{
	"id": "0b4990f8-cffd-4637-9d15-dc91057204ae",
	"created_at": "2026-04-06T00:09:57.34555Z",
	"updated_at": "2026-04-10T03:34:18.752931Z",
	"deleted_at": null,
	"sha1_hash": "1446ecf9d96fbfa30bf6616e2f783afe2a132899",
	"title": "HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9609693,
	"plain_text": "HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED\r\nBy Joshuapenny\r\nPublished: 2023-11-14 · Archived: 2026-04-05 12:38:31 UTC\r\nIntroduction\r\nWelcome to my first post. I’ve decided to create a new series of blogs, called ‘HostingHunter’. I will document personal research attempts to uncover malicious or interesting activity conducted on various hosting providers on the internet. I will start with as little knowledge as possible, focusing on the unusual and lesser-known providers.\r\nThis idea was spawned as a result of regularly finding myself looking at IP addresses at work and wondering what other stuff is on the same hosting provider. Normally, I’m looking for more malware C2s from a single IP, or more phishing infrastructure related to an incident, for example. However, in this blog, I will look to target my research on a single session and just record and present whatever I find.\r\nI’m looking forward to writing in a more casual format, and sharing the enjoyment I get in conducting this research. I will break the blog down into two parts:\r\n1. The Hosting Provider, and\r\n2. Activity linked with the Hosting Provider.\r\nSo where to start? Well, the first hosting provider that caught my eye is:\r\nChang Way Technologies Co. Limited.\r\nPart 1 — The Hosting Provider\r\nChang Way Technologies Co. Limited was incorporated on 23rd September 2020 as a Private company limited by shares registered in Hong Kong. 
This seems to be a very common registered address for many companies (2.7k Google results):\r\nhttps://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65\r\nPage 1 of 22\n\nChang Way was assigned Autonomous System Number AS57523 and allocated 13 IPv4 prefixes in June 2021 — totaling 3,328 unique IPv4 addresses:\r\nThe IP addresses are distributed between Saint Petersburg and Moscow, with a small number located in Hong Kong.\r\nchangway.hk\r\nThe domain is visible on the registration information for the company. I first looked at the WHOIS information to uncover any other connections. Using VirusTotal and DomainTools I found two interesting observations:\r\n1. The registration email on the domain: bernard.webmail@gmail.com.\r\n2. The name of the individual/company: Victor Zaycev.\r\nThe hosting provider “Cat Technologies Co. Limited” is also registered under the same Victor Zaycev name and at the same Hong Kong address.\r\nThis email is used on a number of other domains, most no longer active; however, it gives a nice timeline of activity associated with this email address. Through the use of Google, Yandex \u0026 VirusTotal, I identified the following domains:\r\nTaking a look at the DNS records for the Chang Way domain also lists an SOA record RNAME which looks like another email address — processor.webmail.gmail.com. This record is used for the email address of the admin responsible for the domain:\r\nSo to summarise the findings so far:\r\nOf the domains associated with bernard.webmail@gmail.com, all are expired except for changway.hk and 31337.hk. 
I’ve covered the first, so let’s look at 31337.hk.\r\nLooks like it’s been marked as a payload delivery host and sits behind Cloudflare. Some of the files include Amadey and SystemBC:\r\nInteresting subdomains here, notably bearhost and billing (will become clear later):\r\nBack to processor.webmail@gmail.com. Remember, this was used on the DNS records for changway.hk. Utilising Group-IB’s Threat Intelligence Platform and Graph Tool, I’m able to connect the domains registered with bernard.webmail@gmail.com to the processor email address. A new persona: “processor”. This user, on a number of forums, appears to be selling bulletproof hosting servers called “UNDERGROUND” and “BearHost”. On these posts, the contact information includes Telegram accounts: underground31337, billing31337 and bear31337. These names match the subdomains and domains linked to the bernard email address:\r\nAfter collating the accounts and email addresses associated with the “processor” persona, we can make some connections between the processor email from DNS and the bernard email from WHOIS:\r\nIf we run a similar search on the newly identified addresses we can see some interesting results. For example, the Jabber contact information linked to processor relates to a post on the website crdpro.cc for “UNDERGROUND — Bulletproof servers” in March 2022. The second result is a recent dump from a security researcher of Jabber IDs linked to various individuals. Included in this dump are email addresses linked to Alphv, BlackByte, Vice Society, Mallox \u0026 No_Escape to name a few. 
