{
	"id": "124a6d42-9972-4c5b-b14f-53c985aabd4e",
	"created_at": "2026-04-06T00:13:40.687443Z",
	"updated_at": "2026-04-10T13:12:44.932324Z",
	"deleted_at": null,
	"sha1_hash": "473e1359881549ee762bc6ae283125c7b0c03e93",
	"title": "Seychelles, Seychelles, on the C(2) Shore",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2470201,
	"plain_text": "Seychelles, Seychelles, on the C(2) Shore\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 15:00:23 UTC\r\nAn overview of a bulletproof hosting provider named ELITETEAM.\r\nIntroduction: What is “Bulletproof Hosting” (BPH)?\r\nBulletproof hosting (BPH) is a type of service offered by hosting providers that allows operators unrestricted and\r\nunregulated use of their paid infrastructure. Usually, these providers ignore abuse complaints, giving threat actors\r\nan ideal platform to conduct various malicious activities.\r\nBPH providers prefer to operate in jurisdictions that have lenient laws against such conduct. Due to the different\r\nlaws in different countries, this creates a significant gray area that allows BPH providers to claim immunity for\r\nwhat their customers (threat actors) host.\r\nIn addition to malicious activities, some of the other services enabled / hosted by BPH providers include online\r\ngambling, the sharing of copyrighted materials, misinformation, etc.\r\nA number of online monikers are associated with individuals involved in the provision of BPH services, and\r\ninclude: Yalishanda, BraZZZerS, MoreneHost, and Vicetemple.\r\nExecutive Summary\r\nELITETEAM, a bulletproof hosting provider registered in the Republic of Seychelles, is associated with\r\nmultiple malicious campaigns.\r\nMultiple distinct clusters of threat activity were noted, operating from IP addresses within a netblock\r\nassociated with ELITETEAM.\r\nEach threat cluster had seemingly different “goals”, from directly stealing banking information to\r\ndeploying ransomware and crypto miners. 
Targets were diverse, and notable differences in\r\nattacker TTPs were observed.\r\nEvidence was identified, based on AS announcements, linking ELITETEAM to another known Russian\r\nbulletproof hosting provider.\r\nELITETEAM Netblock Summary\r\nELITETEAM owns four different ASNs as “1337TEAM LIMITED”: AS39770, AS60424, AS56873, and\r\nAS51381, but mainly operates from AS51381, which is associated with netblock 185.215.113.0/24.\r\nLooking at the WHOIS data related to this netblock, an address in Seychelles is provided:\r\nhttps://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore\r\nPage 1 of 18\n\nFigure 1: ELITETEAM WHOIS Data\r\nThe address “Global Gateway 8, Rue de la Perle office “1337TEAM LIMITED”, Seychelles” was previously\r\ndisclosed in documents commonly referred to as the Panama Papers and Offshore Leaks, indicating that\r\nELITETEAM may use Seychelles as a front for their operations, whilst controlling them from another location.\r\nInfrastructure Summary\r\nThe identified malicious infrastructure, hosted via ELITETEAM and discussed in this blog post, is divided into\r\nthree different clusters, as follows:\r\nCluster 1: Malvertising and info-stealing\r\nCluster 2: Phishing\r\nCluster 3: Skimming\r\nCluster 1\r\nThe first cluster, and currently the most active one, was previously observed (since December 2020), targeting\r\nvictims through exploitation of the Log4Shell (CVE-2021-44228) vulnerability. 
However, since around February\r\n2022, we have observed a switch to the use of malvertising campaigns, using ‘fake’ software as a lure, leading to\r\nthe installation of the Amadey malware on victim machines.\r\nFigure 2: Malvertising Campaign\r\nFollowing the initial installation of Amadey, depending on the version number of the malware (3.08 through to\r\n3.21 was observed in this cluster), one of two payloads is then dropped: Redline stealer or Smokeloader. It\r\nappears the initial goal of the threat actors is the theft of victim information / credentials; however, further\r\npayloads were also observed being dropped, including Djvu ransomware and crypto miners.\r\nDuring this investigation, we focused our research on five Amadey C2 servers:\r\nFigure 3: Amadey C2 Servers\r\nNote: For reasons unknown, this cluster hosts multiple different versions of Amadey, all of which are\r\ncurrently in use in attacks.\r\nPivoting on URL strings associated with the Amadey C2 servers (Figure 2), we were able to identify a list of tasks\r\nhosted on 185.215.113.92 (Amadey version 3.21).\r\nFigure 4: Tasks Hosted on 185.215.113.92\r\nThe payloads associated with these tasks appeared to be hosted on a Bitbucket account named\r\n‘USASoftwareDevelopment’.\r\nFigure 5: USASoftwareDevelopment Bitbucket Account\r\nAnalysis of these payloads identifies them as Redline stealer executables (botnet: IMHOTEP), which are likely\r\nloaded onto victim systems to facilitate data theft and systems reconnaissance. 
