Registry of sites distributing malware. Each entry is confirmed by YonSeSecurity analysis with attached reports. We recommend blocking these sites at the DNS, proxy, or firewall level.
Pirated-software portal positioning itself as a source of 'verified' cracks. Analysis of files downloaded from this resource revealed a professional multi-component trojan with ransomware capabilities, disguised as a legitimate installer. The payload is packed inside an Inno Setup installer and is invisible to antivirus software during static analysis (0 detections). If one file contains malware of this level, there is no reason to trust the other distributions.
Official distribution website for Telega, an unofficial Telegram client (ru.dahl.messenger) with a built-in Man-in-the-Middle attack against the MTProto protocol. The application replaces Telegram DC IP addresses with proxy servers controlled by AS203502 ("JSC TELEGA", upstream: VK/Mail.ru), injects a rogue RSA key, disables Perfect Forward Secrecy, suppresses secret chats, and operates government censorship panels (Zeus/Cerberus) processing RKN blocking requests. Also distributed via Telegram channels @dahlmessenger and @telegaru.