I contacted the researcher and he mentioned that these addresses were mined from cybercrime forums.\r\nRansomware-linked emails included in the same dataset:\r\nalphv@01337.ru\r\navos@thesecure.biz\r\nblackbytesupp0rt@onionmail.org\r\nmallox@exploit.im\r\nNo_ESCAPE@exploit.im\r\nstormouss21@dnmx.org\r\nvicesociety@onionmail.org\r\nv-society.official@onionmail.org\r\nContinuing the Yandex searches, we can see what other forums these processor accounts have advertised on:\r\nTo summarise some of the findings after part 1 (The Hosting Provider):\r\nThrough WHOIS and DNS, we can connect two Gmail addresses to both domains registered and hosted on Chang Way.\r\nBernard is used for new domain registrations. Notably changway.hk and 31337.hk, which contains subdomains linked to processor.\r\nprocessor is used for the persona “processor”, advertising bulletproof hosting named BearHost/Underground.\r\nprocessor is a persona of an individual conversing on forums and via Jabber channels with accounts linked to ransomware groups.\r\nPart 2 — Activity linked with the Hosting Provider\r\nSummary of the findings below:\r\nThreat Actors exploiting CVE-2023-3519 to implant webshells on Citrix Netscaler Gateways\r\nNational Crime Records Bureau (India) Credit Card phishing\r\nAndroid Malware: Hydra, Hookbot, aXedroid, Rusty Droid\r\nWindows Malware: SectopRAT\r\nMetaSploit, Nessus and Cobalt Strike\r\n404 TDS\r\nUNDERGROUND/BearHost Bulletproof hosting\r\nBlackByte\r\nTacticalRMM\r\nTools used: urlScan, Shodan, Maltego, VirusTotal \u0026 Greynoise.\r\nBefore I look at traffic coming into the network, e.g. looking for phishing pages, malware C2s, etc., 
I thought I would start looking at what sort of traffic is coming out of the network via Greynoise.\r\nGreynoise\r\nGreynoise is fantastic for helping to understand whether IP addresses have been classified as potentially malicious from conducted activity such as scanning or being observed exploiting a particular vulnerability. In this case, we can enter the subnets for Chang Way and observe what types of activity have been observed from this network.\r\nAfter entering the results into the visualiser, I analysed all of the subnets together:\r\n62.122.184.0/24 appears to contain the most IP addresses tagged as malicious and associated with a variety of scanning activity.\r\nFinding 1 — Threat Actors exploiting CVE-2023-3519 to implant webshells on Citrix Netscaler Gateways\r\nUsing urlScan, we can get an idea of the types of domains hosted on the ASN and potentially malicious activity. The ASN feature shows latest scans, incoming hits, recent screenshots, related screenshots and recently observed hostnames.\r\nhttps://urlscan.io/asn/AS57523\r\nWithin related screenshots, some interesting images of Citrix VPN gateways for various companies appear to be communicating with addresses on this ASN. 
That definitely requires further investigation.\r\nDigging further we can identify the offending IP address:\r\nBased on this information we’ve found some domains: cloud-js.cloud \u0026 jscript.club.\r\nLooking at the cloud-js.cloud domain returns a lot of company Citrix Gateways.\r\nAdditionally, it looks like some JavaScript files are hosted on the domain. Initially, it looks like they POST authentication credentials to this domain on logon.\r\nA quick search on this domain returns two interesting articles:\r\nThis looks like ongoing activity relating to “Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells”.\r\nUsing this URLScan query:\r\nfilename:\"citrix.js\" OR filename:\"citrix2.js\" OR filename:\"citrix3.js\" AND page.url:\"/vpn/index.html\"\r\nWe can identify the domains used for credential exfiltration. 
From here we can run FOFA queries for domains found in webpages of Citrix logon pages:\r\n((\"jscloud.ink\" || \"jscloud.biz\" || \"cloudjs.cloud\" || \"cloud-js.cloud\" || \"cloudjs.live\")) \u0026\u0026 server!=\"cloudflare\"\r\nProviding us with a view of global victims:\r\nTo note, the threat actors placed these domains behind Cloudflare to evade detection of their backend server, but through these tools we’ve identified it:\r\nAdditionally, the CISA report mentions the use of NPS:\r\n• Deployed the NPS tunneller [6] to victim networks to the /tmp directory. NPS is an open source tunneller written in Go.\r\nWe can also verify that by checking port 8081 for this IP address:\r\nGlobal view of servers with the same header fingerprint:\r\nNPS: https://github.com/ehang-io/nps\r\nIt appears to be written by a Chinese developer and has over 2 million downloads. The predominant distribution of servers using NPS is located in China.\r\nSo that is the first observed activity. The offending IP address behind these domains is: 85.209.11.134\r\nUtilising this information, we’ve mapped other servers running NPS and used urlScan/FOFA to identify possibly compromised Citrix Gateway servers globally. 
