Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.
Void Balaur was first reported in 2019 (eQualitie), then again in 2020 (Amnesty International). In November 2021, our colleagues at Trend Micro profiled the larger set of malicious activity and named the actor “Void Balaur” based on a monster of Eastern European folklore. Most recently Google’s TAG highlighted some of their activity earlier this year. Building on top of analysis from each of our above colleagues, the purpose here is to share our analysis of interesting findings based on newer activity and the large scale set of attacker infrastructure.
During our inaugural LABScon event today I presented on this very topic – a careless mercenary group known as Void Balaur. Attendees of the conference were given a more detailed overview of the content shared here, including specific details on attribution to individuals in Latvia. In the spirit of LABScon, I look forward to further tracking of this actor alongside our industry colleagues to better protect society.
The hack-for-hire service offering linked to Void Balaur has been advertised through various brand names, as also noted by previous reporting. These are only two early examples of likely others run by the same entity.
First is Hacknet, or “Hackernet-Service”, which began operating in late 2016. In these early years of activity, the group advertised their “Professional Hacking to Order” service for good and to help meet the needs others can not meet. The name can be found advertising across many darkweb forums.
The section on legality of their service provides insight into the mindset and justification of the attacker.
Services first offered for hacking at the time included Yandex, Rambler, Mail.ru, Gmail, UKR.net, Yahoo, Outlook, corporate email, Instagram, VK.com, OK.ru, Facebook, and Skype, in addition to “Hacking Training”.
A year later in 2017 the group removed the services of hacking Outlook, Facebook, and UKR.net while adding ICQ messages. In 2018, the group updated their legality pitch noting that corporate email and other requests outside of their advertised list would be considered. Additionally, the group began offering services around content modification/uploading to email and social media networks.
Ultimately, the Hacknet persona and their service ended around early 2020 following bans across services and brand collapse after failing to follow through with hacking services they were paid for.
The second example is “RocketHack”, which became active in early 2018, acting as a second persona operated by the same entity.
The RocketHack persona and offerings were thoroughly documented in the TrendMicro report. Interestingly, in our screenshot of their landing page, they used a quote from Nikolay Kononov’s book Kod Durova, a story on the creation of the Russian VK social network.
Around 2019, Hacknet and RocketHack began offering services through various hacker forums to provide information on individuals, including banking and government documents. The personas also begin to offer services for:
As of this blog, Void Balaur has operated over 5,000 unique domains used against individual targets. With a quantity of actor controlled domains in the thousands, each provides us an opportunity for the attacker to make mistakes and lead us to a new set of useful clues. Focusing on the most recent activity from Void Balaur, the set of domains follow a repeating generic set of patterns.
The collection of associated attacker infrastructure, such as domains and non-shared IPs, is quite large and requires automated methods of tracking to keep up.
Based on our collection of all known Void Balaur domains, we can determine the creation time of each based on year for an estimate of actor campaign activity. While early years activity was generally a very small set of infrastructure, we can note the explosion of activity in 2019. Around this time is when the group was gaining a bad reputation and abandoning brands (Hacknet). This indicates that the group remained highly active without a well known brand, potentially fulfilling requests for customers without the need to publicly advertise anymore.
It’s worth noting that the 2022 quantity is lower than expected at this time. However, the group historically has registered domains in bulk rather than evenly throughout the year. Additionally, we have observed a new set of infrastructure and campaigns we believe may be Void Balaur; however, technical links are not yet confident enough to publicly share at this time. Such activity could be an entirely unique group, or a new phase of Void Balaur attempting to evade further tracking.
A potential indicator of the careless OPSEC in the Void Balaur infrastructure is a low confidence connection to the Russian Federal Protective / Guard Service (FSO). The FSO institution operates with a range of capabilities, including the right to conduct surveillance, monitor communications, and operate clandestine activities. Was this a customer-confidentiality oversight by Void Balaur? Perhaps a mistake in the workflow of expanding their infrastructure? The meaning and exact technical reason behind this connection is unclear; however, based on our attribution to technical operators outside of Russia, it is potentially a clue that Russian intelligence agencies are somehow involved with Void Balaur and the FSO is either directly using the services or supporting the use of the services internally.