Data from victim systems is then\r\nexfiltrated to 185.215.113.217.\r\nNote: The number of downloads recorded against each payload provides a further indication of the scale of\r\nthis activity.\r\nFigure 6: Data Exfiltration to 185.215.113.217\r\nSimilar findings were also observed for 185.215.113.205, which was not initially identified as an Amadey C2\r\nserver.\r\nFigure 7: Tasks Hosted on 185.215.113.205\r\nIn this case, the payloads were hosted on a different Bitbucket account (‘Alex’), but again all of the samples\r\nanalyzed were identified as Redline stealer. Of note, data exfiltration for these payloads was to 65.21.133.231\r\n(assigned to AS24940 - Hetzner Online GmbH).\r\nFigure 8: Data Exfiltration to 65.21.133.231\r\nExamining threat telemetry for 65.21.133.231:47430, it is apparent that this particular campaign became active on\r\n20 August 2022, and to date has seen at least 500 victims. The observed victims were dispersed globally, with the\r\nhighest concentrations in Brazil, India, and South Africa, based on IP geo-location data.\r\nFinally, a third Bitbucket account (named ‘mrssoprano666’) was identified, again associated with 185.215.113.92.\r\nFigure 9: ‘mrssoprano666’ Bitbucket Account\r\nIn this case, we bear witness to a potential “career” change. We identified a user called ‘mrssoprano666’ on an\r\nunderground Russian-language forum, offering ‘physical’ services associated with fraudulent activity. 
These\r\nservices included answering telephone calls, making calls to victims (posing as a bank or shop), and the rerouting\r\nof parcels.\r\nFigure 10: Forum Post by ‘mrssoprano666’\r\nBased on the timeline of activity on this forum, it appears that the user ‘mrssoprano666’ disappeared in 2020\r\n(having advertised their services since 2018) before subsequently re-appearing as a cybercrime affiliate this year.\r\nCluster 2\r\nThe second cluster is mainly used to conduct phishing campaigns, with a particular focus on the spoofing of\r\ninvestment and cryptocurrency platforms. This cluster is highly active: although AS51381 only\r\naccounts for 256 IP addresses, it ranks in 8th place in Interisle’s Phishing Landscape 2021 behind much larger ASs.\r\nFigure 11: Phishing Landscape 2021 Rankings\r\nThree IPs are used to host phishing sites:\r\n185.215.113.100: Observed most recently in a campaign targeting Polish Credit-Agricole users.\r\n185.215.113.201: Used as a Redline Stealer C2 until April 2022; switched to phishing purposes in June 2022.\r\n185.215.113.206\r\nAs noted previously, there is a financial flavor to this cluster; in one campaign we observed the targeting of\r\nFidelity customers, in an attempt to steal credentials.\r\nFigure 12: Phishing Page Targeting Fidelity\r\nInterestingly, there was also a second stage to this attack; usually attackers are simply seeking credentials, but in\r\nthis case it appears the attackers wanted to double up on the opportunity. Once a user had entered their credentials,\r\nthey were directed to download a file called ‘Fidelity Protect Services’. 