We’ve also identified the backend server masked by Cloudflare used for credential exfiltration from the gateways.\r\nFinding 2 — National Crime Records Bureau (India) Credit Card phishing\r\nThis finding definitely entertained me and my teenage step-daughter as I ran her through the part of the victim. I asked her to figure out what was wrong and why the PC had claimed she’d been blocked until she’d entered credit card details. I asked her to exit off this page and I had great enjoyment watching the resulting confusion.\r\nThis page is impersonating a page from the National Crime Records Bureau in an attempt to demand payment from victims visiting “pornographic and illegal sites”. The interesting part is that when you first load the page, you are presented with a popup box asking you to reload the page:\r\nUpon reloading, the screen enters “Full screen mode” and impersonates the browser bar. Subsequent attempts to cross the screen off will fail, likely adding to the anxiety of any victims and increasing the likelihood of eventual payment. Interesting social engineering tactics that are likely effective. 
Utilising the favicon hash of the webpage we can identify 9 more servers dedicated to this scam, hosted on Chang Way:\r\nURLScan link to reload page results:\r\nhttps://urlscan.io/search/#hash%3A13b787fc7df5bd583e50c3f159fc16296757aa3e3efeaefe954cf33273e58504\r\nExample FOFA search based on a Base64 encoded string found on the webpage: https://en.fofa.info/result?qbase64=UEdneElHTnNZWE56UFNKaGJHVnlkQzFrWVc1blpYSWlQand2YURFK0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRHh3U — this returns more results outside of just Chang Way.\r\nFinding 3 — Android Malware: Hydra, Hookbot, aXedroid, Rusty Droid\r\nHydra\r\nI previously wrote an article on the Hydra Android banking trojan: https://www.bridewell.com/insights/blogs/detail/hydra-new-campaign-targeting-android-banking-in-spain-and-latin-america\r\nHere I found 4 servers running C2s for the malware. The .apk files are named Chrome.apk and PlatStore.apk. 
Also found were login panels for Hookbot, aXedroid and Rusty Droid:\r\nFinding 4 — Windows Malware: SectopRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat\r\nFinding 5 — Metasploit, Nessus and Cobalt Strike\r\nNessus: “Take advantage of the industry’s most trusted vulnerability assessment solution to assess the modern attack surface.”\r\nUse any combination of the following red boxes to find many many many more Nessus servers on the internet:\r\nQuick description of Metasploit and Cobalt Strike:\r\nMetaSploit: “The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine.” — Rapid7\r\nCobalt Strike: “is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors from ransomware operators to espionage-focused Advanced Persistent Threats (APTs)”. — Mandiant\r\nThe graph above shows the IP addresses running Cobalt Strike or Metasploit on Chang Way. One IP address, 85.209.11.162, has both running on it. 
A number of the Cobalt Strike servers on Chang Way used the watermark 1580103824, which is used to identify the version of Cobalt Strike being used. This is the same watermark as the Cobalt Strike server used in the recent Cl0P/SysAid report:\r\nWe can focus in another step further by using the SSL JARM on the certificate used by the servers. I touched on this in another recent post regarding the SysAid report: https://twitter.com/josh_penny/status/1722664249162445078. Using the SSL JARM with the watermark version, we can cluster some of the Cobalt Strike servers. Here, we use the SSL JARM from the SysAid IP address and we can see that it shares that fingerprint + watermark with 2 servers, one on Chang Way and one on Cat Technologies.\r\nFinding 7 — 404 TDS\r\nConsider this one more of a “low confidence” assessment. 404 TDS is not something I’ve really attempted to track before, but I believe that some part of it runs through Chang Way. What is 404 TDS? TDS stands for Traffic Distribution System. It’s a service that is purchasable by a variety of threat actors in order to deliver different malware. The purpose of the TDS is to redirect traffic through threat actor controlled infrastructure to validate the victim before redirecting to the next in the chain based on certain criteria. This allows threat actors to conduct things like geo-fencing to filter out unwanted traffic (such as researchers) and deliver victims to different malware, think infostealers (personal machine) or Cobalt Strike (enterprise system). Proofpoint do a great job of tracking this and updating the community on payloads and lures used as part of this ecosystem. 
