Krebs on Security

JUNE 21, 2023

ru , which for many years was a place to download pirated e-books. ru was originally registered to a Sergey U Purtov. ru and thelibrary[.]ru ru , both of which were registered to a Sergey Y Purtov. antivirusxp09[.]com). One of the domains registered in 2006 to the address unforgiven57@mail.ru was thelib[.]ru

Malware 208

Malware Antivirus Cybercrime Hacking 208

Krebs on Security

MARCH 10, 2020

ru — wasn’t working at the time. ru , a cybercrime forum in its own right that called itself “ The Antichat Mafia.” .” In another thread from June 2019, an Antichat user asks if anyone has heard from Isis recently, and Isis pops up a day later to inquire what he wants. Image courtesy archive.org.

Accountability 289

Accountability Advertising Hacking Cybercrime 289

Security Boulevard

JANUARY 24, 2022

Sample portfolio of pay per install rogue fraudulent and malicious affiliate network domains known to have been in operation in 2008 include: vipsoftcash[.]com. iframevip[.]com. softmonsters[.]biz. iframepartners[.]com. installsforyou[.]biz. cashcodec[.]com. go-go-cash[.]com. 3xl-cash2[.]com. 3xlpartnership[.]com. installs4sale[.]com. profitclick[.]org.

Adware 104

Adware Software Accountability Cybercrime 104

SecureList

APRIL 2, 2021

An example of such a domain is mvd-ru[.]tech. Example of a fraudulent domain: 0402mpa21[.]ru. We also saw domain names composed of topic-based words, such as “police” or “mvd” Cybercriminals use them to mimic the addresses of the legitimate sites of law enforcement agencies. Mobile version of fake MVD websites.

Encryption 126

Encryption Mobile Ransomware Government 126

Security Boulevard

OCTOBER 28, 2022

hxxp://http-mshop-metro-cc-ru-shop-authloading.ru. hxxp://http-mshop-metro-cc-ru-shop-authloading.ru. hxxp://http-mshop-metro-cc-ru-shop-authloading.ru. hxxp://http-mshop-metro-cc-ru-shop-authloading.ru. Related domains known to have been involved in the campaign include: hxxp://stdumps.com. hxxp://shopcvvonline.ru.

Marketing 73

Marketing Cyber Attacks Accountability 73

Security Boulevard

APRIL 6, 2023

ru - hxxp://realstatistics[.]info; Related Genesis Market domains: hxxp://sync[.]genesis-update[.]net genesis-update[.]net net hxxp://sync[.]genesis-security[.]net genesis-security[.]net net hxxp://g3n3sis[.]pro pro hxxp://xmpp[.]genesis[.]market market hxxp://genesis[.]marjet marjet hxxp://g3n3sis[.]org org hxxp://sync[.]gsconnects[.]com

Marketing 52

Marketing Cybercrime Internet Internet 52

Security Boulevard

AUGUST 13, 2023

ru hxxp://2sync.co ru hxxp://artmotion.eu hxxp://rockhoster.com hxxp://ru-tld.ruen hxxp://rusonyx.ru ru hxxp://2sync.co ru hxxp://artmotion.eu hxxp://rockhoster.com hxxp://ru-tld.ruen hxxp://rusonyx.ru Sample bulletproof hosting provider domains include: hxxp://1984hosting.com hxxp://2X4.ru hxxp://avk-com.ru

52

52

Krebs on Security

MAY 16, 2023

.” In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

Ransomware 241

Ransomware Cybercrime VPN Healthcare 241

Security Affairs

APRIL 20, 2022

ru/guov-gs[.]ru ru the General Dept. JUST IN: #Anonymous released via #DDoSecrets 426,000 new emails (160 GB) from Tendertech, a firm specializing in processing financial and banking documents on behalf of businesses and entrepreneurs. OpRussia #StandWithUkraine #FckPutin [link] — Anonymous TV (@YourAnonTV) April 19, 2022.

Hacking 127

Hacking Banking Surveillance Engineering 127

Security Boulevard

OCTOBER 22, 2023

ru ventas[.]informatic.cl ru ventas[.]informatic.cl In this analysis which I did in less than two hours time I'll expose the entire domain portfolio of North Korea's IT workers that are busy franchising across the glove potentially funding North Korea's WMD program at least according to the U.S group/ hxxp://fts77.ru/ gmail.com info[.]chinacapital.com

Government 62

Government Accountability Banking Mobile 62

Malwarebytes

MAY 13, 2021

ru muhtarpashatashanov@yandex[.]ru ru nikola-az@rambler[.]ru. Indicators of Compromise. host pathc[.]space space predator[.]host host google-statik[.]pw pw recaptcha-in[.]pw pw sexrura[.]pw space predator[.]host host gooogletagmanager[.]online online imags[.]pw ms autocapital[.]pw pw myicons[.]net net qr202754[.]pw pw thesun[.]pw

Malware 108

Malware Hacking Software Cybercrime 108

Krebs on Security

APRIL 16, 2024

A Google-translated version of Shtazi dot ru. A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov , which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT. Image: Archive.org.