Specifically, one domain in the thousands of those created and operated by Void Balaur over the years was seen immediately resolving to the Russian FSO network after it was registered. In early 2022 the domain accounts-my-mail-gmail[.]com
resolved to 95.173.132[.]1
for four days following its registration, then quickly shifting to the traditional Void Balaur cluster of infrastructure. The IP 95.173.132[.]1
is owned and operated by the Russian FSO, typically reserved for official .ru
government websites. To reiterate, this connection is only observed once in the entirety of Void Balaur infrastructure.
Void Balaur continues their known targeting of a wide variety of individuals and organizations across the globe. The vast majority of known 2022 targets hold a special interest or involvement in business and political situations relevant to organizations inside Russia. Examples include individuals heavily involved in geopolitics, legal, business transactions, technology, human rights and more. Locations of these individuals include:
We observed continued targeting in 2022 making use of generic, highly reproducible, phishing emails to lure targets into providing account credentials. Based on thousands of phishing domains we collected, Google owned services are the most common targets and attack themes.
However, in most cases the phishing emails are somewhat more relevant to the target of choice. For example, this includes emails designed to mimic local government services, or online websites common to a particular target, such as banking or social media. Void Balaur has made use of this approach for much of its existence. Examples include a 2016 attempt at phishing on the Moscow motorcycle road racing Youtuber Alexey Naberezhny, and in 2017 the Russian journalist and social media personality Ilya Varlamov. These individuals were targeted by Void Balaur with phishing emails spoofing Russian Public Services traffic fines.
In this case, the payment link goes to srv-gm[.]ru
, accountc-gooogle.com
, and others, which returns an illicit Google login page.
In 2022, we observed cases in which Void Balaur sought to compromise Google accounts with multi-factor authentication enabled as well. For example, some phishing pages would ask the target to enter backup codes Google provides during the initial 2-Step verification setup process.
Void Balaur remains a highly active and evolving threat to individuals across the globe. From the targeting of well known email services to the offering of hacking corporate networks, the group represents a clear example of the hack-for-hire market. We expect this type of actor to be increasingly common to observe in the wild.
account-mail-passport[.]ru account-my-mail-gmail[.]com account-my-oauths-mail[.]ru account-oauth-gmail[.]com accounts-mail-passport[.]ru accounts-my-mail-gmail[.]com accounts-my-oauth-mail[.]ru accounts-oauth-gmail[.]com cloud-account-mail[.]ru cloud-accounts-goglemail[.]com cloud-accounts-mail[.]ru cloud-my-accounts-mail[.]ru cloud-myaccount-goglemail[.]com cloud-myaccount-mail[.]ru community-experience-manager[.]ru community-experience-my-community[.]ru community-experience-permission[.]ru community-experience-preference[.]ru community-experience-types[.]ru community-experience[.]ru community-manager-experience[.]ru community-manager-place[.]ru community-manager-preference[.]ru community-manager-safety[.]ru community-manager-smartlink[.]ru community-manager-types[.]ru community-manager[.]ru community-my-permission[.]ru community-my-place[.]ru community-my-safe[.]ru community-my-safety[.]ru community-my-source[.]ru community-my-types[.]ru community-online-experience[.]ru community-online-manager[.]ru community-online-permission[.]ru community-online-place[.]ru community-online-types[.]ru community-permission-experience[.]ru community-permission-manager[.]ru community-permission-preference[.]ru community-permission-source[.]ru community-permission[.]ru community-place-community[.]ru community-place-manager[.]ru community-place-permission[.]ru