This is a completely fictitious product\r\noffering from Fidelity, but continues to be a highly convincing part of the scam.\r\nFigure 13: Fidelity Protect Services\r\nThe file (hosted at cv19alert[.]com/fidelityprotect.exe) was not available for download at the time of our\r\ninvestigation. However, a copy was uploaded to VirusTotal on 28 June 2022 by a user in the United States (MD5:\r\n4532b0d0ca6330bf73e0d6f76f8cf35b).\r\nAnalysis of the sample identifies it as a Raccoon Stealer V2 payload, with the timeline aligning with the malware\r\nfirst being spotted in the wild (and initially referred to as RecordBreaker based on User Agent strings).\r\nIn the first stage, the malware pushes the ‘machineId’ and username to the C2 server, along with the ‘configId’\r\n(RC4 key).\r\nFigure 14: Initial POST Request\r\nThe RC4 key is used to decrypt the location of the C2 server, in this case 104.193.255.48 (AS14576 - HOSTING\r\nSOLUTIONS).\r\nFigure 15: Decrypted C2 Server\r\nUnfortunately, the C2 was offline at the time of our investigation, so we were not able to retrieve the full\r\nconfiguration of the malware.\r\nCluster 3\r\nThe third cluster is connected to credit and debit card skimming activity, with the earliest observations occurring\r\nin November 2021.\r\nA campaign associated with this cluster was previously reported on by the Sucuri research team, which noted:\r\nCompromise of the victim website, with an attempt to load a malicious JavaScript file.\r\nWebsite visitors met with an unwarranted prompt for credit card information.\r\nSpoofing of the legitimate domain ‘api.jquery.com’; the attackers used a similar domain\r\n‘apiujquery[.]com’.\r\nC2 server used to serve the secondary payload, allowing for JavaScript injections into pages when certain\r\nkeywords were triggered, e.g., ‘checkout’, ‘my-account’, 
‘order’.\r\nC2 server located at 51.178.8.230 (AS16276 - OVH).\r\nAt some stage after the publication of the Sucuri blog, the C2 server was moved to 185.215.113.5.\r\nFigure 16: Current Campaign C2 Details\r\nBased on our threat telemetry for 185.215.113.5, we have observed at least 50 unique victims connecting to the C2\r\nserver over the past three months.\r\nReviewing the current campaign, it appears very similar to the one reported on nearly a year ago. The first\r\nJavaScript injection payload sends a unique hash to the C2 to register and identify the victim on the admin side.\r\nHowever, some updates to the second stage payload have been noted. Firstly, the ‘triggered words’ list has been\r\nupdated to include several more keywords.\r\nFigure 17: Triggered Words List\r\nSecondly, an additional C2 server was identified, hosted on 185.215.113.20. Both the initial and the ‘new’ C2\r\nservers share the same SSH Server Host Key value.\r\nFigure 18: SSH Server Host Key Match\r\nThe current IOCs for this campaign are therefore as follows:\r\napiujquery[.]com | 185.215.113.5\r\nC2: http://apiujquery[.]com/ajax/libs/jquery/3.5.1/jquery-3.12.0.min.js?i\r\napigstatic[.]com | 185.215.113.20\r\nC2: https://apigstatic[.]com/ajax/libs/jquery/5.1.7/jquery-7.41.3.min.js?i\r\nBig Picture\r\nBig Picture - Summary of Infrastructure\r\nZooming out from the clusters already discussed, a significant number of IPs within the 185.215.113.0/24\r\nnetblock have been linked to malicious activity in the recent past. 
Around 110 IPs were categorized as malicious within\r\nVirusTotal over the past 90 days, and around 80 IPs were associated with entries made to ThreatFox within the past year.\r\nFigure 19: Malicious Activity Cluster within AS51381\r\nBig Picture - AS Details\r\nELITETEAM have been highlighted in the past by other researchers, identifying them as malicious / BPH\r\nproviders. To quote Spamhaus in their botnet report from 2021: “[ELITETEAM] is a bulletproof hosting company\r\npurporting to be located in Seychelles. In reality, they more than likely operate out of Russia.”\r\nIn late 2020, when the ASs were first allocated to ELITETEAM, they were initially declared as Russian before\r\nbeing updated to reflect their status as Seychellois, as is the case today.