Inside a 63-Server Russian Spam Factory: Mailcow, Automated APIs, and a VPN Bot Panel
Summary
Multiple researchers have documented the ongoing Formbook/XLoader spam campaign targeting Italian users (commonly referred to as "Spam-ITA"). This report does not attempt to replicate that sample-level analysis — the community has done excellent work tracking the malware payloads, delivery chains, and ALTERNATE.dll loaders.
What this report adds to the public record is a full infrastructure mapping of the backend operation behind the campaign: 63 identically configured mail servers, a FastAPI-based mailbox generation service, an OCR CAPTCHA-solving API, and a Telegram-authenticated VPN bot support panel — all operated by a single actor whose OPSEC collapsed through a shared Cloudflare account.
Key Findings
- 63 mail servers across 144[.]31[.]50[.]2-62 and 144[.]31[.]107[.]75, all running identical Mailcow stacks (nginx, Dovecot, MariaDB 10.11.14)
- Mailbox Generator API on port 6666: a FastAPI/uvicorn service with Russian-language documentation for automated disposable email creation
- OCR CAPTCHA Solver API on port 8000: accepts base64-encoded images and returns text predictions together with worker process IDs
- vpnbot Support Panel at 144[.]31[.]50[.]172:8443: a full-featured operator management system with Telegram authentication via @zapretvpns_bot
- Single operator indicated by shared Cloudflare nameservers (mariah/ram) between the spam infrastructure domain (solitaireonline[.]io) and a Formbook C2 domain (vextgeas[.]com)
Infrastructure Overview
The Mail Server Fleet
All 63 servers share a single TLS certificate with CN=mail.solitaireonline[.]io and expose identical service fingerprints:
| Service | Port | Software |
|---|---|---|
| Mailcow (nginx + Dovecot) | 25, 443, 993 | Mailcow dockerized |
| Grafana | 3000 | Grafana 12.3.3 |
| MariaDB | 3306 | MariaDB 10.11.14 |
| Mailbox Generator API | 6666 | FastAPI / uvicorn |
| OCR CAPTCHA Solver API | 8000 | FastAPI / uvicorn |
The IP range 144[.]31[.]50[.]2 through 144[.]31[.]50[.]62 covers 61 servers; two further hosts, 144[.]31[.]107[.]75 (an additional Mailcow server) and the panel host at 144[.]31[.]50[.]172, complete the set. The allocation was made on February 12, 2026 through SERV.HOST GROUP LTD (AS210546), a hosting provider registered at 71-75 Shelton Street, London, a well-known virtual office address. The ASN country is listed as RU.
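The "identical service fingerprint" finding is the kind of thing that falls out of clustering scan data rather than eyeballing 63 hosts. The following is an added example, not the report's own tooling: it groups scan records by certificate CN plus the sorted (port, software) set and collapses each group into inclusive IP runs. The five records are constructed to mirror the table above, and the record field names (`ip`, `tls_cn`, `ports`) are this example's own, not any scanner's export schema.

```python
"""
Added example (not part of the original report): grouping scanned hosts by
service fingerprint and collapsing each group into IP ranges. The scan
records are CONSTRUCTED to mirror the stack in the table above; the field
names are this example's own, not a real scanner's schema.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed Mailcow-style stack as the report describes it. Port 25 carries
# no version banner in this sample, so it is labelled generically.
MAILCOW_STACK = {
    25: "smtp",
    443: "nginx",
    993: "Dovecot",
    3000: "Grafana 12.3.3",
    3306: "MariaDB 10.11.14",
    6666: "uvicorn",
    8000: "uvicorn",
}

# Five constructed hosts: three contiguous fleet members, the out-of-range
# fleet member, and the panel host with a different stack and certificate.
SCAN_RECORDS = [
    {"ip": "144.31.50.2", "tls_cn": "mail.solitaireonline.io", "ports": MAILCOW_STACK},
    {"ip": "144.31.50.3", "tls_cn": "mail.solitaireonline.io", "ports": MAILCOW_STACK},
    {"ip": "144.31.50.4", "tls_cn": "mail.solitaireonline.io", "ports": MAILCOW_STACK},
    {"ip": "144.31.107.75", "tls_cn": "mail.solitaireonline.io", "ports": MAILCOW_STACK},
    {"ip": "144.31.50.172", "tls_cn": "panel.144.31.50.172.nip.io", "ports": {8443: "https"}},
]


def fingerprint(record):
    """Hashable stack identity: certificate CN plus sorted (port, software)."""
    return (record["tls_cn"], tuple(sorted(record["ports"].items())))


def cluster_hosts(records):
    """Map each distinct fingerprint to the sorted list of IPs exposing it."""
    groups = defaultdict(list)
    for rec in records:
        groups[fingerprint(rec)].append(ip_address(rec["ip"]))
    return {fp: sorted(ips) for fp, ips in groups.items()}


def contiguous_ranges(ips):
    """Collapse a sorted list of addresses into inclusive (first, last) runs."""
    ranges = []
    for ip in ips:
        if ranges and ip == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], ip)
        else:
            ranges.append((ip, ip))
    return [(str(first), str(last)) for first, last in ranges]


def largest_cluster(records):
    """(cert CN, host count, IP runs) for the most common fingerprint."""
    clusters = cluster_hosts(records)
    fp, ips = max(clusters.items(), key=lambda kv: len(kv[1]))
    return fp[0], len(ips), contiguous_ranges(ips)


def stack_delta(rec_a, rec_b):
    """Ports whose software differs (or is missing) between two hosts."""
    ports = set(rec_a["ports"]) | set(rec_b["ports"])
    return sorted(p for p in ports if rec_a["ports"].get(p) != rec_b["ports"].get(p))


if __name__ == "__main__":
    cn, count, runs = largest_cluster(SCAN_RECORDS)
    print(f"{count} hosts share CN={cn}: {runs}")
    print("panel differs on ports:", stack_delta(SCAN_RECORDS[0], SCAN_RECORDS[4]))
```

Feeding the real 63-host export into `largest_cluster` is what turns "a lot of similar servers" into the two runs quoted in the report; `stack_delta` is the quick way to confirm that an outlier (here the panel host) really is a different stack and not a scan gap.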
Mailbox Generator API (Port 6666)
The FastAPI service on port 6666 provides automated mailbox provisioning. The Russian-language API documentation includes endpoints described as:
"Показывает список доменов из конфига" — "Shows the list of domains from the config"
This service enables the operator to generate disposable email accounts at scale, feeding the 63-server Mailcow fleet with fresh sender identities for spam campaigns. The use of FastAPI with uvicorn indicates a modern Python deployment, likely containerized alongside the Mailcow stack.
OCR CAPTCHA Solver API (Port 8000)
A second FastAPI service on port 8000 accepts base64-encoded CAPTCHA images and returns predicted text solutions. Responses include worker process IDs, indicating a multi-process deployment designed for throughput. This service likely supports automated account registration on targeted platforms — a common requirement for spam operations that need to bypass CAPTCHA challenges at scale.
vpnbot Support Panel
At 144[.]31[.]50[.]172:8443, a separate web application serves as a support panel for what appears to be a VPN service operation. The login page displays "Login for moderators" in Russian and authenticates operators via Telegram through @zapretvpns_bot.
The panel exposes a full OpenAPI specification at /openapi.json, revealing a comprehensive operator management platform:
- Ticket system — customer support workflow with status tracking
- Operator management — role-based access for moderators
- Refund processing — payment dispute handling
- Template management — canned response system
- File attachments — support document handling
- Real-time feed — live activity monitoring
The panel uses nip.io wildcard DNS (panel.144.31.50.172.nip[.]io) for TLS certificate issuance. nip.io resolves any hostname that embeds a dotted IP to that IP, so the operator could obtain a publicly trusted certificate for the panel without registering a dedicated domain for internal tooling.
This suggests the spam infrastructure may be one revenue stream for an operator who also runs a VPN service — or that the VPN service provides operational cover for the spam network.
Attribution and Operator OPSEC
Shared Cloudflare Account
The strongest attribution link comes from DNS infrastructure. Both domains use the same Cloudflare nameserver pair:
| Domain | Purpose | Cloudflare NS |
|---|---|---|
| solitaireonline[.]io | Mail server TLS cert CN | mariah / ram |
| vextgeas[.]com | Formbook C2 | mariah / ram |
Cloudflare assigns a nameserver pair per account, so two domains on the same pair are consistent with a single account managing both, linking the spam mail infrastructure to the Formbook command-and-control. One caveat a reader should keep in mind: Cloudflare draws those pairs from a finite pool shared across many unrelated accounts, so a matching pair on its own is a pivot to corroborate, not proof of common ownership. Here it is corroborated by the overlapping hosting, naming and language indicators described below.
Additional Domains
Several additional domains appear connected to this operator's infrastructure:
- xg66s[.]sbs: active XLoader gate returning X-Trace encrypted headers on standard gate paths (/frag, /fgds, /j2c3). Also runs tinyproxy 1.11.0 on port 8888, likely the operator's forward proxy.
- bodyritualz[.]com: hosted on Hostnet BV, Netherlands
- maxbotfinance[.]ru: hosted on Timeweb/JSC Russia, registered through REG.RU
- forsacecobol[.]online: registered via Namecheap, currently showing a parking page
Registration and Hosting
- solitaireonline[.]io was registered in November 2023 through GoDaddy, suggesting this operator has been active for over two years
- The February 2026 IP allocation through SERV.HOST GROUP LTD represents the most recent infrastructure buildout
- The .ru domain registration and Russian-language API documentation are consistent with a Russia-based operator
Connection to Formbook/XLoader Campaigns
The Formbook/XLoader campaign targeting Italian users has been active since at least April 7, 2026 and uses identical ALTERNATE.dll sideloading payloads (GUID 6b7ee55e-1424-4c78-9e13-002fbad76039). Community researchers have extensively documented the delivery chain and payload analysis.
This infrastructure mapping connects the campaign's delivery mechanism (the 63-server spam fleet) to its command-and-control (vextgeas[.]com for Formbook, xg66s[.]sbs for XLoader) through the shared Cloudflare account, which points to a single operator controlling the full kill chain from spam delivery through C2.
IOC Table
IP Addresses
| IOC | Type | Context |
|---|---|---|
| 144[.]31[.]50[.]2 - 144[.]31[.]50[.]62 | IPv4 Range | 61 identical Mailcow spam servers |
| 144[.]31[.]107[.]75 | IPv4 | Additional Mailcow spam server |
| 144[.]31[.]50[.]172 | IPv4 | vpnbot support panel host |
Domains
| IOC | Type | Context |
|---|---|---|
| solitaireonline[.]io | Domain | Shared TLS cert CN across all 63 servers |
| vextgeas[.]com | Domain | Formbook C2, same Cloudflare account as spam infra |
| xg66s[.]sbs | Domain | Active XLoader gate + tinyproxy |
| bodyritualz[.]com | Domain | Associated infrastructure (Hostnet BV) |
| maxbotfinance[.]ru | Domain | Associated infrastructure (Timeweb, REG.RU) |
| forsacecobol[.]online | Domain | Associated infrastructure (Namecheap, parked) |
| panel.144.31.50.172.nip[.]io | Domain | vpnbot panel nip.io wildcard DNS |
Services
| IOC | Type | Context |
|---|---|---|
| Port 6666 (FastAPI) | Service | Mailbox Generator API — Russian-language docs |
| Port 8000 (FastAPI) | Service | OCR CAPTCHA Solver API |
| Port 8443 | Service | vpnbot support panel |
| Port 8888 (tinyproxy 1.11.0) | Service | Forward proxy on xg66s[.]sbs |
| @zapretvpns_bot | Telegram Bot | vpnbot panel authentication |
Malware
| IOC | Type | Context |
|---|---|---|
| 6b7ee55e-1424-4c78-9e13-002fbad76039 | GUID | ALTERNATE.dll sideloading payload |
Detection Opportunities
- Network signatures: monitor for outbound connections to the 144[.]31[.]50[.]0/24 range, particularly on ports 6666 and 8000. Port 8000 is also a common development-server port, so pair it with the destination range rather than alerting on the port alone.
- TLS certificate matching: alert on TLS certificates with CN=mail.solitaireonline[.]io; a single cert shared across 63 servers is a strong pivot point
- XLoader gate paths: HTTP requests to /frag, /fgds, /j2c3 on any of the associated domains indicate active C2 communication
- Mailcow + Grafana + custom API stack: the combination of Mailcow, Grafana 12.3.3, and FastAPI services on ports 6666/8000 represents a distinctive fingerprint for this operator's infrastructure
- Email header analysis: Received headers containing any IP in the 144[.]31[.]50[.]2-62 range should be treated as high-confidence spam indicators. Only the Received header written by your own MX is trustworthy for this; hops recorded below it are supplied by the sender and can be forged.
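The detection opportunities above translate into a few small checks. The following is an added example and not part of the report or any vendor's ruleset: it pulls bracketed IPv4 literals out of Received headers, tests them against the inclusive sender ranges (144[.]31[.]50[.]2-62 is not a clean CIDR, hence first/last pairs rather than a network object), matches gate-path requests against the associated domains, matches the fleet certificate CN, and extracts the IP embedded in a nip.io hostname so panel-style hosts can be flagged in TLS SNI logs. The sample message, HTTP tuples and hostnames are constructed; the indicator values are taken from the IOC tables.

```python
"""
Added example, not part of the original report: applying the detection
opportunities to CONSTRUCTED sample data. Indicator values come from the
report's IOC tables; the sample e-mail and request inputs are made up.
"""
import re
from email import message_from_string
from ipaddress import IPv4Address, ip_address

# Inclusive (first, last) sender ranges from the IOC table.
SPAM_SENDER_RANGES = [
    (ip_address("144.31.50.2"), ip_address("144.31.50.62")),
    (ip_address("144.31.107.75"), ip_address("144.31.107.75")),
]
SPAM_CERT_CN = "mail.solitaireonline.io"
ASSOCIATED_DOMAINS = {"vextgeas.com", "xg66s.sbs", "solitaireonline.io"}
XLOADER_GATE_PATHS = {"/frag", "/fgds", "/j2c3"}

# Bracketed IPv4 literal as MTAs write it in Received: headers.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Dotted-quad nip.io form only; nip.io also accepts dashed and hex forms,
# which this example leaves out.
NIPIO_RE = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})\.nip\.io$", re.IGNORECASE)


def in_spam_sender_range(ip_str):
    """True when ip_str is an IPv4 address inside one of the sender ranges."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False
    if not isinstance(ip, IPv4Address):
        return False
    return any(first <= ip <= last for first, last in SPAM_SENDER_RANGES)


def received_ips(raw_message):
    """Bracketed IPv4 literals from every Received: header, newest hop first."""
    msg = message_from_string(raw_message)  # stdlib parser handles folding
    found = []
    for header in msg.get_all("Received", []):
        found.extend(IPV4_RE.findall(header))
    return found


def check_email(raw_message):
    """Received-header IPs that fall inside the spam sender ranges."""
    return [ip for ip in received_ips(raw_message) if in_spam_sender_range(ip)]


def check_http_request(host, path):
    """True for a gate-path request to one of the associated domains."""
    bare_path = path.split("?", 1)[0]
    return host.lower() in ASSOCIATED_DOMAINS and bare_path in XLOADER_GATE_PATHS


def check_tls_cn(common_name):
    """True when a server certificate carries the fleet's shared CN."""
    return common_name.lower() == SPAM_CERT_CN


def nipio_embedded_ip(hostname):
    """IP embedded in a dotted nip.io hostname, or None for any other name."""
    match = NIPIO_RE.search(hostname.strip().rstrip("."))
    return match.group(1) if match else None


# Constructed sample message, not a real capture. The recipient's own MX hop
# (top) records the fleet IP; the loopback hop beneath it must not match.
SAMPLE_EMAIL = """\
Received: from mail.solitaireonline.io (mail.solitaireonline.io [144.31.50.17])
\tby mx.example.net with ESMTPS id 4X1abc
\tfor <victim@example.net>; Tue, 14 Apr 2026 09:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.solitaireonline.io with ESMTP id 9Y2def
From: "Fatture" <noreply@mail.solitaireonline.io>
To: victim@example.net
Subject: Fattura

Body omitted.
"""

if __name__ == "__main__":
    print("spam sender hops:", check_email(SAMPLE_EMAIL))
    print("gate request:", check_http_request("xg66s.sbs", "/frag?id=1"))
    print("fleet cert:", check_tls_cn("mail.solitaireonline.io"))
    print("nip.io host:", nipio_embedded_ip("panel.144.31.50.172.nip.io"))
```

`check_email` deliberately scans every Received header so the analyst sees all hops; in a production rule, restrict the match to the header your own MX wrote, because anything below it arrived with the message and can be fabricated. The gate-path check requires both the path and an associated domain, since `/frag` on an arbitrary host is too noisy to alert on by itself.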
Confidence Assessment
| Assessment | Confidence | Basis |
|---|---|---|
| 63 servers are operated by a single actor | High | Identical TLS cert, identical service stack, contiguous IP allocation |
| Spam infrastructure serves Formbook/XLoader campaigns | High | Shared Cloudflare account between mail infra and C2 domains |
| Operator is Russia-based | Moderate | Russian-language API docs, .ru domain, RU ASN country, Russian-language panel |
| VPN service and spam operation share an operator | Moderate | Co-located on same /24 allocation, same hosting provider |
| Infrastructure has been active since at least Nov 2023 | Moderate | Domain registration date; current server allocation is Feb 2026 |
Disclosure
At the time of publication, the infrastructure described in this report remains active. Relevant indicators have been shared with abuse contacts at SERV.HOST GROUP LTD and Cloudflare.
This report focuses on infrastructure that is being actively used to distribute malware. No credentials, private keys, or personal data were accessed or exfiltrated during this investigation. All findings are based on publicly accessible services and standard OSINT techniques.
Acknowledgments
The Formbook/XLoader campaign targeting Italian users has been tracked by multiple researchers in the threat intelligence community. This report builds on that collective work by adding infrastructure-level context. We encourage anyone with prior documentation of this campaign or its infrastructure to reach out — proper credit matters.
Mapped by GHOST. Published by Breakglass Intelligence. When the infrastructure is the story, we read every page.