{
	"id": "2fbcc440-582c-44f1-9034-f1d3a08d3c60",
	"created_at": "2026-04-06T00:19:09.005913Z",
	"updated_at": "2026-04-10T13:11:30.636251Z",
	"deleted_at": null,
	"sha1_hash": "81eaf0f606b4e5290f66d9b5c60f3ec533eef844",
	"title": "Void Balaur | The Sprawling Infrastructure of a Careless Mercenary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5066269,
	"plain_text": "Void Balaur | The Sprawling Infrastructure of a Careless\r\nMercenary\r\nBy Tom Hegel\r\nPublished: 2022-09-22 · Archived: 2026-04-05 16:37:29 UTC\r\nExecutive Summary\r\nThe cyber mercenary group known as Void Balaur continues to expand their hack-for-hire campaigns into\r\n2022 unphased by disruptions to their online advertising personas.\r\nNew targets include a wide variety of industries, often with particular business or political interests tied to\r\nRussia. Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks. Their\r\ntargets span the United States, Russia, Ukraine, and various other countries.\r\nAttacks are often very generic in theme, may appear opportunistic in nature, and account for targets\r\nmaking use of multi-factor authentication. The group seeks access to well-known email services (Gmail,\r\nOutlook, Yahoo), social media (Facebook, Instagram), messaging (Telegram), and corporate accounts.\r\nA unique and short-lived connection links Void Balaur’s infrastructure to the Russian Federal Protective\r\nService (FSO), a low-confidence indication of a potential customer relationship or resource sharing\r\nbetween the two.\r\nOverview\r\nVoid Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types\r\nacross the globe. Their services have been observed for sale to the public online since at least 2016. Services\r\ninclude the collection of private data and access to specific online email and social media services, such as Gmail,\r\nOutlook, Telegram, Yandex, Facebook, Instagram, and business emails.\r\nVoid Balaur was first reported in 2019 (eQualitie), then again in 2020 (Amnesty International). In November\r\n2021, our colleagues at Trend Micro profiled the larger set of malicious activity and named the actor “Void\r\nBalaur” based on a monster of Eastern European folklore. 
Most recently Google’s TAG highlighted some of their\r\nactivity earlier this year. Building on top of analysis from each of our above colleagues, the purpose here is to\r\nshare our analysis of interesting findings based on newer activity and the large scale set of attacker infrastructure.\r\nDuring our inaugural LABScon event today I presented on this very topic – a careless mercenary group known as\r\nVoid Balaur. Attendees of the conference were given a more detailed overview of the content shared here,\r\nincluding specific details on attribution to individuals in Latvia. In the spirit of LABScon, I look forward to\r\nfurther tracking of this actor alongside our industry colleagues to better protect society.\r\nThe Hack-for-Hire Business\r\nhttps://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/\r\nPage 1 of 27\n\nThe hack-for-hire service offering linked to Void Balaur has been advertised through various brand names, as also\r\nnoted by previous reporting. These are only two early examples of likely others run by the same entity.\r\nFirst is Hacknet, or “Hackernet-Service”, which began operating in late 2016. In these early years of activity, the\r\ngroup advertised their “Professional Hacking to Order” service for good and to help meet the needs others can not\r\nmeet. 
The name can be found advertising across many darkweb forums.\r\nThe section on legality of their service provides insight into the mindset and justification of the attacker.\r\nHacknet-Service legality section – Original\r\nHacknet-Service legality section – Translated\r\nServices first offered for hacking at the time included Yandex, Rambler, Mail.ru, Gmail, UKR.net, Yahoo,\r\nOutlook, corporate email, Instagram, VK.com, OK.ru, Facebook, and Skype, in addition to “Hacking Training”.\r\nA year later in 2017 the group removed the services of hacking Outlook, Facebook, and UKR.net while adding\r\nICQ messages. In 2018, the group updated their legality pitch noting that corporate email and other requests\r\noutside of their advertised list would be considered. Additionally, the group began offering services around\r\ncontent modification/uploading to email and social media networks.\r\nHacknet-Service Offerings Section – Translated\r\nUltimately, the Hacknet persona and their service ended around early 2020 following bans across services and\r\nbrand collapse after failing to follow through with hacking services they were paid for.\r\nThe second example is “RocketHack”, which became active in early 2018, acting as a second persona operated by\r\nthe same entity.\r\nThe RocketHack persona and offerings were thoroughly documented in the TrendMicro report. 
