Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Dear blog readers,

I wanted to find out whether any of my blog readers might be using Silent Circle - and whether you might be interested in approaching me with your Silent Circle ID to get the conversation going?

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

Dear blog readers,

I wanted to let you know of  my newly launched hacking and security community - Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - with public registration now open.

How you can help?

- Register today!
- Share this post with friends and colleagues.
- Approach me at dancho.danchev@hush.com with your comments feedback and general suggestions

Stay tuned!

Anyone there?

In a savagery peasant-aria which can be best described as the country where crime is supposedly prolific based on psychotropic substances and a "newspaper" courtesy -- you wish you wish -- of the basement of "someone" that thought that the CIA is running the country thanks to a "described" but supposedly "pre-scribed" leader of the country - increasing the longevity of peasant-aria land to continue vomiting in the very nothing? Not fair my friend. It shouldn't be surprising that nothing is ever taking place at all.

Keep reading.

- Key Summary Points

• Do you know what TOR is?

• Are you "based" on the Intelligence?

Can you best describe Bulgarian Intelligence Services? Pretty simple. It's your father's ugly Intelligence book with a vibrator on it - namely - an apparatus.

• When did you first discover Facebook?

Let's spit and vomit and take a photo of it - isn't this fancy? Or shall we spank your digital existence based on the clustered irrelevance of your degraded social vomit? Dare to press a button once again and We Shall Prevail to the bottom of the irrelevant obfuscation of your dare existence? Not fancy.

• Do you know who Yavor Kolev is?

• Do you have a career?

Do you "go" to work? Do you have a "career"? Can you make the difference? You wish.

• Are you heading to the airport? 

It's 2010 and I've recently came across to yet another currently active scareware-serving campaign courtesy of the Koobface gang this time successfully introducing a CAPTCHA-breaking module potentially improving the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed a sample malware phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that prior to analyzing the campaign it appears that the Koobface gang has recently introduced a CAPTCHA-breaking module which basically relies on the active outsourcing of the CAPTCHA-breaking process potentially improving the Koobface spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the following C&C server IPs:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in-depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed a sample malware phones back to:
hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions

Parked at the same IP where Crusade Affiliates continue serving a diverse set of fake security software are also more scareware domains.

It's also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. Koobface gang is typosquatting my name for registering domains (for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - which is registered to Danchev Danch (1andruh.a1@gmail.com).

With scareware continuing to proliferate I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software with the scareware behind the campaign successfully modifying the HOSTS on the affected host potentially exposing the user to a variety of fake search engines type of rogue and fraudulent and malicious activity.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D

Sample malicious MD5 known to have participated in the campaign:
MD5: 665480a64d4f72a33120251c968e9c28

Once executed the sample modifies the HOSTS and redirects them to the following domains:
hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201
hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=

Related malicious rogue and fraudulent URL known to have participated in the campaign:
hxxp://88.85.73.139/landing/

Sample rogue and fraudulent payment processed used in the campaign:
hxxp://safetyself.com/safereports/ - 88.85.73.139

Remember loads.cc? In this post I'll provide actionable intelligence on the popular DDoS for hire service circa 2008 and offer in-depth perspective on the tactics utilized by the gang behind the service for the purpose of earning fraudulent revenue in the process of monetizing access to malware-infected hosts.

Sample malicious and fraudulent infrastructure known to have participated in the campaign:
hxxp://loads.cc - hxxp://ns1.udnska.cn (72.21.52.99), interestingly, hxxp://sateliting.cn is the C&C for hxxp://loads.cc service.

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://sateliting.cn/?&v=exp6&lid=1033
hxxp://sateliting.cn/?&v=iron&lid=1033
hxxp://sateliting.cn/?&v=1810kj&lid=1033
hxxp://sateliting.cn/?&v=Loko&lid=1033
hxxp://sateliting.cn/?&v=mporlova&lid=1033
hxxp://satelit-ing.cn/?&v=mporlova&lid=1033
hxxp://sateliting.cn/?&v=gto&lid=1033

Related malicious IPs known to have responded to sateliting.cn:
hxxp://50.117.116.117
hxxp://216.172.154.34
hxxp://50.117.122.90
hxxp://205.164.24.45
hxxp://50.117.116.205
hxxp://50.117.116.204
hxxp://65.19.157.227

Related malicious MD5s known to have participated in the campaign:
MD5: eb0e25f2ac8f50590e3a00dcf766ef02
MD5: 48cf9b8b063715bb53e691da61601a73
MD5: 0b63dc08da40fcaf532847cfa5d9fc12
MD5: 0abaffe7d19c382d6dc94e40b27f199b
MD5: 0844b755c7e26c8051ab23369f720a4b
MD5: 2f3e270c37b48523e3e89ab76a012092

Love them or hate them - the ubiquitous beautiful girl utilizing fake bogus and rogue Facebook accounts scam campaign courtesy of Hamas targeting Israeli soldiers has to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure and will discuss in-depth the tactics techniques and procedures of the cybercriminals behind it and will offer in-depth perspective on a currently active Pro-Hamas hosting provider - "Nepras for Media & IT" which is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda spreading online infrastructure provider directly related to yet another Pro-Hamas franchise - "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:
Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:

Sample malicious and fraudulent URL known to have participated in the campaign:
hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://goldncup.com
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163
hxxp://autoandroidup.website
hxxp://mobilestoreupdate.website
hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:
hxxp://107.175.144.26
hxxp://192.64.114.147

Related malicious MD5s known to have participated in the campaign:
MD5: 4f9383ae4d0285aeb86e56797f3193f7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent phone-back C&C server IPs:
hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the campaign:
info@palgoal.ps
support@nepras.com
mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:
hxxp://7qlp.com
hxxp://all-in1.net
hxxp://androidmobgate.com
hxxp://arabstonight.com
hxxp://collectrich.com
hxxp://krmalk.com
hxxp://motionsgraphic.com
hxxp://orchidcollege.com
hxxp://paltrainers.org
hxxp://rosomat.net
hxxp://stikerscloud.com

Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:
hxxp://acchd.net
hxxp://ahlulquran.com
hxxp://alalbait.ps
hxxp://alnorhan.com
hxxp://alowini.com
hxxp://alresalah.news
hxxp://alshibl.com
hxxp://alwanbook.com
hxxp://arqamschools.com
hxxp://azarcnc.com
hxxp://boxmarket.org
hxxp://bstcover.com
hxxp://caades.org
hxxp://detour-bs.com
hxxp://driverup2date.com
hxxp://drmazen.com
hxxp://drmazen.ps
hxxp://eta-water.com
hxxp://fares-alarab.com
hxxp://feker.net
hxxp://fekerjaded.net
hxxp://fekerjaded.com
hxxp://gaza-health.com
hxxp://gcstv.tv
hxxp://hairgenomics.com
hxxp://idco.center
hxxp://islamicbl.com
hxxp://khaledjuma.net
hxxp://kingtoys.ps
hxxp://learningoutcome.net
hxxp://lemaghi.com
hxxp://lsugaza.org
hxxp://mailsinfo.net
hxxp://majallaa.com
hxxp://manara.ps
hxxp://mobilyapp.com
hxxp://mtsc.tech
hxxp://nepras.net
hxxp://nepras.ps
hxxp://nsms.ps
hxxp://osamaalnajjar.com
hxxp://osratyorg.com
hxxp://panorama-pvs.com
hxxp://pay2earn.net
hxxp://pharmahome.net
hxxp://saqacc.com
hxxp://saudifame.com
hxxp://scc-online.net
hxxp://sondooq.net
hxxp://syada.org
hxxp://takafulsys.com
hxxp://taqat.work
hxxp://taqat.jobs
hxxp://technologylotus.com
hxxp://thoraya.net
hxxp://vgsat.com
hxxp://yabous.net
hxxp://yourav.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://googlemapsservice.com
hxxp://lipidgenomics.com
hxxp://akalgroup.net
hxxp://rami-kerenawi.com
hxxp://bestyleperfumes.com
hxxp://azarcnc.com
hxxp://go-2web.com
hxxp://jettafood.com
hxxp://mushtahatours.com
hxxp://pal4news.net
hxxp://pcr-shate.com
hxxp://saqacc.com
hxxp://shahidvideo.com
hxxp://shop8d.net
hxxp://spermgenomics.com
hxxp://tawjihips.com
hxxp://vidioarb.com
hxxp://yourav.net
hxxp://yourdialerpal.com
hxxp://freedombeacon.info
hxxp://neprastest.info
hxxp://nirmaali.com
hxxp://zaibaq-hearing.com
hxxp://bramgsoft.com
hxxp://hairgenomics.com
hxxp://dietgenomix.com
hxxp://arcadialanguages.com
hxxp://himoudco.com
hxxp://moltkaa.com
hxxp://toyoorjanna.com
hxxp://facebootshe.com
hxxp://facebootshe.net
hxxp://somoood.com
hxxp://alnorhan.com
hxxp://alwatantoday.net
hxxp://elianali.com
hxxp://sspal.net
hxxp://hi-galaxy.com
hxxp://youthn.net
hxxp://gmamalaysia.com
hxxp://cbspgaza.com
hxxp://madarikmedia.com
hxxp://website-testnew.com
hxxp://childworldsociety.com
hxxp://netmarketpal.net
hxxp://albwwaba.com
hxxp://saudib.info
hxxp://pwaha.com
hxxp://smilymedia.com
hxxp://ftyatalghad.com
hxxp://coldymedia.com
hxxp://kh-alsendawy.com
hxxp://scoutsyalla.com
hxxp://almofker.com
hxxp://rawnaqmedia.net
hxxp://pro-stud.com
hxxp://shawa-plast.com
hxxp://eta-water.com
hxxp://host4tech.net
hxxp://fekerjaded.com
hxxp://audioodrivers.com
hxxp://trsanweb.com
hxxp://3almpro.com
hxxp://neprasweb.info
hxxp://thaqefnafsak.net
hxxp://newpal21.com
hxxp://ads4market.net
hxxp://qcpalestineforum.net
hxxp://alothmanx.com
hxxp://detourbs.com
hxxp://engash.com
hxxp://anafenyx.com
hxxp://dar-pal.com
hxxp://loyal-hands.com
hxxp://sahabacomplex.net
hxxp://logintest.info
hxxp://mapartnr.com
hxxp://hejazeceramics.com
hxxp://gazaapeal.com
hxxp://tawzzef.com
hxxp://gazaappeal.com
hxxp://oqpizza.com
hxxp://arqamschools.com
hxxp://nafhacenter.com
hxxp://halaalmasry.com
hxxp://q9polls.com
hxxp://q8-polls.com
hxxp://palalghadschool.com
hxxp://servesni.com
hxxp://rose2020.com
hxxp://km-pal.com
hxxp://cfpalestine.com
hxxp://ipad2me.com
hxxp://arabsdownload.com
hxxp://projectsinturkey.com
hxxp://newmassa.com
hxxp://charitysys.info
hxxp://nepraswebsite.com
hxxp://iquds.com
hxxp://yabous.net
hxxp://appsapkandroid.us
hxxp://alltech4arab.com
hxxp://hadaf.info
hxxp://plmedgroup.com
hxxp://modhish.net
hxxp://mltaka.com
hxxp://ajelapp.com
hxxp://khmap.com
hxxp://cupsport.net
hxxp://arshdnytech.com
hxxp://gmaedu.net
hxxp://lemaghi.com
hxxp://creativityjob.com
hxxp://imes-group.net
hxxp://rawnaqmedia.com
hxxp://alwanbook.com
hxxp://fifafoot.com
hxxp://sportarabs.com
hxxp://el-qalam.com
hxxp://bawadirsoft.com
hxxp://palalghad-school.com
hxxp://mixedwork.com
hxxp://plmedgroup.com
hxxp://alowini.com
hxxp://detour-bs.com
hxxp://earningoutcome.net
hxxp://shahedcom.com
hxxp://sport-kora.com
hxxp://torathshop.com
hxxp://newsolararabian.com
hxxp://h3sk.com
hxxp://gh-gaza91.com
hxxp://watanps.com
hxxp://mobilyapp.com
hxxp://nfs-pal.com
hxxp://yousef123.com
hxxp://alhato.com
hxxp://alyawmpress.net
hxxp://technologylotus.com
hxxp://qavalues.com
hxxp://ask2play.net
hxxp://hamasld.com
hxxp://bhscfood.com
hxxp://nmanews.com
hxxp://ifcdoha4.com
hxxp://sparkpowerco.net
hxxp://archour.com
hxxp://nmanews.net
hxxp://academy-uk.net
hxxp://turkey-gate.com
hxxp://learningoutcome.net
hxxp://smattrix.com
hxxp://eradaa.net
hxxp://paltoday.com
hxxp://sugar-salt.net
hxxp://boutiqobasket.com
hxxp://ethadalpadia.com
hxxp://fonoungallery.com
hxxp://fonoungallery.com
hxxp://smattrix.com
hxxp://gazawiit.com
hxxp://alfarisnt.com
hxxp://lama-film.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://lovemagazineofficial.com
hxxp://masmo7.com
hxxp://mnwrna.com
hxxp://androidbak.com
hxxp://fastdroidmob.com
hxxp://treestower.com
hxxp://aymanjoda.com
hxxp://advflameco.com
hxxp://mahmoudzuaiter.com
hxxp://libyatoda.com
hxxp://mtcpal.com
hxxp://khfamilies.com
hxxp://ch2t0.com
hxxp://dwratcom.com
hxxp://faker4.com
hxxp://orubah.com
hxxp://orchidcollege.com
hxxp://yasser-arafat.com
hxxp://wf-hall.com
hxxp://maharaty.net
hxxp://addoja.net
hxxp://arb10.com
hxxp://ajel-news.com
hxxp://rosomat.net
hxxp://sahifty.net
hxxp://looktik.com
hxxp://pstent.com
hxxp://newsmagasine.com
hxxp://gazass.com
hxxp://dooownloads.com
hxxp://androidmobgate.com
hxxp://koora-fast.com
hxxp://fitlifee.com
hxxp://share-crowd.com

