Unmasking a Cybercrime Enabler: The Provider Behind Clop Ransomware
The subject of a new investigation is Alviva Holding, a provider whose infrastructure has long been a cornerstone for cybercriminal groups. The trigger for the probe was a change in contact details within the Clop ransomware gang: its leak site began redirecting victims to its own dedicated mail platform. Two domains used for correspondence, registered on May 2, 2025, were tied to servers running Roundcube.
The domain pubstorm.com was registered to an IP address in Germany, while pubstorm.net pointed to a server in Vanuatu. Both resources are associated with autonomous systems operated by Alviva Holding Limited. This infrastructure is not only used to manage communications with Clop’s victims but also underpins torrent networks distributing malicious software.
Alviva Holding’s history runs deeper. Since 2009, its address space has been repeatedly linked to the dissemination of Cobalt Strike and other tools heavily favored by criminal operations. An analysis of peering connections revealed links to Verdina Ltd of Belize and Ukraine’s FOP Gubina Lubov Petrivna, both of which have appeared in cyberattacks ranging from phishing against Ukrainian government agencies to operations attributed to APT28 and the hosting of Nokoyawa infrastructure. Verdina, in particular, is notorious for offering “bulletproof hosting”, providing platforms for DDoS services, and being tied to campaigns involving BianLian, Storm-1575, and others.

The pivotal lead in the investigation came from the Pandora Papers, which revealed that Alviva Holding’s registered address in the Seychelles matched dozens of shell companies. The formal owner was listed as a Russian national named Denis, who appeared in the same leaks and was linked to Alpha Consulting, a firm stripped of its license by the SEC in 2025 after being blacklisted. That consultancy had been implicated in money-laundering schemes and had provided services to a sprawling network of front companies. A unique address in Kaliningrad Oblast was tied directly to Denis, while cross-referencing with other leaks exposed multiple records under his name, frequently used as a cover identity for offshore entities.
The scheme becomes clearer when viewed in legal context. For years, the United Kingdom preserved a loophole allowing partnerships exempt from public disclosure of ultimate beneficial owners. When combined with offshore administration in the Seychelles and shell company registrations in Britain, this framework granted durable anonymity — a convenient shield for grey-market hosting operations and projects financed through opaque sources. As a result, some Alviva clients renting mail or web servers for ransomware operations, data theft, or spam campaigns may remain unaware that their provider has long been blacklisted. Meanwhile, nominal holders signing paperwork often have little understanding of what exactly they are legitimizing.
For infrastructure defenders, the conclusion is evident: blanket blocking of Alviva subnets is ineffective, as addresses shift rapidly. A more effective strategy is greylisting combined with tracking how recently each address was last observed in malicious activity, so that stale entries decay instead of accumulating into a permanent block list. Any activity routed through Alviva’s ASNs or those of its affiliates should be treated as a high-priority indicator warranting immediate scrutiny.
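The triage logic the paragraph above recommends, written out as an added example that is not part of the original article: sources inside a prefix announced by a watched ASN are escalated for scrutiny, sources on a recent-compromise feed are greylisted only while the observation is fresh, and everything else is allowed. The ASN labels, prefixes (RFC 5737 documentation ranges), feed entries and log lines are all constructed for illustration and are not Alviva's real ranges.

```python
"""Greylist-and-recency triage for inbound sources (added example, constructed data).

Instead of blanket-blocking a provider's churning subnets, keep a short watch-list
of prefixes announced by the provider's ASNs plus a feed of recently compromised
IPs with last-seen dates, and score each source address from a log.
"""
import ipaddress
from datetime import date, timedelta

# Hypothetical ASN -> announced prefixes (documentation ranges, not real allocations).
WATCHED_ASN_PREFIXES = {
    "AS64500-hypothetical-provider": ["192.0.2.0/24"],
    "AS64501-hypothetical-affiliate": ["198.51.100.0/25"],
}

# Constructed recent-compromise feed: IP -> date last observed in malicious activity.
COMPROMISE_FEED = {
    "203.0.113.7": date(2025, 5, 20),
    "203.0.113.9": date(2024, 11, 2),
}

# How long a compromise observation keeps an address on the greylist.
GREYLIST_WINDOW = timedelta(days=30)


def compile_networks(prefix_map):
    """Turn the ASN -> prefix-list map into parsed (network, asn) pairs."""
    return [(ipaddress.ip_network(p), asn)
            for asn, prefixes in prefix_map.items() for p in prefixes]


_NETWORKS = compile_networks(WATCHED_ASN_PREFIXES)


def classify(ip_str, today, feed=COMPROMISE_FEED, networks=None):
    """Return (verdict, reason) for one source IP.

    'scrutinize' : inside a watched ASN prefix -> high-priority alert
    'greylist'   : seen compromised within GREYLIST_WINDOW -> delay or challenge
    'allow'      : no signal (stale feed entries decay back to allow)
    """
    networks = _NETWORKS if networks is None else networks
    ip = ipaddress.ip_address(ip_str)
    for net, asn in networks:
        if ip in net:
            return "scrutinize", f"in {net} announced by {asn}"
    last_seen = feed.get(ip_str)
    if last_seen is not None:
        age = today - last_seen
        if age <= GREYLIST_WINDOW:
            return "greylist", f"compromised {age.days}d ago"
    return "allow", "no signal"


def triage_log(lines, today):
    """Parse constructed 'timestamp src_ip event' lines; return (ip, verdict, reason) per line."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[1]
        try:
            verdict, reason = classify(ip, today)
        except ValueError:
            verdict, reason = "malformed", f"unparseable address {ip!r}"
        results.append((ip, verdict, reason))
    return results


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-05-22T09:01:10Z 192.0.2.45 SMTP-AUTH",        # watched provider prefix
    "2025-05-22T09:02:31Z 203.0.113.7 HTTP-POST",       # compromised 2 days ago
    "2025-05-22T09:03:02Z 203.0.113.9 HTTP-GET",        # compromised ~6 months ago
    "2025-05-22T09:04:17Z 198.51.100.200 SMTP-AUTH",    # outside the affiliate /25
    "2025-05-22T09:05:44Z not-an-ip SMTP-AUTH",         # malformed entry
]

if __name__ == "__main__":
    for ip, verdict, reason in triage_log(SAMPLE_LOG, date(2025, 5, 22)):
        print(f"{ip:<16} {verdict:<11} {reason}")
```

The decay in `classify` is the point: an address seen compromised six months ago falls back to "allow" on its own, so the greylist stays small and current, while anything inside a watched ASN prefix is escalated regardless of how recently it was last reported.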