Trusted Design

Tracing Pony’s Threat Cycle and Multi-Stage Infection Chain

概要

From the beginning of 2015, a malicious spear-phishing campaign dubbed Pony, has been actively luring victims. The spam e-mails are enticing users by impersonating well known companies, using their logos and known subject lines to further sell the deception. These e-mails kick off a multi-stage infection chain. The first stage would be a malicious link within the e-mail or attachment, containing malicious code, in this case Pony. Pony will infect the victim computer and download an additional malware. Pony was originally configured to download different malware families, however, due to criminal strategy changes, it currently only downloads Dyre. Every Pony domain appears to belong to the same group, the infrastructure is mainly in Russia and Ukraine. Most of the IP addresses belong to known bulletproof hosting networks that advertise their services on different forums. The criminals are also relying on a network of hacked servers to perform the multi-stage infection chain.

Created: 2026-02-23

Indicators

• domain - mydocumentsholder.com -
• domain - righthetoneca.ru -
• FileHash-SHA1 - d9d9ba96bfce361002a7bec53db95390f72c3e0b -
• domain - hecunvelac.ru -
• domain - tonsulddijus.ru -
• domain - nycosedfor.ru -
• domain - appridefirstcom.com -
• domain - dortwindfayer.com -
• domain - nasedrontit.com -
• CVE - CVE-2014-1761 -
• domain - tonecarighthe.ru -
• domain - logottitne.com -
• domain - mostotransfer.com -
• domain - fastserviceworld.com -
• domain - doctrashformater.com -
• domain - invoiceformater.com -
• domain - dream-hoster.com -
• FileHash-SHA1 - 1f5be0bd8fa955cfd11be6fb35210bb398eed193 -
• domain - resqdocsfirm.com -
• domain - etritanfe.ru -
• domain - butledtinve.ru -
• domain - sparwasssinve.ru -
• domain - inpahauld.ru -
• domain - arwahengo.ru -
• FileHash-SHA1 - 2a1a0eb2b6071c56f25c4304c555da350d67c99a -
• domain - undvemofo.ru -
• domain - modelstarinvo.com -
• FileHash-SHA1 - e9c2d14bd123fa727ea5691c21374e88e95f877d -
• domain - poly-poly.net -
• domain - utwithdehan.com -
• domain - herssofhaprigh.ru -
• domain - integrated-express.com -
• domain - gowasstalpa.com -
• FileHash-SHA1 - 8422d870ebcafeb6c51142f1a95cc5b8f64b43ba -
• domain - justhegthathen.ru -
• domain - fastssamplestrash.com -
• domain - moskalskiybodun.com -
• domain - workwithdocuments.com -
• domain - mytorsmired.ru -
• domain - renrefhedked.ru -
• FileHash-SHA1 - 92d4c9117fb2fe48333e71822e433807fb5198c4 -
• domain - leftterbutbet.ru -
• domain - tanhadhidown.ru -
• domain - finder777.com -
• FileHash-SHA1 - edc9c1929ff20950b99c42e22f3f448591351ce4 -
• domain - maininvoicegate.com -
• domain - invoicewindow.com -
• domain - enherthadugh.ru -
• domain - worldshipone.net -
• domain - hapbetrowpar.ru -
• domain - manterinvoice.com -
• domain - doclibrarymk.com -
• FileHash-SHA1 - dda088b93f203845bca009a850b89b3a2cdf3538 -
• domain - formaterdocstras.com -
• FileHash-SHA1 - 3f548e9f4f8b1c1ee9341055a75345e1d2b4358a -
• domain - continental-transitmail.com -
• FileHash-SHA1 - 4011a69c7dcc5d1f903f2f777fb3e35de748c8a3 -
• domain - withetborom.ru -