community-place-preference[.]ru community-place-types[.]ru community-place[.]ru community-preference-manager[.]ru community-preference-permission[.]ru community-preference-place[.]ru community-safe-manager[.]ru community-safe-permission[.]ru community-safe-place[.]ru community-safe-types[.]ru community-safety-manager[.]ru community-safety-my-experience[.]ru community-safety-permission[.]ru community-safety-place[.]ru community-safety-preference[.]ru community-safety-types[.]ru community-smartlink-experience[.]ru community-smartlink-manager[.]ru community-smartlink-permission[.]ru community-smartlink-types[.]ru community-source-manager[.]ru community-source-permission[.]ru community-source-place[.]ru community-source-preference[.]ru community-types-experience[.]ru community-types-manager[.]ru community-types-permission[.]ru community-types[.]ru experience-community-manager[.]ru experience-community-my-smartlink[.]ru experience-community-permission[.]ru experience-community-preference[.]ru experience-manager-community[.]ru experience-manager-permission[.]ru experience-manager-place[.]ru experience-manager-safety[.]ru experience-manager-smartlink[.]ru experience-manager-types[.]ru experience-manager[.]ru experience-my-community-smartlink[.]ru experience-my-manager[.]ru experience-my-online-smartlink[.]ru experience-my-permission[.]ru experience-my-place[.]ru experience-my-preference-smartlink[.]ru experience-my-preference[.]ru experience-my-safe-smartlink[.]ru experience-my-safe[.]ru experience-my-safety[.]ru experience-my-source-smartlink[.]ru experience-my-source[.]ru experience-online-manager[.]ru experience-online-my-smartlink[.]ru experience-online-permission[.]ru experience-online-place[.]ru experience-online-preference[.]ru experience-online-smartlink[.]ru experience-online-types[.]ru experience-permission-community[.]ru experience-permission-manager[.]ru experience-permission-place[.]ru experience-permission-preference[.]ru experience-permission-smartlink[.]ru experience-permission-source[.]ru experience-permission[.]ru experience-place-smartlink[.]ru experience-place-types[.]ru experience-place[.]ru experience-preference-manager[.]ru experience-preference-my-smartlink[.]ru experience-preference-permission[.]ru experience-preference-place[.]ru experience-preference-smartlink[.]ru experience-safe-manager[.]ru experience-safe-my-smartlink[.]ru experience-safe-permission[.]ru experience-safe-place[.]ru experience-safe-preference[.]ru experience-safe-smartlink[.]ru experience-safe-types[.]ru experience-safety-manager[.]ru experience-safety-my-smartlink[.]ru experience-safety-permission[.]ru experience-safety-place[.]ru experience-safety-preference[.]ru experience-safety-smartlink[.]ru experience-safety-types[.]ru experience-smartlink-manager[.]ru experience-smartlink-permission[.]ru experience-smartlink-preference[.]ru experience-source-my-smartlink[.]ru experience-source-place[.]ru experience-source-preference[.]ru experience-source-smartlink[.]ru experience-types-place[.]ru experience-types-smartlink[.]ru experience-types[.]ru login-account-cloud-mail[.]ru login-accounts-mail[.]ru login-auth-account-mail[.]ru login-auth-accounts-mail[.]ru login-cloud-account-mail[.]ru login-cloud-myaccount-mail[.]ru login-my-acounts-mail[.]ru login-myaccount-cloud-mail[.]ru login-oauth-mail[.]ru mail-auth-account[.]ru mail-auth-myacount[.]ru mail-ems[.]ru mail-login-auth[.]ru mail-login-oauth[.]ru mail-my-acounts-mail[.]ru mail-my-passport-account[.]ru mail-security-myaccount[.]ru mail-security-myaccounts[.]ru manager-community-permission[.]ru manager-community-place[.]ru manager-community-types[.]ru manager-experience-permission[.]ru manager-experience-place[.]ru manager-experience-preference[.]ru manager-experience-types[.]ru manager-my-community[.]ru manager-my-experience[.]ru manager-my-preference[.]ru manager-my-safe[.]ru manager-my-smartlink[.]ru manager-my-source[.]ru manager-online-community[.]ru manager-online-permission[.]ru manager-online-place[.]ru manager-online-preference[.]ru manager-online-smartlink[.]ru