{
	"id": "315f6482-9bdd-4336-bb50-26f3baf5e6fa",
	"created_at": "2026-04-06T00:11:35.377509Z",
	"updated_at": "2026-04-10T13:12:40.774042Z",
	"deleted_at": null,
	"sha1_hash": "ad45990a97017af443c49039a9efaa377497e79c",
	"title": "Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1347331,
	"plain_text": "Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)\r\nBy L M\r\nPublished: 2023-10-04 · Archived: 2026-04-05 13:04:24 UTC\r\nExecutive Summary\r\nWe investigated a recent LockBit extortion incident that occurred in Q3 2023, which involved an unusual FTP server located in Moscow. The hostname of this server was identified as matching many hostnames found in various posts on the LockBit leak site.\r\nOur investigation revealed that this remote endpoint is associated with criminal activities dating back to 2019, indicating that these hosts were likely under the control of the same technical administration.\r\nFurthermore, the results of our analysis also linked this particular hostname to an individual named “Bentley,” who was previously the technical lead and system administrator for the Conti group.\r\nBased on our findings, we identified a potential connection between a person responsible for maintaining these hosts and both the LockBit incident and a broader spectrum of criminal activities.\r\nhttps://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79\r\nPage 1 of 9\r\nNOTE: This version of the report has been redacted for TLP:WHITE disclosure.\r\nIntroduction\r\nDigging into ransomware infections always provides valuable insights. This time, we investigated peculiar details of a recent LockBit-based intrusion that happened in Q3 2023, and we uncovered connections between a wide range of cybercriminal activities, highlighting some of the constants characterizing a dangerous threat actor operating deeply in the digital underground.\r\nIn this article, we present our findings from examining the exfiltration infrastructure associated with one of the most notorious LockBit affiliates, which has also been tracked by CISA. We elucidate how these findings are interconnected within a broader threat landscape encompassing numerous other criminal business verticals, all seemingly under the control of a single enigmatic administration.\r\nTechnical Details\r\nEvidence from the field\r\nAt some point, the LockBit incident investigation landed at a very interesting point: the ransomware affiliate conducted the data exfiltration phase through an FTP channel tunneled over a TLS connection. As reported by CISA in their “AA23-165A” joint advisory back in June 2023, the operator ingeniously exploited the FileZilla FTP client and employed Ngrok tunneling services to facilitate this process. Notably, in this specific instance, the ransomware affiliate utilized a server located in Moscow, which was administered by a Hong Kong-based hosting provider known as Chang Way Technologies Co. Limited.\r\nA quick examination of the publicly accessible profile of the Moscow-based server swiftly uncovered a peculiarity. Among the array of exposed services, there was an active RDP (Remote Desktop Protocol) service running on the machine, disclosing not only its operating system version but also, of greater interest, its hostname.\r\nFigure. The hostname of a LockBit exfiltration server\r\nAt first sight, the particular hostname does not mean much: the format “WIN-XXXXXXXXXXX” resembles the typical default, randomly generated hostname chosen by the Windows operating system during the installation phase. But here we noticed the interesting part: multiple past LockBit victims show this hostname within their dedicated page on the gang’s data leak site. This re-use might not be just aesthetic: the chance of multiple LockBit affiliates randomly matching their hostname is almost zero, so this correlation enables us all to spot the connection between this particular affiliate and its victims.\r\nFigure. Example of a LockBit victim showing the “WIN-LIVFRVQFMKO” hostname.\r\nIn addition, the machine presenting this hostname has its system language configured to Russian, but this is not the only interesting fact. Pivoting on the infrastructure, we found 105 hosts with the same hostname serving an IIS-based FTP service. Such servers have been deployed in 16 countries spread worldwide: Russia, Netherlands, Finland, United States, Kazakhstan, Turkey, Ukraine, Czech Republic, Latvia, Norway, Poland, Romania, Uzbekistan, Germany, France, and Greece.\r\nFigure. Remote Desktop login screen of “WIN-LIVFRVQFMKO”\r\nWidening the Connections\r\nAfter the discovery of this hidden connection, we moved forward to investigate what else could be linked to this LockBit affiliate through its infrastructure, and the result was astonishing: many researchers had stumbled upon that hostname in various malicious operations. For instance:\r\nIn September 2019, Cybereason found this hostname in old LockBit 2.0 extortions, linking the “WIN-LIVFRVQFMKO” hostname to another exfiltration endpoint handled by the same provider, Chang Way Technologies Co. Limited.