PULSE NAME
First VPN Service Infrastructure Used by Ransomware Operators
TLP: WHITE
Multiple ransomware groups (including Avaddon and affiliates)
Rokalien77
2026-05-21, Modified: 2026-05-21
47 IOCs, MEDIUM VOLUME
This pulse contains indicators of compromise (IOCs) associated with the “First VPN Service,” a provider leveraged by multiple ransomware groups for anonymization, reconnaissance, and intrusion activities. According to an FBI FLASH report (May 21, 2026), this VPN infrastructure has been used by at least 25 ransomware groups to conduct scanning, brute-force attempts, and unauthorized network access. The service includes globally distributed exit nodes and supports protocols designed to mask malicious traffic as legitimate HTTPS activity. The included indicators (domains, IP addresses, and communication channels) represent historically observed infrastructure tied to this activity and should be validated with additional telemetry due to possible reassignment over time.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Avaddon
Indicators of Compromise (47)