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:
hxxp://atfalocom.com
hxxp://bopfile.com
hxxp://djadet.com
hxxp://ecsrs.com
hxxp://egp-gaza.com
hxxp://infoocean.net
hxxp://katakeety.com
hxxp://katakeety.net
hxxp://linefood.com
hxxp://mtcpal.net
hxxp://nawrastv.net
hxxp://shobbaik.com
hxxp://tashbik.biz
hxxp://tashbik.com
hxxp://vansac-english.com
hxxp://woodrom.com
hxxp://alfareeq.info
hxxp://tashbik.info
hxxp://cashbacksave.com
hxxp://nerab.com
hxxp://download4android.com
hxxp://altartosi.net
hxxp://fostanews.com
hxxp://silverdai.com
hxxp://selhelou.com
hxxp://albassam-co.com
hxxp://almanar-studio.com
hxxp://facekooora.com
hxxp://holylandcar.com
hxxp://qneibi.com
hxxp://shaheen-flower.com
hxxp://strong-k.com
hxxp://pioneerfoodco.com
hxxp://sinokrotex.com
hxxp://zawiaa.net
hxxp://amwwal.com
hxxp://abuamra.com
hxxp://madridista-arab.com
hxxp://donia-fm.com
hxxp://donia-fm.net
hxxp://lmasatfnya.com
hxxp://dolphinexpress1.com
hxxp://dolphinexpress1.info
hxxp://dolphinexpress1.net
hxxp://radiosurif.com
hxxp://sahaba-radio.com
hxxp://odmint.com
hxxp://ylapin.com
hxxp://ylapin.net
hxxp://mypage-pro.com
hxxp://mohdsheikh.com
hxxp://altelbany.com
hxxp://dolphinariumtours.com
hxxp://artsofali.com
hxxp://menalmuheetlelkhaleej.com
hxxp://alghaidaa.com
hxxp://ajwad-marble.com
hxxp://istakbel.com
hxxp://istaqbel.com
hxxp://istaqbil.com
hxxp://istaqbl.com
hxxp://istqbl.com
hxxp://estakbel.com
hxxp://estaqbel.com
hxxp://estaqbil.com
hxxp://estaqbl.com
hxxp://estqbl.com
hxxp://massrefy.com
hxxp://massrify.com
hxxp://amwwaly.com
hxxp://amwwaly.info
hxxp://amwwaly.net
hxxp://nawrastv.com
hxxp://stepcrm.com
hxxp://imraish.com
hxxp://zawiaa.com
hxxp://3la-kefak.com
hxxp://bsaisofamily.com
hxxp://imraish.com

Related malicious MD5s known to have participated in the campaign:
MD5: 10f27d243adb082ce0f842c7a4a3784b01f7248e
MD5: b8237782486a26d5397b75eeea7354a777bff63a
MD5: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
MD5: 9b923303f580c999f0fdc25cad600dd3550fe4e0
MD5: 0b58c883efe44ff010f1703db00c9ff4645b59df
MD5: 0a5dc47b06de545d8236d70efee801ca573115e7
MD5: 782a0e5208c3d9e8942b928857a24183655e7470
MD5: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
MD5: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Related certificates known to have participated in the campaign:
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malcious domain - hxxp://jonalbertwebsite.000webhostapp.com
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the followin malicious domain - hxxp://192.64.114.147/apps/d/p/op.php
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious MD5s known to have participated in the campaign:
MD5: f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious URL known to have participated in the campaign:
hxxp://bit.ly/2M7E2Zg

UPDATE: Flashpoint Intel issued a response to my research.

UPDATE: SCMagazine picked up the story.

UPDATE: Anti-Malware.name picked up the story.

UPDATE: EnterpriseTimes picked up the story

UPDATE: Rambler News picked up the story.

It appears that Flashpoint's official Web site is currently embedded with malware-serving malicious script potentially exposing its visitors to a multi-tude of malicious software.

