{
	"id": "3e05a921-6637-4440-96b4-fd06720b895c",
	"created_at": "2026-04-06T00:06:12.174468Z",
	"updated_at": "2026-04-10T03:32:46.175792Z",
	"deleted_at": null,
	"sha1_hash": "cfb24f0df7e6edaaa4767420430cd10299fd402d",
	"title": "Malicious Infrastructure as a Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80895,
	"plain_text": "Malicious Infrastructure as a Service\r\nBy Silent Push Threat Team\r\nPublished: 2021-04-25 · Archived: 2026-04-05 20:24:40 UTC\r\nDomains created for malicious purposes are rarely registered on their own. When you have identified such a domain, it is therefore always a good idea to look for other domains used in the same campaign.\r\nSometimes finding such a domain is easy. For example, you may notice a very similar domain (such as the .net version of a .com domain) registered with the same registrar on the same day. At other times you will need to look for other evidence, for example finding them hosted on the same IP address.\r\nIn general, however, linking two domains through a single IP address isn’t strong enough evidence that the domains themselves are linked. The link becomes a lot stronger, though, when two or more domains were seen moving through the same set of IP addresses simultaneously.\r\nIn previous blog posts, this was used to find five domains that used the same infrastructure and that were made to look like they belonged to a content delivery network, as well as the infrastructure of a LodaRAT campaign targeting Bangladesh.\r\nIn this blog post, a few more examples of sets of malicious domains that moved simultaneously through the same set of IP addresses will be examined. The sets of domains are linked and there is some evidence to suggest that the infrastructure belongs to a bulletproof hosting service.\r\nMagecart\r\nThe first set of domains spoofs well-known services such as Cloudflare, Google, jQuery and Magento:\r\nhttps://www.silentpush.com/blog/malicious-infrastructure-as-a-service\r\nPage 1 of 8\r\nThese domains were all registered at Russian registrar REG.RU on the 3rd of November 2020 and have simultaneously moved through the same set of IP addresses. They all use the name servers of DNSPod, a Chinese DNS hosting provider that has long been popular with cyber criminals.\r\nFor the first three months of 2021, the domains were seen on the following twenty IP addresses, in this order:\r\nSometimes, the domains only pointed to an IP address for less than a day, but in one case they pointed to the same IP address for three weeks in a row.\r\nThe IP addresses belong to various hosting services, with a particular preference for Google’s.\r\nInterestingly, around the 8th of March, nine more domains joined the cycle:\r\nThey have been pointing to the same IP address as the original set ever since.\r\nThere is public evidence linking these domains to Magecart. Magecart is an umbrella term used to refer to more than a dozen groups that insert code into websites’ payment pages that steals credit card data. A common trick used by Magecart groups is to make their domains look like those from which code is regularly included into web pages. A website owner looking at the source code of a webpage may thus incorrectly assume the inclusion of third-party JavaScript is harmless.\r\nNote: because the domains sometimes pointed to an IP address for a very short time period, it is possible that the list of IP addresses above isn’t complete for the three-month period January 1st to March 31st 2021. The same applies to the examples below.\r\nIcedID and Qakbot\r\nA second set of domains also cycled through a set of IP addresses, again all pointing to the same IP address at the same point in time.\r\nThe domains are:\r\nThe IP addresses are:\r\nThe domains were registered between late February and mid March 2021, mostly through Dutch registrar Hosting Concepts, with a few using REG.RU instead. The name servers used were again those of DNSPod, while the IP addresses belong to Google and Alibaba.\r\nInterestingly, two of the IP addresses were also used by the Magecart domains above, suggesting a possible link between the two sets.\r\nMany of the above domains have been used to download either the IcedID or the Qakbot malware. Both IcedID and Qakbot (also known as Qbot) are commonly used as initial access brokers. Though no direct link between these two actors is known, recently URLs of the type that previously served Qakbot started to serve IcedID instead.\r\nThis suggests that it is another actor that handles the spam campaigns that deliver either malware, an example of the increased commoditization of cybercrime. This would also explain why the domains listed above are different from the IcedID command and control domains written about recently, which use a different hosting infrastructure.\r\nUrsnif and phishing\r\nA third set of domains also cycled through a set of IP addresses:\r\nThe IP addresses in this case are:\r\nAll these domains were registered through Eranet, a registrar based in Hong Kong, and again used DNSPod’s nameservers. Two of the IP addresses were also used by the Magecart domains, suggesting a possible link.\r\nInterestingly, there are two kinds of domains in the list. On the one hand, there are random-looking domains which, as with the IcedID/Qakbot domains above, could suggest a domain generation algorithm (DGA). On the other hand, there are domains like docusign-cloud[.]com and upsdocstorage[.]com, of which one can be all but certain that they have been used in phishing campaigns: both DocuSign and UPS are commonly used in phishing lures.\r\nIt is not surprising therefore that these latter domains were taken down, often within a week after becoming active: lookalike domains are actively hunted by the affected organisations.\r\nAs for the DGA-like domains, one of them, uidacrtsppxece[.]com, has been linked to Ursnif, another common malware delivered in email campaigns.\r\nIt is unclear whether there is a direct link between Ursnif and the phishing domains beyond the use of the same infrastructure, or even whether all DGA-like domains have served Ursnif.\r\nOther domains\r\nThere are many other domains that have used the same infrastructure, including the use of the DNSPod DNS provider.\r\nFor example, the following domains…\r\nie-kbc[.]net\r\nie-kbc[.]org\r\nkbc-ie[.]net\r\nwww.kbcbanking[.]net\r\nwill no doubt have been used to impersonate KBC, an Irish bank, while authorise-eebilling[.]com has likely targeted customers of UK mobile provider EE. There are also several more domains that suggest a DGA.\r\nConclusion: a bulletproof hosting provider?\r\nThe similarities among the various sets described above, such as the use of DNSPod and the sharing of IP addresses, suggest that the campaigns described all use the same infrastructure, likely that of a bulletproof hosting service.\r\nA bulletproof hoster serves a similar function as a content-delivery network (CDN) does for legitimate domains: making it harder to mount a denial-of-service attack. The “attack” in this case would come from law enforcement and security researchers.\r\nIn the past, bulletproof hosters ran their own networks, which often led to the whole ASN being blocklisted. More modern bulletproof hosters rent servers at cloud providers and set these up as proxies for their customers’ content. By rotating through a set of IP addresses, the content is less vulnerable to being blocked based on the IP address.\r\nIntel471 recently wrote about bulletproof hosters and in particular mentioned DNSPod.\r\nOf course, we cannot be 100% certain that this is a bulletproof hoster, or even that the various campaigns do use the same infrastructure: the sharing of IP addresses may be a coincidence, or because there is another party involved in renting the servers.\r\nBut this is yet another example that shows how understanding the context of a domain name can help one find a lot of related infrastructure that is worth blocking, even without having seen evidence of actual malicious activity.\r\nSource: https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.silentpush.com/blog/malicious-infrastructure-as-a-service"
	],
	"report_names": [
		"malicious-infrastructure-as-a-service"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfb24f0df7e6edaaa4767420430cd10299fd402d.pdf",
		"text": "https://archive.orkl.eu/cfb24f0df7e6edaaa4767420430cd10299fd402d.txt",
		"img": "https://archive.orkl.eu/cfb24f0df7e6edaaa4767420430cd10299fd402d.jpg"
	}
}