After the start of Russia's full-scale invasion, misinformation campaigns and hacker attacks coordinated by pro-government groups of the Russian Federation intensified. PQ.hosting in 2019 - participated in the implementation of such operations. This company specializes in providing hosting services on the Internet and has server equipment in more than 30 countries.
Despite the sanctions, the hosting provider is quite common in Russia, operating since 2022 on a network owned by Stark Industries Solutions Limited, registered by John Neculiti in the United Kingdom.
In one of his promotional materials, Ivan explains the purpose of the British company: “At the moment, our IP addresses no longer show that they belong to PQ Hosting. There is another, neutral name.” According to him, the British company does not participate in payment transactions at all, but exists simply to facilitate business. In other words, anyone who does business with Stark Industries Solutions is actually doing business with PQ Hosting, except that outsiders will not see it immediately.
By masking its corporate network, PQ Hosting has become a refuge for pro-Russian cyberactivists who carry out illegal activities against Ukrainian citizens and help the FSB keep track of deserters and agents within the country through phishing resources of the Legion "Freedom of Russia" and the "Russian Volunteers". Its infrastructure is also used for DDoS attacks on European countries.
Specific examples:
- On 21.12.2023, the Computer Response Group of Ukraine registered attacks on Ukrainian users through e-mail newsletters with an SBU heading, infecting them with the RemcosRAT virus, which operates under AS44477 (Stark Industries Sol.
- Earlier, CERT-UA also reported an attack using 5 different programs, initiated by the UAC-0082 (Sandworm) group associated with the State Security Service of Ukraine, using Stark Industries Solutions Ltd infrastructure.
- An attack on Ukrainian users with the heading "Subject to Court".
- Artem Tamoyan, a Russian opposition activist and programmer, shared on Twitter his observations on Yandex's promotion of phishing resources of the previously mentioned LSR and RDC that collect data on Russians who want to join their ranks. Tamoyan addressed some complaints with blocking requests to the Cloudflare administration. One of the service's answers stated that the hosting provider of the fake sites of the Legion "Freedom of Russia" was Stark Industries.
In addition, a report by a Swiss federal directorate describes a series of multi-day DDoS attacks aimed at the infrastructure of the authorities and large municipalities, and mentions the pro-Russian group NoName057(16), which uses Stark Industries servers.
In addition, the Neculiti brothers' infrastructure was used by the BlueCharlie BlueChroment group and for theft of data in Ukraine and NATO countries.
Similarly, PQ Hosting is a frequent "guest" in the reports of HYAS, which investigates cybersecurity incidents. Here is how they described PQ Hosting's activities in the May 6, 2024 report:
AS44477, related to Stark Industries, works as a predictable bulletproof host with connections with Russia. The observed activity, in particular the presence of Redline Stealer and the traffic associated with the botnet, indicates a malicious intention aimed at compromising users' data and expanding botnet networks. Stark Industries can work as a bulletproof hosting that promotes cybercrime. The presence of Redline Stealer involves focusing on data theft and potential monetization of stolen information.
Or in an earlier report:
AS44477 is an Autonomous System Number (ASN) assigned to a network controlled by Stark Industries, suspected of being a bulletproof host with connections with Russia. Often problematic traffic comes from Stark Industries. According to our data, this traffic is mainly Redline Stealer, which steals personal data from the browser and connects the victims' devices to the botnet 'SPOO'.
Harmful activity: AS44477 has been associated with complex cyberattacks, such as deployment of programs and attempts at data exfiltration. The malefactors using this ASN can target organizations in different sectors, using vulnerabilities to achieve their goals.
On the social network Twitter (X), there are similar mentions from organizations that counteract cybercrime.
On thematic forums, they are recommended as "abuse-resistant hosting".


They are also mentioned on Telegram.

Hosting drug marketers does not bother the company either, and resources such as RR-Seedshop081.xyz operate quietly on its equipment.
The same applies to casino sites.
Resources resembling services related to cryptocurrency fraud have also been observed on the network:
yamga.org
deenair.org
betchan-exclusive.com
Remarkably, resources of this kind prefer to use the network specifically in the Netherlands.
The Constella Intelligence data tracking service reports that Ivan Neculiti has registered several online accounts with the e-mail address [Email Protected]. The cyber intelligence firm Intel 471 shows that this e-mail address is tied to the DFYZ username on more than half a dozen Russian-language cybercrime forums since 2008. In 2008, the DFYZ user on searchengines.ru asked other forum participants to look at war.md and said they were part of Mercenaries Team.
At that time, DFYZ sold "abusus servers for any purpose", which meant that the hosting company intentionally ignored complaints about abuse or security requests concerning its customers' activity.
DomainTools also shows that at least 33 domain names are registered to [Email Protected]. Some of these domains include the name Ivan Neculiti in their registration records, including Tracker-Free.cn, which was registered to Ivan Neculiti at [Email Protected] and referred to Mercenaries Team in its original registration records.
DFYZ also used the nickname Donchicho, under which he likewise sold abuse-resistant hosting services and access to hacked Internet servers. In 2014, a well-known member of the Russian-language Antichat community filed a complaint against Donchicho, saying that this user had scammed them and used the e-mail address [Email Protected].
The complaint said Donchicho registered with Antichat from the Transnistrian Internet address 84.234.55.29.
A search for this address in Constella shows that it has been used to register only five online accounts created over the years, including one on Ask.ru, where the user registered with the e-mail address [Email Protected]. Constella also returns a user named "Ivan" on Memoraleak.com and 000Webhost.com for this e-mail address.
Constella believes that the password most commonly used by the e-mail address [Email Protected] was FileCast, and that this password is associated with more than 90 e-mail addresses. Among them are about two dozen addresses containing the name "Neculiti", as well as the address [Email Protected].
Intel 471 says Donchicho posted on several Russian cybercrime forums that [Email Protected] was his address, and that he logged in to cybercrime forums almost exclusively from an Internet address in Tiraspol, Transnistria. A review of Donchicho's posts shows that this person was banned from several forums in 2014 for defrauding other users.
Cached copies of Donchicho's site (Donchicho.ru) show that in 2009 he was a spammer who sold fake medicines through RX-Promotion, once one of the largest pharmacy spam programs for Russian-speaking affiliates.
Returning to the topic of sanctions mentioned at the beginning, it is worth noting the interesting observations of Correctiv, which emphasized their "toothlessness" in the case of the brothers:
“EU sanctions on Russian companies and individuals behind the misinformation RRN websites prohibit European companies from doing business with them. While Stark Industries Solutions as a British company and PQ Hosting as a Moldovan company are not subject to EU legislation.”