We downloaded a free VPN that is being handed to Russian soldiers, installed it on a test phone in a sealed, offline lab, and watched it work. It connected. It tunneled traffic. In every visible way it behaved like the privacy tool its tagline promised: "Бесплатный VPN-сервис для участников СВО," a free VPN service for participants of the "special military operation."
Then it reached into the phone's storage, copied the files sitting in the WhatsApp and Telegram folders, packed them into an archive, and uploaded them to a server its operator controls. The last thing it logged was a small green checkmark: "Archive uploaded ✅." Moments later that same server pushed a notification back to the phone, displaying text we had written and wired to open any web page we chose.
The app is called SVOiVPN. It is not a VPN. It is spyware, aimed at the soldiers of the army that is, at this moment, working to make sure they cannot communicate any other way.
This is the story of what it is, the criminal business it belongs to, and the bulletproof-hosting network it runs on. It is also, just as important, the story of the things we could not prove.
The lure
To understand why a fake VPN works as bait for Russian soldiers, you have to understand what Russia has done to their phones.
Across 2025 and into 2026, the Russian state made working, private communication simultaneously essential and illegal for its own people. It criminalized the advertising of VPNs and blocked roughly 460 of them; it fined users for merely searching banned content; it throttled Telegram and, by February 2026, cut off WhatsApp outright.[1][2][3][4][5][6] In their place it pushed MAX, a state "national messenger" that carries no end-to-end encryption, is wired into the FSB's surveillance plumbing, and, per a 2026 reverse-engineering analysis, can tell when a device is running a VPN.[7][8] Then the irony that opened the door: Russian troops were reportedly ordered to stop using MAX at the front as too insecure for combat, a directive carried by the independent outlet Mediazona and by pro-war military channels, and denied by the Kremlin.[9]
Russian soldiers live on Telegram, for orders, for coordinates, for the daily mechanics of staying alive. Stripped of it, ordered off it, and told the official substitute was unsafe for combat, they were left to buy their own phones and source their own circumvention tools through unvetted channels. A "free VPN for SVO participants" dangles exactly the thing the state insists they need and forbids them from having. Russia's own censorship manufactured the demand this app exists to exploit.
```mermaid
timeline
    title Russia manufactures the demand · 2025 to 2026
    section Criminalize the alternatives
        Jul to Sep 2025 : VPN ads banned, searches fined (effective 1 Sep 2025)
                        : MAX state messenger made mandatory (1 Sep 2025)
        Jan 2026 : Roughly 460 VPNs blocked
    section Cut the messengers
        10 Feb 2026 : Telegram throttled
        12 Feb 2026 : WhatsApp blocked
    section The gap opens
        23 Feb 2026 : MAX reportedly called too insecure for the front (Kremlin denies)
        Then : A free "VPN for SVO participants" appears
```
The app
svoivpn[.]cfd presents itself as a free VPN service "for participants of the SVO," complete with a working-looking tunnel and an Android-only download. Captured 2026-05.
The lure lives at svoivpn[.]cfd, a landing page styled in Russian-flag colors, branded "СВОЙVpn" and tagged "Быстрый VPN" (Fast VPN). The name is a pun: СВОЙ reads both as СВО, the military operation, and as свой, one's own. The page offers an Android-only download. We pulled the APK (SVOiVPN.apk, package com.sdocument.app).
VirusTotal returned 0 of 66 detections; the file had never been submitted before. Static analysis told us what it was built from:
- a functional WireGuard VPN: victims get a real, working tunnel;
- spyware services bolted alongside it: DataService and FullScrapeWorker for file and media theft, CredentialConfig, a PushService, and a boot receiver for persistence;
- a permission set that belongs to surveillanceware, not a VPN: all-files access (MANAGE_EXTERNAL_STORAGE), fine location, media access, background execution;
- and a debug signing key, the mark of something built fast and cheap.
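The permission mismatch above is the kind of check a reviewer can automate before ever running a sample. The script below is an added example, not code from this investigation or from the app: it parses an AndroidManifest.xml (the constructed sample reproduces the shape described above, a VPN service beside all-files, location, media and boot-receiver grants, and is not the real com.sdocument.app manifest), separates the grants a VPN client legitimately needs from those that only surveillanceware needs, and returns a verdict. The baseline and surveillance permission sets are the example's own assumptions.

```python
"""Static triage of an Android manifest against the app's claimed purpose.

Added example; the manifests are constructed samples, not the SVOiVPN manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"

# Grants a VPN client has no use for; mapped to the capability they buy.
# (Assumed list for this example.)
SURVEILLANCE = {
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all-files access",
    "android.permission.READ_EXTERNAL_STORAGE": "storage read",
    "android.permission.READ_MEDIA_IMAGES": "media access",
    "android.permission.READ_MEDIA_VIDEO": "media access",
    "android.permission.ACCESS_FINE_LOCATION": "fine location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}

# Constructed manifest: a real VpnService plus surveillanceware grants.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:debuggable="true">
        <service android:name=".vpn.TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
        <service android:name=".DataService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a VPN client that asks only for what a tunnel needs.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honestvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the permission profile and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(el.get(A_NAME, "") for el in root.iter("uses-permission"))
    suspicious = {p: SURVEILLANCE[p] for p in permissions if p in SURVEILLANCE}
    # A service bound with BIND_VPN_SERVICE is what makes the tunnel real.
    vpn_service = any(
        svc.get(A_PERMISSION) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    # Receivers listening for BOOT_COMPLETED restart the app after reboot.
    boot_receivers = [
        rcv.get(A_NAME, "")
        for rcv in root.iter("receiver")
        if any(act.get(A_NAME) == "android.intent.action.BOOT_COMPLETED"
               for act in rcv.iter("action"))
    ]
    app = root.find("application")
    debuggable = app is not None and app.get(A_DEBUGGABLE) == "true"
    categories = set(suspicious.values())
    if vpn_service and len(categories) >= 2:
        verdict = "surveillanceware-shaped"   # working tunnel used as cover
    elif categories:
        verdict = "over-privileged"
    else:
        verdict = "consistent with claimed VPN"
    return {
        "permissions": permissions,
        "suspicious": suspicious,
        "vpn_service": vpn_service,
        "boot_receivers": boot_receivers,
        "debuggable": debuggable,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        result = triage_manifest(xml)
        print(label, result["verdict"], sorted(result["suspicious"].values()))
```

The verdict deliberately requires both a genuine VpnService binding and two or more surveillance capabilities: a tunnel with one stray grant is a review question, a tunnel carrying file, location and persistence grants together is the pattern described above.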
Buried in the code was the address it phones home to: api[.]equinoxharbgrp[.]com, a domain dressed up as a Leicester, UK "financial calendar" company.
Following it home
The operator made a mistake. The command-and-control domain was Cloudflare-fronted, but an unauthenticated endpoint leaked the real server, 64.188.98[.]201, hosted at SERV.HOST GROUP in Frankfurt, and on that server the operator had left Apache directory listing enabled. The entire backend was exposed: at least eighteen PHP scripts across eight directories, including VPN management, a push-notification system, user management, file-exfiltration storage, an APK build pipeline, and debug tools.
The exposed /api/ backend: the exfiltration store (files/), the push-tasking endpoint (push/), per-victim telemetry (logs.php), and anti-forensics scripts (delete_by_ip.php, delete_logs_by_device.php). Captured 2026-06-19.
One file decided the case. vpn_schema.sql, the database schema, showed that the app stores each client's WireGuard private key on the server. In a real VPN, that key never leaves the device; it is the whole basis of the tunnel's secrecy. Storing it server-side means the operator can decrypt everything the "VPN" carries. The tunnel is not protection; it is a wiretap by design. An admin panel, embedded inside the app itself through an Android WebView, completed the picture: a dashboard the operator manages from the same app the victims installed.
That told us where it phones home and what it can do. The next step was to watch it do it.
Detonation
Static analysis tells you what an app is built to do. To see what it does, you run it, carefully. We detonated the sample on a hardware-accelerated Android emulator inside a fully network-isolated environment, pointed not at the operator's live server but at a stand-in of our own, and seeded the test device with nothing but uniquely-marked decoy files. Nothing it sent could reach the operator; nothing it stole was real.
It behaved exactly as designed. On launch it swept the device's photos, downloads, and documents, and, pointedly, the files in the WhatsApp and Telegram media folders, packed them into a scraped_data archive, and uploaded it to /api/files/upload.php, reporting each step back to the panel: "Archive uploaded ✅." Every decoy we planted came back out the other side. The exfiltration the leaked schema had only implied was now something we had watched happen.
```mermaid
flowchart LR
    P["Victim phone<br/>SVOiVPN installed"]
    SCR["scrapeMessengerFiles<br/>scrapePublicMedia<br/>scrapeLocation*"]
    ZIP["scraped_data*.zip"]
    UP["POST /api/files/upload.php"]
    C2["C2 backend<br/>SERV.HOST, Frankfurt"]
    POLL["GET /api/push/poll.php"]
    PR["PushResponse with actionUrl"]
    NOTE["High-priority notification<br/>operator title and body"]
    TAP["Tap opens operator-chosen URL"]
    P --> SCR --> ZIP --> UP --> C2
    C2 -. push tasking .-> POLL --> PR --> NOTE --> TAP
    classDef confirmed fill:#7a1d20,stroke:#C0272D,color:#fff;
    classDef channel fill:#5a4a12,stroke:#F5C542,color:#fff;
    class P,SCR,ZIP,UP,C2 confirmed;
    class POLL,PR,NOTE,TAP channel;
```
Then the detonation surfaced a capability the code had only hinted at. The push-notification endpoint, push/poll.php, is not the benign feature its name suggests. The server can return a list of "pushes," each carrying a title, a body, and, the important part, an actionUrl. For each one, the app raises a high-priority notification with the operator's text and wires the tap to open that URL directly. When we fed our stand-in server a crafted push, the test phone displayed it on cue: operator-chosen title, operator-chosen body, operator-chosen link.
That turns the spyware's notification system into a remote phishing weapon. The operator can push any infected phone a convincing, urgent message (a fake "security alert," an "expired subscription," a counterfeit government notice) and route the victim's tap anywhere: a credential-harvesting page, a malicious APK, a payment form. It runs from the server, needs no app update, and can be retargeted at will. A fake VPN that already reads a soldier's traffic and steals their files can also, on command, put an attacker-chosen page in front of them and dress it up as a system notification.
The app's location-scraping code is present, and at runtime it tries to collect GPS, but our emulator's location services would not feed it a fix, so we confirmed the intent and the attempt, not a captured coordinate. We say so rather than imply more.
The business behind it
SVOiVPN is not a lone app. It is plugged into a criminal enterprise.
A second domain in the same infrastructure, withhatetoapi[.]cc, hosts a public documentation portal for a phishing-as-a-service platform that calls itself APEX RENT ("APEX API v1.1.4"). The docs describe a complete fraud toolkit: eighteen integrated email mailers, an SMS sender, two PDF-receipt generators, templates for a hundred consumer brands across twenty countries, a team-and-affiliate model with API keys, and a checker_balance flag that makes a phishing page ask a victim for their bank balance.
The documentation portal (docs[.]withhatetoapi[.]cc), self-branded "APEX API v1.1.4" and "POWERED BY APEX RENT," fronts a phishing-as-a-service platform with eighteen mailers, a hundred brand templates, and a checker_balance flag. Here it renders inside the ANY.RUN interactive sandbox, which flags it as malicious phishing. Captured 2026-05.
In the taxonomy of phishing-as-a-service, that places APEX RENT in a specific lane, and we should be careful not to overstate it. There is no sign in the documentation of the real-time multi-factor interception that defines the premium tier, the platforms that hijack live login sessions. What APEX RENT competes on instead is breadth, the signature of high-volume consumer fraud, a close cousin of the Russian-language Telegram-bot scam factories that Group-IB tracks as Classiscam and ESET as Telekopye.[10][11] What is notable is less the technique than the packaging: a versioned REST API, affiliate keys, a documentation portal. The scam economy now ships its product the way a software startup would. APEX RENT is phishing with a product roadmap.
How does the fake VPN connect to it? Through shared bulletproof hosting and a handful of converging tells. svoivpn[.]cfd sits on the same server as a roughly 116-domain Telegram-phishing cluster; the APEX Telegram channels openly market the host that carries all of it; the spyware's command server and the phishing platform share a small, distinctive code convention (the same log_type field). Together that is enough to place SVOiVPN and APEX RENT inside the same operation with reasonable confidence. It is not enough to prove a single individual runs both: the connective tissue is a shared landlord, and a bulletproof host serves many tenants. We return to that gap below.
For the record: the thread we first pulled, a templated batch of phishing domains we call Cluster A, turned out to be the loosest one. We could not confirm those bulk domains belong to APEX RENT at all; the only observed redirect into the platform came from a single, separate brand-verification domain. The investigation's spine is the spyware, not the domains we started from, and we leave that link open rather than collapse it into a tidier story.
The operator and the neighborhood
The trail to the operator runs not through the C2 but through the distribution site. svoivpn[.]cfd resolves to its own origin, 87.120.107[.]209, a different server and network from the SERV.HOST box behind the C2, and that IP belongs to an autonomous system, AS215428, operating as Shinomiya Hosting: a bulletproof-hosting reseller (formerly "SapDedic") that markets dedicated servers in Finland and Germany and advertises on Lolz.live, one of the largest Russian-language criminal forums. Its public RIPE registration names a Ukrainian national, Mykyta Skorobohatko, in Shostka, Sumska Oblast, near the Russian border.
Here precision matters, and we keep it. That Skorobohatko is the registrant of the hosting is an observation, drawn from a public record. That the same person operates APEX RENT and SVOiVPN, rather than merely renting out the bulletproof hosting they run on, is an inference, supported by the convergence of services but not independently confirmed; the registration itself could be genuine, co-opted, or fabricated.
The network the registrant runs sits in bad company. The Qurium Media Foundation's investigation into the Doppelganger Russian disinformation operation names AS215428 directly,[12] alongside the autonomous systems of a bulletproof-hosting constellation (Netshield, DpkgSoft, SERV.HOST) that fans out from Aeza, a Russian bulletproof host the U.S. Treasury sanctioned in July 2025,[13] and from Stark Industries, sanctioned by the EU weeks earlier.[14][15][16] This is the sharpest version of a careful caveat: the operator's own network materially hosts Russian state-aligned operations, but as a landlord, not, on the evidence, as an author. The connection to sanctioned infrastructure is infrastructural, not operational. What it does establish is that the neighborhood the soldiers' data flows into is itself a target of coordinated Western sanctions.
The stakes
In this war, the data this app steals is not an abstract privacy harm. A frontline soldier's geolocation and the documents in their Telegram are fire-mission inputs. Russia's own Ministry of Defense, after a HIMARS strike killed scores of newly mobilized troops at Makiivka on New Year's Day 2023, blamed the dead soldiers' mass use of mobile phones for giving away their position.[17] A RUSI analysis traced the November 2023 strike on Ukraine's 128th Mountain Assault Brigade to the compromise of a single soldier's Signal account.[18] Both armies now treat a soldier's phone signal as a lethal liability, and both have restricted frontline phone use because of it.
It is worth being clear that SVOiVPN's targeting is not, in fact, unusual. It drops into a documented 2025–2026 pattern of Android spyware aimed at Russian soldiers: the trojanized Alpine Quest mapping app (Doctor Web, April 2025),[19] and the romance-lure SiribClone campaign and its SafeLoveStealer implant (The Record, June 2026),[20] both of which, like ours, harvest soldiers' messenger data and geolocation, and both of which remain unattributed.
That word is the one to sit with. Every comparable campaign against Ukrainian soldiers (Sandworm's Infamous Chisel, the GRU's Signal-device-linking, the fake artillery and army apps) has been firmly pinned on Russian military intelligence by government and vendor reporting.[21][22][23][24] The campaigns against Russian soldiers, this one included, have been attributed to no one, though it is worth noting that the two precedents above were documented by Russian security vendors, who are unlikely to name their own state. The asymmetry of public attribution is real even so. Symmetry of tactics is not symmetry of proof, and we resist the temptation to supply the missing attribution.
"Symmetry of tactics is not symmetry of proof. We can show you the machine, who it is aimed at, and what one tap costs. We will not invent the sponsor the evidence does not name."
What we proved, and what we didn't
We ran the question of who is behind this through a formal Analysis of Competing Hypotheses, now spanning thirty-two pieces of evidence across four scenarios. The leading explanation (a Russian-speaking, Ukrainian-registrant cybercriminal and bulletproof-hosting reseller, operating for profit in the mold of the Classiscam scam economy) carries zero inconsistencies; the runtime behavior we confirmed, indiscriminate bulk theft plus a built-in fraud-and-redirect channel, is the shape of profit-driven crime, not the selective collection of an intelligence service. We put our confidence at roughly 70 to 80 percent. What keeps it short of certainty is the one thing infrastructure analysis cannot settle: whether this individual operates the spyware or merely resells the hosting it runs on, and whether the soldier-targeting carries any motive beyond money.
We are also careful about novelty, because it is easy to overclaim. We are not the first to see this infrastructure: withhatetoapi[.]cc had been scanned roughly a hundred times and flagged as a possible threat in automated feeds since February 2026, months before we looked. What we did not find is any published analysis that identifies it as a phishing-as-a-service platform, names it "APEX RENT," or connects it to SVOiVPN; and the spyware's command server, by contrast, had never been scanned at all. Our contribution is the identification and the linkage, not the discovery of a domain.
withhatetoapi[.]cc sits behind a Cloudflare "Suspected Phishing" interstitial: the platform was visible to automated detection long before we named it. Captured 2026-06-21 (ANY.RUN).
And we cannot tell you how many soldiers installed it. Only its operator can: the victim count lives in the very database we chose not to mine. The signals we can see point to a small, low-profile operation, not a mass campaign: a marketing footprint of a few hundred subscribers, a sample no one else had submitted, infrastructure that flew under the radar. The story's weight is not in a headcount. It is that a working spyware machine is aimed at frontline soldiers, where even a handful of compromised phones is a lethal liability, and we can show you the machine, who it is aimed at, and what one tap costs.
We believe that intellectual honesty about what remains unconfirmed makes the confirmed findings stronger, not weaker.
Detection and indicators
All indicators are defanged. Treat the domains and IPs below as hostile, and do not transact with the named sanctioned hosts.
| Indicator | Value |
|---|---|
| Fake-VPN distribution | svoivpn[.]cfd |
| APEX RENT platform | withhatetoapi[.]cc · TDS traffic[.]withhatetoapi[.]cc (403s non-browsers) · docs docs[.]withhatetoapi[.]cc |
| SVOiVPN C2 | equinoxharbgrp[.]com (api. / panel.) |
| Shinomiya origin | 87.120.107[.]209 · AS215428 · Finland |
| C2 origin | 64.188.98[.]201 · SERV.HOST GROUP · AS207957 · Frankfurt |
| SHA-256 | 29b42cf018b81e6d09b886ecfa97093680776257ec132ce89aff4b7a81ff77d7 |
| Package | com.sdocument.app |
| Signer | fa0f2a2dcf974b428842c28f05e91d4641fde50e (Android Debug cert) |
| VirusTotal | 0 / 67 (undetected as of 2026-06-20) |
| Exfiltration | /api/files/upload.php (multipart scraped_data*.zip) |
| Telemetry | /api/logs.php (per-victim, carries log_type) |
| Push / redirect | /api/push/poll.php (actionUrl tasking) |
| Fingerprint .icu | ^[a-z]{2}\d{2,3}-\d{2,3}\.icu$ |
| Secure-* .icu / .com | ^secure-[a-z]\d{3,4}\.(icu|com)$ |
| Caveat | The secure-* pattern is also used by unrelated actors; verify registrar and registration timing before acting. |
| APEX RENT Telegram | @Apex2Rent · @apexhelper · @apexmailerinfo · @ApexDomainBot · @ApexHost_Bot |
| SVOiVPN / hosting Telegram | @svojvpn · @svojvpn_bot · @shinomiya_com · @shinomiya_robot · @shinomiya_sup |
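The indicators above are defanged, and the two domain fingerprints carry different confidence: the secure-* pattern is shared with unrelated actors. The script below is an added example, not tooling from this investigation: it refangs the table's domains, IPs and C2 paths, applies the two regexes, and ranks every hit so that a confirmed domain or C2 address is separated from a fingerprint that still needs registrar verification. The log format (one constructed line per DNS query or HTTP request) and the tier names are the example's own assumptions.

```python
"""Match defanged indicators and domain fingerprints against sample log lines.

Added example; the log lines are constructed, the indicators come from the
table above.
"""
import re

# Indicators from the table, kept defanged in source and refanged when loaded.
DEFANGED_DOMAINS = ["svoivpn[.]cfd", "withhatetoapi[.]cc", "equinoxharbgrp[.]com"]
DEFANGED_IPS = ["87.120.107[.]209", "64.188.98[.]201"]
C2_PATHS = {"/api/files/upload.php", "/api/logs.php", "/api/push/poll.php"}

# Domain-shape fingerprints from the table. The secure-* pattern carries the
# table's caveat (used by unrelated actors too), so it is ranked as weak.
FINGERPRINTS = [
    ("fingerprint-icu", re.compile(r"^[a-z]{2}\d{2,3}-\d{2,3}\.icu$")),
    ("weak-fingerprint-secure", re.compile(r"^secure-[a-z]\d{3,4}\.(icu|com)$")),
]


def refang(value: str) -> str:
    """Turn a bracket-defanged indicator back into a matchable string."""
    return value.replace("[.]", ".")


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IPS = {refang(ip) for ip in DEFANGED_IPS}

# Constructed log: '<ts> <client> dns <host>' or
# '<ts> <client> http <server-ip> <method> <path>'. Non-hostile lines use
# documentation addresses.
SAMPLE_LOG = """\
2026-06-20T09:14:03Z 10.20.0.17 dns svoivpn.cfd
2026-06-20T09:14:09Z 10.20.0.17 dns api.equinoxharbgrp.com
2026-06-20T09:14:10Z 10.20.0.17 http 64.188.98.201 POST /api/files/upload.php
2026-06-20T09:15:41Z 10.20.0.22 dns ab12-345.icu
2026-06-20T09:16:02Z 10.20.0.22 dns secure-k1234.com
2026-06-20T09:16:30Z 10.20.0.31 dns update.example.org
2026-06-20T09:17:00Z 10.20.0.31 http 203.0.113.10 GET /index.html
"""


def classify_host(host: str):
    """Return (tier, indicator) for a hostname, or None if nothing matches."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        # Exact domain or any subdomain of it (api., panel., docs., traffic.).
        if host == d or host.endswith("." + d):
            return "confirmed-domain", d
    for tier, pattern in FINGERPRINTS:
        if pattern.match(host):
            return tier, pattern.pattern
    return None


def match_line(line: str):
    """Parse one log line and return a hit dict, or None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, client, kind = parts[:3]
    if kind == "dns":
        found = classify_host(parts[3])
        if found:
            tier, indicator = found
            return {"ts": ts, "client": client, "tier": tier,
                    "indicator": indicator, "observed": parts[3]}
        return None
    if kind == "http" and len(parts) >= 6:
        server, path = parts[3], parts[5]
        if server in IPS:
            return {"ts": ts, "client": client, "tier": "confirmed-ip",
                    "indicator": server, "observed": path}
        if path in C2_PATHS:
            # The path alone is weaker evidence: the host may be unrelated.
            return {"ts": ts, "client": client, "tier": "c2-path",
                    "indicator": path, "observed": server}
    return None


def scan_log(text: str) -> list:
    """Run every line through match_line and keep the hits in order."""
    return [hit for hit in (match_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['tier']:<24} "
              f"{hit['observed']} -> {hit['indicator']}")
```

Only the confirmed tiers justify blocking on sight; a fingerprint hit is a lead to check against registrar and registration timing, which is exactly the caveat the table records for the secure-* pattern.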
Methodology
This investigation ran in two phases.
Passive collection and attribution. The infrastructure was mapped entirely from passive and public sources: passive DNS, certificate transparency, ICANN zone files, RDAP/WHOIS, a Shodan survey, static APK decompilation, and third-party sandbox analysis (Joe Sandbox and ANY.RUN), corroborated by external reporting (DecodeCybercrime, Qurium, Krebs on Security) and U.S. Treasury and EU sanctions records. Every C2 detail described above was read from unauthenticated endpoints the operator left publicly exposed; no credentials were bypassed or exploited. Attribution follows the ICD 203 estimative-language standard and a formal Analysis of Competing Hypotheses, with each claim graded by confidence and unconfirmed links labeled as such.
Controlled active analysis. To move key findings from present in the code to observed in behavior, we then conducted two live analyses under strict containment, shielding the origin of our own activity. We rendered the cloaked pages in an anonymized, origin-shielded browser. And we executed the spyware on a hardware-accelerated Android emulator in a fully network-isolated environment (no route to the internet and no path to the operator's servers) with its outbound traffic terminated by a stand-in server under our control, the test device seeded only with uniquely-marked decoy files. The live sample was never run anywhere it could reach the operator, and no real data ever left our control. Where a capability could not be exercised in testing, notably GPS-location collection, we say so rather than imply confirmation.
Sources
1. Meduza. "No more phone-sharing, VPN ads, or foreign-agent teachers," September 1, 2025. meduza.io.
2. Meduza. "Putin signs law penalizing online searches for content deemed extremist," July 31, 2025. meduza.io.
3. Human Rights Watch. "Russia Clamps Down on Online Searches," July 24, 2025. hrw.org.
4. Izvestia. "Roskomnadzor blocked more than 400 VPN services in 2025," January 22, 2026. iz.ru.
5. The Moscow Times. "Roskomnadzor tightens restrictions on Telegram as users report disruptions," February 10, 2026. themoscowtimes.com.
6. CNN Business. "Russia blocks WhatsApp," February 12, 2026. cnn.com.
7. The Moscow Times. "Everything you need to know about MAX, Russia's state-backed answer to WhatsApp," August 28, 2025. themoscowtimes.com.
8. TechRadar. "Russia's state-backed MAX app may know if you are using a VPN" (2026 reverse-engineering analysis; corroborated by RKS Global; MAX denied). techradar.com.
9. Meduza. "The Kremlin spent years building a messenger to replace Telegram. Now it's reportedly telling soldiers the substitute is too insecure to use at the front," February 23, 2026 (sourced to Mediazona and pro-war military channels; denied by the Kremlin). meduza.io.
10. Group-IB. "Inside Classiscam," March 1, 2021. group-ib.com.
11. ESET WeLiveSecurity. "Telekopye: Hunting Mammoths using a Telegram bot," August 24, 2023. welivesecurity.com.
12. Qurium Media Foundation. "Exposing the evil empire of Doppelganger disinformation" (names AS215428 / MYKYTASKOROB), July 2024. qurium.org.
13. U.S. Department of the Treasury / OFAC. Press release sb0185, "Treasury Sanctions Bulletproof Hosting Service Aeza Group," July 1, 2025. home.treasury.gov.
14. Council of the EU. "Russian hybrid threats: EU lists further 21 individuals and 6 entities" (Stark Industries), May 20, 2025. consilium.europa.eu.
15. KrebsOnSecurity. "Stark Industries Solutions: An Iron Hammer in the Cloud," May 23, 2024. krebsonsecurity.com.
16. KrebsOnSecurity. "Bulletproof Host Stark Industries Evades EU Sanctions," September 11, 2025. krebsonsecurity.com.
17. Al Jazeera. "Russia now says 89 killed in Ukraine attack, blames mobile phones," January 4, 2023. aljazeera.com.
18. RUSI (Dan Black). "Russia's Cyber Campaign Shifts to Ukraine's Frontlines," July 22, 2024. rusi.org.
19. Doctor Web. "Android.Spy.1292.origin" (trojanized Alpine Quest targeting Russian military), April 23, 2025. news.drweb.com.
20. The Record. "Hackers pose as women seeking romance to target Russian military" (SiribClone / SafeLoveStealer), June 9, 2026. therecord.media.
21. CISA. Malware Analysis Report AR23-243a, "Infamous Chisel," August 31, 2023. cisa.gov.
22. NCSC-UK. "UK and allies support Ukraine, calling out Russia GRU malware campaign," August 31, 2023. ncsc.gov.uk.
23. Google Threat Intelligence Group. "Signals of Trouble: Russia targeting Signal Messenger," February 20, 2025. cloud.google.com.
24. CrowdStrike. "Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units," December 2016. crowdstrike.com.
CrimsonVector, investigative research by Diego Parra into criminal infrastructure, threat-actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.