{
	"id": "b96af101-48c9-4402-b2c1-39703d199e4d",
	"created_at": "2026-04-10T03:20:58.012366Z",
	"updated_at": "2026-04-10T03:22:18.917183Z",
	"deleted_at": null,
	"sha1_hash": "111a6d9294c5d762da36c87f4908f7b3330d1d20",
	"title": "Operation TA505: network infrastructure. Part 3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 580774,
	"plain_text": "Operation TA505: network infrastructure. Part 3\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-10 02:17:30 UTC\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/\r\nPage 1 of 10\r\nNetwork infrastructure analysis plays an important role in the study of malware distribution campaigns. Data on which IP addresses a given domain name resolved to over time help identify new malicious servers. In turn, retrospectively determining which domains resolved to a given IP address yields new domains, for which the search can be repeated, carrying the process further. This information can be immensely helpful in establishing the geography of nodes, identifying \"favorite\" hosts and registrars, and determining which values an attacker characteristically enters into fields when registering domains. Metainformation that appears useless at first glance may well prove its worth after a period of days, weeks, or months. In the course of malware analysis, sooner or later the question of attribution inevitably arises, and indirect identifiers such as network indicators can go a long way toward determining which criminal group a given tool belongs to.\r\nThis article examines the most characteristic network infrastructure indicators of the TA505 group, as well as intersections between TA505 and another hacker group, Buhtrap.\r\nDomain name registrars\r\nIn total, we analyzed 372 domains belonging to TA505 and identified 22 organizations through which these domains were acquired. The registrars used most frequently were the following:\r\nWhoisGuard, Inc. — 28 domain names\r\nEranet International Limited — 26 domain names\r\nWhoisGuard, an organization based in Panama, offers the service of concealing domain owners' registration data from public access. 
This is not the first time we have seen their services used by hackers to establish anonymity and hinder investigations.\r\nTA505 domains registered through WhoisGuard, sorted by malware family\r\nTA505 has utilized other, similar services, though to a lesser extent. These include PROTECTSERVICE LTD, Whois Privacy Protection Foundation, and Domains by Proxy LLC.\r\nEranet International Limited is one of the largest registrars in Hong Kong. It should be noted that members of TA505 tended to use dynamic DNS when registering domains with this provider. As a result, the IP addresses that their domain names resolved to changed frequently, making them difficult to track.\r\nTA505 domains registered through Eranet International Limited, sorted by malware family\r\nDomain name registrants\r\nWhile investigating the WHOIS data of various domain names, we were able to obtain unique values for certain fields in a number of cases.\r\nWHOIS data for TA505 domain names\r\nDomain | WHOIS field | Value | Malware\r\nkentona[.]su | Email | ctouma2@gmail.com | Smoke Loader/RMS RAT\r\nkoppepan[.]app | Email | nox1u9bruzgg@contactprivacy.email | FlawedAmmyy loader\r\n0141koppepan[.]com | Email | 0141.koppe.pan@gmail.com | FlawedAmmyy loader\r\nelast[.]pw | City | hai dian hai dian | ServHelper RAT\r\nelast[.]pw | Name | Lei Sun Lei | ServHelper RAT\r\nelast[.]pw | Phone | +86.15810310076 | ServHelper RAT\r\nelast[.]pw | Email | std3199@163.com | ServHelper RAT\r\nmakosoft[.]hu | Email | takagimeister@gmail.com | EmailStealer\r\nbigpresense[.]top | Fax | +1.7246992079 | EmailStealer\r\nbigpresense[.]top | Email | armstrongdom@slimemail.com | EmailStealer\r\nsolsin[.]top | Organization | Brandon P. Thurman | FlawedAmmyy loader\r\nsolsin[.]top | Fax | +1.3084575035 | FlawedAmmyy loader\r\nsolsin[.]top | Email | BrandonPThurman@grr.la | FlawedAmmyy loader\r\nnewfolder2-service[.]space | State | smolenskaya oblast | Smoke Loader\r\nnewfolder2-service[.]space | Phone | +7.9385040686 | Smoke Loader\r\nnewfolder2-service[.]space | Email | ssserviceshop1@yandex.ru | Smoke Loader\r\nwindows-several-update[.]com | Street | NO.1111 Chaoyang Road | FlawedAmmyy loader\r\nwindows-several-update[.]com | Name | Wiet Lee | FlawedAmmyy loader\r\nwindows-several-update[.]com | Phone | +86.86756381050 | FlawedAmmyy loader\r\nwindows-several-update[.]com | Email | whois-protect@hotmail.com | FlawedAmmyy loader\r\nwindows-update-02-en[.]com | Street | Shinararneri str. 43 | FlawedAmmyy loader\r\nwindows-update-02-en[.]com | Name | Artak Gasparyan | FlawedAmmyy loader\r\nwindows-update-02-en[.]com | Phone | +374.37494527465 | FlawedAmmyy loader\r\ntest-service012505[.]com | Street | Mangilik yel, 52, 102 | Smoke Loader\r\ntest-service012505[.]com | Name | Askar Dyussekeyev | Smoke Loader\r\ntest-service012505[.]com | Phone | +7.71727172 | Smoke Loader\r\nmicrosoftsyncservice[.]biz | Organization | zhuhaiyingxunkejiyouxiangongsi | Smoke Loader\r\noffice365onlinehome[.]com | Organization | Internet Invest, Ltd. dba Imena.ua | ServHelper RAT\r\noffice365onlinehome[.]com | Street | Gaidara, 50 st. | ServHelper RAT\r\nNaturally, not all of this information can be taken at face value. There are, however, certain values particularly worth noting. For instance, a search on the email address ctouma2@gmail.com leads to a list of additional domains registered to the same address. Another email address, 0141.koppe.pan@gmail.com, is linked with a variety of resources: an account on GitHub, Steam, the Japanese developer community site Qiita (with a link to a malicious domain in the profile), a YouTube channel, a Skype account (live: 141.koppe.pan), and so forth.\r\nPage on the Qiita site linked with the suspicious domain registrant\r\nWe will refrain from delving into a deep analysis of these WHOIS data, as it lies outside the scope of this article. We will, however, note that hackers often use compromised legitimate resources to host the first stage of their malware campaigns. 
The following domains are cases in point:\r\ngreenthumbsup[.]jp\r\nfakers.co[.]jp\r\nnanepashemet[.]com\r\nnagomi-753[.]jp\r\niluj[.]in\r\nAutonomous systems (AS)\r\nFor the sake of completeness, here are the top autonomous systems to which the IP addresses of C\u0026C servers used by TA505 belong. Of course, a single autonomous system serves many hosts, both legitimate and non-legitimate, including various malware families of disparate origins. The following statistics should simply be viewed as an overview of the attacker's preferences. Taken together with other data, they can be used for attribution. A single IP address at a large shared provider (Cloudflare in the table below, for instance) fronts many unrelated sites and is a weak pivot on its own.\r\nAutonomous systems frequently used by TA505\r\nASN | AS name | Number of IP addresses\r\n39798 | MivoCloud SRL | 21\r\n61138 | Zappie Host LLC | 14\r\n51852 | Private Layer INC | 8\r\n13335 | Cloudflare, Inc. | 5\r\n199524 | G-Core Labs S.A. | 5\r\n21100 | ITL LLC | 5\r\n45102 | Alibaba (US) Technology Co., Ltd. | 5\r\nTA505 and Buhtrap\r\nOn July 11, 2019, specialists from ESET released an article about a recent attack carried out by the Buhtrap group using a zero-day vulnerability in the Win32k component of Windows. The article described a so-called 'grabber' module used to harvest user passwords from email clients, browsers, and other sources. Later, we unearthed another similar module (MD5: c6e9d7280f77977a6968722e8124f51c) with the same C\u0026C server in its body (redmond.corp-microsoft[.]com).\r\nC\u0026C server in the Buhtrap grabber module\r\nA query in PassiveTotal reveals that this host has resolved to the IP address 95[.]179.159.170 since June 6, 2019.\r\nSeveral days earlier, on July 2, 2019, specialists from Proofpoint released a report on new tools used by the TA505 group, one of which is called Andromut (also known as Gelup). Andromut is a downloader for the FlawedAmmyy RAT. One of the variants of the downloader that we encountered (MD5: 0cbeb424d96e5c268ec2525d603f64eb) uses the domain compatexchange-cloudapp[.]net as its C\u0026C server.\r\nC\u0026C server in Gelup from TA505, after decryption\r\nPassiveTotal shows that this host has resolved to the IP address 95[.]179.159.170 since June 8, 2019.\r\nThese two domains were registered with the same registrar (Tucows Domains Inc.) within two days of one another, and resolve to the same IP address. Considering that both groups carried out attacks throughout June, it is reasonable to conclude that Buhtrap and TA505 used the same host as a C\u0026C server.\r\nIt is also worth noting that the domain compatexchange-cloudapp[.]net was used not only in the downloader discussed above, but also in older versions of Buhtrap components.\r\nFirst intersection of TA505 and Buhtrap found in network infrastructure\r\nWe later discovered another intersection between the two groups. The domains of TA505's Smoke Loader and of a second grabber from Buhtrap displayed a similar congruence: the domain test-service012505[.]com from Smoke Loader (MD5: 5fc6f24d43bc7ca45a81d159291955d1) and the domain secure-telemetry[.]net from the grabber (MD5: 79d1a836423c7ee57b6127cf2930a9d9) have resolved to the IP address 194[.]4.56.252 since June 17 and June 16, 2019, respectively.\r\nSecond intersection of TA505 and Buhtrap found in network infrastructure\r\nConclusions\r\nThis article has examined the network infrastructure of the hacker group TA505. 
Starting with a look at their preferred domain name registrars and the hosts of their C\u0026C servers, we unearthed interesting details in the client information provided by the group during domain registration. This could serve as a starting point for further investigations. We then discussed intersections discovered between the infrastructure of the TA505 and Buhtrap groups. The servers shared between the two groups could have several explanations: the groups could have a bilateral agreement to share the servers, they could be managed and coordinated by a single entity, or they could both rent the servers from a third party (thereby economizing on expenditures). Our work investigating these groups will not end here. We will continue to monitor their activity and search for new information on their possible connections and collaboration.\r\nAuthors: Alexey Vishnyakov and Maxim Anfinogenov, Positive Technologies\r\nIOCs\r\nTA505 C2:\r\n0141koppepan[.]com\r\nbigpresense[.]top\r\nelast[.]pw\r\nfakers.co[.]jp\r\ngreenthumbsup[.]jp\r\niluj[.]in\r\nkentona[.]su\r\nkoppepan[.]app\r\nmakosoft[.]hu\r\nmicrosoftsyncservice[.]biz\r\nnagomi-753[.]jp\r\nnanepashemet[.]com\r\nnewfolder2-service[.]space\r\noffice365onlinehome[.]com\r\nsolsin[.]top\r\ntest-service012505[.]com\r\nwindows-several-update[.]com\r\nwindows-update-02-en[.]com\r\nc6e9d7280f77977a6968722e8124f51c — Buhtrap grabber module\r\nredmond.corp-microsoft[.]com — grabber C\u0026C\r\n0cbeb424d96e5c268ec2525d603f64eb — TA505 Gelup loader\r\ncompatexchange-cloudapp[.]net — Gelup C\u0026C\r\n95[.]179.159.170 — TA505 and Buhtrap shared host\r\n79d1a836423c7ee57b6127cf2930a9d9 — Buhtrap grabber module\r\nsecure-telemetry[.]net — grabber C\u0026C\r\n5fc6f24d43bc7ca45a81d159291955d1 — TA505 Smoke Loader\r\ntest-service012505[.]com — Smoke Loader C\u0026C\r\n194[.]4.56.252 — TA505 and Buhtrap shared host\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/"
	],
	"report_names": [
		"operation-ta505-part3"
	],
	"threat_actors": [],
	"ts_created_at": 1775791258,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/111a6d9294c5d762da36c87f4908f7b3330d1d20.pdf",
		"text": "https://archive.orkl.eu/111a6d9294c5d762da36c87f4908f7b3330d1d20.txt",
		"img": "https://archive.orkl.eu/111a6d9294c5d762da36c87f4908f7b3330d1d20.jpg"
	}
}
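The passive-DNS pivot the article's introduction describes (domain to IP addresses over time, then each IP back to further domains, repeated) and the shared-host check behind the two TA505/Buhtrap intersections, as an added Python example that is not code from the Positive Technologies article. The passive-DNS rows are constructed: the four hostnames, the two IP addresses and the first-seen dates are the ones the article reports, while every last-seen date, every `.example` host, the 20-hosts-per-IP threshold and the seven-day window are assumptions made for the example. The threshold implements the caveat the article makes about shared providers: an IP fronting dozens of unrelated sites is not expanded, only reported for review.

```python
"""Passive-DNS pivoting and cross-group infrastructure overlap.

Added example; not code from the Positive Technologies article.  The
passive-DNS rows below are CONSTRUCTED: the four article indicators keep the
first-seen dates the article reports, every last_seen date and every
*.example host is invented, and no real PassiveTotal export or API is used.
"""
from collections import defaultdict
from datetime import date


def refang(indicator: str) -> str:
    """Turn the article's defanged form (95[.]179.159.170) back into a usable string."""
    return indicator.replace("[.]", ".")


# (hostname, ip, first_seen, last_seen).  Everything beyond first_seen is invented.
PDNS = [
    ("redmond.corp-microsoft[.]com",  "95[.]179.159.170", date(2019, 6, 6),  date(2019, 7, 31)),
    ("compatexchange-cloudapp[.]net", "95[.]179.159.170", date(2019, 6, 8),  date(2019, 7, 31)),
    ("secure-telemetry[.]net",        "194[.]4.56.252",   date(2019, 6, 16), date(2019, 7, 31)),
    ("test-service012505[.]com",      "194[.]4.56.252",   date(2019, 6, 17), date(2019, 7, 31)),
    # Invented branch: one host on a dedicated IP and on a crowded shared IP.
    ("updates-cdn[.]example", "198.51.100.7", date(2019, 6, 1), date(2019, 7, 1)),
    ("second-hop[.]example",  "198.51.100.7", date(2019, 6, 3), date(2019, 7, 1)),
    ("updates-cdn[.]example", "203.0.113.9",  date(2019, 6, 1), date(2019, 7, 1)),
] + [  # 25 unrelated invented sites behind the same shared IP (CDN-like noise)
    (f"site{i}[.]example", "203.0.113.9", date(2019, 5, 1), date(2019, 7, 1)) for i in range(25)
]

# Attribution of the seed hosts, as stated in the article.
OWNER = {
    "redmond.corp-microsoft.com": "Buhtrap",
    "secure-telemetry.net": "Buhtrap",
    "compatexchange-cloudapp.net": "TA505",
    "test-service012505.com": "TA505",
}

MAX_HOSTS_PER_IP = 20  # assumed cut-off: above this an IP is treated as shared hosting/CDN


def build_indexes(records):
    """Forward (host -> ips) and reverse (ip -> hosts) indexes over the resolutions."""
    by_host, by_ip = defaultdict(set), defaultdict(set)
    for host, ip, _first, _last in records:
        host, ip = refang(host), refang(ip)
        by_host[host].add(ip)
        by_ip[ip].add(host)
    return by_host, by_ip


def pivot(seeds, records=PDNS, max_depth=3, max_hosts_per_ip=MAX_HOSTS_PER_IP):
    """Breadth-first domain -> IP -> domain expansion.

    Returns (hosts, ips, skipped_ips); skipped_ips are crowded IPs that were
    reached but deliberately not expanded, so the analyst can review them.
    """
    by_host, by_ip = build_indexes(records)
    hosts = {refang(s) for s in seeds}
    ips, skipped, frontier = set(), set(), set(hosts)
    for _ in range(max_depth):
        new_hosts = set()
        for host in frontier:
            for ip in by_host.get(host, ()):
                if len(by_ip[ip]) > max_hosts_per_ip:
                    skipped.add(ip)
                    continue
                ips.add(ip)
                new_hosts |= by_ip[ip] - hosts
        if not new_hosts:
            break
        hosts |= new_hosts
        frontier = new_hosts
    return hosts, ips, skipped


def shared_hosts(records=PDNS, owner=OWNER, max_gap_days=7):
    """IPs on which hosts attributed to different groups were active at the same
    time and were first seen within max_gap_days of each other."""
    by_ip = defaultdict(list)
    for host, ip, first, last in records:
        host = refang(host)
        if host in owner:
            by_ip[refang(ip)].append((host, first, last))
    hits = []
    for ip, entries in by_ip.items():
        for i, (h1, f1, l1) in enumerate(entries):
            for h2, f2, l2 in entries[i + 1:]:
                if owner[h1] == owner[h2]:
                    continue  # same group reusing its own server is not an intersection
                gap = abs((f1 - f2).days)
                active_overlap = max(f1, f2) <= min(l1, l2)
                if active_overlap and gap <= max_gap_days:
                    hits.append((ip, h1, owner[h1], h2, owner[h2], gap))
    return sorted(hits)


if __name__ == "__main__":
    hosts, ips, skipped = pivot(["redmond.corp-microsoft[.]com"])
    print("pivot:", sorted(hosts), sorted(ips), sorted(skipped))
    for hit in shared_hosts():
        print("shared C2 host:", hit)
```

Seeding the pivot with the Buhtrap grabber domain reaches the TA505 Gelup domain through 95.179.159.170 in one hop, which is the first intersection the article reports; the constructed `updates-cdn.example` branch shows the crowded-IP cut-off stopping an expansion that would otherwise pull in 25 unrelated hosts. `shared_hosts` keeps only pairs whose active periods intersect and whose first-seen dates are close, which is the same reasoning the article applies (same registrar and two-day spacing) before concluding the host was shared.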