Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.
This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.
Wonder if they consider abuse reports to be "legal communications"?? We shall see.
In the meantime, this little lot is housed on at least 2 of their IPs, namely 18.104.22.168 and 22.214.171.124.
All of those I've checked thus far have had their downloads coming from allbrowsers.net (126.96.36.199 - 61-201-94-81.rackcentre.redstation.net.uk), for example;
These are NSIS packed files, and the JDownloader file, for example, contains two VBS scripts that hijack the Firefox homepage and search engine to point to;
With partner ID:
No great surprise as far as where pucuy.com is living - our old friends RapidSwitch;
Current IP: 188.8.131.52
IP PTR: Resolution failed
ASN: 29131 184.108.40.206/17 RAPIDSWITCH-AS RapidSwitch
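
A check for the Firefox hijack described above, as an added example that is not part of the original post: it reads a profile's prefs.js text and reports homepage or address-bar search preferences that point at pucuy.com. It assumes the scripts make the change through the `browser.startup.homepage` and `keyword.URL` preferences (the post does not say how), and the sample profile content and URL paths are constructed.

```python
import re
from urllib.parse import urlparse

# Domain named in the post; extend with your own blocklist.
SUSPECT_DOMAINS = {"pucuy.com"}

# Assumption: the hijack lands in these preferences (homepage, address-bar search).
WATCHED_PREFS = {"browser.startup.homepage", "keyword.URL"}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample of a prefs.js file; the URL paths are placeholders.
SAMPLE = '''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.pucuy.com/?pid=PLACEHOLDER");
user_pref("keyword.URL", "http://pucuy.com/search?q=");
user_pref("browser.startup.page", 1);
user_pref("browser.search.update", false);
'''

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            quoted = raw.startswith('"') and raw.endswith('"')
            prefs[name] = raw[1:-1] if quoted else raw
    return prefs

def host_matches(value, domains):
    """True if any URL in value (homepages are '|'-separated) is on or under a listed domain."""
    for part in value.split("|"):
        part = part.strip()
        url = part if "://" in part else "//" + part
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            return True
    return False

def audit(text, domains=SUSPECT_DOMAINS):
    """List (pref, value) pairs among the watched prefs that reference a suspect domain."""
    prefs = parse_prefs(text)
    return [(n, v) for n, v in sorted(prefs.items())
            if n in WATCHED_PREFS and host_matches(v, domains)]

if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"hijacked: {name} -> {value}")
```

Matching is on the parsed hostname rather than a substring, so a lookalike such as notpucuy.com is not flagged while subdomains of a listed domain are.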