manager-online-types[.]ru manager-permission-place[.]ru manager-permission-preference[.]ru manager-permission-source[.]ru manager-permission-types[.]ru manager-place-community[.]ru manager-place-experience[.]ru manager-place-permission[.]ru manager-place-preference[.]ru manager-place-smartlink[.]ru manager-place-types[.]ru manager-preference-community[.]ru manager-preference-permission[.]ru manager-preference-place[.]ru manager-preference-smartlink[.]ru manager-preference-types[.]ru manager-safe-community[.]ru manager-safe-experience[.]ru manager-safe-permission[.]ru manager-safe-place[.]ru manager-safe-preference[.]ru manager-safe-smartlink[.]ru manager-safe-types[.]ru manager-safety-community[.]ru manager-safety-permission[.]ru manager-safety-place[.]ru manager-safety-smartlink[.]ru manager-smartlink-permission[.]ru manager-smartlink-place[.]ru manager-smartlink-types[.]ru manager-source-community[.]ru manager-source-permission[.]ru manager-source-place[.]ru manager-source-preference[.]ru manager-source-smartlink[.]ru manager-types-community[.]ru manager-types-experience[.]ru manager-types-permission[.]ru manager-types-place[.]ru my-account-auth-mail[.]ru my-account-mail-passport[.]ru my-account-my-cloud-mail[.]ru my-account-oauth-mail[.]ru my-accounts-mail-passport[.]ru my-acount-oauths[.]ru my-cloud-accounts-mail[.]ru my-community-experience[.]ru my-community-manager[.]ru my-community-permission[.]ru my-community-place[.]ru my-community-smartlink[.]ru my-community[.]ru my-experience-manager[.]ru my-experience-permission[.]ru my-experience-place[.]ru my-experience-preference[.]ru my-mail-account-mail[.]ru my-mail-account-yahoo[.]com my-mail-accounts-mail[.]ru my-manager-community[.]ru my-manager-experience[.]ru my-manager-place[.]ru my-manager-preference[.]ru my-manager-safety[.]ru my-manager-smartlink[.]ru my-oauth-account-gmail[.]com my-oauth-account-mail[.]ru my-oauth-accounts-mail[.]ru my-oauths-account-mail[.]ru my-oauths-accounts-mail[.]ru my-online-experience[.]ru my-online-permission[.]ru my-online-place[.]ru my-permission-community[.]ru my-permission-experience[.]ru my-permission-manager[.]ru my-permission-place[.]ru my-permission-preference[.]ru my-permission-smartlink[.]ru my-place-smartlink[.]ru my-preference-experience[.]ru my-preference-manager[.]ru my-preference-permission[.]ru my-preference-place[.]ru my-preference[.]ru my-safe-community[.]ru my-safe-experience[.]ru my-safe-permission[.]ru my-safe-place[.]ru my-safety-community[.]ru my-safety-experience[.]ru my-safety-permission[.]ru my-safety-place[.]ru my-signin-account-gmail[.]com my-signin-accounts-gmail[.]com my-smartlink-experience[.]ru my-smartlink-manager[.]ru my-smartlink-permission[.]ru my-smartlink-place[.]ru my-smartlink[.]ru my-source-community[.]ru my-source-place[.]ru my-types-community[.]ru my-types-permission[.]ru my-types-place[.]ru myaccount-mail-passport[.]ru myaccount-my-mail-gmail[.]com myaccount-oauths[.]ru myaccounts-auth[.]ru myaccounts-mail-passport[.]ru myaccounts-my-mail-gmail[.]com no-reply-gosuslugi[.]ru oauth-login-account-mail[.]ru oauth-login-accounts-mail[.]ru permission-community-experience[.]ru permission-community-manager[.]ru permission-community-place[.]ru permission-community-preference[.]ru permission-community-types[.]ru permission-experience-manager[.]ru permission-experience-preference[.]ru permission-manager-community[.]ru permission-manager-experience[.]ru permission-manager-place[.]ru permission-manager-preference[.]ru permission-manager-smartlink[.]ru permission-manager-types[.]ru permission-my-community[.]ru permission-my-experience[.]ru permission-my-manager[.]ru permission-my-place[.]ru permission-my-preference[.]ru permission-my-safe[.]ru permission-my-smartlink[.]ru permission-my-source[.]ru permission-my-types[.]ru permission-online-experience[.]ru permission-online-manager[.]ru permission-online-place[.]ru permission-online-preference[.]ru permission-online-types[.]ru permission-place-community[.]ru permission-place-experience[.]ru permission-place-manager[.]ru permission-place-smartlink[.]ru