• domain - ortandahan.com -
• domain - infelitthec.ru -
• domain - destnarrowweek.com -
• domain - eventjohnmihim.ru -
• domain - donquertofear.com -
• domain - ferginestor.com -
• domain - documentfacilitysec.com -
• domain - cyheckledand.com -
• domain - thenjechap.com -
• FileHash-SHA1 - ee051a2a04c0caf6ff81db0542ca3fa35b05c7b4 -
• domain - hapwroncihen.ru -
• domain - veetdohi.ru -
• FileHash-SHA1 - 2ca92663a66a5b2047a921f746be56674fa05631 -
• domain - document-fast-cloud.com -
• FileHash-SHA1 - 8b6619e4d4ef2297a18e8dd3aad9dda93883d574 -
• FileHash-SHA1 - b31423f986f562ae2070b5d103435a2bd0783762 -
• domain - fuckingsfish.com -
• domain - wastolddinghes.ru -
• domain - ireqinvoiceparm.com -
• domain - gutotdolo.ru -
• domain - aningritoron.ru -
• domain - torsmimyred.ru -
• domain - salecheapflight.com -
• domain - faststornet.com -
• domain - behesjusrat.com -
• domain - documenttargettrace.com -
• domain - parterledhed.com -
• FileHash-SHA1 - e11f512fb681ec2c5333da75dcd64f28bcfa5e3c -
• domain - fastdrozdfund.com -
• FileHash-SHA1 - baea5192f69d7942722138445ed74c5a9909d255 -
• domain - redesparda.com -
• domain - atorrenevent.ru -
• domain - fortgureket.ru -
• domain - talahedtug.ru -
• domain - intexpressform.com -
• domain - banqulerroman.com -
• domain - mystoredoc.com -
• domain - document-searcher.com -
• domain - docustoragebank.com -
• FileHash-SHA1 - 83f1b17fb18fc0ad14ce1bbf2a5d165404edef93 -
• domain - fortuldryhow.ru -
• domain - thenlouldnot.ru -
• domain - notleftrofugh.ru -
• domain - ie-form.net -
• domain - hisruboti.ru -
• domain - moskalvtumane.com -
• domain - gotthendiran.com -
• domain - myfishdown.com -
• domain - ughwagerew.ru -
• domain - document-view-online.com -
• domain - ninghaprewrof.ru -
• domain - undmiredhem.ru -
• domain - iecomp-mail.com -
• domain - ondereteveng.ru -
• domain - fenesihert.ru -
• FileHash-SHA1 - 61481016dace6765a485f32fd52760b2fb9b95ec -
• FileHash-SHA1 - 496f84635f216e93d9661a403e43ff1903a2a2e8 -
• domain - torssedbabbe.com -
• FileHash-SHA1 - c707f688eff865b1f40dcb5dddd130b508d8e589 -
• domain - tumanimoskal.com -
• FileHash-SHA1 - f1fa5d774901995234fdfedb562953c6ed4c9eff -
• domain - tofthenningref.com -
• domain - saloross.com -
• domain - ughimsinna.ru -
• domain - tumanmoskalskiy.com -
• domain - somedocushare.com -
• domain - nohissandbo.ru -
• domain - rosupletwas.com -
• domain - uldhowhedtca.ru -
• domain - ranrianinghers.ru -
• domain - sestoreinv.com -
• domain - tontuldverbab.ru -
• domain - document-qiew-online.com -
• domain - wantools40.com -
• domain - manydocsfastrack.com -
• domain - pizdetshuiovosboduna.com -
• domain - continental-transit-mail.com -
• domain - thettoortoft.ru -
• domain - infodocslibmanagers.com -
• domain - fordahecbet.ru -
• FileHash-SHA1 - 8ab7df1193c9a3f6ad33426b634c581939dc9281 -
• domain - podvigtitanika.com -
• FileHash-SHA1 - 462fe924876597a9396999dd24773e8ed9746997 -
• domain - renwitedrom.ru -
• FileHash-SHA1 - 12cb416b69ffc56c12aad92f95040603261dc217 -
• domain - redwithtertreb.ru -
• domain - sabotierfirst.com -
• domain - pebulelet.ru -
• domain - rinheckguny.ru -
• domain - fohenroprab.com -
