F6 Helped Block NyashTeam Hacker Group’s Infrastructure

📟 News

Date: 24/07/2025

Analysts at F6 discovered a network of domains used by the group NyashTeam, which distributes malware and provides hosting services to criminals. The group’s clients have attacked users in at least 50 countries worldwide, including Russia. More than 110 domains in the .ru zone used by NyashTeam have been blocked.

NyashTeam has been active since at least 2022 and operates in the MaaS (Malware-as-a-Service) segment. The group sells malware from the DCRat and WebRat families through Telegram bots and websites, and also hosts its customers' malicious infrastructure, supporting them with plugins, guides, and tools for processing the collected data.

Most of the victims attacked with NyashTeam's tools were located in Russia, and the group markets itself primarily to a Russian-speaking audience.

NyashTeam gained popularity due to the relatively low cost of its malware. For instance, a subscription to the DCRat backdoor (used for remote control of infected devices) is priced at 349 rubles per month. A monthly subscription to WebRat (used for stealing data from browsers, including passwords, cookies, and autofill information) costs 1,199 rubles, while hosting costs 999 rubles for two months. The operators accept payments through Russian payment systems as well as cryptocurrency wallets.

Researchers report that in most cases the group's clients distribute the malware via YouTube and GitHub. The attacks primarily target gamers looking for cheats, as well as users looking for pirated software.

On YouTube, the attackers use fake or compromised accounts to upload videos promoting game cheats, software cracks, and game bots. The links under such videos lead to file-sharing sites where, under the guise of a cheat or crack, the user is offered an archive containing the malware. On GitHub, the malware is hosted in public repositories disguised as cracked versions of commercial software, utilities, or cheats.

To host malware distribution for its customers, NyashTeam actively registers second-level domains, including in the .ru zone. The operators predominantly use distinctive domain names such as “nyanyash[.]ru”, “nyashback[.]ru”, “nyashk[.]ru”, “nyashka[.]top”, “nyashkoon[.]ru”, “nyashlife[.]ru”, “nyashnyash[.]ru”, “nyashprivat[.]ru”, “nyashru[.]ru”, “nyashteam[.]ru”, “nyashteam[.]site”, “nyashteam[.]top”, “nyashtop[.]ru”, “nyashvibe[.]ru”, “nyashware[.]ru”, “n9sh[.]top”, “n9shteam[.]in”, “n9shteam[.]ru”, “n9shteam2[.]top”, “renyash[.]ru”, “devnyash[.]top”, “devnyashk[.]ru”, “shnyash[.]ru”, “nyashteam[.]ml”, or names containing malware family names such as “webrat” and “dcrat”, and then create third-level domains under them.
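The indicator list above lends itself to a straightforward DNS-log check. What follows is an added example written for this page, not F6's tooling and not anything published by the group: it loads the second-level domains quoted above as a blocklist, flags both exact matches and any third-level (or deeper) names under them by label-aware suffix matching, and separately flags names whose labels contain the "webrat" or "dcrat" tokens as lower-confidence hits. The log format (timestamp, client IP, query type, query name) and the sample lines are constructed for the example; real resolvers log differently, so adapt the regex.

```python
"""Flag DNS queries for NyashTeam-controlled or NyashTeam-themed domains.

Added example for this article; the blocklist is the set of second-level
domains quoted in the text, the log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Second-level domains attributed to NyashTeam in the article (defanging removed).
NYASHTEAM_SLDS = frozenset({
    "nyanyash.ru", "nyashback.ru", "nyashk.ru", "nyashka.top", "nyashkoon.ru",
    "nyashlife.ru", "nyashnyash.ru", "nyashprivat.ru", "nyashru.ru", "nyashteam.ru",
    "nyashteam.site", "nyashteam.top", "nyashtop.ru", "nyashvibe.ru", "nyashware.ru",
    "n9sh.top", "n9shteam.in", "n9shteam.ru", "n9shteam2.top", "renyash.ru",
    "devnyash.top", "devnyashk.ru", "shnyash.ru", "nyashteam.ml",
})

# Malware family names the article says appear in other NyashTeam domains.
# Substring hits on these are lower confidence and should be reviewed by hand.
KEYWORD_TOKENS = ("webrat", "dcrat")


def normalize(name: str) -> str:
    """Lowercase, undo '[.]' defanging and strip a trailing root dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def classify(qname: str) -> Optional[tuple[str, str]]:
    """Return (rule, matched_value) for a suspicious name, or None.

    Rules, in priority order:
      blocklist            exact match on a listed second-level domain
      blocklist-subdomain  a child (third-level or deeper) of a listed domain
      keyword              a label contains a malware family token
    Suffix matching walks whole labels, so 'notnyashteam.ru' and
    'nyashteam.ru.example.com' do not match the blocklist.
    """
    name = normalize(qname)
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in NYASHTEAM_SLDS:
            return ("blocklist" if i == 0 else "blocklist-subdomain", suffix)
    for label in labels:
        for token in KEYWORD_TOKENS:
            if token in label:
                return ("keyword", token)
    return None


# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>" per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Parse log lines and return one hit record per matching query."""
    hits: list[dict] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        verdict = classify(m["qname"])
        if verdict is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": normalize(m["qname"]),
            "rule": verdict[0],
            "matched": verdict[1],
        })
    return hits


# Constructed sample lines (not real telemetry).
SAMPLE_LOG = """\
2025-07-21T10:15:02Z 10.0.3.14 A api.nyashteam.ru
2025-07-21T10:15:05Z 10.0.3.14 A www.example.com
2025-07-21T10:16:11Z 10.0.7.2 A n9shteam2.top
2025-07-21T10:16:40Z 10.0.7.2 AAAA cdn.webrat-update.ru
2025-07-21T10:17:01Z 10.0.9.9 A nyashteam.ru.corp.example.com
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} -> {hit['rule']} ({hit['matched']})")
```

Suffix matching on whole labels is deliberate: a plain substring test would also fire on an unrelated registrant whose name merely ends in one of the listed strings, and would miss nothing that label matching catches. Keyword hits are a triage signal, not grounds for automatic blocking; before relying on this in production, replace the excerpt above with F6's full indicator feed and keep in mind that a MaaS operator can re-register under new names once the old ones are blocked.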

According to F6, since the start of NyashTeam’s activities in 2022, more than 350 second-level domains have been involved in their infrastructure. The peak of malicious domain registration activity occurred in December 2024 and January-February 2025.

Experts noted not only growth in the number of domains NyashTeam uses but also their active use in attacks. For example, in 2024 the group's clients sent phishing emails carrying DCRat to Russian companies in logistics, oil and gas extraction, geology, and IT.

CERT-F6 provided information about the domains associated with NyashTeam to the Coordination Center for .RU/.РФ Domains. As a result, as of July 21, 2025, more than 110 domains in the .ru zone have been blocked, and four more domains in other zones are in the process of being blocked. A Telegram channel hosting the WebRat source code was also taken down, along with four tutorial videos on a popular video hosting platform.

“The NyashTeam case clearly proves that the infrastructure of MaaS operators distributing malware can be detected and effectively blocked. Analyzing and subsequently blocking the domains used by the NyashTeam group allowed us to significantly limit the spread of threats and hinder the criminals’ operations, at least temporarily,” said Vladislav Kugan, cyberattack research analyst in the Threat Intelligence department at F6.
