{
	"id": "4bdb50d5-b042-4b68-939c-5583f8ee936b",
	"created_at": "2026-04-06T00:11:10.959362Z",
	"updated_at": "2026-04-10T13:12:08.802026Z",
	"deleted_at": null,
	"sha1_hash": "d98422df074e1812a31ecf5856507448884dd000",
	"title": "What Service NSW has to do with Russia?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1448941,
	"plain_text": "What Service NSW has to do with Russia?\r\nBy Hunter22\r\nPublished: 2020-09-22 · Archived: 2026-04-05 22:00:44 UTC\r\nOne interesting offshoot of researching .gov.au websites running outside Australia was an odd service running\r\nfrom Russia. How did Service NSW – a website offering government services online – end up associated with\r\na Russian datacentre?\r\nAccording to this Shodan query, the domain name mta.comms.service.nsw.gov.au (an email server belonging to\r\nService NSW) appears to be hosted on the IP address 82.202.226.62.\r\nSix Australian Government-related services appear to be running from ... Russia?\r\nThe GeoIP database shows that this IP (82.202.226.62) belongs to Selectel, an IT company with six data centres in\r\nMoscow and St. Petersburg.\r\nWhat is going on here?\r\nBefore anyone gets excited, there is no direct association between Service NSW and Russia. The reality is\r\nmore boring, but with a clever twist.\r\nLinks to banking malware\r\nAccording to a Hybrid Analysis report from earlier, the IP address 82.202.226.62 was associated with a phishing\r\ncampaign.\r\nhttps://osint.fans/service-nsw-russia-association\r\nPage 1 of 5\n\nA malware analysis of a phishing campaign shows the IP is associated with malware.\r\nThe phishing campaign featured a Word document with a malicious payload trying to download a banking trojan\r\nonto the victims’ computer. 
The screenshots of this Word document with the malicious payload indicate that the\r\ncampaign was targeting NatWest (UK bank) customers.\r\nThe phishing campaign was targeting NatWest Bank customers in the UK.\r\nAn additional search reveals that the Russian IP address is (was) associated with a banking trojan called Trickbot.\r\nThis piece of malicious software was developed in 2016 with the sole purpose of stealing from bank accounts,\r\nBitcoin wallets and downloading other harmful code to the victims’ PC.\r\nAccording to Vulners, the IP (82.202.226.62) appears to be a ‘Command and Control’ (C2) server, which is an\r\nimportant network infrastructure element used to control and operate the botnet.\r\nVulners.com confirms that the Russian IP address was associated with the Trickbot banking trojan.\r\nThe last remaining question is, what does Trickbot have to do with the NSW Government? If we do a reverse DNS\r\nlookup on 82.202.226.62, it resolves to mta.comms.service.nsw.gov.au.\r\nA reverse DNS lookup shows that the Russian IP resolves to a Service NSW domain name.\r\nThe answer is that it is a clever attempt to disguise any communication between the infected PCs and the Trickbot\r\nC2 server (82.202.226.62) on corporate networks.\r\nBig companies usually monitor and log network traffic originating from their internal network. 
If a security\r\nanalyst drills into the network logs to identify covert communication channels between the corporate network and\r\nC2 servers on the Internet, a reverse DNS lookup on 82.202.226.62 will return the innocuous-looking domain\r\nname mta.comms.service.nsw.gov.au, seemingly belonging to a government-run website.\r\nAs DNS records for reverse DNS lookups are managed by the hosting provider (Selectel in this case), the malware\r\noperator may choose any arbitrary hostname to deceive security analysts.\r\nThe website on the Russian IP address was likely hacked and turned into a C2 server.\r\nThis is confirmed when we visit http://82.202.226.62. The website on this IP address seems to belong to a\r\nchemical company based in Russia. The website is hosted on WordPress, which was likely hacked and\r\nturned into a Command and Control server for the banking malware.\r\nConclusion\r\nSecurity analysts should not always trust reverse DNS lookups when hunting for malware. As this example shows,\r\nthe operators of Trickbot were actively trying to evade detection by disguising the Command and Control IP\r\naddress as a legitimate NSW Government service.\r\nWhat Service NSW can do in this situation is contact either Selectel or RU-CERT to have the deceptive reverse\r\nDNS record removed.\r\nSource: https://osint.fans/service-nsw-russia-association",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://osint.fans/service-nsw-russia-association"
	],
	"report_names": [
		"service-nsw-russia-association"
	],
	"threat_actors": [],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d98422df074e1812a31ecf5856507448884dd000.pdf",
		"text": "https://archive.orkl.eu/d98422df074e1812a31ecf5856507448884dd000.txt",
		"img": "https://archive.orkl.eu/d98422df074e1812a31ecf5856507448884dd000.jpg"
	}
}