Interestingly, in\r\nour screenshot of their landing page, they used a quote from Nikolay Kononov’s book Kod Durova, a story on the\r\ncreation of the Russian VK social network.\r\nAround 2019, Hacknet and RocketHack began offering services through various hacker forums to provide\r\ninformation on individuals, including banking and government documents. The personas also began to offer\r\nservices for:\r\nRemote access or perform requested actions on target PCs\r\nRemove content from any blogs, forums, YouTube Channels, news sites or databases “of any institution”.\r\nClean up information online, and manipulate search engine results.\r\nRemote access to iPhones, mobile tracking, manipulating associated data.\r\nSMS historical records of targets.\r\nReal time location tracking through mobile networks.\r\nVoid Balaur Infrastructure\r\nAs of this blog, Void Balaur has operated over 5,000 unique domains used against individual targets. With a\r\nquantity of actor controlled domains in the thousands, each is an opportunity for the attacker to make\r\nmistakes and lead us to a new set of useful clues. 
Focusing on the most recent activity from Void Balaur, the set of\r\ndomains follow a repeating generic set of patterns.\r\nFree Email Services\r\nE.g., mail-my-accounts-gmail[.]com\r\nEmail Security / Privacy\r\nE.g., security-my-account[.]ru\r\nEmail Authentication / OAuth\r\naccounts-oauth-gmail[.]com\r\nPassports / Local Government (Limited, often Russian focus)\r\nE.g., no-reply-gosuslugi[.]ru\r\nThe collection of associated attacker infrastructure, such as domains and non-shared IPs, is quite large and\r\nrequires automated methods of tracking to keep up.\r\nSynapse Visual Representation of Domain Scale\r\nBased on our collection of all known Void Balaur domains, we can determine the creation time of each based on\r\nyear for an estimate of actor campaign activity. While early years activity was generally a very small set of\r\ninfrastructure, we can note the explosion of activity in 2019. Around this time is when the group was gaining a\r\nbad reputation and abandoning brands (Hacknet). This indicates that the group remained highly active without a\r\nwell known brand, potentially fulfilling requests for customers without the need to publicly advertise anymore.\r\nIt’s worth noting that the 2022 quantity is lower than expected at this time. However, the group historically has\r\nregistered domains in bulk rather than evenly throughout the year. Additionally, we have observed a new set of\r\ninfrastructure and campaigns we believe may be Void Balaur; however, technical links are not yet confident\r\nenough to publicly share at this time. 
Such activity could be an entirely unique group, or a new phase of Void\r\nBalaur attempting to evade further tracking.\r\nDomain Count by Year\r\nIntriguing Relationships\r\nA potential indicator of the careless OPSEC in the Void Balaur infrastructure is a low confidence connection to the\r\nRussian Federal Protective / Guard Service (FSO). The FSO institution operates with a range of capabilities,\r\nincluding the right to conduct surveillance, monitor communications, and operate clandestine activities. Was this a\r\ncustomer-confidentiality oversight by Void Balaur? Perhaps a mistake in the workflow of expanding their\r\ninfrastructure? The meaning and exact technical reason behind this connection is unclear; however, based on our\r\nattribution to technical operators outside of Russia, it is potentially a clue that Russian intelligence agencies are\r\nsomehow involved with Void Balaur and the FSO is either directly using the services or supporting the use of the\r\nservices internally.\r\nSpecifically, one domain in the thousands of those created and operated by Void Balaur over the years was seen\r\nimmediately resolving to the Russian FSO network after it was registered. In early 2022 the domain accounts-my-mail-gmail[.]com resolved to 95.173.132[.]1 for four days following its registration, then quickly shifting\r\nto the traditional Void Balaur cluster of infrastructure. The IP 95.173.132[.]1 is owned and operated by the\r\nRussian FSO, typically reserved for official .ru government websites. 