Payloads delivered via 404 TDS include: Truebot, NetSupport RAT, IcedID, AHK Bot, AsyncRAT, and DarkGate, etc.\r\nThis Proofpoint post in October (https://www.proofpoint.com/uk/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader) gave us indicators for 404 and IcedID. Let’s look at the 404 TDS ones:\r\nAll of these domains resolve to a single IP: 193.3.19.160. Guess which Organisation that sits on…\r\nLet’s put this into Maltego and find out what else we can find on Chang Way relating to 404 TDS:\r\nIn total that’s 12 IP addresses, all of which contain a number of domains that don’t resolve to a webpage and have communicating files in VirusTotal all matching what you would expect from typical email attachment lures (in HTML and PDF formats). I’m confident these IP addresses are all related; however, it’s interesting to me that my searches only found those hosted on Chang Way despite this being a well-used Traffic Distribution System.\r\nFinding 8 — UNDERGROUND/BearHost Bulletproof hosting\r\nSo you’ll know what this is from part 1. 
Looks like processor’s UNDERGROUND/BEARHOST.\r\nUNDERGROUND/BEARHOST Login Panel\r\nBelow is a translation from one of the adverts provided for this service:\r\nFinding 9 — BlackByte\r\nYou can read all about my findings here: https://www.bridewell.com/insights/blogs/detail/bridewell-and-group-ib-uncover-possible-blackbyte-victim-data-notify-victims?utm_source=LinkedIn\u0026utm_medium=Linkedin_Organic\u0026utm_term=cti-blog-blackbyte\u0026utm_content=blackbyte_cti_blog\u0026utm_campaign=cti_bridewell\r\nTo summarise, I identified a server hosted on Chang Way that appeared to contain victim data from the BlackByte ransomware group. The server was located here:\r\nWe assessed that this is likely an operational security failure by the owner/operators of the server. The directories were named after what appeared to be organisations around the globe. After analysing these directories, Bridewell and Group-IB were able to link a large portion of the organisations to the Data Leak Site for the ransomware group BlackByte. The open server contained 37 directories, with 19 named after organisations posted to the BlackByte data leak site between January and September 2023. 15 subdirectories were named after organisations not posted. The organisations are located in the US, Turkey, Germany and Denmark. 
It is currently assessed with moderate confidence that these organisations could be victims of the BlackByte ransomware group and either paid the ransom or are potentially unaware of any compromise.\r\nBridewell and Group-IB specialists acquired the dataset to allow organisations to verify the plethora of archive files contained within the open directory. All files were compressed .zip files named “Archive1”, “Archive 2”, etc. with each file approximately 1 GB in size.\r\nTotal number of files: 140,135.\r\nTotal directory size: 1.2TB\r\nFinding 10 — TacticalRMM\r\n“Tactical RMM is a remote monitoring \u0026 management tool built with Django, Vue and Golang. It uses an agent written in Golang and integrates with MeshCentral.” — https://docs.tacticalrmm.com/\r\nThis is another RMM tool that has been used before by Threat Actors as a form of persistent remote access into a corporate network and should be monitored very closely.\r\nLast year, The DFIR Report released an article whereby TacticalRMM was used in the intrusion.\r\nIn this case, I found only one IP address linked to TacticalRMM on Chang Way (there are over 1,000 on the internet). This IP is interesting as the domain and SSL cert seem to be impersonating “delltechnologies.com”, Dell Inc:\r\nNow I won’t assume this is set up to use against Dell, but if I were them, I’d maybe monitor for this IP address and/or domain coming in and out of their network. But it could easily be used against anyone in an attempt to mask remote support from Dell, for example. 
Doesn’t look like it will be used legitimately, that’s for sure.\r\nBonus — Crdpro.cc — Credit Card selling forum\r\nThis forum is littered with links to Credit Card selling sites, fake document services and a forum with links to interact with bots on Telegram to purchase cards.\r\nConclusion\r\nWell, there was a lot to digest here and next time I might have to pick a top 5 list. However, I feel like I know Chang Way Technologies far more intimately now after this. I have a good idea of the sort of criminal activities being conducted on this ASN. There appear to be some interesting connections between the company Chang Way and the users behind it running some form of bulletproof hosting. Additionally, it was interesting to find a backend server receiving Citrix VPN credentials. And I definitely didn’t expect to find BlackByte victim data. Ultimately, I definitely learned some new techniques and methods for utilising some of these tools and have some more ideas, so I enjoyed the exercise personally.\r\nNow that I’ve had a good look at Chang Way, I will look to investigate another Organisation. However, I’d love to hear feedback on whether you enjoyed this article and whether you found it interesting. I would certainly like to take the research further with anyone who is interested and willing to assist.\r\nThanks for reading!\r\nJosh\r\nSource: https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65"
	],
	"report_names": [
		"hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1446ecf9d96fbfa30bf6616e2f783afe2a132899.pdf",
		"text": "https://archive.orkl.eu/1446ecf9d96fbfa30bf6616e2f783afe2a132899.txt",
		"img": "https://archive.orkl.eu/1446ecf9d96fbfa30bf6616e2f783afe2a132899.jpg"
	}
}