# Full Report
Two other employees at the St. Petersburg-based hosting provider Aeza Group were arrested. The company is alleged to have links to state-sponsored disinformation campaigns and cybercriminal infrastructure.
# Analysis Summary
# Threat Actor: Aeza Group / Associated Actors (Yuri Bozoyan, Maxim Orel, Tatyana Zubova)
## Attribution & Identity
* **Primary Entity:** Aeza Group (St. Petersburg-based hosting provider, founded 2021).
* **Key Figures Detained:** Yuri Bozoyan (CEO), Maxim Orel, Tatyana Zubova. Arseny Penzev (Cofounder) is also reportedly suspected.
* **Attribution Tendency:** Believed by researchers to have links to state-sponsored disinformation campaigns and Russian cybercriminal infrastructure.
* **Aliases/Associations:** Linked to the pro-Kremlin disinformation campaign known as **Doppelgänger**. The office location was formerly used by entities associated with Yevgeny Prigozhin's operations ("troll farms").
## Activity Summary
Aeza Group has been implicated in both state-aligned information operations and large-scale cybercrime/narcotics trafficking:
* **Disinformation:** Hosting infrastructure for the Doppelgänger campaign, which since at least 2022 has published fake articles mimicking Western media outlets to amplify Russian narratives and sow division in the West.
* **Cybercrime Infrastructure:** Hosting servers used by operators behind malware strains like Lumma and Meduza.
* **Criminal Enterprise:** Suspected of hosting the darknet drug marketplace **BlackSprut**. Authorities dismantled part of this operation in February following an undercover purchase.
## Tactics, Techniques & Procedures
* **T1560 (Archive Collected Data):** Involved in hosting illicit marketplaces (BlackSprut).
* **T1071.001 (Application Layer Protocol: Web Protocols):** Utilized for disinformation campaigns mimicking legitimate news sites.
* **Operational Modus Operandi:** Operates as a "bulletproof" hosting provider that shields its clients' illicit activity from law enforcement; clients were recruited via darknet forums.
* **Information Operations:** Generating fabricated content designed to mimic reputable news sources (e.g., Der Spiegel, The Guardian).
## Targeting
* **Sectors:** Media/Information Sector (via disinformation), Cybercrime (hosting infrastructure for malware/drug trafficking).
* **Geography:** Operations active in Europe (targeting Western narratives/media perception); core company operations based in St. Petersburg, Russia.
* **Victims:** General Western society/media consumers (through disinformation); Customers/users of darknet drug marketplaces (BlackSprut).
## Tools & Infrastructure
* **Malware Families Used:** Lumma, Meduza (Aeza hosted infrastructure linked to these strains).
* **Illicit Platforms Hosted:** BlackSprut (darknet drug marketplace).
* **Infrastructure:** Aeza Group servers and hosting services. No specific C2 domains or IP addresses are listed in the source report, so there are no indicators to defang.
## Implications
The case highlights the sophisticated convergence of Russian state-aligned influence operations (disinformation via Doppelgänger) and domestic, large-scale cybercriminal activities (drug trafficking via BlackSprut) leveraging the same hosting infrastructure. The arrest of key personnel exposes vulnerabilities in the operational security of Russian infrastructure supporting both espionage and organized crime.
## Mitigations
* Implement strict vetting and Know Your Customer (KYC) procedures for hosting clients, especially those utilizing "bulletproof" features or located in high-risk jurisdictions.
* Monitor infrastructure for known associations with Doppelgänger disinformation campaigns.
* Threat hunting for malware infrastructure (Lumma, Meduza) should include checks against known Aeza IP ranges or historical hosting patterns.
* Maintain increased vigilance regarding darknet marketplaces operating in Eastern Europe, particularly platforms like BlackSprut.