Full Report
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group for assisting threat actors in their malicious activities and in targeting victims in the country and across the world. The sanctions also extend to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well
Analysis Summary
This analysis focuses on the sanctioned entity, **Aeza Group**, as its primary subject: infrastructure that supports multiple threat actors, rather than a single, traditional threat actor group. The summary treats Aeza Group as the key enabler node in the source reporting.
# Threat Actor: Aeza Group (Bulletproof Hosting Provider)
## Attribution & Identity
The entity is **Aeza Group**, a Russia-based bulletproof hosting (BPH) service provider headquartered in St. Petersburg.
**Sanctioned Entities/Subsidiaries:** Aeza International Ltd. (U.K. branch), Aeza Logistic LLC, Cloud Solutions LLC.
**Key Individuals Sanctioned:**
* Arsenii Aleksandrovich Penzev (CEO and 33% owner)
* Yurii Meruzhanovich Bozoyan (General Director and 33% owner)
* Vladimir Vyacheslavovich Gast (Technical Director)
* Igor Anatolyevich Knyazev (33% owner; manages operations when the others are absent)
* *Note: Penzev was previously arrested on charges related to hosting the BlackSprut dark web marketplace.*
## Activity Summary
The U.S. Treasury’s OFAC sanctioned Aeza Group for providing critical infrastructure support to various cybercriminals globally. The core activity is offering BPH services, characterized by deliberately ignoring abuse reports and law enforcement takedown requests, making their infrastructure resilient for malicious hosting. Aeza Group's services have been used by numerous ransomware and malware operations.
## Tactics, Techniques & Procedures
The primary TTP enabled by this actor is **hosting malicious infrastructure** without consequence.
- Hosting Command-and-Control (C2) servers.
- Hosting phishing sites.
- Providing resilient infrastructure for various malware operations.
- *No specific MITRE ATT&CK IDs were mentioned in the source reporting.*
## Targeting
- **Sectors:** U.S. defense industrial base and technology companies (via ransomware groups using their infrastructure). General cybercrime victims worldwide.
- **Geography:** Global targeting, supported by a Russia-based entity.
- **Victims:** Organizations targeted by ransomware and information stealer families utilizing Aeza's infrastructure.
## Tools & Infrastructure
- **Malware families supported:** BianLian (ransomware); RedLine, Meduza, Lumma (information stealers).
- **Other affiliated groups/operations:** Doppelganger (pro-Russian influence operation), Void Rabisu (known to use Aeza for RomCom RAT infrastructure).
- **Infrastructure:** Bulletproof hosting services provided by Aeza Group entities. (No specific domains or IPs were provided in the source reporting.)
## Implications
The sanctioning highlights the U.S. strategy of targeting the **critical nodes and infrastructure** that underpin the cybercriminal ecosystem, specifically BPH providers. Disruption of Aeza Group aims to degrade the operational resilience and longevity of numerous ransomware and financially motivated threat actors who rely on such "godsend" services for their operations.
## Mitigations
- Defending against attacks that originate from this infrastructure requires enhanced monitoring for C2 or phishing activity hosted on takedown-resistant (bulletproof) environments.
- Maintain continuous monitoring and geopolitical awareness of actors that use Russia-based bulletproof hosting services for C2 or data exfiltration.