In my most recent analysis of the Conti Ransomware Gang I established a direct connection between a Russia-based rap and hip hop recording studio and members of the Conti Ransomware Gang.
The following attribution analysis aims to provide an in-depth follow-up, with an additional set of related comments and elaboration, including never-before-published personally identifiable technical information confirming the results of my original methodology: practical and relevant OSINT research and analysis on cyber threat actors directly related to the Conti Ransomware Gang, in the context of a Conti team member who produces the gang's marketing and advertising creative and who also produces marketing and advertising creative for other clients, companies and organizations.
In this analysis I'll take an in-depth look at the primary sources I used to obtain the Conti Ransomware Gang's leaked internal communication, and at the methodology I used to data mine that leaked and publicly accessible communication, which produced remarkable and never-before-published personally identifiable information on some of the gang's key activities, in particular their "upcoming" brands and their advertising and marketing creative.
I will also elaborate further on and verify some of my previous research, in particular the EXIF file analysis of some of the gang's leaked screenshots and related marketing and advertising creative. I obtained these by first gaining access to their publicly accessible leaked internal communication and then using my methodology to data mine, process and enrich it, with a lot of success in terms of offering the big picture and an additional set of personally identifiable information on some of their "upcoming" brands and related activities, including several Russia-based rap and hip hop recording studios, a children's online store, several Russia-based fashion brands and a charity foundation, where I did my best to collect the necessary details on the individuals behind them using my methodology, research and analysis.
Key summary points:
EXIF analysis indicates that the same individual is indeed hosting the entire Conti Ransomware Gang marketing and advertising compilation on Yandex Disk, and that members of the Russia-based Plastika rap and hip hop recording studio, including members of its own marketing and advertising creative team, namely W8D8DIGITAL, are also busy producing marketing and advertising creative for the Conti Ransomware Gang:
Sample images and videos involved in the analysis include:
111.avi - ae_project_link_full_path - X:\YandexDisk\DESIGN\баннеры-новые-234\Untitled Project.aep
Related image:
EXIF metadata on one of the images obtained from the Conti Ransomware Gang's leaked internal communication using public sources, indicating that the author of the image is Reformer Graphics (Belarus):
Sovetskaya str., 48/15, Grodno, 230021, Belarus
Phone: +79107337839
E-mail: hello[.]reformermockup.com
Sample photos from the obtained compilation:
Just came across this and decided to elaborate.
Primary URL: hxxp://crimemarket.is - 188.114.97.2; 188.114.96.2
Related URLs:
hxxp://cm-status.net
hxxp://crime.cm - Email: crimecf@protonmail.com
hxxp://crime-market.cc
Related domain registrations done by individuals related to Crimemarket include:
hxxp://topnulled[.]com - Email: tn.warez@gmail.com - hxxp://nulledhard[.]com; hxxp://tunistuff[.]com; hxxp://0dayscripts[.]com - MD5: 2fa9723f4dd806d3313e800e2b107a52
Related domain registrations using heikopetzold82@googlemail.com include:
Everything that has to be found has already been found somewhere online.
In this analysis I'll profile FBI's Most Wanted Ahmad Khatibi and offer an in-depth peek inside his Afkar System company.
URL: hxxp://www.afkarsystem.com; hxxp://afkarsystem.ir - Mobile: +983537254322 - Email: khatibi2007[.]yahoo.com - Facebook account: hxxp://www.facebook.com/ahmad.khatibi.35
URL: hxxp://afkarsystem.com - Email: khatibi2006[.]yahoo.com; am_taghavi[.]yahoo.com - hxxp://nsrmeeting.org; hxxp://rmtomeeting.com - Email: khatibi2006[.]yahoo.com
hxxp://ircrafts.com - Email: farsigraph[.]yahoo.com
hxxp://taxirani.org - Email: irtuorg[.]gmail.com
hxxp://mohsenrahmani.com - Email: mat.ericsson[.]gmail.com
Related images:
Sample personal photos of FBI's Most Wanted Ahmad Khatibi of Iran:
Since 2021, as part of an in-house research and capability-building project, we've been collecting large amounts of publicly accessible cybercrime forum data. The project currently amounts to 1.5TB of actionable intelligence on current and historical cybercrime and cybercriminal activity. We aim to provide an in-depth analysis of it in an upcoming set of white papers on the current, global and emerging state of cybercrime, including as much qualitative and quantitative, in-depth and relevant technical detail on malicious and fraudulent activity online as possible. Our primary goal is to assist fellow researchers, vendors and organizations, including law enforcement, in improving their situational awareness in the field and in building their analysis capabilities by providing an in-depth overview, the big picture and all the relevant connect-the-dots research and analysis in these white papers.
In this analysis I'll discuss in depth an IRC botnet that I came across using the original 1.5TB actionable intelligence data set that I've been working on since 2021.
Sample personally identifiable email address known to have been involved in the campaign:
breng_me_do[.]live.nl
Sample domains:
hxxp://mboost.su
hxxp://verify-security-settings.su
hxxp://kei.su
hxxp://paypalobjects-com-nl-secure-verify-cmdflowsession.net
hxxp://x1x2.su
Related domains:
hxxp://e2b3.org
hxxp://c1d2.org
hxxp://x1ua.org
hxxp://r00n.org - Email: trainerlouise[.]yahoo.com
hxxp://n0ur.org
hxxp://m4r4.org
Related MD5s known to have phoned back to these domains include:
Related domains known to have been registered using trainerlouise[.]yahoo.com:
Related domains known to have been registered using sullt4n[.]hotmail.com:
hxxp://l33t-milf.info
hxxp://x1x4x0.net
hxxp://alm7.net
hxxp://saudi.su
hxxp://l33t-ppl.info
Related MD5s known to have phoned back to these domains:
What we've got here is a decent example of a fraudulent infrastructure: a confirmed and well-known cybercriminal operates a low-profile penetration testing company that also has a LinkedIn page where several people are known to work. An additional domain is parked on the same IP as the domain operated by the cybercriminal, a malicious software variant phones back to another domain parked on that same IP, and an additional set of malicious MD5s also phones back to that domain, so both domains, including the one registered by the confirmed cybercriminal, share the same IP. This makes it a very good example of a cybercriminal infrastructure gone rogue while staying beneath the radar. The most important point to keep in mind is that the cybercriminal behind this low-profile penetration testing company could easily turn it into a profitable business, possibly scamming an unknown number of users into doing business with him, so it is worth keeping an eye on this Web property and monitoring for additional spam, advertising and promotion campaigns by the cybercriminal aimed at driving sales and new clients to his low-profile company on the Web.
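The connect-the-dots pivoting used throughout these write-ups (the "registered using the same e-mail", "parked on the same IP" and "MD5s phoning back to the same domain" relations), as an added Python example that is not part of the original posts. The indicator lines and the `.test` domains in it are constructed, and the parser only handles the `hxxp://` and `[.]` defanging used on this page.

```python
"""Pivot defanged indicator lines by shared registrant e-mail, hosting IP and
phoning-back MD5, then group domains that are linked through any pivot."""
import re
from collections import defaultdict

# Notation used in the write-ups: "hxxp://" (sometimes "hxxp:/") for http and
# "[.]" for dots. Caveat: the write-ups also use "[.]" in place of "@" in some
# e-mail addresses; such lines must be normalised by hand before parsing.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Only hosts written as URLs count as domains, so e-mail domains are ignored.
DOMAIN_RE = re.compile(r"https?://([\w-]+(?:\.[\w-]+)+)")


def refang(text: str) -> str:
    """Turn the defanged notation back into parseable text."""
    text = re.sub(r"hxxp(s?):/+", r"http\1://", text)
    return text.replace("[.]", ".")


def _unique(items):
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def parse_record(line: str) -> dict:
    """Extract domains, registrant e-mails, IPs and MD5s from one line."""
    text = refang(line).lower()
    return {
        "domains": _unique(DOMAIN_RE.findall(text)),
        "emails": _unique(EMAIL_RE.findall(text)),
        "ips": _unique(IPV4_RE.findall(text)),
        "md5s": _unique(MD5_RE.findall(text)),
    }


def build_pivots(lines):
    """Map each pivot key (email:/ip:/md5:) to the set of domains sharing it."""
    pivots = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        for kind in ("emails", "ips", "md5s"):
            for value in rec[kind]:
                pivots[f"{kind[:-1]}:{value}"].update(rec["domains"])
    return pivots


def shared_pivots(lines):
    """Only the pivots that tie two or more domains together."""
    return {k: sorted(v) for k, v in build_pivots(lines).items() if len(v) > 1}


def connect_the_dots(lines):
    """Connected components of domains linked through any shared pivot,
    largest first; a domain with no pivot ends up in a component of its own."""
    adjacency = defaultdict(set)
    for line in lines:
        for d in parse_record(line)["domains"]:
            adjacency[d].add(d)  # register every domain as a node
    for domains in build_pivots(lines).values():
        for d in domains:
            adjacency[d].update(domains)
    seen, components = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            d = stack.pop()
            if d in comp:
                continue
            comp.add(d)
            stack.extend(adjacency[d] - comp)
        seen |= comp
        components.append(sorted(comp))
    return sorted(components, key=lambda c: (-len(c), c))


# Constructed sample lines in the page's own notation (not real indicators).
SAMPLE_LINES = [
    "hxxp://shop-one[.]test - Email: reg-a@mail.test - 203[.]0[.]113[.]10",
    "hxxp://shop-two[.]test - Email: reg-a@mail.test",
    "hxxp:/news-hub[.]test - 203[.]0[.]113[.]10; 198[.]51[.]100[.]7",
    "hxxp://pentest-co[.]test - Email: reg-b@mail.test - 198[.]51[.]100[.]7"
    " - MD5: 0123456789abcdef0123456789abcdef",
    "hxxp://lonely-site[.]test - Email: reg-c@mail.test",
]

if __name__ == "__main__":
    for key, domains in sorted(shared_pivots(SAMPLE_LINES).items()):
        print(key, "->", ", ".join(domains))
    for comp in connect_the_dots(SAMPLE_LINES):
        print("cluster:", ", ".join(comp))
```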
Here's the analysis.
hxxp://www.warzone.ws/
Personal emails: solmyr@warzone.ws; ebase03@hotmail.com
XMPP/Jabber ID: solmyr@xmpp.jp
Telegram: solwz; sammysamwarzone
Skype: vuln.hf
Facebook account: https://www.facebook.com/il.meli.5
Sample photos of Warzone RAT (Remote Access Tool):
Sample photos of Daniel Meli:
Cheers!
Known responding IPs:
Personally identifiable information:
Email: support@xdedic.biz, abuse@xdedic.ac
Jabber Supports: support@xdedic.tk, support2@xdedic.tk
ICQ 591-20-47
support@e-investhost.com
Current related domain registrations:
infox.sg
getmobiledevices.com
trustpharms.com
start55555.com
elevrus24.com
Known responding IPs:
I recently came across another image, courtesy of the Conti ransomware gang's internal and publicly accessible leaked communication, which I data mined with the idea of coming up with a proper analysis and connecting the dots. In this case it appears that a member of the Conti ransomware gang who is responsible for their advertising and marketing creative is also busy doing advertising and marketing creative for other clients, companies and organizations, in this specific case Russia-based rap and hip hop artists and their album covers.
Is this the case? Let's find out.
Original Russia-based artist album cover screenshot found by data mining the Conti ransomware gang's publicly accessible leaked internal communication:
Sample personal photos of Nikita Zharinov:
Artwork courtesy of: W8D8DIGITAL - hxxp://www.instagram.com/w8d8w8d8/
hxxp://vk.com/w8d8w8d8 -> hxxp://vk.com/lungo999 -> Alexey Plyushkin - Born - 11 April 1994
Sample personal photos of the owner and the advertising and marketing creative developer for the album cover – W8D8DIGITAL:
Sample photo of Flowers a Capella recording studio also based on the same address:
Sample personal photo of Oleg Dyachenko:
Sample personal photo of Oleg Khruschev:
Flowers a Capella -> Oleg Dyachenko - Born 10 February -> hxxp://vk.com/where.oreo; hxxp://vk.com/id234109753
Олег Хрущев - Born 14 February -> hxxp://vk.com/lezhatpluslezhat; hxxp://vk.com/id166833144 (Oleg Khruschev)
+7 (912) 629-76-36
Kirova Street 9, Yekaterinburg
hxxp://t.me/flowersacapellastudio -> hxxp://t.me/kreasttik
hxxp://vk.com/whoisplutok9
hxxp://vk.com/id654906170 -> hxxp://vk.com/flowers.since2023
What leads us to conclusions when data mining publicly accessible forum communities used by cybercriminals?
It's their digital footprint, which is often invaluable when doing research, such as for instance the following user IDs.
Sample personally identifiable XMPP/Jabber and email address accounts obtained by data mining a publicly accessible cybercrime-friendly forum community:
This is the second part. Check out part one here. If it's going to be a cyber warfare doctrine, make sure that China and Russia didn't copy it, acting as copycats and basically positioning themselves over a decade ago in military and cyberspace operations thinking. If that's the case then I'll do my best to elaborate more on my understanding and the actual practice of cyber deception and cyber military deception in cyberspace.
Some of the key principles that I'll outline in this second part of the series include:
As I've already mentioned when discussing the process and practice of misperception, it should also be clearly noted and emphasized that the basic concept of misperception of individuals and organizations in cyberspace, as launched and operated by an information operation, can be purposely proposed by the information operation itself or by the individual or organization managing it.
Yet another highly relevant concept in cyber deception and cyber military deception has to do with hiding real and actual information or facts for the purpose of building an information operation around this idea and process, which also has to do with the following.
- Hiding the Real
This is a fairly interesting concept whose primary element, a somewhat sensitive topic, is the concealment of an individual's, an item's or an organization's own characteristics or patterns, be it a pattern of behavior or a pattern of activity. It could also include the introduction of new characteristics or patterns of behavior, or the purposeful, operation-based exclusion of certain characteristics, where the ultimate goal would be to raise uncertainty or to work in a classified or sensitive fashion.
- Showing the False
This is a very important concept whose primary purpose is to disinform an adversary, an individual or an organization about the true state of a specific concept, where the ultimate goal is to disinform that individual or organization, possibly by introducing a new concept or practice, also known as showing the false, which could also extend to pattern-based behavior in the context of both an individual's and an organization's behavior.
- Pre-defined target response reaction
The primary goal here is to create a mechanism where one party can expect another party's response in a specific way or manner, where the ultimate response could be either classified or sensitive, and the actual response could be either surprising, hiding the real or showing the false.
- Pre-defined perception determination
Believe it or not, this doesn't necessarily require an expert or a specialist in the field, as that would undermine the very concept behind this practice, which has to do with purposely positioning yourself as the knowledgeable party in a specific situation, where the ultimate response would be driven by something that you know, or are perceived to know, as an expert or specialist, or by your position in the field.
- Hide or Show assets decision model
A rather interesting practice that greatly reminds me of a moment in time when you could really "IM me a Strike Order", where the ones who ultimately know and understand the adversary would have a way to properly respond and strike back in a professional and specific manner.
Stay tuned!
Sample domains:
hxxp://aes[.]one - Kirill Borzov - Email: borzoff_k[.]grr[.]la; 89531976767@mail[.]ru
Sample URL: hxxp://aes[.]one/files/d/e0t/1u4lg8iu6deal10c4k13lei1q7/94290198d07d9e0e/
Related domains: hxxp://запчасти71[.]рус - Email: 89531976767[.]mail[.]ru
hxxp://continews[.]click - 89[.]45[.]4[.]98; 86[.]106[.]20[.]166; 146[.]70[.]71[.]184
Related Conti domains known to have been parked on the same IP (89[.]45[.]4[.]98):
hxxp://continews[.]club
hxxp://continews[.]xyz
hxxp://contirecovery[.]click
hxxp://contirecovery[.]best - 185[.]14[.]30[.]76
Related Conti domains known to have been parked on the same IP (185[.]14[.]30[.]76):
hxxp://contirecovery[.]top
hxxp://contirecovery[.]icu
Related Conti domains known to have been parked on the same IP (185[.]14[.]30[.]76):
hxxp://bet4rate[.]com - Anton Petrov - Email: a[.]lexboesky@gmail[.]com
Related domains known to have been registered using a[.]lexboesky@gmail[.]com include:
Working spreadsheet:
hxxp://docs[.]google[.]com/spreadsheets/d/1pI71arcyNDmcCZPfGFDFc0o9GJlrcJOycBWZEyrfjlA/edit
Working Google Drive account:
https://drive[.]usercontent[.]google[.]com/download?id=1TzaiXSmdZpSUvm_quI4DjiedpxAQ05mo
I just came across China's I-SOON leaks and I decided to jump in with research and expertise.
Drop me a line at dancho.danchev@hush.com in case you want or need cyber threat actor research and analysis and attribution services.
hxxp://t[.]wss[.]ink/f/8iykyg9b6st - Email: 2592858885@qq[.]com; 4826193@qq[.]com - hxxp://www[.]wenshushu[.]cn/f/8iykyg9b6st - 111[.]231[.]213[.]199
hxxp://t[.]wss[.]ink/f/8kmzl1edc19
hxxp://t[.]wss[.]ink/f/8abv0if4m5p
hxxp://t[.]wss[.]ink/f/8iykyg9b6st
42[.]177[.]83[.]82
113[.]207[.]69[.]126
113[.]59[.]43[.]73
211[.]93[.]211[.]192
hxxp://wss[.]show
hxxp://wss[.]ink
hxxp://wss[.]zone
hxxp://wss[.]email
hxxp://wss[.]pet
hxxp://i-soon[.]net - 123[.]56[.]229[.]155; 112[.]126[.]82[.]38
Sample users involved in these campaigns include:
ccstc[.]i-soon[.]net
oa[.]i-soon[.]net
live[.]i-soon[.]net
qiniudce[.]i-soon[.]net
dce[.]i-soon[.]net
edu[.]i-soon[.]net
fzpt[.]i-soon[.]net
i-soon[.]net
ku[.]i-soon[.]net
im[.]i-soon[.]net
www[.]i-soon[.]net
yq[.]i-soon[.]net
Known responding IPs:
47[.]108[.]80[.]161
106[.]187[.]102[.]130
220[.]169[.]152[.]41
183[.]61[.]177[.]41
182[.]107[.]80[.]41
47[.]109[.]21[.]45
180[.]97[.]198[.]41
218[.]93[.]204[.]41
47[.]108[.]118[.]238
59[.]188[.]252[.]171
123[.]56[.]229[.]155
112[.]126[.]82[.]38
218[.]2[.]110[.]91
Contact points:
QQ:727697644 Email: ctf@whitecap100[.]rog
Related URL-shortener links known to have served malware:
https://t[.]wss[.]ink/f/8kd4y733mj1
https://t[.]wss[.]ink/f/ajnim7pusck
https://t[.]wss[.]ink/f/bfjq0a7njdv
https://t[.]wss[.]ink/f/bfpqf64mrf3
https://t[.]wss[.]ink/f/bgdvc80lljj
https://t[.]wss[.]ink/f/bhpswv6k9ur
https://t[.]wss[.]ink/f/bhrsefmgk1v
https://t[.]wss[.]ink/f/bm2essrfd6r
https://t[.]wss[.]ink/f/boe4v8tdpsz
https://t[.]wss[.]ink/f/cc278l37m37
https://t[.]wss[.]ink/f/cc29395ne3s
Sample photos:
When you're so dumb that even the "drugs" can't "catch you". The next thing that follows is the laughing.
UPDATE:
Personally identifiable information:
hxxp://bit[.]ly/nubankmodulo
hxxp://goatrat[.]com/apks/apk20[.]apk
Sample hashes (SHA-256 and MD5):
6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7
9a8e85cf1bbd32c71f0efa42ffedf1a0
hxxp://api[.]goatrat[.]com:3008
Social Media:
hxxp://t[.]me/sickoDevz
hxxp://t[.]me/goatmalware
Web site:
hxxp://criminalmw[.]fun
hxxp://clientes[.]criminalmw[.]fun
WhatsApp - +5511987457894
ba5833b49e2c6501f5bbce90b7948a85
Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD
SSL: 94ba7810ece1a1b227e6a5b509c8bb228e7285a1a5cee5f0ee26542783d4b09a
Sample C&C servers:
104[.]244[.]75[.]74
138[.]197[.]166[.]92
142[.]251[.]143[.]110
142[.]251[.]143[.]129
142[.]251[.]143[.]142
142[.]251[.]143[.]163
142[.]251[.]143[.]193
142[.]54[.]162[.]114
159[.]69[.]27[.]103
174[.]128[.]250[.]164
185[.]204[.]1[.]84
185[.]225[.]68[.]133
188[.]214[.]132[.]49
216[.]239[.]32[.]36
216[.]239[.]34[.]36
31[.]133[.]1[.]108
51[.]148[.]150[.]203
51[.]81[.]93[.]37
80[.]241[.]214[.]102
82[.]128[.]229[.]109
93[.]115[.]91[.]66
95[.]216[.]209[.]129
Sample C&C servers:
tgutjgo6kvqdst5ock[.]com
olbvu5pv2apkc57zfeg[.]com
hxxp://h4j7ewfdpwfzg6g6[.]com - 185[.]177[.]206[.]72
hxxp://3ajzfjsxou4yzn3jw552dg[.]com - 87[.]236[.]195[.]198
hxxp://f53ia7lqhbg54y7xd7ydp3[.]com - 178[.]63[.]41[.]183
hxxp://lblhluz7or[.]com - 178[.]63[.]41[.]183
hxxp://inylslu7vfq24vb[.]com - 185[.]177[.]206[.]72
51[.]81[.]56[.]136
89[.]163[.]128[.]25
81[.]7[.]16[.]177
81[.]170[.]128[.]221
109[.]70[.]100[.]71
158[.]255[.]1[.]112
j6jvmwqorhq4xpjkcy26d3i4au6pz6nyroqxreefmnl7yxgcruxzkmyd[.]onion
Sample Photos: