Malicious IPs and Domain Reconnaissance
External Attack Surface Recon with Censys

In Malicious Github Repository Analysis we discovered a malicious GitHub repository, then analyzed and de-obfuscated its code using an LLM (Gemini).
As with any investigation, we gather more information, and whether we're probing servers or working a box, lab, or CTF, recon tools are the first place to start.
Querying Censys, Shodan, or ZoomEye with host.dns.names: "py-installer.com" and web.hostname: "py-installer.com" came up with nothing. A wildcard search did: host.dns.names: "py-installer".
Hm, this one is also in Moldova, as WHOIS indicated for the other IP address.
Chisinau, Chișinău Municipality (MD)
We can see the exposed services: 22/SSH, 80/HTTP, 443/HTTP, 3001/HTTP. Port 3001 is likely hosting Grafana:
The version is Grafana v12.4.0-20418128491 (5585595c16), which has several CVEs, a rabbit hole I won't follow here.
Time to look at the resolved IP with a ping for our exact domain, py-installer.com:
ping py-installer.com
PING py-installer.com (172.67.135.175): 56 data bytes
64 bytes from 172.67.135.175: icmp_seq=0 ttl=249 time=34.798 ms
64 bytes from 172.67.135.175: icmp_seq=1 ttl=249 time=19.704 ms
Searching with host.ip="172.67.135.175" shows a Cloudflare-hosted Web Application Firewall (WAF) in front of the server.
Looks like they accept abuse reports, but all they can do is pass the report on to the hosting provider and the owner.
We should just browse to https://py-installer.com
Hm... interesting.
Issued To
    Common Name (CN): py-installer.com
    Organization (O): <Not Part Of Certificate>
    Organizational Unit (OU): <Not Part Of Certificate>
Issued By
    Common Name (CN): WE1
    Organization (O): Google Trust Services
    Organizational Unit (OU): <Not Part Of Certificate>
Validity Period
    Issued On: Tuesday, June 2, 2026 at 2:55:14 AM
    Expires On: Monday, August 31, 2026 at 3:52:49 AM
SHA-256 Fingerprints
    Certificate: abcede914e0cd4ca0017f6002be2c176db2dd288ef033f193dd321d997142e21
    Public Key: 181242e1cd9cab7db47d7197baad35dd6c9c489852b2efd000a3cfa66fd876f7
Issued pretty recently, on 06-02-2026. The site is a SPA built with ReactJS/NextJS; you can tell with https://builtwith.com/ and https://www.whatruns.com/.
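To make the two checks above repeatable, here is an added Python example (not code from the original post) that pulls the resolved IP out of the ping output, tests it against a subset of Cloudflare's published prefixes to flag a hidden origin, and turns the certificate-viewer fields into triage facts such as certificate age and lifetime. The ping text and certificate fields are constructed copies of what the post shows; the observation time and the prefix list are assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime
# Constructed copies of the artefacts in the write-up, embedded so this runs offline.
PING_OUTPUT = """PING py-installer.com (172.67.135.175): 56 data bytes
64 bytes from 172.67.135.175: icmp_seq=0 ttl=249 time=34.798 ms
"""
CERT_FIELDS = {
    "subject_cn": "py-installer.com",
    "issuer_cn": "WE1",
    "issuer_o": "Google Trust Services",
    "issued_on": "Tuesday, June 2, 2026 at 2:55:14 AM",
    "expires_on": "Monday, August 31, 2026 at 3:52:49 AM",
}
OBSERVED = datetime(2026, 6, 15, 12, 0)  # assumption: constructed observation time
# Assumption: a subset of Cloudflare's published IPv4 prefixes (full list: cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "172.64.0.0/13")]
DATE_FMT = "%A, %B %d, %Y at %I:%M:%S %p"  # browser certificate-viewer date format

def resolved_ip(ping_text: str) -> str:
    """Extract the resolved address from the PING header line."""
    m = re.search(r"^PING \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)", ping_text, re.M)
    if not m:
        raise ValueError("no PING header line found")
    return m.group(1)

def behind_cloudflare(ip: str) -> bool:
    """True if the address is a Cloudflare edge, i.e. the origin server is hidden."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def cert_summary(fields: dict, domain: str, observed: datetime) -> dict:
    """Turn the viewer fields into triage facts: name match, issuer, lifetime, age."""
    issued = datetime.strptime(fields["issued_on"], DATE_FMT)
    expires = datetime.strptime(fields["expires_on"], DATE_FMT)
    age_days = (observed - issued).days
    return {
        "hostname_matches": fields["subject_cn"].lower() == domain.lower(),
        "issuer": f'{fields["issuer_cn"]} ({fields["issuer_o"]})',
        "lifetime_days": (expires - issued).days,
        "age_days": age_days,
        "recently_issued": age_days < 30,  # freshly minted certs are a common phishing tell
    }

def triage(domain: str = "py-installer.com") -> dict:
    """Combine the network and certificate observations into one report."""
    ip = resolved_ip(PING_OUTPUT)
    return {"ip": ip, "behind_cloudflare": behind_cloudflare(ip),
            **cert_summary(CERT_FIELDS, domain, OBSERVED)}
```

Run `triage()` to get the report; the 90-day lifetime it reports matches the short-lived certificates Google Trust Services issues, and the age-in-days figure is what you would log alongside the domain first-seen date.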
Looking at the IP with host.ip=217.156.122.146 we see:
Also in Moldova. Apparently, lots of malicious sites are hosted here, as it is a proxy battleground for geopolitical conflicts and has a long history as a base for darknet servers.
We go deeper...