Identity Theft 217

Identity Theft Banking Cybercrime Hacking 217

Security Affairs

JULY 23, 2021

According to court documents, Pavel Tsurkan (33) operated a criminal proxy botnet composed of more than 1,000 devices. The IoT botnet was tracked as the “Russian2015” because it was using the domain Russian2015.ru.

Computers and Electronics 121

Computers and Electronics IoT Cybercrime Internet 121

Malwarebytes

AUGUST 3, 2022

org microsoft-ru-data[.]ru ru 194.36.189.179 microsoft-telemetry[.]ru ru oakrussia[.]ru. ru/main.css (edited) . C2s: kurmakata.duckdns[.]org Follina Doc: ???????.docx docx ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb Follina html file: garmandesar.duckdns[.]org:444/uoqiuwef.html

Malware 107

Malware Encryption Antivirus Architecture 107

Krebs on Security

FEBRUARY 20, 2024

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU. An FBI wanted poster for Matveev.

Ransomware 259

Ransomware Cybercrime Encryption Insurance 259

Malwarebytes

FEBRUARY 15, 2023

ru , which redirects to changing sites that are seen hosting a file named Hogwarts_Legacy_Setup.exe. This is what happens when you try and download a "free" version of Hogwarts Legacy (Source: Malwarebytes | Stefan Dasic) Dasic said the sites from the above screenshot all resolve to gameportpc[.]ru

Adware 79

Adware Scams Malware Risk 79

Krebs on Security

JANUARY 8, 2024

ru , and icamis[.]biz. ru: Andrey Skvortsov. Historic domain ownership records from DomainTools.com reveal that many of the email addresses and domains connected to Icamis invoke the name “ Andrew Artz ,” including icamis[.]w w s, icamis[.]ru Icamis promoted his services in 2003 — such as bulk-domains[.]info

Cybercrime 198

Cybercrime Banking Computers and Electronics DDOS 198

Krebs on Security

AUGUST 2, 2022

The UpWork profile page for the Angry Coders programming team from Omsk, RU. A review of the Internet addresses historically used by Super-socks[.]biz biz and SocksEscort[.]com com reveals that these domains at various times over the years shared an Internet address with a small of other domains, including angrycoders[.]net net , iskusnyh[.]pro

Malware 242

Malware Cybercrime Internet Internet 242

Krebs on Security

MARCH 8, 2022

ru) from the Internet. Ukrainian leaders petitioned the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit organization charged with overseeing the global domain name system — to disconnect Russia’s top-level domain (.ru)

Internet 292

Internet Internet Government Technology 292

Security Boulevard

FEBRUARY 21, 2024

ru support[.]ProxyWins.com Sample personally identifiable XMPP/Jabber and email address accounts obtained by data mining a publicly accessible cybercrime-friendly forum community: 112233[.]exploit.im 1ntersect[.]mail.ru richim.org 492962059[.]xmpp.ru activemoney[.]jabba.biz jabba.biz adm[.]likeboss.biz likeboss.biz admin[.]multi-vpn.biz

Cybercrime 62

Cybercrime Advertising Media Accountability 62

Security Boulevard

SEPTEMBER 26, 2023

ru micheal1717[.]yahoo.com gmail.com ru 94[.]mail.ru ru Big.brownpg[.]yahoo.com ru wdye8yd23d[.]mailforspam.com ru micheal1717[.]yahoo.com gmail.com ru 94[.]mail.ru ru Big.brownpg[.]yahoo.com ru wdye8yd23d[.]mailforspam.com ru micheal1717[.]yahoo.com yahoo.com kerrybarness[.]gmail.com

Accountability 57

Accountability 57

Malwarebytes

JULY 13, 2022

We were able to identify 7 different samples with that theme, including one ( 258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0 ) that has some similarities with a previous attack: Figure 5: Similarities between different versions. Also, in the past we have found comments regarding to a domain named ExcelVBA[.]ru.

Government 122

Government Cyber Attacks Phishing Malware 122

Malwarebytes

AUGUST 3, 2022

microsoft-ru-data[.]ru. ru/main.css (edited). Woody Rat : 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0. 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b. b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a. 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce. oakrussia[.]ru.