\r\nIn 2021, that hostname appeared in SMTP messages from an M247 LTD Berlin host reported as a “romance scam” in a popular romance and dating scam tracking forum.\r\nIn March 2022, the hostname appeared in the Conti Leak chat, in a particular conversation dated back to October 2021 where Bentley (one of the group’s sysadmins) was switching a piece of their Tor infrastructure from onion v2 domains to onion v3. In this context, a user named “bloodrush” leaked the hostname by copy-pasting a chat line written by Bentley, accidentally exposing the hostname.\r\nIndicators the NetmanageIT Threat Intelligence team shared about a June 2023 Ursnif campaign targeting Italy report many remote destinations hosting Ursnif tier 1 command and controls sharing the same hostname (Melbikomas UAB, ).\r\nIn August 2023, the security researcher 0xToxin documented an infection chain leveraging AutoIT scripts to deliver the DarkGate malware, a particular stealer also supporting HVNC and HAnyDesk, and the C2 he decoded was using the same hostname too (XHOST INTERNET SOLUTIONS LP).\r\nThis hostname connection is particularly heterogeneous, but it technically makes sense. As specified above, the Windows operating system typically generates a random hostname only during the installation phase, and typical system administration and DevOps practices do not require a Windows installation from scratch so often. Frequently, sysadmins rely on the so-called Golden Images: snapshots of a pre-installed operating system ready to be customized for the particular application.\r\nSo, with a good degree of confidence, we are looking at multiple instances generated from the same base image, likely linked to a single organization, and the extension of this linked infrastructure involves more than 8 thousand hosts worldwide, at least a third of which are located in CIS countries.\r\nFigure. Potential extension of the related infrastructure\r\nAll these pieces draw a very unsettling picture. In fact, since 2019, the hostname has linked a wide range of eCrime activities such as ransomware and data extortions, info-stealing malware spreading, botnet infections, and scams. Basically, it seems we are observing a piece of infrastructure linked to a very well-organized criminal gang operating in the full depth of the eCrime ecosystem: stealing initial access credentials, deploying banking bots and ransomware precursors, conducting digital extortions, and laundering money through unaware individuals. And, to make it worse, this hostname also seems related to an ex-Conti sysadmin, hinting at a link with the Wizard Spider criminal group.\r\nUnveiling the Criminal Identity\r\nThe curious fact of all this investigation is the potential connection with a Russian DevOps professional specialized in managing these machines.\r\nDue to the sensitive nature of this information, we are not going to disclose any details publicly. This TLP:RED information can only be shared with vetted researchers.\r\nFigure. Potential LockBit Affiliate Public Profile\r\nConclusion\r\nOur investigation into a recent LockBit incident led us to unwrap the enigmatic mystery of the “golden hostname”, which painted a disturbing portrait of a highly organized criminal enterprise operating deeply in the eCrime ecosystem. The evidence we’ve uncovered points to a single organization using multiple instances likely generated from the same base image.\r\nSince 2019, this hostname has been implicated in a wide array of cybercriminal activities, ranging from ransomware attacks and data exfiltrations to info-stealing malware distribution and scams. Furthermore, the potential link to the ex-Conti sysadmin hints at ties to the notorious Wizard Spider criminal group, raising concerns about the scale and scope of their operations.\r\nIn a curious twist, our investigation has led us to an overlap between a Russian DevOps professional and the same LockBit incident we investigated, pointing to a potential connection between this individual and one of the largest cybercriminal enterprises.\r\nThis LockBit incident serves as a reminder that shared intelligence and collaboration among cybersecurity professionals are our most potent weapons against the dark forces of the digital world. By piecing together the puzzle of cybercrime, we can better prepare companies and organizations to protect against these modern and extensive threats.\r\nIndicators of Compromise\r\nPotentially Linked Exfiltration Infrastructure:\r\n
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79"
	],
	"report_names": [
		"lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad45990a97017af443c49039a9efaa377497e79c.pdf",
		"text": "https://archive.orkl.eu/ad45990a97017af443c49039a9efaa377497e79c.txt",
		"img": "https://archive.orkl.eu/ad45990a97017af443c49039a9efaa377497e79c.jpg"
	}
}