
justsstop.ru: Inside the Infrastructure Flagged as an Active Threat Campaign

The justsstop.ru domain and IP 165.22.170.129 are flagged as active indicators of compromise on a DigitalOcean node.
Sami Malik
Copywriter

The domain justsstop.ru and the IP address 165.22.170.129 were published as active indicators of compromise in an AlienVault OTX pulse in mid-2026. The hosting sits on a DigitalOcean node and the domain is registered under a Russian top-level domain, a combination that fits a well-documented pattern of threat actor hosting. What the specific indicators reveal about the operators, how to interpret them accurately, and what organisations should do with them together tell a broader story about how modern threat campaigns are built and tracked.

What Was Flagged and Where

AlienVault OTX (Open Threat Exchange) is a crowd-sourced threat intelligence platform where security researchers, incident responders, and automated systems publish indicators associated with malicious activity. An OTX pulse is a structured record that groups related indicators (domains, IP addresses, file hashes, URLs) under a single campaign or threat actor entry, along with context about what was observed and when.

The Domain, the IP, and the DigitalOcean Node

The justsstop.ru indicator set consists of the domain itself, the associated URL structure, and the hosting IP 165.22.170.129. That IP resolves to a DigitalOcean droplet, a virtual private server on DigitalOcean's infrastructure. The .ru top-level domain places the registration under Russia's registry, though the registration TLD and the hosting provider are entirely independent choices that operators make for different reasons. Registering under .ru does not mean the operator is physically located in Russia; it means they chose to register there, which has its own implications for takedown requests and law enforcement cooperation.

The specific character pattern in "justsstop", with a double "s", is a deliberate obfuscation technique. Human reviewers scanning logs or email headers quickly may read it as "juststop" and not register the anomaly. This kind of confusable domain construction is documented across phishing, malware command-and-control, and brand impersonation campaigns as a simple way to reduce the speed at which defenders catch the domain in manual review.

How AlienVault OTX Indicators Work

OTX indicators carry a reliability score based on the contributing researcher's reputation and the number of corroborating pulses from independent sources. A single-source indicator (one pulse from one contributor) should be treated as a lead for investigation, not an automatic block trigger. The volume and diversity of corroboration matter: an IP address that appears in ten independent pulses from different researchers over six months is a stronger signal than one that appears in a single pulse from an account with no track record. When working with indicators of compromise, the source and corroboration level of the data is as important as the indicator itself.

What the Infrastructure Suggests About the Operators

Reading infrastructure choices as signals about the operators behind them is a core discipline in threat intelligence. The combination of justsstop.ru and a DigitalOcean IP is not random; it reflects deliberate decisions that tell us something about how this campaign was set up and why.

Russian-Registered Domain on Western Cloud Infrastructure

The pairing of a .ru domain with Western cloud hosting is one of the most frequently observed patterns in threat actor infrastructure. The logic from the attacker's perspective is straightforward: .ru domains are cheaper to register and more difficult to seize through Western legal mechanisms than .com or ccTLDs under friendly jurisdictions. DigitalOcean, meanwhile, offers reliable uptime, a global network of IP addresses with initially clean reputation scores, fast provisioning that can be completed in minutes, and payment methods that include cryptocurrency, all of which reduce the friction of standing up new infrastructure quickly.

Netskope Threat Labs tracked a 17-fold increase in traffic to malicious web pages hosted on DigitalOcean over a six-month period, documenting campaigns that included tech support scams mimicking Windows Defender and phishing pages targeting financial institution customers. The pattern is consistent: reputable cloud infrastructure, low-cost or disposable domains, fast deployment. DigitalOcean has appeared repeatedly in threat intelligence research as documented by Krebs on Security over several years.

Why Threat Actors Use DigitalOcean

DigitalOcean's appeal for threat actors is not unique to that provider; AWS, Vultr, Linode, and similar platforms face the same challenge. Any cloud provider that offers fast, low-friction provisioning with broad geographic coverage will attract both legitimate developers and bad actors. DigitalOcean's IP ranges are not inherently more malicious than those of other providers; the issue is that a fresh DigitalOcean droplet starts with no reputation history, which means IP blocklists and URL filters have nothing to flag. By the time the IP earns a reputation for hosting malicious content, the campaign may have already moved.

Reading Indicators of Compromise: What This One Tells You

An indicator like justsstop.ru is more useful as a starting point for investigation than as a complete picture on its own. Understanding what it tells you and what it does not tell you is what separates actionable intelligence from alert noise.

The IoC Itself Is Not the Full Picture

A domain flagged in a single OTX pulse confirms that at least one researcher observed malicious activity associated with it at a specific point in time. It does not tell you what kind of malicious activity, which targets were involved, whether the campaign is still active, or whether the same IP is now hosting entirely different content from a different operator who simply provisioned the same DigitalOcean droplet after the previous tenant's campaign ended. IP addresses on cloud platforms are reassigned regularly. Acting on an old indicator without validating its current state can produce false positives that erode trust in threat intelligence feeds.

The right approach with justsstop.ru is to treat it as a lead: look up the current DNS resolution, check the domain's WHOIS history, query passive DNS databases for associated subdomains, submit the IP to Shodan to see what services are currently exposed, and search for the domain in additional threat intelligence sources beyond OTX. This enrichment process, described in detail in Cyber Threat Intelligence resources, gives a far more complete picture than the raw indicator alone.

What to Look for in Associated Infrastructure

When investigating infrastructure like justsstop.ru, the domain itself is typically one node in a larger cluster. Threat actors who set up one .ru domain on DigitalOcean almost always have others: registered around the same time, following similar naming patterns, or resolving to nearby IP addresses on the same cloud subnet. Looking for registration date clusters in WHOIS data, IP range neighbours in passive DNS, and similar confusable name patterns (jussstop, just-stop, justst0p) can reveal the broader infrastructure and provide more stable indicators to track and block.

Why Domain-Based Campaigns Are Hard to Track

Domains give threat actors more flexibility than IP addresses. IP addresses are tied to physical infrastructure that takes time to provision, move, and reprovision. Domains can be redirected to new IP addresses in seconds by updating DNS records, making infrastructure-level tracking a permanent catch-up game.

Fast Flux and Rapid Pivot Infrastructure

Fast flux is a technique where a domain's DNS records are configured with very short TTL values and rotated through a pool of different IP addresses every few minutes. From a defender's perspective, blocking 165.22.170.129 today means nothing if the domain resolves to a different IP tomorrow morning. In fast-flux setups, the domain name is the stable identifier to track, not the IP. Blocking at the DNS layer rather than at the IP layer is therefore more effective for this class of threat.

Burn-After-Use Domains

Some threat actors take the opposite approach: they use a domain for a short, intense campaign (a phishing wave, a malware distribution burst) and then abandon it entirely, moving to a fresh domain for the next operation. In this pattern, the domain is useful as a historical indicator for understanding past campaigns but has limited value as a forward-looking block. The registration pattern (date, registrar, name server choices) becomes more valuable than the domain itself for predicting the next infrastructure iteration.

What Organisations Should Do With These Indicators

The appropriate response to indicators like justsstop.ru depends on context: the maturity of your threat intelligence programme, the tools available for enforcement, and the risk profile of your environment.

Blocking at DNS and Firewall Layer

For organisations with a DNS security layer (Cisco Umbrella, Cloudflare Gateway, Infoblox Threat Defence, or similar), adding justsstop.ru to a block list is a low-cost, low-risk action that prevents systems on your network from resolving the domain. DNS blocking is preferable to IP blocking for the reasons described above: the IP may change, while the domain is the stable identifier. At the firewall layer, adding 165.22.170.129 to an egress block list is reasonable but should be reviewed periodically against current passive DNS data to avoid maintaining stale rules.

Enriching the IoC Before Acting

Before triggering any broader response (alerting, hunting for historical connections in SIEM, notifying affected teams), enrich the indicator. Check whether any internal systems have made DNS queries for justsstop.ru or connections to 165.22.170.129 over the past 90 days. If they have, prioritise those systems for investigation. If they have not, the indicator is relevant context for blocking but does not require immediate incident response. The goal of managing your attack surface is not to respond to every indicator at maximum urgency, but to triage accurately and act proportionately.
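The telemetry check described above, as an added example that is not part of the original article: it sweeps constructed DNS-query and firewall log lines (the line formats are assumed here, not any vendor's) over a 90-day window and reports hosts that resolved justsstop.ru, a confusable variant of it such as the jussstop / just-stop / justst0p patterns mentioned earlier, or connected to 165.22.170.129. The edit-distance threshold and the leet-character map are assumptions chosen for illustration, and the second-level-label heuristic ignores public-suffix lists.

```python
"""Telemetry sweep for an indicator (added example, not the article's code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

TARGET_DOMAIN = "justsstop.ru"
TARGET_IP = "165.22.170.129"
LOOKBACK = timedelta(days=90)

# Crude leet/hyphen normalisation so justst0p and just-stop collapse to juststop.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})


def normalise_label(label: str) -> str:
    return label.lower().translate(_LEET).replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_distance(qname: str, target: str = TARGET_DOMAIN) -> int:
    """Edit distance between the second-level labels of qname and target after
    normalisation. The TLD is ignored on purpose: just-stop.net is as
    interesting as just-stop.ru. (Assumes a plain two-label suffix, no PSL.)"""
    q = qname.lower().rstrip(".").split(".")
    t = target.lower().split(".")
    if len(q) < 2:
        return 99
    return levenshtein(normalise_label(q[-2]), normalise_label(t[-2]))


def is_confusable(qname: str, target: str = TARGET_DOMAIN, max_dist: int = 2) -> bool:
    return confusable_distance(qname, target) <= max_dist


# Constructed log formats: "<iso-ts> host=<h> qname=<q> ..." and "<iso-ts> src=<s> dst=<d> ..."
DNS_RE = re.compile(r"^(\S+) host=(\S+) qname=(\S+)")
FW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def sweep(dns_log: str, fw_log: str, now: datetime) -> Dict[str, List[Tuple]]:
    """Return DNS hits (host, qname, distance) and network hits (src, dst)
    observed inside the lookback window."""
    since = now - LOOKBACK
    hits: Dict[str, List[Tuple]] = {"dns": [], "net": []}
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m or _ts(m[1]) < since:
            continue
        _, host, qname = m.groups()
        d = confusable_distance(qname)
        if d <= 2:
            hits["dns"].append((host, qname, d))
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and _ts(m[1]) >= since and m[3] == TARGET_IP:
            hits["net"].append((m[2], m[3]))
    return hits


# Constructed sample telemetry. The 2026-02-20 line is deliberately outside
# the 90-day window relative to NOW and must not be reported.
NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)
DNS_LOG = """\
2026-06-12T10:11:12Z host=ws-17 qname=justsstop.ru qtype=A
2026-06-12T10:11:13Z host=ws-17 qname=www.just-stop.ru qtype=A
2026-06-01T08:00:00Z host=ws-02 qname=justsocial.example qtype=A
2026-02-20T09:30:00Z host=ws-09 qname=justst0p.ru qtype=A
"""
FW_LOG = """\
2026-06-12T10:11:14Z src=10.0.4.17 dst=165.22.170.129 dport=443 action=allow
2026-06-12T10:15:00Z src=10.0.4.30 dst=93.184.216.34 dport=443 action=allow
"""

if __name__ == "__main__":
    result = sweep(DNS_LOG, FW_LOG, NOW)
    for host, qname, d in result["dns"]:
        print(f"DNS  {host:8} {qname:24} distance={d}")
    for src, dst in result["net"]:
        print(f"NET  {src:15} -> {dst}")
```

Hosts that appear in the output are the ones to prioritise for investigation; an empty result means the indicator is context for blocking rather than a trigger for incident response, exactly the triage the paragraph above describes.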

The Broader Context: .ru Domains as Threat Infrastructure

The use of .ru domains in threat campaigns is a long-standing pattern, but it requires careful interpretation. The Russian ccTLD is used by millions of legitimate Russian businesses, individuals, and organisations. The presence of a .ru domain in a threat indicator does not mean the campaign originates from Russia, is state-sponsored, or is specifically targeting organisations with ties to Russia or Eastern Europe. It means the operator registered their domain there, which could be for reasons as mundane as cost or as deliberate as complicating international takedown requests.

What makes justsstop.ru analytically interesting is the combination of factors: a confusable domain name with a deliberate extra character, a .ru registration paired with Western cloud hosting, and appearance in threat intelligence feeds suggesting active malicious use. Each of those choices is individually common. Together, they form a profile consistent with operationally experienced threat actors who build infrastructure designed to delay detection, complicate attribution, and survive takedowns, all standard characteristics of campaigns worth monitoring through a sustained threat intelligence programme.

Frequently Asked Questions

What does "active indicator of compromise" actually mean?

An active indicator of compromise is a technical artefact (a domain, IP address, file hash, or URL) that has been associated with observed malicious activity and is believed to still be in operational use by the threat actor. "Active" distinguishes it from historical indicators that were once malicious but are now associated with inactive infrastructure. In practice, "active" on an OTX pulse means "active at the time of publication," which may or may not still be true when you encounter it. Validation of the current state is always recommended before acting on any indicator.

Should I block 165.22.170.129 on our firewall right now?

Blocking the IP on your egress firewall is a reasonable precautionary measure with minimal downside risk, provided you document the block and review it periodically. However, block the domain justsstop.ru at the DNS layer as a priority; it is more stable than the IP address and will remain effective even if the operator moves to a different DigitalOcean droplet. Check first whether any systems in your environment have recently connected to the IP; if they have, the incident response priority rises significantly.

How does AlienVault OTX decide which indicators are credible?

OTX does not centrally validate every indicator submitted to the platform. Instead, it uses a combination of contributor reputation scoring and the number of independent corroborating pulses to signal confidence. Indicators from highly reputed contributors or those that appear in multiple independent pulses carry more weight than single-source submissions. For critical blocking decisions, treat OTX as one data source and cross-reference with other threat intelligence feeds or your own telemetry before taking action.

What is fast flux DNS and how does it complicate takedowns?

Fast flux DNS is a technique where a domain's IP address changes very frequently (sometimes every few minutes) by rotating through a pool of addresses configured in the domain's DNS records with very short TTL (Time to Live) values. This makes the infrastructure more resilient: taking down or blocking one IP address simply causes the domain to resolve to the next address in the pool. Law enforcement takedowns of fast-flux infrastructure require seizing or disabling the domain itself, not just individual hosting nodes, which is more complex and time-consuming. It also means that IP-based blocklists become stale very quickly for these domains.
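A way to recognise the fast-flux behaviour described in this answer and in the "Fast Flux and Rapid Pivot Infrastructure" section above, as an added example that is not part of the original article: it profiles constructed passive-DNS observations in the (timestamp, rrname, rdata, ttl) shape most passive-DNS services return, and flags a name when many distinct addresses spread across several network prefixes appear with short TTLs inside a short window. The thresholds and the /16-prefix diversity proxy are assumptions chosen for illustration; CDNs also rotate many addresses with short TTLs, which is why prefix diversity rather than address count alone drives the decision.

```python
"""Fast-flux heuristic over passive-DNS observations (added example, not the article's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

Observation = Tuple[datetime, str, str, int]  # (seen_at, rrname, rdata, ttl)


def prefix16(ip: str) -> str:
    """Crude network-diversity proxy: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def flux_profile(observations: List[Observation]) -> Dict[str, dict]:
    """Summarise each rrname and decide whether its resolution looks fast-flux."""
    by_name: Dict[str, list] = defaultdict(list)
    for seen_at, name, ip, ttl in observations:
        by_name[name].append((seen_at, ip, ttl))

    out: Dict[str, dict] = {}
    for name, rows in by_name.items():
        times = [r[0] for r in rows]
        ips = {r[1] for r in rows}
        ttls = [r[2] for r in rows]
        window_hours = (max(times) - min(times)).total_seconds() / 3600
        profile = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len({prefix16(ip) for ip in ips}),
            "median_ttl": median(ttls),
            "window_hours": window_hours,
        }
        # Assumed thresholds: >=5 addresses, >=3 prefixes, TTL <= 5 min, inside a day.
        profile["fast_flux"] = (
            profile["distinct_ips"] >= 5
            and profile["distinct_prefixes"] >= 3
            and profile["median_ttl"] <= 300
            and window_hours <= 24
        )
        out[name] = profile
    return out


def recommendation(profile: dict) -> str:
    """Where to enforce, following the article's DNS-over-IP guidance."""
    if profile["fast_flux"]:
        return "block the domain at DNS; IP egress rules will be stale within hours"
    if profile["distinct_ips"] > 1:
        return "block at DNS; an IP rule is optional and needs periodic review"
    return "block at DNS and add the single IP to egress rules, reviewed periodically"


# Constructed observations using documentation address ranges (RFC 5737).
_T0 = datetime(2026, 6, 20, 0, 0)
OBSERVATIONS: List[Observation] = []
for i, ip in enumerate(["192.0.2.10", "192.0.2.77", "198.51.100.5",
                        "198.51.100.9", "203.0.113.41", "203.0.113.8"]):
    OBSERVATIONS.append((_T0 + timedelta(minutes=20 * i), "flux.example", ip, 60))
for i in range(1, 7):  # many addresses but one prefix: CDN-like, not flux
    OBSERVATIONS.append((_T0 + timedelta(minutes=10 * i), "cdn.example", f"198.51.100.{i}", 30))
OBSERVATIONS.append((_T0, "static.example", "203.0.113.200", 3600))
OBSERVATIONS.append((_T0 + timedelta(days=2), "static.example", "203.0.113.200", 3600))

if __name__ == "__main__":
    for name, p in flux_profile(OBSERVATIONS).items():
        print(f"{name:15} ips={p['distinct_ips']} prefixes={p['distinct_prefixes']} "
              f"ttl={p['median_ttl']} flux={p['fast_flux']} -> {recommendation(p)}")
```

Real passive-DNS data would additionally let you group addresses by ASN rather than by /16, which is a far better diversity signal than the prefix proxy used here.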

Can I use AlienVault OTX indicators in my SIEM without a paid subscription?

Yes. AlienVault OTX offers free API access that allows you to query indicators, subscribe to pulse feeds, and integrate OTX data into your SIEM or threat intelligence platform. The OTX DirectConnect API provides real-time access to pulses matching your subscribed tags and threat types. Most major SIEM platforms and threat intelligence management tools have native OTX integrations available. Commercial subscribers to AT&T Cybersecurity (the parent company of OTX) get additional correlation features, but the core indicator data is accessible without a paid subscription.

Threat Actor Infrastructure Patterns: What Repetition Reveals

The value of studying individual indicators like justsstop.ru extends beyond the specific campaign they represent. Every piece of threat actor infrastructure leaves traces that, when aggregated across multiple campaigns and compared over time, reveal operational patterns that help defenders anticipate future activity even before new indicators are published.

The registration characteristics of justsstop.ru (a .ru ccTLD, a confusable domain name using character repetition, and hosting on DigitalOcean) collectively match a pattern observed in dozens of unrelated campaigns over the past several years. This is not because all those campaigns share the same operator; it is because the same cost-benefit reasoning leads different threat actors to the same infrastructure choices independently. .ru domains are inexpensive and offer limited exposure to Western domain seizures. DigitalOcean provides fast provisioning, clean initial IP reputation, and cryptocurrency payment acceptance. Confusable domain names slow down human defenders without requiring any technical sophistication to create.

When security teams document these patterns systematically and share them through platforms like MISP, AlienVault OTX, or internal threat intelligence repositories, they build predictive capability. A new domain that shares three or four of these characteristics with previously confirmed malicious infrastructure warrants closer scrutiny, even before any direct malicious activity is observed. This is the difference between reactive threat intelligence (responding to confirmed incidents) and proactive threat intelligence that identifies likely threats before they activate.

OSINT Investigation Techniques for Domain-Based Indicators

Open-source intelligence (OSINT) investigation of a domain like justsstop.ru does not require commercial tools or paid subscriptions. Several free resources, used in combination, can build a reasonably complete picture of an indicator's history and current state.

WHOIS history lookup tools such as DomainTools Whois History (limited free tier) or SecurityTrails reveal when the domain was first registered, which registrar was used, what name servers are configured, and whether the WHOIS contact information has changed over time. Registration date clustering (finding that justsstop.ru was registered on the same day as several other .ru domains with similar naming patterns) is a strong signal of coordinated infrastructure provisioning. Passive DNS databases, available through Circl.lu's free PassiveDNS API or RiskIQ Community (limited free access), show all IP addresses that the domain has resolved to over its history, not just its current resolution. This historical view can reveal if the domain previously pointed to infrastructure associated with other documented campaigns, establishing a stronger attribution link than the current indicator alone provides.
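The registration-date clustering pivot described above, as an added example that is not part of the original article: given a seed domain and a set of WHOIS-style records, it returns the domains created within a few days of the seed that share its registrar or name-server set and whose second-level label looks like the seed's. The records, registrar names and name servers are constructed, the field names are assumed rather than any WHOIS provider's schema, and the day window and similarity threshold are illustrative choices.

```python
"""Registration-cluster pivot on WHOIS-style records (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import List, Tuple

# Map the digit substitutions seen in confusable names back to letters.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass(frozen=True)
class Whois:
    domain: str
    created: date                 # WHOIS creation date
    registrar: str
    nameservers: Tuple[str, ...]


def label(domain: str) -> str:
    """Second-level label, lowercased, hyphens removed, leet digits mapped to letters."""
    return domain.lower().split(".")[-2].translate(_LEET).replace("-", "")


def name_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of the normalised labels (stdlib ratcliff/obershelp)."""
    return SequenceMatcher(None, label(a), label(b)).ratio()


def registration_cluster(seed: str, records: List[Whois], days: int = 3,
                         min_similarity: float = 0.8) -> List[Tuple[str, str]]:
    """Return (domain, reason) pairs for records that cluster with the seed:
    created within `days` of it, sharing registrar and/or name servers, and
    with a look-alike label."""
    base = next(r for r in records if r.domain == seed)
    found: List[Tuple[str, str]] = []
    for r in records:
        if r.domain == seed:
            continue
        if abs((r.created - base.created).days) > days:
            continue                      # different provisioning wave
        shared = []
        if r.registrar == base.registrar:
            shared.append("registrar")
        if set(r.nameservers) == set(base.nameservers):
            shared.append("nameservers")
        sim = name_similarity(r.domain, seed)
        if shared and sim >= min_similarity:
            found.append((r.domain, f"shared {'+'.join(shared)}, name similarity {sim:.2f}"))
    return sorted(found)


# Constructed records. Registrar and name-server values are placeholders.
_NS = ("ns1.host.example", "ns2.host.example")
RECORDS = [
    Whois("justsstop.ru", date(2026, 5, 3), "REGISTRAR-A (constructed)", _NS),
    Whois("jussstop.ru", date(2026, 5, 3), "REGISTRAR-A (constructed)", _NS),
    Whois("justst0p.ru", date(2026, 5, 4), "REGISTRAR-A (constructed)", _NS),
    Whois("shop-deals.ru", date(2026, 5, 3), "REGISTRAR-A (constructed)", ("ns1.other.example",)),
    Whois("just-stop.net", date(2026, 1, 10), "REGISTRAR-B (constructed)", _NS),  # too early
]

if __name__ == "__main__":
    for domain, why in registration_cluster("justsstop.ru", RECORDS):
        print(f"{domain:16} {why}")
```

The shop-deals.ru record shares a registrar and a registration day but not a look-alike name, and just-stop.net shares the name servers and a look-alike name but was registered months earlier; both are left out, which is the kind of false-positive control that keeps a cluster pivot from turning a whole registrar's customer base into indicators.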

IP reputation services such as AbuseIPDB, Shodan, and Censys provide different lenses on the hosting IP 165.22.170.129. AbuseIPDB shows whether the IP has been reported by other organisations for abuse. Shodan reveals what services the IP is currently exposing to the internet: which ports are open, what software is responding on those ports, and what SSL certificates are installed. SSL certificate data is particularly valuable: certificates installed on threat actor infrastructure often contain organisation fields, email addresses, or common names that appear across multiple campaigns, creating linkage points that are not visible from the domain or IP alone. Censys provides similar capability with different scanning coverage and a slightly different free tier.

Integrating Single-Source Indicators Into a Mature Intelligence Programme

One of the most common mistakes in operationalising threat intelligence is treating all indicators equally regardless of their evidential basis. A domain that appears in a single OTX pulse from an unknown contributor carries very different evidential weight than one that appears across ten independent pulses, correlates with active phishing campaigns documented by multiple vendors, and has been blocked by major DNS security providers. Acting on the first with the same urgency as the second wastes analytical resources and erodes confidence in the threat intelligence function.

A simple confidence scoring framework helps teams triage indicators appropriately. Factors that increase confidence include: multiple independent sources reporting the same indicator, corroboration from your own telemetry (internal DNS queries, firewall logs, email headers), association with known malware families or documented threat actor TTPs, and recent activity (indicators older than 90 days on dynamic cloud infrastructure should be re-validated before acting). Factors that decrease confidence include: single-source reporting with no corroboration, indicators associated with shared hosting or cloud IP ranges where legitimate traffic is common, and very recent registration with no observed malicious activity yet documented.
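The confidence scoring framework sketched in the paragraph above (and the single-source caution in "How AlienVault OTX Indicators Work"), as an added example that is not part of the original article and not OTX's own scoring: it encodes the listed factors as additive weights and maps the total to a low/medium/high triage tier. The weights, thresholds, dates and the three sample indicators are assumptions chosen so that the justsstop.ru case lands in the medium range the article describes.

```python
"""Indicator confidence scoring (added example, not the article's or OTX's code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Indicator:
    value: str
    independent_sources: int           # distinct pulses/feeds reporting it
    last_seen: date                    # most recent observation in any feed
    internal_hits: int = 0             # matches in own DNS/firewall/email telemetry
    malware_family: Optional[str] = None
    profile_match: bool = False        # infrastructure characteristics fit a known pattern
    shared_hosting: bool = False       # sits in a cloud/shared range with legitimate traffic
    registered: Optional[date] = None  # WHOIS creation date (domains only)


def score_indicator(ind: Indicator, today: date) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher means more confidence in alerting or blocking.
    All weights are assumptions for illustration."""
    score = 0
    reasons: List[str] = []

    # Corroboration: one pulse is a lead, several independent ones are a signal.
    if ind.independent_sources >= 3:
        score += 50
        reasons.append("3+ independent sources")
    elif ind.independent_sources == 2:
        score += 35
        reasons.append("2 independent sources")
    elif ind.independent_sources == 1:
        score += 20
        reasons.append("single-source report")

    # Your own telemetry outweighs any external feed.
    if ind.internal_hits:
        score += 40
        reasons.append(f"{ind.internal_hits} internal telemetry hit(s)")

    if ind.malware_family:
        score += 20
        reasons.append(f"linked to {ind.malware_family}")

    if ind.profile_match:
        score += 10
        reasons.append("infrastructure profile matches known pattern")

    # Cloud IPs are reassigned; anything older than 90 days needs re-validation.
    if (today - ind.last_seen).days > 90:
        score -= 20
        reasons.append("older than 90 days: re-validate before acting")

    if ind.shared_hosting:
        score -= 10
        reasons.append("shared/cloud range, legitimate traffic likely")

    # Brand-new registration with nothing observed yet is weak on its own.
    if ind.registered and (today - ind.registered).days < 30 and ind.independent_sources == 0:
        score -= 10
        reasons.append("recently registered, no activity documented")

    return score, reasons


def triage(score: int) -> str:
    """Map a score to the proportionate response tier (thresholds assumed)."""
    if score >= 60:
        return "high"     # hunt in SIEM and alert now
    if score >= 20:
        return "medium"   # block at DNS, monitor, no IR mobilisation
    return "low"          # record it, do not act


# Constructed inputs modelled on the article's description of justsstop.ru.
TODAY = date(2026, 7, 1)
JUSTSSTOP = Indicator("justsstop.ru", independent_sources=1,
                      last_seen=date(2026, 6, 15), profile_match=True)
JUSTSSTOP_WITH_HITS = Indicator("justsstop.ru", independent_sources=1,
                                last_seen=date(2026, 6, 15), profile_match=True,
                                internal_hits=3)
STALE_IP = Indicator("165.22.170.129", independent_sources=1,
                     last_seen=date(2026, 2, 1), shared_hosting=True)

if __name__ == "__main__":
    for ind in (JUSTSSTOP, JUSTSSTOP_WITH_HITS, STALE_IP):
        total, why = score_indicator(ind, TODAY)
        print(f"{ind.value:16} {total:4} {triage(total):6} {'; '.join(why)}")
```

The same single-pulse domain moves from medium to high the moment your own DNS logs show a query for it, and a months-old IP in a cloud range drops to low until it is re-validated, which is the proportionate triage the paragraph argues for.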

Evaluated against this framework at the time of publication, justsstop.ru sits in the medium-confidence range: it appears in documented threat intelligence feeds, its infrastructure characteristics are consistent with malicious use, but the single-pulse documentation means it warrants monitoring and DNS blocking as a precaution rather than immediate incident response mobilisation unless your own telemetry shows connections to it. A mature threat intelligence programme treats this kind of indicator as background enrichment: worth tracking, worth blocking at low cost, but not worth waking the incident response team over unless corroborating evidence emerges.

Reporting and Sharing: Contributing Back to the Community

Security teams that investigate indicators like justsstop.ru and develop enriched understanding of the associated infrastructure have both the opportunity and the professional responsibility to contribute their findings back to the threat intelligence community. Submitting enriched indicators to AlienVault OTX, reporting the hosting IP to AbuseIPDB, or sharing findings in an appropriate ISAC (Information Sharing and Analysis Centre) for your sector makes the entire community more resilient. The threat actor infrastructure that targeted your sector today may be used against another organisation in a different sector tomorrow, and the intelligence you gathered may be exactly what that organisation needs to detect or block the attack before it succeeds.

This culture of sharing is what makes community threat intelligence platforms meaningful. Every organisation that treats its threat intelligence as proprietary and fails to contribute back makes the ecosystem slightly less effective for everyone. The attack surface that defenders collectively protect is larger than any single organisation's perimeter, and the threat actors operating against it benefit from their own communities of knowledge exchange. Defenders who share do not give attackers any advantage; the attackers already know what they are doing. They give other defenders a fighting chance.


How Defendis Can Help

Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.

Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats, matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.


About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
