PULSE NAME
Pattern 48: AEZA PTR Spoof Farm - Russian Credential Harvesting (github.com, telegram.org, VK, Yandex)
WHITE pduggusa 2025-12-05 Modified: 2026-01-04
3 IOCs
LOW VOLUME
Russian state-adjacent credential harvesting infrastructure using fake PTR records to impersonate major services. AEZA International LTD (UK shell company, 311 Shoreham Street Sheffield) controls 89.169.53.0/24 via REG.RU (Russian registrar) and AS31514 OOO Trivon Networks. Discovered via ThreatFox Stealc C2 correlation. Targets: developers (GitHub), Russian citizens (VK/Yandex/Telegram/RuTube), supply chain (Yandex repos).
Indicators of Compromise (3)
TYPE   | INDICATOR      | DESCRIPTION                                                            | CREATED
domain | ptr.network    | PTR spoofing domain - controls fake reverse DNS for entire operation   | 2025-12-05
domain | cookiesvps.com | VPS reseller frontend - registered via REG.RU Feb 2025                 | 2025-12-05
domain | aeza.net       | AEZA International LTD - bulletproof hosting provider                  | 2025-12-05