Original malicious URL hosting location:
hxxp://www.flashpoint-intel.com/404javascript.js
hxxp://www.flashpoint-intel.com/404testpage4525d2fdc

Related malicious URL redirection chain:
hxxp://www.flashpoint-intel.com -> hxxp://destinywall.org/redirect?type=555 - ; hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793697539 -> hxxp://search.plutonium.icu/proc.php?37ba8df02c6d  -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f -> hxxp://circultural.com/v/c3937168-5def-11e9-b07a -> hxxp://3daa61.circultural.com/l/8c579bd6-2433-11e


Second sample URL redirection chain:
hxxp://www.flashpoint-intel.com/ -> hxxp://destinywall.org/redirect?type=555&  -> hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793698655 -> hxxp://search.plutonium.icu/proc.php?123dd67462ec -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f  -> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47

Related legitimate URL known to have participated in the campaign:
hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002

Related malicious URL redirection chain:
hxxp://unanimous.live/ - 104.28.24.233- hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js
hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105

Related malicious URLs known to have participated in the campaign:
hxxp://oussercondition.tk/index/?4831537102803
hxxp://testify.newsfeed.support/esuznxifqk?c=15&amp
hxxp://impress.newsfeed.support/esuznxifqk?c=20&amp


hxxp://minently.com/RnSda/rDN3/ojdn/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e?qDo=MS_WW_AGG_Desktop&subid=6679367743860375570&ext1=1608
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lUHCfkQjLfPyHo_ZayrHiuU?ori=6x&ex=6&pbi=5cb1e1a50b08e2.738349245
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lRfKJxF0KvzyETF1t74kzXE?ori=6x&ex=6&pbi=5cb1e1ac8e8cd8.865930185 - 205.147.93.131
hxxp://search.plutonium.icu/?utm_term=6679367743860375570&clickverify=1&utm_content=fdc2c69a9 - 99.198.108.198
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd1kUSXfhYjK_7yHXZI1b-Xzt8?ori=6x&ex=6&pbi=5cb1e2e0ebe9a2.271109695 - 205.147.93.131
hxxp://click.monetizer-return.com/?utm_medium=f0b5c66dbbca0c7df1803313f76c9a781d4f8
e57 - 198.143.165.221
hxxp://play.superlzpre.com/red/?code=RY6GVO6HT5VM&a=6679370333725656167&pubid=1608 - 217.13.124.95


Related malicious domains known to have participated in the campaign:
hxxp://destinywall.org - 176.123.9.53
hxxp://hellofromhony.org
hxxp://hellofromhony.com
hxxp://thebiggestfavoritemake.com
hxxp://destinywall.org
hxxp://verybeatifulpear.com
hxxp://strangefullthiggngs.com
hxxp://stopenumarationsz.com

Related malicious and fraudulent IPs known to have participated in the campaign:
hxxp://onwardinated.com - 52.85.88.105; 52.85.88.202; 52.85.88.224; 52.85.88.151; 52.85.58.244; 52.85.58.217 ; 52.85.58.236 ; 52.85.58.52
hxxp://205.147.93.131
hxxp://99.198.108.198
hxxp://217.13.124.95
hxxp://143.204.247.69
hxxp://143.204.214.90


Related malicious MD5s known to have participated in the campaign:
MD5: b28e98bb6ed0e0af8ec7a2d47ca6b053
MD5: f0dfab9f9a1a7e5dc8c00222292e401e
MD5: 6b986d4bc5475af102bfff4d28a5cf50
MD5: e963ed9b5c052d02c972e449142f7946
MD5: 7dee4f221d3b3779301f4b38061d6992

Related malicious MD5s known to have participated in the campaign:
MD5: 30f6d6bd507317dbcf1708edc449c970
MD5: 437cfb417c5a6e7fc3d446dcd35203fc
MD5: e1fd735fdf97cc734ec46d2b33aac8bf
MD5: b37b7d221526faa8ffbea52626e5ac87
MD5: 821a00b057a9fabe670174eab4b28e77


Related malicious MD5s known to have participated in the campaign:
MD5: 0bb4e038ce1fecb88be583d776cfa4a0
MD5: 7197f433b0d269848ae1d1e957a9b858
MD5: 1d72d5255bd2450fb04a7a2c68ff87bd
MD5: b3722ade8c3ee908b6f82ae81ae2d748
MD5: 89ddddb5b3a88ef3d6da57c72197e0cc
MD5: 6a490bbd341db8033ec86fc771f24926
MD5: b52d0377b2f741dd20e17dfad3ca58aa
MD5: 813e84f9bd30eed6390f5ce806916f2a
MD5: 81810b6e4c89c03260a6bac4a16ef3ba
MD5: c9cb7f2ea5b8a16f4fb4246825e8a3de

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://notifymepush.info
hxxp://101newssubspush.info
hxxp://Bestofnewssubspush.info
hxxp://Burningpush.info
hxxp://Checkadvisefriends.info
hxxp://Checksayfriends.info
hxxp://Checksuefriends.info
hxxp://Conewssubspush.info
hxxp://Enewssubspush.info
hxxp://Examinenotifyfriends.]info
hxxp://Gonewssubspush.info
hxxp://Hitnewssubspush.info
hxxp://Inewssubspush.info
hxxp://Inspectnotifyfriends.info
hxxp://Justnewssubspush.info
hxxp://Livenewssubspush.info
hxxp://Metanewssubspush.info
hxxp://Newnewssubspush.info
hxxp://Notifymepush.info
hxxp://Nunewssubspush.info
hxxp://Pushmeandtouchme.info
hxxp://Scannotifyfriends.info
hxxp://Searchnotifyfriends.info
hxxp://Testnotifyfriends.info
hxxp://Thentouchme.info
hxxp://Topnewssubspush.info
hxxp://Touchthenpush.info
hxxp://Trynewssubspush.info
hxxp://Upnewssubspush.info
hxxp://Usenotifyfriends.info
hxxp://Wenewssubspush.info