To reiterate, this connection is only\r\nobserved once in the entirety of Void Balaur infrastructure.\r\nVisualization of link between Void Balaur Infrastructure and FSO\r\nTargeting\r\nVoid Balaur continues their known targeting of a wide variety of individuals and organizations across the globe.\r\nThe vast majority of known 2022 targets hold a special interest or involvement in business and political situations\r\nrelevant to organizations inside Russia. Examples include individuals heavily involved in geopolitics, legal,\r\nbusiness transactions, technology, human rights and more. Locations of these individuals include:\r\nRussia\r\nUnited States\r\nUnited Kingdom\r\nTaiwan\r\nBrazil\r\nKazakhstan\r\nUkraine\r\nMoldova\r\nGeorgia\r\nSpain\r\nCentral African Republic\r\nSudan\r\n2022 Target Map\r\nWe observed continued targeting in 2022 making use of generic, highly reproducible, phishing emails to lure\r\ntargets into providing account credentials. Based on thousands of phishing domains we collected, Google owned\r\nservices are the most common targets and attack themes.\r\nHowever, in most cases the phishing emails are somewhat more relevant to the target of choice. For example, this\r\nincludes emails designed to mimic local government services, or online websites common to a particular target,\r\nsuch as banking or social media. Void Balaur has made use of this approach for much of its existence. Examples\r\ninclude a 2016 attempt at phishing on the Moscow motorcycle road racing Youtuber Alexey Naberezhny, and in\r\n2017 the Russian journalist and social media personality Ilya Varlamov. 
These individuals were targeted by Void\r\nBalaur with phishing emails spoofing Russian Public Services traffic fines.\r\nVoid Balaur Traffic Fine Phishing Message Targeting Ilya Varlamov\r\nVoid Balaur Traffic Fine Phishing Message Targeting Alexey Naberezhny\r\nIn this case, the payment link goes to srv-gm[.]ru, accountc-gooogle.com, and others, which return an illicit\r\nGoogle login page.\r\nGoogle Phishing Page\r\nIn 2022, we observed cases in which Void Balaur sought to compromise Google accounts with multi-factor\r\nauthentication enabled as well. For example, some phishing pages would ask the target to enter backup codes\r\nGoogle provides during the initial 2-Step verification setup process.\r\nIllicit 2-Step Verification Backup Code Request\r\nConclusion\r\nVoid Balaur remains a highly active and evolving threat to individuals across the globe. From the targeting of well\r\nknown email services to the offering of hacking corporate networks, the group represents a clear example of the\r\nhack-for-hire market. 
We expect this type of actor to be increasingly common to observe in the wild.\r\nRecent IOCs\r\nSource: https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/"
	],
	"report_names": [
		"the-sprawling-infrastructure-of-a-careless-mercenary"
	],
	"threat_actors": [
		{
			"id": "eed84d1d-a457-43d7-8dba-e41cf7cea6e5",
			"created_at": "2023-01-06T13:46:39.474045Z",
			"updated_at": "2026-04-10T02:00:03.340923Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Balaur",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dd5d24e4-366c-4bd4-8587-fc9606a0cff6",
			"created_at": "2022-10-25T16:07:24.383804Z",
			"updated_at": "2026-04-10T02:00:04.969329Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [
				"Rockethack"
			],
			"source_name": "ETDA:Void Balaur",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81eaf0f606b4e5290f66d9b5c60f3ec533eef844.pdf",
		"text": "https://archive.orkl.eu/81eaf0f606b4e5290f66d9b5c60f3ec533eef844.txt",
		"img": "https://archive.orkl.eu/81eaf0f606b4e5290f66d9b5c60f3ec533eef844.jpg"
	}
}