Alviva Infrastructure Linked to Cybercrime Groups

This investigation links Clop ransomware infrastructure (pubstorm[.]com / pubstorm[.]net) to IPs hosted in AS209132 and AS209272 owned by Alviva Holding Limited, and traces Alviva to a Seychelles-registered shell company network connected to Alpha Consulting and a beneficial owner, Denis Nachaev. Evidence includes WHOIS, VT records, ASN peer relationships (Verdina Ltd, FOP Gubina Lubov Petrivna), Pandora Papers/ICIJ leak references, and historical abuse tied to Cobalt Strike and other criminal services. #Clop #AlvivaHoldingLimited

Key points

  • Clop ransomware updated leak site contact addresses using pubstorm[.]com and pubstorm[.]net, which resolve to IPs 185.55.242.97 and 147.45.112.231 respectively.
  • Both IPs map to ASNs operated by Alviva Holding Limited (AS209272 and AS209132) located in Seychelles and Vanuatu, indicating provider linkage to Clop infrastructure.
  • Historical abuse records show Alviva-associated ASNs have hosted Cobalt Strike and other malicious services; peers include Verdina Ltd (Belize) and FOP Gubina Lubov Petrivna (Ukraine).
  • Verdina infrastructure has prior ties to booters/stressers, DDoS-for-hire, credential harvesting, and hosting malware families and loaders (BianLian, Koi Loader, L3MON RAT, etc.).
  • Pandora Papers / ICIJ leaks identify Alviva’s registered Seychelles address and associate the entity with Alpha Consulting and Denis Nachaev, a Russian-linked beneficial owner.
  • UK registration practices and limited partnership disclosure gaps enable shell company anonymity, allowing Seychelles/Belize/Vanuatu operational bases to mask illicit activity.
  • Recommendations: treat IPs from these ASNs as high-risk (greylist in SIEM), avoid blocking entire subnets blindly, and corroborate threat intelligence across platforms due to stale ASN records.

MITRE Techniques

  • [T1071] Application Layer Protocol – Clop hosted Roundcube webmail on pubstorm domains to communicate with victims (“Mail Provider setup by Clop Ransomware”).
  • [T1090] Proxy: Bidirectional Communication – Use of bulletproof hosting and AS-level infrastructure (Alviva AS209132/AS209272) to relay and mask attacker infrastructure (“Both IPs belong to the same AS: Alviva Holding Limited”).
  • [T1566] Phishing – Spearphishing used by Vermin (UAC-0020) delivering SPECTR malware targeting Ukrainian government, leveraging infrastructure peers (“SPECTR Malware Delivery targeting the Ukrainian Government via SpearPhishing in March 2022 by Vermin (UAC-0020)”).
  • [T1105] Ingress Tool Transfer – Hosting of malware, loaders and Cobalt Strike on Alviva-linked ASNs facilitating delivery of tools such as Koi Loader, L3MON RAT, Brute Ratel & Sliver (“Cobalt Strike, Koi Loader, L3MON RAT, Brute Ratel & Sliver: 2025”).
  • [T1588] Obtain Capabilities: Malicious Services – Use of Verdina and Alviva-affiliated services to buy DDoS, booters/stressers, and other attack capabilities (“Verdina[.]net … Booter/Stresser Service … Bulletproof Hosting”).

Indicators of Compromise

  • [IP] pubstorm mail hosting – 185.55.242.97 (pubstorm[.]com), 147.45.112.231 (pubstorm[.]net)
  • [Domain] Clop contact domains – pubstorm[.]net, pubstorm[.]com (Roundcube mail pages: /mail/ and /srv.pubstorm[.]net/mail/)
  • [ASN] Hosting providers – AS209272 (Alviva Holding Limited), AS209132 (Alviva Holding Limited)
  • [URL] DLS/mail endpoints – hxxps://pubstorm[.]net/mail/, hxxps://srv.pubstorm[.]net/mail/, hxxps://pubstorm[.]com/mail/
  • [Hostname] Service aliases – srv.pubstorm[.]net and srv.pubstorm[.]com referenced as mail hostnames (and other related pubstorm URLs)
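The recommendation in the key points (treat traffic to these ASNs as high-risk and greylist it in the SIEM, but do not block whole subnets, and corroborate before acting) and the indicator list above can be turned into a single triage rule. The example below is added here and is not code from the original report or from The Raven File: it refangs the page's defanged indicators, scores constructed proxy-log lines, and separates a direct IoC hit (alert) from a provider-level ASN match (greylist only). The IP-to-ASN table is a constructed stand-in for a live enrichment source; the page does not say which pubstorm IP sits in which of the two Alviva ASNs, so that split, the extra IPs and the log lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators from the report (defanged with [.] there; refang() restores the dot for matching).
IOC_IPS = {"185.55.242.97", "147.45.112.231"}
IOC_DOMAINS = {"pubstorm[.]com", "pubstorm[.]net", "srv.pubstorm[.]net", "srv.pubstorm[.]com"}
HIGH_RISK_ASNS = {209272, 209132}  # Alviva Holding Limited, per the report

# Constructed stand-in for a live IP->ASN enrichment (BGP/whois lookup in production).
# Which pubstorm IP sits in which Alviva ASN is not stated on the page; the split is an assumption.
CONSTRUCTED_ASN_TABLE = {
    "185.55.242.97": 209272,
    "147.45.112.231": 209132,
    "185.55.242.10": 209272,   # constructed: same ASN as an IoC, but no direct indicator match
    "203.0.113.5": 64496,      # constructed: documentation IP, documentation ASN, benign
}


def refang(indicator: str) -> str:
    """Turn 'pubstorm[.]com' into 'pubstorm.com' (lower-cased, no trailing dot)."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def lookup_asn(ip: str) -> Optional[int]:
    """Return the announcing ASN, or None when enrichment has no (or stale) data for the IP."""
    return CONSTRUCTED_ASN_TABLE.get(ip)


def domain_matches(host: str, iocs: Set[str]) -> bool:
    """Exact or subdomain match against the IoC domains (mail.pubstorm.com matches pubstorm.com)."""
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in map(refang, iocs))


@dataclass
class Verdict:
    line: str
    verdict: str          # "alert", "greylist" or "none"
    reasons: List[str]


KV = re.compile(r"(\w+)=(\S+)")


def triage_line(line: str) -> Verdict:
    """Score one key=value proxy-log line against the indicators and the ASN greylist."""
    fields = dict(KV.findall(line))
    dst, host = fields.get("dst", ""), fields.get("host", "")
    reasons = []
    if dst in IOC_IPS:
        reasons.append(f"dst {dst} is a listed IoC")
    if host and domain_matches(host, IOC_DOMAINS):
        reasons.append(f"host {host} matches an IoC domain")
    if reasons:
        return Verdict(line, "alert", reasons)
    asn = lookup_asn(dst)
    if asn in HIGH_RISK_ASNS:
        # Provider-level signal only: tag for analyst review, do not block the ASN or subnet.
        return Verdict(line, "greylist",
                       [f"dst {dst} announced by high-risk AS{asn}; corroborate before acting"])
    return Verdict(line, "none", [])


def triage(log: str) -> List[Verdict]:
    return [triage_line(l) for l in log.splitlines() if l.strip()]


# Constructed proxy log: two direct indicator hits, one same-ASN neighbour, two unrelated hosts.
SAMPLE_LOG = """\
2025-09-08T10:01:02Z src=10.0.0.5 dst=185.55.242.97 host=pubstorm.com uri=/mail/
2025-09-08T10:01:09Z src=10.0.0.7 dst=147.45.112.231 host=srv.pubstorm.net uri=/mail/
2025-09-08T10:02:11Z src=10.0.0.9 dst=185.55.242.10 host=cdn.example.invalid uri=/
2025-09-08T10:03:00Z src=10.0.0.4 dst=203.0.113.5 host=www.example.invalid uri=/index.html
2025-09-08T10:03:30Z src=10.0.0.4 dst=198.51.100.20 host=other.example.invalid uri=/
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.verdict.upper():8} | {v.line.split()[0]} | {'; '.join(v.reasons)}")
```

The third line illustrates the greylist case: an address in an Alviva ASN with no indicator match is tagged for review rather than blocked, and a destination that the enrichment source cannot resolve (the last line) produces no verdict at all, which is why the report advises cross-checking ASN data across platforms before relying on it.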

Read more: https://theravenfile.com/2025/09/08/uncovering-alviva-holding-links-to-russian-shell-companies-and-cybercrime/