Related malicious and fraudulent domains known to have responded to 109.234.39.160:
hxxp://ivreprsident.tk
hxxp://uvrirordre.tk
hxxp://offriractivit.tk
hxxp://ermoyen.tk
hxxp://iterrisque.tk
hxxp://derchef.tk
hxxp://echance.tk
hxxp://terminerespace.tk
hxxp://rofiterami.tk
hxxp://evenirweb.tk
hxxp://nviterinformation.tk
hxxp://xemple.tk
hxxp://isercarte.tk
hxxp://airelaisserquestion.tk
hxxp://derimage.tk
hxxp://alsoutenirdomaine.tk
hxxp://arderplan.tk
hxxp://rsentermonde.tk
hxxp://marquerexprience.tk
hxxp://germatire.tk
hxxp://rerlivre.tk
hxxp://ngersource.tk
hxxp://voyercasino.tk
hxxp://onctionnerfrance.tk
hxxp://raliserpage.tk
hxxp://nterespace.tk
hxxp://ectuerpartie.tk
hxxp://erguerre.tk
hxxp://nnatrevaleur.tk
hxxp://fierargent.tk
hxxp://irmertravers.tk
hxxp://dcidertemps.tk
hxxp://irebase.tk
hxxp://inerpied.tk
hxxp://limiterprsident.tk
hxxp://resteraffaire.tk
hxxp://laisserloi.tk
hxxp://treterre.tk
hxxp://iresuite.tk
hxxp://tenirair.tk
hxxp://rganiserargent.tk
hxxp://nelchoisirhistoire.tk
hxxp://grertte.tk
hxxp://oncernerpriode.tk
hxxp://ncerchoix.tk
hxxp://mpagnercas.tk
hxxp://permesure.tk
hxxp://urirproduit.tk
hxxp://relieu.tk
hxxp://sderplan.tk
hxxp://prparerchance.tk
hxxp://hergestion.tk
hxxp://disposerpouvoir.tk
hxxp://isirtat.tk
hxxp://dercoup.tk
hxxp://frersource.tk
hxxp://suivreobjet.tk
hxxp://itteranne.tk
hxxp://anisertude.tk
hxxp://pparatrecouleur.tk
hxxp://trouverplaisir.tk
hxxp://sterenfant.tk
hxxp://ttervente.tk
hxxp://ntirgestion.tk
hxxp://rouverdveloppement.tk
hxxp://nnelfalloirchoix.tk
hxxp://merdemande.tk
hxxp://nnellireapplication.tk
hxxp://ercoup.tk
hxxp://tgrertte.tk
hxxp://moyen.tk
hxxp://duirecorps.tk
hxxp://rerespecterministre.tk
hxxp://mposerconseil.tk
hxxp://nnatrevaleur.tk
hxxp://choisirfemme.tk
hxxp://nsidreran.tk
hxxp://rderdomaine.tk
hxxp://nuerweb.tk
hxxp://attrecentre.tk
hxxp://raiterbesoin.tk
hxxp://leresprit.tk
hxxp://ontenirforme.tk
hxxp://nirfonction.tk
hxxp://chergroupe.tk
hxxp://rtte.tk
hxxp://epied.tk
hxxp://erparis.tk
hxxp://liserpouvoir.tk
hxxp://rtagertype.tk
hxxp://reconnatrefemme.tk


Related malicious and fraudulent domains known to have responded to 37.230.116.105:
hxxp://lpoursuivretat.tk
hxxp://gycazyuge.tk
hxxp://optygyty.tk
hxxp://hurevente.tk
hxxp://kofojok.tk
hxxp://expliopjipn.tk
hxxp://nijiscy.tk
hxxp://mprendreauteur.tk
hxxp://vertravers.tk
hxxp://truirefrance.tk
hxxp://lokodasre.tk
hxxp://prendrecorps.tk
hxxp://iokoivefikolf.tk
hxxp://hudabertee.tk
hxxp://larereffet.tk
hxxp://husanuie.tk
hxxp://pocokie.tk
hxxp://gysazatre.tk
hxxp://ssurercentre.tk
hxxp://iperuvre.tk
hxxp://ferfreau.tk
hxxp://poserscurit.tk
hxxp://jidytzae.tk
hxxp://jikogyda.tk
hxxp://tirsystme.tk
hxxp://thermesure.tk
hxxp://plaisijir.tk
hxxp://tyferet.tk
hxxp://irefrance.tk
hxxp://sedkorlor.tk
hxxp://serfille.tk
hxxp://ruiyrgion.tk
hxxp://permettretravers.tk
hxxp://lpouruiretat.tk
hxxp://fournirplupart.tk
hxxp://roposergenre.tk
hxxp://tircadre.tk
hxxp://reconnatrechef.tk
hxxp://oiril.tk
hxxp://enterguerre.tk
hxxp://irvaleur.tk
hxxp://irsocit.tk
hxxp://hugersoir.tk
hxxp://jokofasa.tk
hxxp://gyrecersa.tk
hxxp://ekotyfereen.tk
hxxp://kosazagerr.tk
hxxp://ioterexu.tk
hxxp://voirirguerre.tk
hxxp://stermain.tk
hxxp://kokofete.tk
hxxp://uiregy.tk
hxxp://lodokiv.tk
hxxp://nedfuheihg.tk
hxxp://koduhutr.tk
hxxp://husadere.tk
hxxp://gytedexen.tk
hxxp://jisazabyt.tk
hxxp://potycerer.tk
hxxp://lopotyre.tk
hxxp://huqerwerite.tk
hxxp://rtircouleur.tk
hxxp://tirhujmort.tk
hxxp://huderesen.tk
hxxp://expliqueren.tk
hxxp://uihytyf.tk
hxxp://ikiryve.tk
hxxp://jisazajic.tk
hxxp://hudasarete.tk
hxxp://potijife.tk
hxxp://lsejikog.tk
hxxp://gytlsentirsite.tk
hxxp://tiosuivremillion.tk
hxxp://kojerconseil.tk
hxxp://okinterlien.tk
hxxp://tenterargent.tk
hxxp://eordre.tk
hxxp://onterami.tk
hxxp://vrirvente.tk
hxxp://nerbesoin.tk
hxxp://nertiko.tk
hxxp://geolorge.tk
hxxp://gyvercherdroit.tk
hxxp://bokosabe.tk
hxxp://lsjifferde.tk
hxxp://dyjursite.tk
hxxp://lopofibut.tk
hxxp://cevoirguerre.tk
hxxp://atteindreair.tk
hxxp://ardermillion.tk
hxxp://koiterplace.tk
hxxp://travaillersite.tk
hxxp://cuperquipe.tk
hxxp://ferdplaisir.tk
hxxp://lsentirsite.tk
hxxp://tsuivremillion.tk
hxxp://eciotersystme.tk
hxxp://ortercration.tk
hxxp://koeioijfgel.tk
hxxp://ituerexemple.tk
hxxp://olravaillersant.tk
hxxp://poloeioijfgel.tk
hxxp://pliquerformation.tk
hxxp://tsortirgouvernement.tk
hxxp://vkojrguerre.tk
hxxp://kijiirraison.tk
hxxp://ndreterme.tk
hxxp://iterplace.tk
hxxp://oposerprojet.tk
hxxp://ldclarerplace.tk
hxxp://permort.tk


Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):
hxxp://click.newsfeed.support
hxxp://soprano.newsfeed.support
hxxp://clarify.newsfeed.support
hxxp://theater.newsfeed.support
hxxp://impress.newsfeed.support
hxxp://urgency.newsfeed.support
hxxp://thinker.newsfeed.support
hxxp://glasses.newsfeed.support
hxxp://qualify.newsfeed.support
hxxp://warning.newsfeed.support
hxxp://scandal.newsfeed.support
hxxp://minimum.newsfeed.support
hxxp://general.newsfeed.support
hxxp://glimpse.newsfeed.support
hxxp://extreme.newsfeed.support
hxxp://officer.newsfeed.support
hxxp://silence.newsfeed.support
hxxp://capital.newsfeed.support
hxxp://voucher.newsfeed.support
hxxp://dentist.newsfeed.support

Dear blog readers, I wanted to take the time and effort and introduce you to my latest project called Unit-123.org where you can find quality research articles in a variety of topics that I will be publishing on a daily basis with the idea to bring back the spirit of my editorial years and to continue spreading quality data information and knowledge to a loyal base of users and readers.

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!

UPDATE: I can be reached at dancho.danchev@hush.com or at +359 87 68 93 890 in case of an emergency.

UPDATE: It appears that recently a car belonging to local police department (hxxp://troyan-police.com; police_troyan@abv.bg) was stopped somewhere around my place with the lights turned on with the idea to provoke a possible local police visit.

UPDATE: It appears that my place was visited for a second time by local police officers (hxxp://troyan-police.com; police_troyan@abv.bg) with third-party doctors (http://mbal-troyan.com; mbal_troyan@abv.bg) for the purpose of apparently injecting me and a document for the injection was signed by someone that I know.

UPDATE: It appears that someone managed to twist my arm and therefore pressed a pressure on my eye without my knowledge with random people attempting to communicate with me behind a wall.

UPDATE: It appears that prior to my presentation at InfoSec 2012 someone managed to place a plaque on the wall in Earl's Court and therefore I experienced a pressure on my head while making a presentation.

UPDATE: It appears that prior to my presentation visit in Lyon in 2010 someone managed to wound my mouth with something that can be described as wall interference.

UPDATE: It appears that someone managed to open my eye and therefore I'm currently experiencing a pressure behind a wall with random people attempting to communicate with me.

UPDATE: It appears that I'm currently persistently experiencing a pressure on my mouth including something in the lines of a toxic chemical on my nose.

UPDATE: It appears that someone managed to map my place including my head and body using rubber and is persistently trying to communicate with me.

UPDATE: In case you're interested in contacting me in terms of my law enforcement issues and potential kidnapping and harassment attempts including possible interview requests - feel free to approach me at dancho.danchev@hush.com as I'm currently busy looking for a full time cybercrime researcher security blogger and threat intelligence analyst type of position.

I would be also definitely looking forward to sharing some of my sensitive projects including related work in various other sensitive areas with the idea to end the ongoing IP (Intellectual Property) robbery courtesy of a variety of industry-leading companies and individuals. Has the time come to work hard and set them straight? It appears so. Feel free to approach me at dancho.danchev@hush.com

You can use the following PGP key to approach me regarding possible career opportunities regarding possible involvement in related sensitive projects at dancho.danchev@hush.com or just to say hi request Threat Data access including a sample or a possible trial or make a comment regarding my current and historical OSINT research including possible references to my 2010 disappearance including various cybercrime underground chatter referencing me and my research including disappearance and possible kidnapping including possible GCHQ Lovely Horse references and related resources and comments.

Sample Information Security and Information Warfare cartoon circa 2008:



UPDATE: It appears that someone managed to somehow place a basketball ball on my head chin and eye and therefore I'm currently experiencing a pressure on my eye and my face with people attempting to communicate with me.

UPDATE: It appears that someone is attempting to communicate with me using pressure pressed on my stomach.

UPDATE: It appears that someone is pressing a doll on a wall and is attempting to communicate with me including an increased pressure in my place.

UPDATE: It appears that different people are attempting to communicate with me behind a wall using a basketball ball interfering with the pressure in my place.

UPDATE: It appears that the robot has been persistently sprayed with homo-sexual spray including a possible female spray leading to a persistent harassment and torture currently affecting my life-being work-relationships and intellectual property.

UPDATE: It appears that someone managed to placed a box on the top of the robot for a period of several years successfully blinding me and restraining me from remote work activity.


In a related news story regarding my experience and expertise in the field it appears that the GCHQ has been actively monitoring me on Twitter including active traffic monitoring in a 2012 Intelligence Community program labeled - Lovely Horse that's basically a Palantir implementation of OSINT practices regarding a certain Twitter account. The purpose? Active traffic and content monitoring for the purpose of robbing me out of sensitive research and related research data which leads me to believe that I've been successfully contributing to a massive treasure trove IP (Intellectual Property) theft and robbery courtesy of the GCHQ and the NSA for a significant period of time.


- Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise
- LOVELY HORSE: GCHQ Program Monitored Hacker/InfoSec Community on Social Media
- GCHQ's 'Lovely Horse' tool helped spooks monitor hackers online
- GCHQ created 'Lovely Horse' to keep track of top hackers' and security specialists' blogs and tweets
- Spy Agencies Rely on Hackers for Stolen Data and Monitoring Security Experts for Expertise
- GCHQ Create Their Own Tweetdeck To Track People of Interest
- GCHQ siphoned off info stolen by hackers for its own ends
- Some hackers are unknowingly gathering intel for the NSA

It's also becoming increasingly evident that I'm also a participant in several other Intelligence Community Programs that appear to have successfully attempted to rob and steal my "know-how" leading me to pursue a possible closed-community data and research sharing or to request invite-only access to related research and data. Remember HBGary? It appears that every then and now a security company tries to re-position the industry by offering targeted and proprietary Threat Intelligence to a variety of sources successfully undermining a variety of community-offered and presented actionable Threat Intelligence.