\r\nFigure 20: ASN Description Information for AS51381 and AS60424\r\nDigging deeper into the details surrounding the ASs assigned to ELITETEAM, looking at information such as\r\nnetblock announcements and peering, we were able to establish further ties to Russia.\r\nFigure 21: ELITETEAM Peers\r\nIndeed, all ASs connected to the ELITETEAM infrastructure are owned by Russian entities:\r\nAS3555 | Crex Fex Pex Internet System Solutions LLC | Announcing AS51381 until January 2021\r\nAS203804 | AS Infolika | Peer until February 2021\r\nDetails of the above activity have been disclosed previously by Valery Reiss-Marchive when discussing the\r\nEgregor ransomware.\r\nAS213254 | OOO RAIT TELECOM | Peer until August 2022\r\nAS49612 | DDOS-GUARD LTD | Current peer as of September 2022\r\nAS3175 | Filanco LLC | Owned by Datahouse.ru, another Russian BPH provider for which ELITETEAM\r\nis an upstream peer\r\nAS213254 (OOO RAIT TELECOM) was seized by US law enforcement (ICE - Homeland Security\r\nInvestigations) in early September 2022 and is currently no longer 
visible on the routing table.\r\nFigure 22: US Law Enforcement Takedown of AS213254\r\nIt is possible that at some stage in the chain the operators were aware of the law enforcement action, as there was a\r\nmigration observed in August 2022, where for a period both AS213254 and AS49612 were observed as peers for\r\nAS51381.\r\nConclusion\r\nAs outlined throughout this blog, ELITETEAM enables malicious activity on a significant scale, allowing threat\r\nactors to operate with impunity against global targets, who in some cases appear to be individuals with surplus\r\nfunds with which to invest or experiment with digital currencies, and in others just your average Joe Public. We\r\nhave observed varying campaigns and TTPs, indicating diverse usage of ELITETEAM’s services by threat actors\r\nof varying skill sets. It is not often sound advice to say, “block all connections to a /24”, but in respect of the\r\ninfrastructure assigned to ELITETEAM, overwhelming evidence compels us to suggest exactly that.\r\nAll the data and information we have researched points to ELITETEAM being Russian / Russian-speaking,\r\noperating behind a shell organization in Seychelles. 
We have reason to believe that Datahouse, RU is connected to\r\nELITETEAM and worthy of further investigation.\r\nFigure 23: Obi Wan Kenobi Encountering ELITETEAM\r\nIOCs\r\nNetblock:\r\n185.215.113[.]0/24\r\nAmadey C2s on 2022/09/21:\r\n185.215.113[.]15\r\n185.215.113[.]92\r\n185.215.113[.]204\r\n185.215.113[.]35\r\n185.215.113[.]114\r\n185.215.113[.]205\r\nPhishing IPs:\r\n185.215.113[.]100\r\n185.215.113[.]201\r\n185.215.113[.]206\r\nPhishing domains:\r\nagricole-sms[.]org\r\nermac[.]icu\r\nbonus-agricole[.]pl\r\nreleyfi-login.comebien[.]app\r\nreleyfi-login.flipflop[.]app\r\nrelayfi-login.zenquickcash[.]net\r\nscipost-xmeta[.]org\r\ngeekgirlacademy[.]com\r\nicepapers[.]com\r\nhoamelgar[.]com\r\nwilliamsaraujo[.]com\r\nzspacelab[.]net\r\ncv19alert[.]com\r\nSkimmer IPs:\r\n185.215.113[.]5\r\n185.215.113[.]20\r\nSkimmer domains:\r\napiujquery[.]com\r\napigstatic[.]com\r\nFile sharing websites used to drop payloads:\r\nuploadgram[.]me\r\nmediafire[.]com\r\npu-file[.]com\r\nhero-files[.]com\r\nRedLine Stealer 
payloads:\r\nAmadey payloads:\r\nDetection mechanisms\r\nIDS Rules:\r\nMALWARE-CNC Win.Trojan.Redline variant outbound request detected\r\nET DROP Spamhaus DROP Listed Traffic Inbound group 22\r\nET DROP Spamhaus DROP Listed Traffic Inbound group 21\r\nET MALWARE Amadey CnC Check-In\r\nET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download\r\nMALWARE-CNC Win.Trojan.Amadey botnet outbound connection\r\nOther Considerations:\r\nMonitor external assets and endpoints for connections to the netblock assigned to ELITETEAM, in addition to the\r\nphishing and C2 IPs provided 
above.\r\nSource: https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore"
	],
	"report_names": [
		"seychelles-seychelles-on-the-c-2-shore"
	],
	"threat_actors": [
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434420,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/473e1359881549ee762bc6ae283125c7b0c03e93.pdf",
		"text": "https://archive.orkl.eu/473e1359881549ee762bc6ae283125c7b0c03e93.txt",
		"img": "https://archive.orkl.eu/473e1359881549ee762bc6ae283125c7b0c03e93.jpg"
	}
}