permission-place-types[.]ru permission-place[.]ru permission-preference-manager[.]ru permission-preference-types[.]ru permission-safe-experience[.]ru permission-safe-manager[.]ru permission-safe-place[.]ru permission-safe-preference[.]ru permission-safe-types[.]ru permission-safety-experience[.]ru permission-safety-manager[.]ru permission-safety-place[.]ru permission-safety-preference[.]ru permission-safety-smartlink[.]ru permission-safety-types[.]ru permission-smartlink-experience[.]ru permission-smartlink-manager[.]ru permission-smartlink-preference[.]ru permission-smartlink-types[.]ru permission-smartlink[.]ru permission-source-manager[.]ru permission-source-preference[.]ru permission-types-place[.]ru place-community-experience[.]ru place-community-manager[.]ru place-community-permission[.]ru place-community-safe[.]ru place-community-safety[.]ru place-community-smartlink[.]ru place-community-source[.]ru place-community-types[.]ru place-community[.]ru place-experience-community[.]ru place-experience-manager[.]ru place-experience-permission[.]ru place-experience-place[.]ru place-experience-safe[.]ru place-experience-safety[.]ru place-experience-source[.]ru place-experience-types[.]ru place-experience[.]ru place-manager-community[.]ru place-manager-permission[.]ru place-manager-safe[.]ru place-manager-safety[.]ru place-manager-smartlink[.]ru place-manager-source[.]ru place-manager-types[.]ru place-manager[.]ru place-my-community[.]ru place-my-experience[.]ru place-my-manager[.]ru place-my-permission[.]ru place-my-preference[.]ru place-my-safe[.]ru place-my-smartlink[.]ru place-my-types[.]ru place-online-community[.]ru place-online-experience[.]ru place-online-manager[.]ru place-online-permission[.]ru place-online-safety[.]ru place-online-smartlink[.]ru place-online-source[.]ru place-online-types[.]ru place-permission-community[.]ru place-permission-experience[.]ru place-permission-safety[.]ru place-permission-smartlink[.]ru place-permission-source[.]ru place-permission-types[.]ru place-permission[.]ru place-preference-community[.]ru place-preference-experience[.]ru place-preference-manager[.]ru place-preference-place[.]ru place-preference-safe[.]ru place-preference-smartlink[.]ru place-preference-source[.]ru place-preference-types[.]ru place-preference[.]ru place-safe-community[.]ru place-safe-experience[.]ru place-safe-manager[.]ru place-safe-permission[.]ru place-safe-safety[.]ru place-safe-smartlink[.]ru place-safe-source[.]ru place-safe-types[.]ru place-safety-community[.]ru place-safety-experience[.]ru place-safety-permission[.]ru place-safety-smartlink[.]ru place-safety-source[.]ru place-safety-types[.]ru place-smartlink-community[.]ru place-smartlink-experience[.]ru place-smartlink-manager[.]ru place-smartlink-preference[.]ru place-smartlink-safe[.]ru place-smartlink-safety[.]ru place-smartlink-source[.]ru place-smartlink-types[.]ru place-smartlink[.]ru place-source-community[.]ru place-source-experience[.]ru place-source-permission[.]ru place-source-safety[.]ru place-source-smartlink[.]ru place-types-community[.]ru place-types-experience[.]ru place-types-permission[.]ru place-types-smartlink[.]ru preference-community-experience[.]ru preference-community-manager[.]ru preference-community-place[.]ru preference-manager-community[.]ru preference-manager-experience[.]ru preference-manager-permission[.]ru preference-manager-smartlink[.]ru preference-manager-types[.]ru preference-my-manager[.]ru preference-my-permission[.]ru preference-my-source[.]ru preference-online-manager[.]ru preference-online-permission[.]ru preference-online-place[.]ru preference-online-types[.]ru preference-permission-place[.]ru preference-permission[.]ru preference-place-community[.]ru preference-place-smartlink[.]ru preference-place-types[.]ru preference-safe-experience[.]ru preference-safe-manager[.]ru preference-safe-place[.]ru preference-safety-permission[.]ru preference-safety-place[.]ru preference-smartlink-experience[.]ru preference-smartlink-permission[.]ru preference-smartlink-place[.]ru