• FileHash-SHA1 - 4398c2b731f4939414bba70aac5260ff1d1ae865 -
• domain - harropthenthe.ru -
• domain - randomwfu365.com -
• FileHash-SHA1 - bbece44ad7d76ffc70239cc97f5238de01ce6ccd -
• domain - trbestbuy.com -
• FileHash-SHA1 - b2abfaa9d14435a5b079b847a039b57b4036836c -
• FileHash-SHA1 - d3ab3f733ad076546abb7debc3c79575083ec6d0 -
• domain - video-promo.org -
• domain - ticalharked.ru -
• domain - johnmiheventim.ru -
• domain - herstianingun.ru -
• domain - smallconfigs.com -
• domain - invoicebankstore.com -
• domain - rebledughid.com -
• domain - toldbiledin.ru -
• domain - doqument-view-online.com -
• domain - documentsecurestorage.com -
• domain - document-organizer.com -
• domain - invoiceseclib.com -
• domain - rofhanrighhen.ru -
• domain - docscountry.com -
• domain - kesedrathow.ru -
• domain - toldontinwi.ru -
• domain - wrononeratwass.ru -
• domain - wituldwihow.com -
• domain - shareinvoicelib.com -
• domain - rebettheligh.ru -
• domain - funnyinvoiceorg.com -
• domain - uttejustrep.ru -
• domain - forcaltonttof.com -
• domain - rearmheadfire.com -
• domain - miafast.org -
• FileHash-SHA1 - f13fa4951edddea82255db0de91a0c17f1b947b1 -
• domain - sofforjeclet.ru -
• domain - trashformatdocer.com -
• domain - navicompany.com -
• domain - toldronher.com -
• domain - myrorecrab.com -
• domain - debulittro.com -
• domain - trash4docs.com -
• domain - padetitdidn.com -
• FileHash-SHA1 - dc31cbded9d2afc0a8bcf9eea731712abaf12dfb -
• domain - menstoreins.com -
• CVE - CVE-2012-1258 -
• FileHash-SHA1 - eecbe32d493d3a5eaef2d6720e0d0cdfb8bc175c -
• domain - pasnirthland.com -
• FileHash-SHA1 - de5cdbec6ce4a38f9938944aa82fe8d30ae20171 -
• domain - invoicelibrary.com -
• domain - dortehthisnet.com -
• FileHash-SHA1 - b4a3ad2992af82d739d4eb110fab6966479ffd62 -
• domain - fifibabok.com -
• domain - hetonshanver.ru -
• domain - starinvoicemodel.com -
• domain - nestorganje.com -
• domain - aningutterbut.com -
• FileHash-SHA1 - f6d69a32f36e3d2e8a2b69acfd932e04ed3d2002 -
• domain - dcfastgroup.com -
• FileHash-SHA1 - 071b754bffa96101bf8c563ad7efd4df3f221b2e -
• domain - lerentoftjohn.ru -
• domain - titanikvmoskalii.com -
• domain - veronefosof.com -
• domain - sampledocstrash.com -
• domain - midehefo.ru -
• domain - faetsandrep.ru -
• FileHash-SHA1 - 93327b8105ea5f67a5a5bcb3ffe9b8cbe75185d0 -
• domain - pardijusat.ru -
• FileHash-SHA1 - a7c016bee0766f57f6a977f248c45cf06de5ab00 -
• FileHash-SHA1 - 48593abe9a8543c9183e375fc185fd97c28f3549 -
• domain - deadfishup.com -
• FileHash-SHA1 - 653cccc1daa752da24a9afbdad0449baae07bf1c -
• domain - trashdocformat.com -
• domain - logmein-security.com -
• domain - hedattoftle.ru -
• FileHash-SHA1 - 5b85b8cd91539f19f0d0cb2fc692722bc944f32a -
• domain - netshipgroup.com -
• domain - tumanvmoskalii.com -
• domain - secureinvoicedocs.com -

類似Pulses

• Exposedbotnets: probably Pony domains (score: 0.70)
• Microsoft Word Intruder: Operation Pony Express (score: 0.66)
• Malicious VBScript file delivers Pony Loader (score: 0.65)
• The Postal Group (score: 0.64)
• Dyre: Emerging threat on financial fraud landscape (score: 0.63)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る