Recruited by a shady Russian hosting company
One morning, an email landed. Subject line: ‘your cloud cost reduction setup?’
That one lands cleanly, honestly. Cloud cost reduction is one of the things I put on my public shingle, so the sender just copied my own shingle into their subject line and threw it back at me.
The greeting made it better. ‘Hi Jun - Senior Cloud Infrastructure Engineer,’. Then, a few lines down, the same name-and-title got slotted in again mid-sentence, like a table corner you keep walking into. ‘so I wanted to reach out to Jun - Senior Cloud Infrastructure Engineer directly’. I laughed when I saw it. That awkward inline injection is a merge field, a machine pouring a scraped profile into a name-and-title template. A mass blast wearing an ‘I wrote this just for you’ face, with the seams showing.
The attachment was one PDF.
Aéza Referral Program.pdf.
I had a slightly bad feeling before even opening it. (That feeling is usually right.)

Why is a PDF from a stranger scary at all?
A PDF is not ‘a picture of a piece of paper’. It is a format you can embed a program into.
A malicious PDF usually arrives through one of three doors.
- a script that runs automatically the moment you open it
- another executable file bundled inside the PDF
- a ‘click here’ that funnels you off to a trap site
So a PDF from an unknown sender does not get a double-click. Before I let it render as a picture, I count what is actually inside it as bytes.
I dissected the PDF, and it was disappointingly clean
So I counted what was inside. Auto-run triggers, embedded files, forms that phone home, encryption used to hide things. The parts that are known to be dangerous, looked for one by one.
Every count came back zero.
- auto-run scripts: none
- embedded executables: none
- form submissions or embedded links: none (not even a clickable link)
- encryption used to hide content: none
As a bonus, the tool that built the PDF had left its name inside, a library that converts HTML to PDF. This was not a hand-made sales deck. It was one sheet mass-produced from an HTML template by a machine, the generator practically confessing that it was auto-generated to be sprayed at everyone.
Technically, this PDF does nothing, sitting there or opened. Harmless.
Mildly deflated, I finally started reading the actual words inside. That is where the problem was.
The content was a pitch: promote our product and make money
The whole PDF was an affiliate-program brochure.
Here is the pitch.
- hand out a referral link to our hosting (server rental) to your audience
- and we pay you up to 40%, forever, of whatever the people you refer spend
- the referred users get a first-time bonus too, so it is easy to sell
- we even pay a flat fee up front, no exclusivity, start in minutes
At a glance, a bog-standard influencer affiliate deal. Bold commission rate, you would think, and scroll past.
But I stopped here. Who exactly is this ‘our hosting’?
Check the advertiser. Do not go on memory, hit a primary source
Even if a company name rings a faint bell, I do not rule from memory. With anything security-adjacent, my own assumptions are the most dangerous input, so I checked it against an authoritative primary source.
The sender was Aéza (Aeza Group). The signature at the bottom helpfully included the full legal name and address: ‘Aeza International LTD, 347 Barking Road, London, United Kingdom’.
I ran that name against the U.S. Treasury (OFAC) sanctions list, and it matched exactly.
Aeza Group was designated by the U.S. Treasury (OFAC) on July 1, 2025, labelled a bulletproof hosting provider. Based in St. Petersburg, Russia, renting servers to criminal groups, that was the reason for the designation.
Bulletproof hosting, in plain words: server rental whose selling point is sheltering criminals so they are hard to take down. A normal host says ‘we shut you down for abuse’. This one sells ‘we protect our customer even when the abuse reports come in’.
The specifics were concrete.
- provided servers to infostealer malware (Meduza, Lumma) and ransomware (BianLian) operators
- whose targets included U.S. defense and technology companies
- hosted an illegal darknet marketplace (BlackSprut, for drugs)
- one crypto wallet (a single TRON address) got designated too, with over $350,000 having flowed through it
- and there was an overseas shell company (a front) set up to dodge sanctions, which was Aeza International LTD (UK), the very entity in the email signature
The company name signing the pitch to me was itself the sanctioned front. Behind the clean brochure sat criminal infrastructure.
And it kept going. After the July designation they tried to swap the sign on the door and move their infrastructure to a new company, and in November 2025 they got hit again, this time jointly by the U.S., U.K., and Australia. A party that gets chased even after it runs.
Sources: U.S. Treasury Treasury Sanctions Global Bulletproof Hosting Service (2025-07-01) / OFAC Recent Actions 2025-07-01 / multilateral follow-up (2025-11)
The danger was never inside the file. It was in the role the file was handing me.
‘So you want me to hack something?’ No, it is cleverer than that
I flinched for a second here. Ransomware, malware, the whole lineup, and your brain jumps to ‘wait, are they asking me to help attack people?’.
No. The role they want me to play is not attacker, it is salesman.
- I just hand out the referral link
- and a cut of whatever my referred customers spend flows to me, continuously
The job is lead generation, bringing customers in. Zero hacking required.
Which is exactly why it is poison. The place I would be bringing customers to is sanctioned criminal infrastructure, and I would be lending my real-name credibility to it, becoming the funnel for its signups and billing. My hands stay clean, my name does not. Let your credibility do the marketing for the bad thing, and get baited with a payout. One survival tactic of a bulletproof host after sanctions cut off its legitimate payment rails, I would guess. The ‘pay in crypto, skip the banks’ selling point reads very differently in hindsight.
Since reviewing security is part of what I do, let me draw the line honestly. Writing the code yourself and merely lending your name are both complicity. If anything, the second is easier to fall for, because no guilt invoice ever reaches your desk. The invitations you can excuse with ‘well, my hands are clean’ are the ones I watch hardest.
Why me, of all people?
Remember the subject line, ‘your cloud cost reduction setup?’. A straight copy of my public shingle.
I do technical writing and put commercial signals on it. Good at cost reduction, open to inquiries, funnels I put out there myself. That is a funnel for good inquiries and a perfect target for exactly this kind of solicitor. Someone with a technical audience who accepts inbound pitches is the one profile an affiliate solicitor wants most.
The moment you put commercial signals on public technical writing, this kind of pitch starts pouring into the funnel alongside the good inquiries. I cannot stop it, so I run my setup to sort it as noise.
Lesson: the safety of the file and the safety of the sender are checked separately
The file being harmless and the offer being safe are completely different statements. I checked on two fronts.
- inspect the file statically. Count the auto-run, embeds, and outbound forms, and confirm it is technically harmless.
- verify the sender’s business against a primary source. Run the company name against the Treasury sanctions list, and find it is designated criminal infrastructure.
Do only the first and go ‘clean PDF, so I am safe’, and you become a salesman for criminal infrastructure. Skip the second and vibe-delete it as ‘some sketchy email’, and you never learn why it was dangerous, so you miss the next, cleverer one. A malware scanner only looks at the file. Whether the job that file is handing you is good or evil, you check yourself, against a primary source.
Closing
A PDF from a stranger. A bad feeling. Cracked it open, disappointingly harmless. But what that harmless sheet of paper delivered was the one invitation you must never accept.
The most harmless-looking file can walk the most dangerous invitation right through your front door.
So when a clean brochure shows up, separate from the file’s safety, just once, look up the sender’s business. (Usually, the moment the subject line is a copy of your own shingle, it is already a little suspicious.)