preference-source-experience[.]ru preference-source-permission[.]ru preference-source-place[.]ru preference-types-place[.]ru safe-manager-experience[.]ru safe-manager-smartlink[.]ru safe-online-experience[.]ru safe-permission-experience[.]ru safe-permission-source[.]ru safe-place-community[.]ru safe-place-experience[.]ru safe-place-permission[.]ru safe-place-preference[.]ru safe-place-smartlink[.]ru safe-safety-experience[.]ru safe-smartlink-experience[.]ru safe-source-experience[.]ru safety-community-source[.]ru safety-manager-source[.]ru safety-my-smartlink[.]ru safety-permission-community[.]ru safety-place-community[.]ru safety-place-experience[.]ru safety-place-permission[.]ru safety-place-preference[.]ru safety-place-smartlink[.]ru safety-preference-experience[.]ru safety-preference-source[.]ru safety-smartlink-source[.]ru security-my-account[.]ru security-myaccount[.]ru security-myaccounts[.]ru smartlink-communit-safety[.]ru smartlink-experience-place[.]ru smartlink-experience[.]ru smartlink-manager-permission[.]ru smartlink-manager-place[.]ru smartlink-manager-safety[.]ru smartlink-manager-types[.]ru smartlink-manager[.]ru smartlink-my-manager[.]ru smartlink-my-permission[.]ru smartlink-my-place[.]ru smartlink-my-safe[.]ru smartlink-my-safety[.]ru smartlink-my-source[.]ru smartlink-online-permission[.]ru smartlink-online-place[.]ru smartlink-online-safety[.]ru smartlink-online-types[.]ru smartlink-permission-community[.]ru smartlink-permission-experience[.]ru smartlink-permission-safety[.]ru smartlink-permission-source[.]ru smartlink-permission[.]ru smartlink-place-community[.]ru smartlink-place-manager[.]ru smartlink-place-permission[.]ru smartlink-place-types[.]ru smartlink-place[.]ru smartlink-safe-manager[.]ru smartlink-safe-permission[.]ru smartlink-safe-place[.]ru smartlink-safe-safety[.]ru smartlink-safe-types[.]ru smartlink-safety-place[.]ru smartlink-safety-types[.]ru smartlink-source-manager[.]ru smartlink-source-permission[.]ru smartlink-source-place[.]ru smartlink-source-safety[.]ru smartlink-types-place[.]ru smartlink-types[.]ru source-community-preference[.]ru source-experience-preference[.]ru source-place-community[.]ru source-place-experience[.]ru source-place-permission[.]ru source-place-preference[.]ru source-place-smartlink[.]ru source-safe-preference[.]ru source-safety-preference[.]ru source-source-preference[.]ru types-community-experience[.]ru types-community-permission[.]ru types-community-place[.]ru types-community-preference[.]ru types-community[.]ru types-experience-place[.]ru types-experience[.]ru types-manager-permission[.]ru types-manager-place[.]ru types-manager-preference[.]ru types-manager-smartlink[.]ru types-my-permission[.]ru types-my-place[.]ru types-my-smartlink[.]ru types-online-community[.]ru types-online-experience[.]ru types-online-permission[.]ru types-online-place[.]ru types-online-preference[.]ru types-online-smartlink[.]ru types-palce-experience[.]ru types-palce-smartlink[.]ru types-permission-experience[.]ru types-permission-place[.]ru types-place-community[.]ru types-place-experience[.]ru types-place-permission[.]ru types-place-preference[.]ru types-place-smartlink[.]ru types-place[.]ru types-preference-experience[.]ru types-preference-place[.]ru types-safe-experience[.]ru types-safe-smartlink[.]ru types-safety-experience[.]ru types-safety-smartlink[.]ru types-smartlink-community[.]ru types-smartlink-experience[.]ru types-smartlink-manager[.]ru types-smartlink-place[.]ru types-smartlink[.]ru yandex-account-mail-passport[.]ru yandex-account-passport[.]ru yandex-accounts-mail-passport[.]ru yandex-auth-passport[.]ru yandex-my-account-passport[.]ru yandex-my-accounts-passport[.]ru yandex-my-passport-accounts[.]ru yandex-my-profile-passport[.]ru yandex-myaccount-mail-passport[.]ru yandex-myaccount-passport[.]ru yandex-myaccounts-mail-passport[.]ru yandex-myaccounts-passport[.]ru yandex-mypassport-account[.]ru yandex-mypassport-accounts[.]ru yandex-myprofile-passport[.]ru yandex-oauth-passport[.]ru yandex-passport-my-account[.]ru yandex-profile-passport[.]ru