While it's an honor to receive a competing proposition it should be noted that the majority of my research is public excluding several community-driven sensitive projects that I spend my time working on. It appears that the time has come for me to take my research to a whole new level which led me to pursue my own career patch within the Intelligence Community by successfully launching Disruptive Individuals including the Obmonix - Cybercrime and Cyber Jihad Fighting Platform including the eventual launch of the invite-only Threat Data - The World's Most Comprehensive Threat Database including a possible career opportunity with the industry-leading Webroot including a short-term venture with GroupSense including a possible SCMagazine 2011 nomination for my Twitter activity including the upcoming launch of Astalavista Security Group 2.0 - my primary working location throughout the 90's with a currently active crowdfunding campaign.


While I continue to be a firm believer that sharing and communicating actionable Threat Intelligence to a variety of source is the appropriate way to proceed and process a variety of cybercrime-related campaigns and malicious activity I believe that the time has come for me to take my research to a whole new level prompting me to seek a new career opportunity as the World's leading cybercrime researcher security blogger and threat intelligence analyst.


The majority of sources referenced in the original research basically represent the majority of my RSS feeds circa 2006 and it's becoming increasingly interesting perhaps even funny to figure out that the majority of my OSINT techniques including active WHOIS monitoring and research are widely accepted and discussed within the Intelligence Community.


What prompted the GCHQ to issue an active traffic and Twitter account monitoring campaign? Keep reading - back in the day throughout the period of 2008-2013 I used to actively monitor and profile various high-profile nation-state malicious and fraudulent campaigns including the infamous Koobface botnet -- listed to the original MP3 interview -- which I extensively profiled and managed to practically take down including the active exposing of its core botnet master including the active exposure of client-side exploits being served through the Koobface botnet through what appears to be a partnership between the Koobface botnet master and a well known cybercriminal - Exmanoize a well known author of a well known Web malware exploitation kit including the receiving of malware-infected host embedded messages in response to my "10 things you didn't know about the Koobface gang" including what appears to be a direct redirection of Facebook to my personal blog including yet another message left by the Koobface gang, including a variety of typosquatted C&C server domains registered to my name including extensive Russian Business Network coverage at the time.

Sample Koobface Botnet Infographic courtesy of CyberCamp 2016:


It's also worth mentioning that at the time the U.S Treasury Department was also redirecting to my Blogger profile including the active HOST file modification courtesy of a well known money-mule recruitment campaign.

Consider going through the following set of resources and news articles throughout 2008-2013 which can best describe the Threat Intelligence Scene the way I know it and the way I'm positive it should be.

Research and News Articles covering my research and referencing me throughout - 2008:

• Russian hacker 'militia' mobilizes to attack Georgia
• Fraudsters Target Facebook With Phishing Scam 
• Fake Microsoft e-mail contains Trojan virus
• Hackers expand massive IFRAME attack to prime sites
• Hackers infiltrate Google searches
• Hackers expand massive IFrame attack to prime sites
• Hackers knocked Comcast.net offline
• Adobe investigates Flash Player attacks
• High-tech bank robbers phone it in
• Attackers booby-trap searches at top Web sites
• Carpet bombing networks in cyberspace
• Storm worm e-mail says U.S. attacked Iran
• India's underground CAPTCHA-breaking economy
• Domain Name Record Altered to Hack Comcast.net
• Google searchers could end up with a new type of bug
• Ongoing IFrame attack proving difficult to kill
• Hackers expand massive IFRAME attack to prime sites
• Danchev: The small pack Web malware exploitation kit
• Danchev: Massive SQL injection the Chinese way
• CAPTCHAs are dead - new research from Dancho Danchev confirms it
• Hackers infiltrate Google searches
• Massive faux-CNN spam blitz uses legit sites to deliver fake Flash
• Faked CNN spam blitz pushes fake Flash
• Danchev: Anti-fraud site DDOS attack
• Sony PlayStation site victim of SQL-injection attack
• Fake CNN Alert Still Spreading Malware
• Look Ma, I'm on CIA.gov

Research and News Articles covering my research and referencing me throughout - 2009:

UPDATE: It appears that an unknown group of people is attempting to communicate with me using a transmitter on my mouth using plastic paper in their mouth.

UPDATE: It appears that someone is permanently trying to hide my eyes using plastic paper apparently using a transmitter that's been apparently placed on my mouth. It also appears that the person behind the transperant is attempting to move closely thereby ruining my equipment and life-being.

UPDATE: It appears that the transperant is operated by someone relying on lenses including bottles to map and touch-point related activities of an individual in place following persistent harassment and life-being manipulation.


In a related news article - "ZDNet Security Blogger Goes Missing in Bulgaria" covering my disappearance I came across to a juicy comment referencing the work of a well-known artist which leads me to research a little bit further leading me to the following CD/Vinyl label - "Blue Sabbath Black Cheer / Griefer ‎– We Hate You / Dancho Danchev Suck My Dick" courtesy of the the following individual.


Take into consideration the following brief post regarding the associated individual:

"It's 2010 and I'm stumbling upon a defaced image of my head shot (circa 2006). I never actually bothered about what others say, even when they insist that I'm maliciously enjoying the fact that I profile, expose, and disrupt cybercrime campaigns when there's no time for enjoyment, as the stakes are too high.

The defaced headshot is part of the released back in 2010 album "We Hate You/Dancho Danchev S*ck my D*ck" by the Blue Sabbath Griefer group.



So who's behind this "black PR" campaign? Who's the mysterious Photoshop-er? It's a Canadian music artist called Ron Brogden, who spends his spare time coding for hire, when he's not photoshoping my headshots.

Hatred-friendly domain name reconnaissance:
deterrent.net - 95.142.172.70 - Email: slave@codegrunt.com
Domain owner: Ron Brogden, Secondary emai: moron@industrial.org
Music Label Address: P.O. Box 8021; Victoria, BC, Canada; V8W 3R7
Home address: 647 Speed Avenue, Victoria, British Columbia, V8Z 1A5
Phone: +1.250-360-0372; +1.250-381-0088

Responding to the same IP are also the following domains operated by Ron:
codegrunt.com
deterrent.net
industrial.org
nuckflix.com"



In terms of my 2010 disappearance I also recently came across to the following screenshots courtesy of the cybercrime-friendly forum Darkode courtesy of an individual known as Xylitol discussing my disappearance including a possible Hitman Request charging at $10,000. Unfortunately, the screenshots were taken using the name of Nassef with whom Xylitol shared his accounting details with me including the taking of the screenshots.







