
Undercover investigation in Seychelles: ELITETEAM hosting’s role as a cybercrime hub
Researchers from the Knownsec 404 team have exposed an extensive network run by the hosting provider ELITETEAM that supplies infrastructure to cybercriminals.
Such services let criminals evade law enforcement while distributing malware, hosting phishing sites, sending spam, and running other illegal operations. The researchers stress that "bulletproof" hosting is a serious threat to global cybersecurity: it operates in jurisdictions with weak enforcement and is highly resilient to takedown requests and legal action.
According to the findings, ELITETEAM was incorporated in Seychelles in November 2020 under the entity "1337TEAM LIMITED." The provider operates autonomous system AS51381, offering hosting for phishing sites, malware samples, botnet command-and-control (C2) servers, and infrastructure for cryptocurrency scams. The defining trait of such providers is a deliberate choice of jurisdictions with permissive legal frameworks.
According to Interisle's 2021 phishing landscape study, a single /24 block of 256 IP addresses within the ELITETEAM network ranked eighth worldwide for malicious activity. On VirusTotal, all 256 IP addresses attributed to ELITETEAM are flagged as malicious, confirming their involvement in attacks. On ThreatFox, several of the addresses carry 2024 indicators of compromise (IOCs) associated with the Amadey loader and the RedLine information stealer, pointing to their use in phishing campaigns and malware distribution.
Cloudflare researchers have observed ELITETEAM IP addresses heavily involved in attacks on WordPress sites. The attacks target the login page and the XML-RPC interface, the usual entry points for credential-guessing and exploitation attempts, through which the attackers try to gain access to the underlying systems.
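As an added illustration, not part of the Knownsec or Cloudflare findings, the following Python snippet shows the kind of detection a WordPress operator can run over web-server access logs for the pattern described above: repeated POST requests to /wp-login.php and /xmlrpc.php, with an extra flag when the source address falls inside one of the two ELITETEAM /24 prefixes cited in the article. The log lines are constructed for the example, and treating those two prefixes as a blocklist feed is this example's assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx combined log format).
SAMPLE_LOG = """\
185.215.113.10 - - [12/Nov/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
185.215.113.10 - - [12/Nov/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
185.215.113.10 - - [12/Nov/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
185.208.158.114 - - [12/Nov/2024:10:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
185.208.158.114 - - [12/Nov/2024:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2024:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The two /24 prefixes attributed to ELITETEAM in the article. Using them as a
# blocklist feed is an assumption of this example.
WATCHED_NETS = [
    ipaddress.ip_network("185.215.113.0/24"),
    ipaddress.ip_network("185.208.158.0/24"),
]

# WordPress endpoints abused for credential guessing (xmlrpc.php also allows
# many login attempts per request via system.multicall).
TARGET_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def in_watched_net(ip):
    """True if the address lies in one of the watched prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_NETS)


def detect(log_text, threshold=3):
    """Return one finding per source IP that POSTs to a WordPress auth endpoint
    at least `threshold` times, or at all when it comes from a watched prefix."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in TARGET_PATHS:
            counts[rec["ip"]][rec["path"]] += 1

    findings = []
    for ip, per_path in counts.items():
        total = sum(per_path.values())
        watched = in_watched_net(ip)
        if total >= threshold or watched:
            findings.append({
                "ip": ip,
                "total": total,
                "paths": dict(per_path),
                "watched_net": watched,
            })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The threshold on its own catches volume-based guessing from any source; the prefix match catches low-and-slow activity from known bad ranges that would otherwise stay under the threshold. In practice the output feeds rate limiting or a firewall rule, and if the site does not need XML-RPC, disabling that endpoint removes the amplification it offers.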
Trend Micro has linked ELITETEAM infrastructure to the distribution of Qakbot and Emotet, malware loaders widely used to stage ransomware deployments. In the first quarter of 2023 alone, 200,000 malicious traffic events tied to ELITETEAM infrastructure were recorded, 140,000 of them geolocated to Seychelles. The ransomware delivered through these loaders encrypted corporate network data in order to extort payment.
ELITETEAM infrastructure also supported cryptocurrency fraud tied to the Hydra darknet marketplace, facilitating illegal transactions and money laundering. This activity drew the attention of Interpol, which issued several notices calling for investigation of the company's operations.
An analysis of the 185.215.113.0/24 block on the ZoomEye platform shows its main characteristics: exposed remote-access services (SSH on 22, RDP on 3389), web services (80/443), mail services of the kind used for spam (SMTP on 25/465/587), and C2 servers on port 7766. Ten IP addresses in the block expose mail servers, possibly indicating their use for sending spam. In addition, distinctive TLS (SSL) certificates and HTTP responses indicate that the network is used to orchestrate cyberattacks.
The investigation also linked the 185.208.158.0/24 subnet to the main ELITETEAM block. Of its 256 addresses, 95 are flagged as malicious. Both blocks are registered in Seychelles and are technically tied together by shared TLS certificates: eight IP addresses across the two networks presented identical certificate fingerprints between September and November 2024, indicating control by a single group.
Deeper analysis singled out five suspicious IP addresses: 185.208.158.114, 185.208.158.115, 77.91.68.21, 147.45.47.102 and 109.107.182.45. They were grouped on the basis of distinctive TLS certificate and HTTP-response characteristics. For example, the certificate with SHA-1 fingerprint C416E381FAF98A7E6D5B5EC34F1774B728924BD8 was observed both in the 185.208.158.0/24 subnet and in the core ELITETEAM network.
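The pivot described in the preceding paragraphs, tying two /24 blocks together through certificates that hosts in both of them serve, can be automated over scan-platform exports. The following Python code is an added example, not Knownsec's tooling: the fingerprint C416E381... and the two prefixes come from the article, while the specific hosts, sighting dates, and the other two fingerprints are constructed. It requires a shared certificate to appear in at least two distinct /24s and separately records whether the sighting windows overlap, since concurrent use is stronger evidence of common control than sequential reuse after an address has been reassigned.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed observations in the shape a scan platform exports:
# (ip, SHA-1 certificate fingerprint, first seen, last seen).
# The fingerprint C416E381... and the two /24 prefixes are from the article;
# which hosts presented it on which dates is this example's assumption, and the
# other two fingerprints are made up.
OBSERVATIONS = [
    ("185.215.113.40", "C416E381FAF98A7E6D5B5EC34F1774B728924BD8", date(2024, 9, 3), date(2024, 11, 20)),
    ("185.208.158.114", "C416E381FAF98A7E6D5B5EC34F1774B728924BD8", date(2024, 9, 15), date(2024, 11, 2)),
    ("185.208.158.115", "C416E381FAF98A7E6D5B5EC34F1774B728924BD8", date(2024, 10, 1), date(2024, 11, 2)),
    ("185.215.113.41", "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567", date(2024, 9, 1), date(2024, 9, 30)),
    ("185.208.158.200", "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567", date(2024, 10, 5), date(2024, 10, 30)),
    ("198.51.100.9", "FFEEDDCCBBAA99887766554433221100FFEEDDCC", date(2024, 9, 1), date(2024, 11, 30)),
]


def prefix24(ip):
    """Return the /24 network containing the address, as a string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def windows_overlap(obs):
    """True if every pair of sightings shares at least one day (concurrent use)."""
    for i in range(len(obs)):
        for j in range(i + 1, len(obs)):
            if obs[i][2] > obs[j][3] or obs[j][2] > obs[i][3]:
                return False
    return True


def pivot_on_certificates(observations, min_nets=2):
    """Find certificates served from hosts in at least `min_nets` distinct /24s.

    Each link records the hosts, the networks they tie together, and whether the
    sightings overlapped in time (concurrent) or only followed one another."""
    by_fp = defaultdict(list)
    for ip, fp, first, last in observations:
        by_fp[fp.upper()].append((ip, fp, first, last))

    links = []
    for fp, obs in by_fp.items():
        nets = sorted({prefix24(o[0]) for o in obs})
        if len(nets) < min_nets:
            continue  # certificate stays inside one block: no pivot
        links.append({
            "fingerprint": fp,
            "ips": sorted((o[0] for o in obs), key=ipaddress.ip_address),
            "networks": nets,
            "concurrent": windows_overlap(obs),
        })
    return sorted(links, key=lambda l: l["fingerprint"])


def linked_networks(links):
    """Union of /24s tied together by at least one concurrently shared certificate."""
    nets = set()
    for link in links:
        if link["concurrent"]:
            nets.update(link["networks"])
    return sorted(nets)


if __name__ == "__main__":
    found = pivot_on_certificates(OBSERVATIONS)
    for link in found:
        print(link)
    print("linked networks:", linked_networks(found))
```

In the constructed data the C416E381... certificate is served concurrently from both blocks, which is the kind of evidence the article relies on, while the second fingerprint moves from one block to the other with no overlap and is reported but not used to join the networks. A real pipeline would also exclude certificates that are legitimately common, such as default self-signed certificates shipped by panel software, before treating a match as attribution.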
The researchers note that such hosting providers create a favourable environment for cybercriminals. Since 2015 the APT28 group has carried out more than 80 attacks using bulletproof hosting for phishing, data theft, and covert surveillance. Placing infrastructure in countries with weak regulation lets attackers avoid prosecution and keep their operations running for long periods.