Malware 61

Malware Encryption Antivirus Architecture 61

Security Affairs

MAY 23, 2022

ru to 0day[.]llc. One, involving comments around a squirrel statue in Almaty, Kazakhstan may have affected the reporting on a BBC story. As of April 2022, 0day technologies has changed its domain from 0day[.]ru An instance of the SANA system appears to be up at [link]. ” continues the report.

DDOS 117

DDOS Media Hacking Engineering 117

Krebs on Security

SEPTEMBER 18, 2023

The homepage for Jcubegroup[.]com com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev. The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru. “They [aren’t] my clients.

Ransomware 229

Ransomware Accountability Encryption Internet 229

Security Affairs

JANUARY 5, 2020

ru email address, a Russian phone number, and the gameshack [. ] ru website. Files names and paths observed in numerous campaigns conducted by the operator revealed a link to the scat01 and SoftEgorka nicknames, the vitasa01 [ @ ] yandex.

Encryption 69

Encryption Ransomware Malware Scams 69

Krebs on Security

NOVEMBER 2, 2023

ru/stuffer/login.php bashar[.]cc/stuffer/login.php Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops: lvlup-store[.]com/stuffer/login.php com/stuffer/login.php personalsp[.]com/user/login.php

Cybercrime 256

Cybercrime Marketing Scams Retail 256

Krebs on Security

MAY 4, 2023

As the government noted in its search warrant, Nordex exchanged messages with forum users at the time identifying himself as a then-24-year-old “Denis” from Samara, RU. In 2017, U.S.

Marketing 222

Marketing Cybercrime Accountability Cryptocurrency 222

CSO Magazine

MARCH 1, 2022

ru, Russian Railways, the State University Dubna, and the Joint Institute for Nuclear Research. AgainstTheWest targeted Russian interests. Another hacktivist group known as AgainstTheWest claims to have hacked a steady stream of Russian websites and corporations, including Russian Government contractor promen48.ru,

DDOS 115

DDOS Media Hacking CSO 115

SecureWorld News

FEBRUARY 5, 2021

ru, Yahoo, Hotmail, Outlook, and iCloud. Microsoft researchers did some analysis on these cases and detected the types of email accounts the cybercriminals are using. The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru,

Scams 89

Scams Accountability Firewall Security Intelligence 89

Malwarebytes

APRIL 4, 2022

ru “) used in this campaign and how this scam campaign itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February. At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information.

Scams 90

Scams Media Social Engineering Engineering 90

Malwarebytes

SEPTEMBER 12, 2023

ru 91.199.147[.]226 Indicators of Compromise Cloaking infrastructure monoo3at[.]com com 206.71.149[.]46 46 Decoy site webexadvertisingoffer[.]com com 31.31.196[.]208 208 BatLoader fugas[.]site/debug/Installer90.2.msi site/debug/Installer90.2.msi

Antivirus 110

Antivirus Advertising Malware Engineering 110

Krebs on Security

DECEMBER 14, 2023

ru under the handle “ r-fac1.” ru advertised musictransferonline[.]com The nickname two rungs down from “Babushka” in the ChronoPay org chart is “ Lev Tolstoy ,” which the MegaPlan service showed was picked by someone who used the email address v.zhabukin@freefrog-co-ru. Rusprofile[.]ru

Cybercrime 213

Cybercrime Accountability Advertising Computers and Electronics 213

Security Affairs

JANUARY 26, 2019

Focusing on the most recent folders: “NEW combo semi private” and “MAIL ACCESS combos” and assuming the folder name is explicit, we might observe most of the “recent combos” (please see Part1 ) belong to EU and RU. TOP leaked credentials by folder. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Data breaches 83

Data breaches Advertising Passwords Government 83

SecureList

NOVEMBER 22, 2023

schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "$system32cmd.exe /c $publicJKNLA.bat $publichrserv.dll" /ru system /f The.BAT file accepts the path of a DLL file as an argument. In this instance, the script is provided with the file $publichrserv.dll, which is then copied to the System32 directory.

Malware 102

Malware Government Technology 102

Security Affairs

DECEMBER 9, 2018

. “The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru.” ” reads the analysis published by WordFence. “They use these proxies to anonymize the C2 traffic.

Advertising 99

Advertising Authentication Hacking Accountability 99

Security Affairs

JANUARY 15, 2020

ru ) to the file name of each encrypted file, for example test.txt becomes [5ss5c@mail.ru ] test. The ransom note doesn’t include attackers’email to contact for the payment or a Bitcoin address, instead the ransomware prepends the email address (5ss5c ( at ) mail [. ] Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.

Ransomware 75

Ransomware Cybercrime Architecture Advertising 75