UPDATE: It appears that my 2010's disappearance is slowly turning into a modest kidnapping attempt on behalf of Bulgarian law enforcement in constitution with DANS (State Agency for National Security) who appear to have been operating a long-turn operation to ruin my reputation intellectual property and work relationships successfully holding me a hostage for a period of seven years following a long-run kidnapping and harassment attempts leading to a ruined career intellectual property violation and work relationships.

Operating a remotely-operated gas pomp with azbest targeted at my place Bulgarian law enforcement in constitution with DANS (State Agency for National Security) appear to have successfully tracked down and manipulated my life-being following a successful set of long-run kidnapping and harassment attempts leading to a successfully ruined career intellectual property violation and work relationships.

It appears that Bulgarian law enforcement in constitution with DANS (State Agency for National Security) have placed remote stickers on my place and have managed to successfully map my place leading to a successful illegal entry courtesy of an unknown person followed by another unknown person supposedly a colleague followed by an illegal entry courtesy of unknown police officers who took my ID an escorted me to a local institution without explaining the reason for holding me hostage there.

It appears that the group is operating a transperant using feelings to map and touch point related activities of the individuals in place following a successful kidnapping and harassment attempt leading to illegal entry and possible kidnapping attempt. It appears that Bulgarian law enforcement in constitution with DANS (State Agency for National Security) have managed to place a plastic sticker in my mouth leading to a successful monitoring and tracking including the use of a transperant leading to a successful kidnapping and harassment attempt leading to a ruined career intellectual property violation and work relationships.

UPDATE: Great News: Missing Cybersecurity Expert Dancho Danchev Is No Longer Missing, We need help with the strange disappearance of Dancho Danchev, Security Researcher, Cybercrime Foe Goes Missing, Dancho Danchev: Missing cybersecurity expert, Cybercrime Blogger Vanishes After Finding Tracking Device In His Bathroom, Zero Day blogger Dancho Danchev: he's back, The Strange Disappearance of Dancho Danchev, We need help with the strange disappearance of Dancho Danchev, Mystery Surrounds Cyber Security Blogger Dancho Danchev’s Whereabouts, Update on Dancho Danchev, ZDNet Security Blogger Mysteriously Disappears, ZDNet Blogger Disappears Mysteriously In Bulgaria, ZDNet Blogger Disappears Under Mysterious Circumstances


UPDATE: Prior, to, my, stay, in, another, town, I, was, contacted, by, Riva Richmond, (riva@rivarichmond.com), and, set, up, a, meeting, to, discuss, a, potential, New York Times, article.



UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, the, same, person, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, released, by, another, person, known, as, Nesho Sheygunov (https://www.facebook.com/nesho.sheygunov).

UPDATE: While, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, another, person, that, I, know, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), was, taken, to, the, room, where, I, was, confined, and, I, spent, a, night, in, the, corridor.


UPDATE: While, I, was, taken, to, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, months, I, had, my, phone, taken, and, I, was, confined.

UPDATE: While, I, was, taken, out, of, my, place, to, an, unknown, car, the, fuel, was, charged, to, someone, that, I, know.

UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), I, was, offered, to, take, vitamins.


UPDATE: My, place, was, recently, visited, by, unknown, men, taking, me, to, local, police, department (hxxp://troyan-police.com; police_troyan@abv.bg), and, asking, me, to, write, that, my, equipment, was, interfering, with, that, of, local, police, department.

UPDATE: It, appears, that, someone, has, taken, the, time, and, effort, to, take, a, t-shirt, of, mine.

UPDATE: Prior, to, my, visit, at, a, local, hotel, (hxxp://central-hotel.com/en; central@central-hotel.com), some, of, my, clothes, were, missing.


UPDATE: It, appears, that, my, place, was, recently, supposedly, visited, by, Plamen, Dakov (hxxp://universalstroi.com), Hristo, Radionov (hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and, Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), who, left, money, for, me.

UPDATE: Prior, to, my, attendance, in, a, local, institution (dpblovech@abv.bg), Ivailo, Dochkov (hxxp://www.facebook.com/ivodivo), tried, to, meet, me.




Prior, to, my, accommodation, I, was, contacted, by, Pauline, Roberts (pauline.roberts@ic.fbi.gov), who, recommended, me, to, Yavor, Kolev (javor.kolev@gmail.com), and, Albena, Spasova (albaadvisors@gmail.com), from, Bulgarian, local, authorities, followed, by, a, series, of, communication.

Prior, to, returning, to, my, place, in, 2011, my, house, was, vandalized, by, three, police, officers (hxxp://troyan-police.com; police_troyan@abv.bg), from, the, local, police, department, who, entered, my, house, in, particular, my, bedroom, and, unpolitely, asked, my, to, dress, while, showing, me, a, copy, of, my, personal, ID, that, I, haven't, presented, and, taking, me, to, an, unknown, car, without, explaining, the, reason, for, taking, me.







Sample Email communication between me, Pauline Roberts, Javor Kolev and Albena Spasova circa 2010:

Original message sent by Pauline Roberts - 2010

Second email received from Pauline Roberts - 2010



Original response issued to Pauline Roberts, Javor Kolev, and Albena Spasova - 2010 - Part Two
 Original message received by Albena Spasova - 2010


 Original response issued by Javor Kolev - 2010



 Original response issued by Javor Kolev - 2010 - Part Two


 Original response issued to Javor Kolev - 2010 - Part Two





 Original response issued to Javor Kolev - 2010









A, few, hours, later, I, find, myself, located, in, an, institution (dpblovech@abv.bg), for, a, period, of, three, months, without, anyone, explaining, the, reason, for, holding, me, there.

Upon, entering, I, had, my, phone, taken, without, having, received, any, sort, of, explanation, for, taking, me, and, holding, me, there.

UPDATE: My most recent visit to local police department was to announce a possible food-poisoning and I was told not to live in my place.

Given, this, circumstances, I, feel, that, it, has, become, highly, unproductive, to, continue, my, work, and, therefore, I'm, currently, seeking, a, permanent, relocation, including, a, possible, full, time, career, opportunity, in, the, field, of, cybercrime, research, security, blogger, or, threat, intelligence, analyst.

In case you're aware of someone looking to hire full-time threat intelligence analyst cybercrime researcher or a security blogger feel free to approach me at dancho.danchev@hush.com