The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, a release in the 1.1.1 series that no longer receives security updates (the series reached end of life on September 11, 2023).

Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address shows up so frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.

Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.

The Moscow Internet address accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to those of known software companies, including libreoff1ce[.]com and

This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name, Mihail Kolesnikov, a name that has become somewhat synonymous with recent phishing domains tied to malicious Google ads. Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.

DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g.

The other half of the Kolesnikov websites are far more recent phishing domains, mostly ending in “.top” and “.app”, that appear designed to mimic the domains of major software companies, including ccleaner-cdn[.]top, adobeusa[.]top, and

In August 2023, researchers with Trustwave SpiderLabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan. But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware.
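The look-alike domains discussed above (libreoff1ce[.]com, ccleaner-cdn[.]top, adobeusa[.]top) share a few mechanical tells: a digit standing in for a letter, a filler token such as cdn or usa bolted onto a brand name, and a cheap TLD. The Python below is an added example, not code from the article or from DomainTools or Trustwave; it triages a list of defanged indicators for those tells and reports which brand each one imitates. The brand list, the allowlist of the brands' own registrable domains, the filler tokens and the homoglyph map are assumptions, and the sample list is constructed from the domains named above plus two benign controls. It generalises beyond the text by also stripping a leading www- and by accepting a label that is one edit away from a brand name.

```python
"""Triage candidate phishing domains for brand impersonation.

Added example: not code from the original article or from any of the
researchers it cites. The brand list, allowlist, filler tokens and homoglyph
map are assumptions chosen so that the domains named in the text are covered.
"""
from dataclasses import dataclass

# Brands we want to protect (assumed list).
BRANDS = ("libreoffice", "ccleaner", "adobe", "discord", "amazon", "cashapp")
# Registrable domains that legitimately carry those names (assumed allowlist).
ALLOWLIST = {"libreoffice.org", "ccleaner.com", "adobe.com", "discord.com",
             "amazon.com", "cash.app"}
# TLDs the article says the recent Kolesnikov phishing domains favour.
SUSPICIOUS_TLDS = {"top", "app"}
# Digit-for-letter substitutions (libreoff1ce -> libreoffice).
HOMOGLYPHS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
# Tokens phishers bolt onto a brand name (ccleaner-cdn, adobeusa, www-discord).
FILLER = ("cdn", "usa", "www", "download", "update", "official", "login", "secure")


@dataclass
class Finding:
    domain: str      # defanged form, safe to paste into a report
    brand: str       # the brand the label appears to imitate
    reasons: tuple   # why it was flagged


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as adobeusa[.]top back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def defang(domain: str) -> str:
    """Defang only the final dot, the convention used in the article."""
    head, _, tld = domain.rpartition(".")
    return f"{head}[.]{tld}" if head else domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_filler(label: str) -> str:
    """Peel filler tokens off either end until none remain (ccleanercdn -> ccleaner)."""
    changed = True
    while changed:
        changed = False
        for tok in FILLER:
            if label.startswith(tok) and len(label) > len(tok):
                label, changed = label[len(tok):], True
            if label.endswith(tok) and len(label) > len(tok):
                label, changed = label[:-len(tok)], True
    return label


def score_domain(indicator: str):
    """Return a Finding if the domain looks like brand impersonation, else None."""
    domain = refang(indicator).rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in ALLOWLIST:
        return None  # the brand's own domain is not a look-alike
    tld, sld = labels[-1], labels[-2]
    reasons = []
    raw = sld.replace("-", "")
    norm = "".join(HOMOGLYPHS.get(c, c) for c in raw)
    if norm != raw:
        reasons.append("digit-for-letter substitution")
    core = strip_filler(norm)
    if core != norm:
        reasons.append("filler token around brand")
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious tld .{tld}")
    for brand in BRANDS:
        if core == brand or norm == brand:
            return Finding(defang(domain), brand, ("brand name after normalisation", *reasons))
        if levenshtein(core, brand) == 1:
            return Finding(defang(domain), brand, ("one edit from brand name", *reasons))
    return None  # a cheap TLD alone is not evidence of impersonation


def triage(indicators):
    """Score every indicator and keep only the hits."""
    return [f for f in (score_domain(i) for i in indicators) if f]


# Constructed sample: the domains the article names plus two benign controls.
SAMPLE = ["libreoff1ce[.]com", "ccleaner-cdn[.]top", "adobeusa[.]top",
          "snatchteam[.]top", "adobe.com", "cash.app"]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit.domain, "->", hit.brand, ";", ", ".join(hit.reasons))
```

The allowlist is the check worth keeping: cash.app is a legitimate brand domain on the very TLD the article calls out, so the TLD is only reported alongside a brand match, never as a finding on its own, and snatchteam[.]top falls through as "no brand" rather than being mislabelled as impersonation.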