Posts Tagged: Alexander Nazarenko

Jul 13

Styx Crypt Makers Push DDoS, Anti-Antivirus Services

I recently published a piece that examined the role of several Ukrainian men likely responsible for making and marketing the Styx Pack malware exploit kit. Today’s post will show how this same enterprise is linked to a DDoS protection scheme and a sprawling cybercrook-friendly malware scanning service that is bundled with Styx-Crypt.

Anonymous antivirus scanning service -- captain-checker[dot]com -- bundled with the Styx exploit pack.

Anonymous antivirus scanning service — — bundled with Styx.

As I noted in a graphic accompanying a July 8 analysis of Styx, the $3,000 exploit pack includes a built-in antivirus scanning service that employs at least 17 antivirus products. The scanning service is “anonymous,” in that it alerts Styx customers whenever one of the antivirus tool detects their malware  as such, but the service also prevents the antivirus products from reporting home about the new malware detections.

When Styx customers click on one of these malware scanning reports from within the Styx pack panel itself, the full scanning results are displayed in a new browser window at the domain captain-checker[dot]com (see screenshot above). The Styx panel that I examined earlier this month was based at the Internet address, and was reachable only by appending the port number 10665 to the numeric address. At first, I thought this might be a standard port used by Styx installations but that turns out not to be the case, according to interviews with other researchers. I didn’t realize it at the time, but now I’m thinking it’s likely that the panel I examined was actually one run by the Styx Pack curators themselves.

I discovered that although captain-checker[dot]com is hosted at another address (, it also had this 10665 port open. I noticed then that captain-checker shares that server with 12 other Web sites. All of those sites also respond on port 10665, each revealing a captain-checker login page. Among the 12 is uptimer[dot]biz, one of two sites that led to the identity of Alexander “Nazar” Nazarenko — one of the main marketers and sellers of Styx pack.

styx-reality7-mapNot only are all of these sites on the same server, an Nmap scan of these systems shows that they all are on the same Windows workgroup — “Reality7.” This dovetails nicely with the other domain that I noted in that July 10 story as tied to Nazarenko — reality7solutions[dot]com.

Many of the other domains on the server (see graphic to the left) use some variation of the word “wizard,” and share a Google Analytics code, UA-19307857. According to, this code is embedded in the homepage for at least 38 different Web sites.

In my previous story on Nazarenko and his Styx Pack business partner — Max “Ikar” Gavryuk —  I noted that both men were advertising “Reality Guard,” a service to help protect clients from distributed denial-of-service (DDoS) attacks designed to knock sites offline. I had a closer look at their site — reality-guard[dot]com — and learned several interesting things: For starters, the site also responds with a captain-checker[dot]com login page when you append “:10665” to the domain name. It also is on a Microsoft Windows workgroup called “Reality7”. Finally, the reality-guard[dot]com home page includes an icon for virtual currency Webmoney that when hovered over pops up Nazar’s Webmoney account (someone changed the name on this account from “Nazar” to “Lives” within hours after my July 10 story on the Styx Pack purveyors).

Continue reading →

Jul 13

Who’s Behind The Styx-Crypt Exploit Pack?

Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I’ll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.

styxlogoAs I noted in Monday’s story, what’s remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt[dot]com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by hold some important clues about who’s responsible for selling this product.

At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you’ll see that the registered username attached to that purse is “Ikar.” If we look closer we can see that Ikar’s Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named “Nazar.” (Update: July 11, 10:14 p.m.: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, cached the old data. The links to the purses above have been changed accordingly.)

Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab[dot]org, secnull[dot]cc and antichat[dot]ru. In these threads, Ikar used the contact address ““, while Nazar listed ““. Both addresses are associated with forum accounts named “Ikar” and “Renzor” (for examples, see this cached, Google-Translated page from Renzor’s account on, and this cached page from secnull[dot]cc). Nazar’s address is linked to a “Max Lighter” profile on Facebook, but not much more information is available on that profile. doesn’t appear to be connected to anything special, but Nazar’s address was used as the point-of-contact in registering two very interesting domains: and Looking at the familiar wormhole-like squiggly at the top of, I noticed it was very similar to the rotating icon ( video) used by the Styx pack.’s homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers  is a public company that specializes in IT outsourcing. Hoovers says the company provides “software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland.”

The ICQ number listed on the homepage of belongs to a Website design professional from Khmelnitsky, Ukraine named Stanislav Shangin. If we look at Schangin’s personal page where he lists all of the Web sites he’s been hired to create, we can see he designed both styx-crypt[dot]com and, among dozens of other sites. Shangin did not respond to requests for comment.

Continue reading →