644 | Aeza International Ltd |
2022-08-10 | 2024-05-21 | ns2.lethost.network. | 65.21.183.233 | AS24940 | Hetzner Online GmbH |
2022-08-15 | 2022-11-27 | ns2.aeza.net. | 65.21.183.233 | AS24940 | Hetzner Online GmbH |
2022-09-02 | 2022-09-28 | ns1.lethost.co. | 79.137.192.10 | AS210352 | AEZA Group LLC |
2022-09-02 | 2022-09-28 | ns2.lethost.co. | 79.137.192.10 | AS210352 | AEZA Group LLC |
2022-10-14 | 2022-10-14 | ns1.lethost.co. | 185.112.83.228 | AS210644 | Aeza International Ltd |
2022-10-14 | 2022-10-14 | ns2.lethost.co. | 65.21.183.233 | AS24940 | Hetzner Online GmbH |
2022-11-28 | 2024-06-24 | ns2.aeza.net. | 78.153.130.34 | AS210644 | Aeza International Ltd |
2023-03-18 | 2023-03-18 | ns2.k.aeza.net. | 85.192.56.0 | AS216246 | Aeza Group Ltd. |
2023-03-18 | 2023-03-18 | ns1.a.aeza.net. | 85.192.56.0 | AS216246 | Aeza Group Ltd. |
2023-08-01 | 2023-08-01 | ns1.i.aeza.net. | 85.192.56.1 | AS216246 | Aeza Group Ltd. |
2023-08-01 | 2023-08-01 | ns2.i.aeza.net. | 85.192.56.1 | AS216246 | Aeza Group Ltd. |
2023-10-15 | 2023-10-15 | 1cent.host. | 194.36.177.231 | AS210281 | WAIcore Hosting LTD. |
2024-05-11 | 2024-06-01 | ns2.lethost.org. | 65.21.183.233 | AS24940 | Hetzner Online GmbH |
2024-05-11 | 2024-06-01 | ns1.lethost.org. | 185.112.83.228 | AS210644 | Aeza International Ltd |
ASN | ASN Name | Creation date | Former names |
---|---|---|---|
AS44477 | STARK-INDUSTRIES | 2020-03-17T10:10:52Z | |
AS210644 | AEZA-AS | 2021-10-13T07:14:36Z | was aeza |
AS210352 | aezanet-as | 2021-12-16T14:22:25Z | was server4-as |
AS206425 | WAI-AS | 2022-04-04T14:39:10Z | was AliakseiB |
AS211409 | Galaxy-as | 2022-05-09T14:29:49Z | |
AS207713 | GIR-AS | 2022-05-24T11:13:15Z | |
AS204603 | PARTNER-AS | 2022-06-17T06:56:01Z | |
AS203727 | ALTAWK | 2022-07-25T13:30:41Z | |
AS202973 | Multiple-Names | 2022-09-06T08:34:35Z | was Waicore/Partner... |
AS199868 | DPKG-AS | 2023-02-14T14:01:42Z | was dpkg DPKGSOFT |
AS210281 | WAICORE | 2023-05-24T08:44:05Z | |
AS209224 | CYBERHUB-AS | 2023-07-31T09:46:59Z | |
AS216319 | SUNHOST-AS | 2023-09-11T13:23:58Z | was Chromis |
AS216309 | EVILEMPIRE-AS | 2023-09-13T14:02:20Z | was TNSECURITY-AS/LETHOST-AS |
AS216246 | RU-AEZA-AS | 2023-09-27T06:53:34Z | |
AS215939 | MORNINGSTARSLTD-AS | 2023-11-27T08:11:10Z | was WERNER-AS ValerySmoliar |
AS49418 | NETSHIELD-AS | 2023-12-29T14:01:03Z | was AS-NETSHIELD |
AS215730 | H2NEXUS-AS | 2024-01-11T15:08:54Z | was H2-AS |
AS215540 | GCS-AS | 2024-02-09T12:26:32Z | |
AS215443 | ECODE-AS | 2024-02-21T13:41:55Z | |
The F-domains providers
During May and June 2024 we analysed 1,500 F-domains. EVILEMPIRE accounts for more than half of them, but other providers (ASNs) also took part in the distribution:
- NETSHIELD (AS198981) – 1CENTHOST, with several F-proxies in 77.91.66{.}0/24
- SERVHOST SevasteevA (AS207957), with several F-proxies in 217.119.129{.}0/24
- NUXTCLOUD (AS216127), with an F-proxy at 185.78.76{.}42
- EVILEMPIRE – TNSECURITY (AS216309), with an F-proxy at 185.172.128{.}161
Key findings
These organizations play an important role in this part of the architecture:
- Hostinger (Lithuania) provides DNS services (DNS-PARKING) for the F-domains.
- Tnsecurity (United Kingdom), DpkgSoft (United Kingdom), MYKYTASKOROB, NETSHIELD, NUXTCLOUD and SERVHOST host the first-stage redirection services (F-domains).
- GIR/GCS (Russia) hosts first-stage redirection services (F-domains).
- Combahton/Aurologic (Germany) provides peering for Altawk, Waicore Hosting and Tnsecurity, and for all ASNs distributing F-domains. Combahton started its business relationship with WAI, AEZA and ALTAWK in 2022.
- Altawk (UA) provides bullet-proof hosting services geolocated in Finland and Sweden.
- LIR Servperso (Belgium) provides LIR services to Altawk, DpkgSoft and Morningstars Ltd.
- SiteMatrix LLC / Giant Panda (Puerto Rico) provides domain redirection through its Giant Panda service.
- AEZA and associates (GB/RU) provide hosting services (lethost{.}co).
- Network Management Ltd (CZ/RU) provides LIR services and IP leasing.
- Alex Host LLC (RU) provided LIR services for CYBERHUB and TNSECURITY.
The Intermediary domains (I)
The I-domains (stage 2) run on Express (Node.js). Each serves an obfuscated JavaScript file produced with the “Hunter” encoder; that script redirects the visitor to the Keitaro domains (stage 3). In the sample we examined, the variable R_PATH holds the redirection target, the Keitaro domain ggspace.space.
The vast majority of the I-domains are hosted at one single provider, BL Networks (GB)[51] (AS399629), which runs Bitlaunch.io, an infrastructure provider that accepts Bitcoin. BL Networks is registered in Wyoming as yet another company fronted by Registered Agents Inc.
Although the owners of BL Networks made a deliberate effort to remain anonymous, peering information for their infrastructure at psychz.net points to the UK company Liber Systems Ltd[52], run by PHILLIPS, Alan James[53] and MILLER, Jack Leslie[54]:
rwhois V-1.0,V-1.5:00090h:00 portal.psychz.net (Ubersmith RWhois Server V-4.6.1)
autharea=108.181.66.0/23
xautharea=108.181.66.0/23
network:Class-Name:network
network:Auth-Area:108.181.66.0/23
network:ID:NET-181685.108.181.67.104/30
network:Network-Name:108.181.67.104/30
network:IP-Network:108.181.67.104/30
network:IP-Network-Block:108.181.67.104 – 108.181.67.107
network:Org-Name:Liber Systems Ltd
network:Street-Address:Kemp House, 152-160 City Road
network:City:London
network:State:London
network:Postal-Code:EC1V 2NX
Routing information from the Tier-1 provider Level3 also shows that the BL Networks route is in fact allocated to the legal entity Liber Systems Ltd.
Although at the time of writing the intermediary domains are hosted inside BL Networks (Blnwx), they have been moved frequently between hosting providers, including Hostinger, GIR, AEZA and SCALAXY/3NT Solutions/ISPRIA.
Key findings
- BL Networks/Liber System Ltd (GB) hosts the intermediary I-domains.
- In the past BL Networks has been flagged as hosting command and control for Lorenz ransomware[55] and Cobalt Strike[56].
The Keitaro domains (KE)
After the two initial redirects (F and I), the traffic arrives at a very small set of domains on a Hetzner VPS at 65.108.158{.}243:
cheekss[.]click
ggspace[.]space
gooddefr[.]com
sdgqaef[.]site
On this server, Keitaro, an advertisement tracking (TDS) software from the Estonian company Apliteni[57], drives each request to the correct hidden Doppelganger server. Keitaro is responsible for redirecting the visitor to the final Doppelganger clone website and article, and for serving it only from specific geolocations.
For example, the Intermediary domains will make a request to the Keitaro server of the form:
https://sdgqaef.site/DE-29-01_rrn? return=js.client& se_referrer=...& default_keyword=...& landing_url=...& name=...& host=https%3A%2F%2Fsdgqaef.site& sub_id=..._sub_id& token=..._token
In this example the path component “DE-29-01_rrn” acts as a redirection key inside Keitaro that determines which media outlet is cloned and from which location the content is made available.
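As an added example (not code from the Qurium report), the following Python scans constructed proxy log lines for requests of the shape quoted above. It keys on the Keitaro `return=js.client` / `host` / `sub_id` / `token` parameter set rather than only on the four domains, so it still fires when the KE domain rotates, and it marks which hits land on the domains listed in this report. The log line format, the sample lines and the split of the redirection key into a country code plus two numeric identifiers are assumptions made for the example.

```python
"""Flag Keitaro-style stage-3 (KE) click requests in web proxy logs.

Added example, not code from the Qurium report. It models the request shape
quoted above: https://<KE-domain>/<KEY>?return=js.client&...&host=...&sub_id=...&token=...
The log line format is constructed for the example, and the split of the key
into country code plus two numeric identifiers is an assumption: the report only
says the key selects which media is cloned and from which location.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# KE domains named in the report, all served from the same Hetzner VPS
KE_DOMAINS = {"cheekss.click", "ggspace.space", "gooddefr.com", "sdgqaef.site"}

# Query parameters that together mark a Keitaro "js.client" click request
KEITARO_PARAMS = {"return", "host", "sub_id", "token"}

# Assumed key layout: <country>-<id>-<id>_<tag>, e.g. DE-29-01_rrn
KEY_RE = re.compile(r"^(?P<cc>[A-Z]{2})-(?P<a>\d+)-(?P<b>\d+)_(?P<tag>\w+)$")


@dataclass
class Detection:
    src: str                 # client address from the log line
    host: str                # KE domain contacted
    key: str                 # Keitaro redirection key (URL path)
    country: Optional[str]   # country code parsed from the key, if the layout matched
    known_ke_domain: bool    # host is one of the four domains listed in the report


def parse_keitaro_url(url: str) -> Optional[Tuple[str, str, Dict[str, List[str]]]]:
    """Return (host, key, params) when `url` looks like a Keitaro js.client call, else None."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return None
    params = parse_qs(parts.query)          # blank values (se_referrer= ...) are dropped
    if params.get("return") != ["js.client"] or not KEITARO_PARAMS.issubset(params):
        return None
    key = parts.path.strip("/")
    return (parts.hostname, key, params) if key else None


def scan_log(lines: Iterable[str]) -> List[Detection]:
    """Scan constructed 'src_ip METHOD url' proxy log lines for KE click requests."""
    found = []
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        src, _method, url = fields
        parsed = parse_keitaro_url(url)
        if parsed is None:
            continue
        host, key, _params = parsed
        m = KEY_RE.match(key)
        found.append(Detection(src, host, key, m.group("cc") if m else None, host in KE_DOMAINS))
    return found


# Constructed sample log (not captured traffic). Line 1 mirrors the request quoted above,
# line 2 uses a placeholder domain to show detection by request shape alone, line 3 is benign.
SAMPLE_LOG = [
    "10.0.0.7 GET https://sdgqaef.site/DE-29-01_rrn?return=js.client&se_referrer=&default_keyword=&landing_url=&name=&host=https%3A%2F%2Fsdgqaef.site&sub_id=x_sub_id&token=x_token",
    "10.0.0.9 GET https://unknown.example/FR-12-03_rrn?return=js.client&host=https%3A%2F%2Funknown.example&sub_id=s&token=t",
    "10.0.0.9 GET https://example.org/index.html",
]

if __name__ == "__main__":
    for d in scan_log(SAMPLE_LOG):
        print(d)
```

The shape-based match is deliberately independent of the domain list: the second sample line hits a domain the report never mentions and is still flagged, while `known_ke_domain` tells the analyst whether the hit is already attributable to the infrastructure described here.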
Key findings
- Keitaro software from the Estonian company Apliteni[58] is used to drive traffic to the final destination and to provide geofencing.
- The Keitaro instance runs four different domains in a VPS in Hetzner in Finland (Hetzner Data Center Park, Tuusula)
The Doppelganger domains (D)
Finally, we have discovered the hidden hosting location of several fake websites promoted during the last month through the FIKED chain on X (Twitter). The websites are hosted at two providers: Shinjiru Technology Sdn Bhd in Malaysia and Hostinger in Singapore. Hostinger also provides the centralised DNS for the D-domains.
Country | Provider | Domain |
---|---|---|
MY | Shinjiru Technology Sdn Bhd | faz.ltd |
MY | Shinjiru Technology Sdn Bhd | fox-news.top |
MY | Shinjiru Technology Sdn Bhd | fox-news.in |
MY | Shinjiru Technology Sdn Bhd | leparisien.re |
MY | Shinjiru Technology Sdn Bhd | obozrevatel.ltd |
MY | Shinjiru Technology Sdn Bhd | rbk.media |
MY | Shinjiru Technology Sdn Bhd | spiegel.ltd |
MY | Shinjiru Technology Sdn Bhd | sueddeutsche.ltd |
MY | Shinjiru Technology Sdn Bhd | unian.pm |
MY | Shinjiru Technology Sdn Bhd | washingtonpost.pm |
MY | Shinjiru Technology Sdn Bhd | lemonde.ltd |
SG | AS-HOSTINGER | news.walla.re |
SG | AS-HOSTINGER | theliberal.in |
Key findings
- The fake websites are hosted at Shinjiru Technology Sdn Bhd (MY) and Hostinger (SG).
Cybercrime and disinformation
What is hosted at Evil Empire alongside the disinformation domains?
URLhaus[59] gives a good overview of the activity seen in the 185.172.128{.}0/24 prefix.
The malware families found there include Stealc[60], Amadey[61], zgRAT/AgentTesla[62], Glupteba[63], RaccoonStealer[64], RiseProStealer[65], RedLineStealer[66], RevengeRAT[67], Lumma[68] and others.
More information about the hosted malware can be found in the Gi7w0rm[69] repository. The network of partners associated with Aeza, which includes Evilempire/Tnsecurity, is closely tied to the distribution[70] of several malware families, among them Raccoon and Aurora Stealer[71].
Targeted malware distribution
During June 2024 the domain davepz{.}top moved from the Netshield/1CentHost address 77.91.66{.}45 to 185.172.128{.}161, the main IP address used to serve F-domains. In late June the URL y5l.davepz{.}top/qjt was serving the malware archive PAX_AKT_11_06_2024p.zip fetched from the domain ukr-net-files-download-redirection-manager-ukr-net{.}ru:
3254530cabb943d9093562add069136 PAX_AKT_11_06_2024p.zip
76f055abb7830f6bbfe50b60b3377779 АктЗвiркиФГUA213225400000026009101095964.pdf.hta
76f055abb7830f6bbfe50b60b3377779 Платiжна_iнструкцiяФГ4712вiд_11_06_2024р.pdf.hta
The malware, hidden inside invoices found on a Ukrainian accounting website (note the .pdf.hta double extensions), delivered SmokeLoader. Ukraine’s computer emergency response team, CERT-UA, tracks the group behind this SmokeLoader activity as UAC-0006.
This is just one example showing how the first-stage proxies used to distribute Doppelganger also serve as a traffic distribution system (TDS) for other malicious campaigns.
The supply chain
Stage | Country | Company | Contacts | Service |
---|---|---|---|---|
F | LT Lithuania | Hostinger | Arnas Stuopelis Daugirdas Jankus | DNS services for F-Domains |
F | GB United Kingdom | Tnsecurity / Evilempire | “Dorector” ANASTASIJA, Berezina | Hosts first stage redirection |
F | DE Germany | Combahton / Aurologic, Tornado Datacenter in Langen | Joseph Maximilian Hofmann, Michael Phillipp Sattel | Provides peering and co-hosting to Aeza Intl and Tnsecurity |
F | PR Puerto Rico | Sitematrix LLC/Giant Panda | Rick Latona | Provides Domain Redirections |
F | RU/SC | IP4MARKET Network Management Ltd | - - - | Provides network resources and owner anonymity |
F | RU | AEZA Group MSK.Host Lethost.co Zerohost | Bozoyan Yuriy Meruzhanovich Aristarkhova Ekaterina Sergeevna Arseny Alexandrovych Penzev Bozoyan Yury Meruzhanovych | Provides bullet proof hosting |
F | RU | AlexHost LLC | Fedorov Alexander Nikolaevich | Provides LIR services (anonymity) |
F | RU | DpkgSoft LLC/1CentHost | Edward Ilin | Provides bullet-proof hosting |
F | RU | GIR/GCS/4Services | Marinko Evgeni Valentinovich | Provides bullet-proof hosting F-domains |
F | BE | SERVPERSO | Sarah Rossius | Provides LIR services |
I | GB | BL Networks Liber Systems | PHILLIPS Alan James MILLER Jack Leslie | Provides I-domains |
KE | EE/RU | Keitaro/Apliteni OU | Artur Sabirov | Provides KE-domains |
KE | DE/FI | Hetzner | Martin Hetzner Joonas Terhivuo (FI) | Provides KE Hosting |
D | MY/SG/LT | Shinjiru Technology Sdn Bhd (Piradius) Hostinger | Terence Choong | Provides D Hosting |
APPENDICES
AS number 207713
aut-num: AS207713
person: Evgenii M.
address: Russian Federation
phone: +7 (978) 643-46-76
remarks: -----info-----
remarks: abuse: abuse@gir.network
remarks: support: support@gir.network
domain: 4SERVER.SU
nserver: ed.ns.cloudflare.com.
nserver: gina.ns.cloudflare.com.
e-mail: dimetr801@mail.ru
registrar: REGRU-SU
created: 2019-06-22T21:37:50Z
paid-till: 2020-06-22T21:37:50Z
domain: 4DEDIC.SU
nserver: ed.ns.cloudflare.com.
nserver: gina.ns.cloudflare.com.
e-mail: admin@4server.su
registrar: REGRU-SU
created: 2020-08-13T14:33:51Z
paid-till: 2024-08-13T14:33:51Z
domain: 4VPS.SU
nserver: paloma.ns.cloudflare.com.
nserver: quinton.ns.cloudflare.com.
e-mail: support@gir.network
registrar: REGRU-SU
created: 2023-01-10T10:17:11Z
paid-till: 2025-01-10T10:17:11Z
Online resilience by moving network prefixes
Our research found that several network prefixes are frequently exchanged between providers, and that those prefixes are known to operate malware and ransomware and, in the case of TNSECURITY, to host disinformation infrastructure.
Reviewing the peering agreements of EVILEMPIRE-TNSECURITY, we find two large groups of providers clustered under the AS-SETs AS-AEZA and AS-WAICORE:
aut-num: AS216309
as-name: EVILEMPIRE-AS
org: ORG-TL874-RIPE
sponsoring-org: ORG-IML25-RIPE
import: from AS210644 accept ANY (AEZA INTERNATIONAL)
export: to AS210644 announce AS216309
import: from AS59796 accept ANY (StormWall s.r.o.)
export: to AS59796 announce AS216309
import: from AS210281 accept ANY (WAIcore Hosting LTD)
export: to AS210281 announce AS216309
import: from AS30823 accept ANY (aurologic GmbH)
export: to AS30823 announce AS216309
import: from AS-AEZA accept ANY
export: to AS-AEZA announce AS216309
In AS-AEZA we find:
AS202973 AS202973 Partner (blablabla)
AS204603 PARTNER-AS AEZA GROUP
AS206425 WAI-AS Aliaksei Bolbas, BY
AS207713 GIR-AS GLOBAL INTERNET SOLUTIONS
AS210352 server4-as Partner (blablabla)
AS210644 AEZA-AS AEZA INTERNATIONAL LTD, GB
AS211409 Galaxy-as Shelter
AS216246 RU-AEZA-AS Aeza Group Ltd., RU
AS216319 SUNHOST-AS CHROMIS IT LTD, GB
AS51538 tekcom Lavrentyev Alkesandr Arkadievich, RU
and in AS-WAICORE:
(*)AS209224 CYBERHUB INTERNATIONAL LTD (Anton Afanasev 2000)
(*)AS206425 Aliaksei Bolbas (Aliaksei Bolbas 2004)
(*)AS210281 WAIcore Hosting LTD. (Aliaksei Bolbas 2004)
(*)AS199868 DpkgSoft Computers, Ltd. - Ilyin Eduard Alekseevich
AS203727 Daniil Yevchenko, Altawk[72]
AS210644 AEZA INTERNATIONAL LTD (Kazakh Marat Timurov 1999)
AS59796 StormWall s.r.o.
AS202973 Partner LLC
AS216309 TNSECURITY LTD
AS199417 Oleksii Namiatov
AS30823 aurologic GmbH
AS60068 Datacamp Limited (CDN77 / DataPacket)
AS174 Cogent Communications
(*) 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Threat intelligence suppliers often suggest blocking an entire autonomous system once large-scale malicious activity has been detected in the prefixes it advertises.
Autonomous systems that host malware, phishing or other forms of cybercrime and do not address abuse reports end up on blocklists that Internet providers use to keep such traffic away from their online services.
Malicious actors make sure their IP networks remain usable by transferring them to a friendly autonomous system. The origin history of 5.42.64.0/22 shows the same /22 moving between AEZA INTERNATIONAL, AEZA GROUP and Partner LLC and back again:
5.42.64.0/22|210644|210644 AEZA-AS AEZA INTERNATIONAL LTD, GB
5.42.64.0/22|204603|204603 PARTNER-AS AEZA GROUP LLC, RU
5.42.64.0/22|210352|210352 server4-as Partner LLC, RU
5.42.64.0/22|210644|210644 AEZA-AS AEZA INTERNATIONAL LTD, GB
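An added example (not code from the Qurium report) that ties the two AS-SET lists above to the prefix moves just shown. It parses the import lines of the aut-num object for AS216309, expands the cluster of related ASNs from the AS-AEZA and AS-WAICORE memberships listed above, and then replays a dated origin history for 5.42.64.0/22 to show which prefixes an ASN-only block would miss. The AS-SET memberships are copied from the lists above; the exclusion of transit ASNs from the cluster, the observation dates and the RFC 5737 control prefix are assumptions of the example.

```python
"""Expand an AS's peering policy into a cluster of related ASNs and track
prefixes that move between cluster members.

Added example, not code from the Qurium report. The aut-num excerpt and the
AS-SET membership are taken from the listings above (upstream transit ASNs are
kept out of the cluster, a choice made here); the dated origin observations
for 5.42.64.0/22 are constructed, the report lists the moves without dates.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# aut-num excerpt as shown above (parenthesised comments removed)
AUT_NUM = """\
aut-num: AS216309
as-name: EVILEMPIRE-AS
import: from AS210644 accept ANY
export: to AS210644 announce AS216309
import: from AS59796 accept ANY
export: to AS59796 announce AS216309
import: from AS210281 accept ANY
export: to AS210281 announce AS216309
import: from AS30823 accept ANY
export: to AS30823 announce AS216309
import: from AS-AEZA accept ANY
export: to AS-AEZA announce AS216309
"""

# AS-SET members as listed above
AS_SETS: Dict[str, Set[int]] = {
    "AS-AEZA": {202973, 204603, 206425, 207713, 210352, 210644, 211409, 216246, 216319, 51538},
    "AS-WAICORE": {209224, 206425, 210281, 199868, 203727, 210644, 59796, 202973, 216309, 199417},
}
# Transit providers that also appear in the sets; excluded so the cluster only holds the hosters
UPSTREAMS = {30823, 60068, 174, 59796}

IMPORT_RE = re.compile(r"^import:\s+from\s+(AS[\w-]+)\s+accept", re.M)


def parse_imports(rpsl: str) -> Set[str]:
    """Names (ASNs or AS-SETs) this aut-num accepts routes from, i.e. its transit and peers."""
    return set(IMPORT_RE.findall(rpsl))


def cluster(seed_set: str, as_sets: Dict[str, Set[int]] = AS_SETS) -> Set[int]:
    """Transitively merge every AS-SET that shares a member with `seed_set`."""
    members = set(as_sets[seed_set])
    changed = True
    while changed:
        changed = False
        for asns in as_sets.values():
            if asns & members and not asns <= members:
                members |= asns
                changed = True
    return members - UPSTREAMS


def prefix_moves(observations: Iterable[Tuple[str, str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Collapse dated (date, prefix, origin_asn) observations into the points where
    the origin ASN of each prefix changed."""
    history = defaultdict(list)
    for date, prefix, asn in sorted(observations):
        h = history[prefix]
        if not h or h[-1][1] != asn:
            h.append((date, asn))
    return dict(history)


def escaped_prefixes(moves: Dict[str, List[Tuple[str, int]]], blocked_asns: Set[int]) -> Set[str]:
    """Prefixes once originated by a blocked ASN but currently originated elsewhere:
    an ASN-level block no longer covers them and a prefix-level rule is needed."""
    return {p for p, h in moves.items()
            if h[-1][1] not in blocked_asns and any(a in blocked_asns for _, a in h)}


def intra_cluster_moves(moves: Dict[str, List[Tuple[str, int]]], members: Set[int]) -> Set[str]:
    """Prefixes whose every observed origin lies inside the cluster: the prefix is
    being shuffled among friendly ASNs rather than sold to an unrelated network."""
    return {p for p, h in moves.items() if len(h) > 1 and all(a in members for _, a in h)}


# Constructed observation timeline; the 5.42.64.0/22 origins follow the sequence shown above,
# 192.0.2.0/24 is an RFC 5737 documentation prefix used as a control
OBSERVATIONS = [
    ("2023-01-01", "5.42.64.0/22", 210644),
    ("2023-06-01", "5.42.64.0/22", 204603),
    ("2023-10-01", "5.42.64.0/22", 210352),
    ("2024-03-01", "5.42.64.0/22", 210644),
    ("2024-03-01", "192.0.2.0/24", 216309),
    ("2024-05-01", "192.0.2.0/24", 216309),
]

if __name__ == "__main__":
    members = cluster("AS-AEZA")
    moves = prefix_moves(OBSERVATIONS)
    print("AS216309 imports from:", sorted(parse_imports(AUT_NUM)))
    print("cluster size:", len(members))
    print("escaped an AS204603-only block:", escaped_prefixes(moves, {204603}))
    print("intra-cluster moves:", intra_cluster_moves(moves, members))
```

The point of the cluster step is that a block on one AS number is only as good as the actor's willingness to keep the prefix there; a rule that follows the prefix, or the whole expanded AS-SET, survives the re-origination that the 5.42.64.0/22 history illustrates.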
Lethost VPS
The following table shows the locations of the Lethost VPSs (March 2024).
Country | City | Org | Net | Upstream-Level2 name | Names |
---|---|---|---|---|---|
Austria AT | Vienna | ADCDATA.COM huize-telecom | huize-telecom | 135330 ADCDATACOM-AS-AP ADCDATA.COM, HK | ns3. ns4. web.au. web.at. |
Austria AT | Vienna | AEZA-AS Aeza-Network | Aeza-Network | 60068 CDN77 Datacamp Limited, GB | web.au. ns3. ns4. |
Austria AT | Vienna | GIR-AS NET-134 | NET-134 | 44477 STARK-INDUSTRIES STARK INDUSTRIES SOLUTIONS LTD, GB | web.at. ns4. ns3. at1. at2. |
Finland FI | Helsinki | HETZNER-AS CLOUD-HEL1 | CLOUD-HEL1 | 24940 HETZNER-AS Hetzner Online GmbH, DE | ns2. |
Germany DE | Mauern | GIR-AS inettech-311022 | inettech-311022 | 44477 STARK-INDUSTRIES STARK INDUSTRIES SOLUTIONS LTD, GB | web.fi. fi2. fi1. |
Germany DE | Kassel | GIR-AS NET-133 | NET-133 | 44477 STARK-INDUSTRIES STARK INDUSTRIES SOLUTIONS LTD, GB | web.de. de1. de2. |
Germany DE | Frankfurt am Main | yy-as server21-v4 | server21-v4 | 35196 IH-TRANSIT-AS Network Management Ltd, SC | web.de2. de3. de4. de1. de2. web.de. |
Netherlands NL | Amsterdam | Cloudflare, Inc. Cloudflare, Inc. | CLOUDFLARENET | 3257 GTT-BACKBONE GTT Communications Inc., US | my. lethost.co. |
Netherlands NL | Amsterdam | GIR-AS Internet_Technologies | Internet_Technologies | 44477 STARK-INDUSTRIES STARK INDUSTRIES SOLUTIONS LTD, GB | web.nl. nl1. nl2. |
Poland PL | Warsaw | Baxet Group Inc. BG-NETWORK | BG-NETWORK | 56630 MELBICOM-EU-AS Melbikomas UAB, LT | ns1. ns2. web.ru. |
Poland PL | Warsaw | Baxet Group Inc. BG-NETWORK | BG-NETWORK | 56630 MELBICOM-EU-AS Melbikomas UAB, LT | bill. |
Poland PL | Warsaw | SUNHOST-AS NNHOST-NL | NNHOST-NL | 216246 RU-AEZA-AS Aeza Group Ltd., RU | web.sw. web.se. se1. se2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | nl2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | lethost.co. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | my. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | de1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | de1. ru2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | nl1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | my. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | at2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | at1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | ru1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | at1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | at1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | fi2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | ru1. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | ru2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | de2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | at2. |
Russian RU | Moscow | AS-REGRU RU-REGRU-940712 | RU-REGRU-940712 | 39134 UNITEDNET EDINAYA SET LIMITED LIABILITY COMPANY, RU | nl1. |
Russian RU | Rostov-na-Donu | DDOS-GUARD RU-LLCDDOS-GUARD-20151201 | RU-LLCDDOS-GUARD-20151201 | 57724 DDOS-GUARD DDOS-GUARD LTD, RU | web.ru. |
Russian RU | Rostov-na-Donu | DDOS-GUARD RU-LLCDDOS-GUARD-20151201 | RU-LLCDDOS-GUARD-20151201 | 57724 DDOS-GUARD DDOS-GUARD LTD, RU | my. lethost.co. |
Russian RU | Rostov-na-Donu | DDOS-GUARD RU-LLCDDOS-GUARD-20151201 | RU-LLCDDOS-GUARD-20151201 | 57724 DDOS-GUARD DDOS-GUARD LTD, RU | my. |
Russian RU | Rostov-na-Donu | DDOS-GUARD RU-LLCDDOS-GUARD-20151201 | RU-LLCDDOS-GUARD-20151201 | 57724 DDOS-GUARD DDOS-GUARD LTD, RU | vm. |
Russian RU | Pangody | EVILEMPIRE-AS EVILEMPIRE-MNT | EVILEMPIRE-MNT | 30823 AUROLOGIC aurologic GmbH, DE | de1. de2. web.de. web.de-epyc. |
Russian RU | Moscow | HLL-AS Obshchestvo s ogranichennoy otvetstvennostyu Oblachnii Technologii | QRATOR-22257 | 197068 QRATOR HLL LLC, RU | lethost.co. |
Russian RU | Moscow | RU-AEZA-AS AEZAGROUP | AEZAGROUP | 216246 RU-AEZA-AS Aeza Group Ltd., RU | bill. |
Russian RU | Moscow | RU-AEZA-AS aeza-net-4 | aeza-net-4 | 216246 RU-AEZA-AS Aeza Group Ltd., RU | my. lethost.co. |
Russian RU | Moscow | RU-AEZA-AS aeza-net-6 | aeza-net-6 | 216246 RU-AEZA-AS Aeza Group Ltd., RU | ns1. |
Russian RU | Moscow | server4-as AEZA GROUP Ltd | NL-AEZA-NETWORK | 216246 RU-AEZA-AS Aeza Group Ltd., RU | ns1. ns2. web.ru. ru1. ru2. |
Russian RU | Moscow | server4-as AEZA GROUP Ltd | NL-AEZA-NETWORK | 216246 RU-AEZA-AS Aeza Group Ltd., RU | my. |
Russian RU | Moscow | server4-as Lethost-LLC | Lethost-LLC | 210644 AEZA-AS AEZA INTERNATIONAL LTD, GB | at1. at2. web.at. |
Russian RU | Moscow | server4-as Lethost-LLC | Lethost-LLC | 210644 AEZA-AS AEZA INTERNATIONAL LTD, GB | web.nl. nl2. nl1. |
Russian RU | Moscow | server4-as Lethost-LLC | Lethost-LLC | 210644 AEZA-AS AEZA INTERNATIONAL LTD, GB | fi2. fi1. web.fi. |
Russian RU | Moscow | server4-as Lethost-LLC | Lethost-LLC | 210644 AEZA-AS AEZA INTERNATIONAL LTD, GB | web.se. se1. se2. |
Russian RU | Moscow | server4-as Lethost-LLC | Lethost-LLC | 210644 AEZA-AS AEZA INTERNATIONAL LTD, GB | web.fr. fr1. fr2. |
United States of America US | San Francisco | Cloudflare, Inc. Cloudflare, Inc. | CLOUDFLARENET | 1299 TWELVE99 Arelion Sweden AB, SE | my. |
United States of America US | San Francisco | Cloudflare, Inc. Cloudflare, Inc. | CLOUDFLARENET | 1299 TWELVE99 Arelion Sweden AB, SE | my. |
United States of America US | San Francisco | Cloudflare, Inc. Cloudflare, Inc. | CLOUDFLARENET | 1299 TWELVE99 Arelion Sweden AB, SE | lethost.co. my. |
United States of America US | San Francisco | Cloudflare, Inc. Cloudflare, Inc. | CLOUDFLARENET | 1299 TWELVE99 Arelion Sweden AB, SE | lethost.co. my. |
Acknowledgments
This investigation was possible thanks to access to thousands of domain names distributed on social media by Doppelganger. During the past six months we have received daily updates from the “Antibot4Navalny” collective, which tracks Russia-related influence operations on X, formerly known as Twitter. Since January 2024 the “Antibot4Navalny” collective has been one of our main data sources for tracking Doppelganger domains.
We also want to thank the members of the “Doppelganger Working Group”, with whom we share our commitment to exposing the disinformation supply chain. Thanks to EU DisinfoLab for opening many doors; you are really “A vibrant home for disinformation activists and experts”.
Media Coverage
Le Monde (France) Comment un même écosystème nourrit campagnes de désinformation et cybercriminalité [11/7/24]
Correctiv (Germany) Inside Doppelgänger – Wie Russland EU-Firmen für seine Propaganda nutzt [11/7/24]
EU Disinfo Lab (Belgium) Yet more evidence of Russia’s boundless impunity to spread misinformation in the EU [11/7/24]
The Insider (Russia) В работу кремлевской сети ботов Doppelgänger вовлечены европейские компании — расследование [11/7/24]
La Marea (Spain) “Doppelgänger”, la maquinaria de desinformación rusa, sigue activa a través de varias empresas europeas [11/7/24]
DayFR Euro (France) How the same ecosystem fuels disinformation campaigns and cybercrime [11/7/24]
Footnotes
1. https://en.wiktionary.org/wiki/fician#Old_English
2. https://urlhaus.abuse.ch/asn/216309/
3. https://urlhaus.abuse.ch/asn/216309/
4. https://urlscan.io/result/48fbf821-33da-4d52-95c9-49e59b43a51e/
5. https://find-and-update.company-information.service.gov.uk/company/15103352
6. https://www.virustotal.com/gui/file/090e8d8376224c845817f5d635bb8e6021d33c2960cb6c12c7acfb913eee9093/details
7. https://www.virustotal.com/gui/file/d28582d2173ea756d0e1205058b2d6b24f83b56e435363ffc43cc8d136b17238/detection
8. https://find-and-update.company-information.service.gov.uk/officers/J0hg9FZ52KaXDLCmUtIikmLwJnU/appointments
9. https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf
10. https://en.wikipedia.org/wiki/Gamaredon
11. https://medium.com/@danchodanchev/dancho-danchevs-round-up-of-russia-based-high-profile-ransomware-cybercriminals-ed1bf5a38b8f
12. https://find-and-update.company-information.service.gov.uk/company/OC450701/officers
13. https://mipped.com/f/threads/4domains-su-registracija-domennyx-imen-200-zon-anonimno.134826/
14. https://www.youtube.com/@STUDENT52ful
15. https://www.rusprofile.ru/person/mamontova-oa-773113011740
16. https://bgp.tools/as-set/RIPE::as-waicore
17. https://www.qurium.org/wp-content/uploads/2024/02/AS-AEZA.evol_.txt
18. https://www.qurium.org/wp-content/uploads/2024/02/AS-WAICORE.evol_.txt
19. https://find-and-update.company-information.service.gov.uk/company/15109642/officers
20. https://www.rusprofile.ru/id/1217800095248
21. https://www.rusprofile.ru/id/1217800048795
22. https://www.rusprofile.ru/person/aristarkhova-es-504910931806
23. https://www.rusprofile.ru/id/1225000043476
24. https://www.rusprofile.ru/id/1225000043476
25. https://cracked.io/Thread-LetHost-co-Best-BulletProof-Hosting
26. https://check.spamhaus.org/sbl/listings/lethost.co/
27. https://radar.qrator.net/as/210644/ipv4/neighbors/customers?from=2022-01-27&until=2024-06-12&p=1
28. https://urlscan.io/result/48fbf821-33da-4d52-95c9-49e59b43a51e/
29. https://www.rusprofile.ru/id/7278820
30. https://www.rusprofile.ru/id/1237700915407
31. https://www.youtube.com/watch?v=X-vRYovZ15c
32. https://github.com/mraliscoder/aeza-lg
33. https://ipinfo.io/AS216309/185.172.128.0/24
34. https://ipinfo.io/AS30823
35. https://cert.gov.ua/article/6277063
36. https://urlscan.io/result/c43dda11-5e65-4aa2-8b83-6459c543a564/
37. https://www.rusprofile.ru/person/mamontova-oa-773113011740
38. https://suite.endole.co.uk/insight/company/15102301-chromis-it-ltd
39. https://zachestnyibiznes.ru/company/ul/1057749035420_7709643678_OOO-MEDIASERVISPLYuS
40. https://www.rusprofile.ru/person/mamontova-oa-773113011740
41. https://www.rusprofile.ru/person/mamontova-oa-773113011740
42. https://zachestnyibiznes.ru/company/ul/1057749035420_7709643678_OOO-MEDIASERVISPLYuS
43. https://www.qurium.org/weaponizing-proxy-and-vpn-providers/fineproxy-rayobyte/
44. https://ipinfo.io/AS216309/185.172.128.0/24
45. https://ipinfo.io/AS30823
46. https://wiki.combahton.net/network.html
47. https://www.northdata.com/Tornado+Datacenter+GmbH+%26+Co.+KG,+Langen/Amtsgericht+Offenbach+am+Main+HRA+43241
48. https://bgp.tools/as-set/RIPE::AS49418:AS-NETSHIELD
49. https://find-and-update.company-information.service.gov.uk/company/15103352
50. https://find-and-update.company-information.service.gov.uk/company/15027462
51. https://opencorporates.com/companies/us_wy/2019-000883496
52. https://find-and-update.company-information.service.gov.uk/company/11405895/officers
53. https://find-and-update.company-information.service.gov.uk/officers/F9h1dVNueMhOoKpBrgidMw8a0js/appointments
54. https://find-and-update.company-information.service.gov.uk/officers/QPmWFei5q_IR_tZgyQO0x0opEAA/appointments
55. https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
56. https://www.recordedfuture.com/blog/2022-adversary-infrastructure-report
57. https://www.inforegister.ee/en/14296961-APLITENI-OU
58. https://www.inforegister.ee/en/14296961-APLITENI-OU
59. https://urlhaus.abuse.ch/asn/216309/
60. https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
61. https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
62. https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
63. https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
64. https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon
65. https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro
66. https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
67. https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat
68. https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
69. https://github.com/Gi7w0rm/MalwareConfigLists
70. https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Aurora_Stealer/csv/Aurora_2023-03-30_19-39-39.csv
71. https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer
72. https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat