Tuesday, December 01, 2020

Exposing Emotet's Modern Infrastructure - A Case Study on Tracking Down and Shutting Down Abusive Malware In Direct Cooperation with Abuse Departments


In this post I make an official attempt to help bring the Emotet botnet offline. I publish previously unreleased OSINT-style research on the actual C&C infrastructure behind Emotet, which remains one of the most prolific botnets to date, with the aim of coordinating a take-down in direct cooperation with multiple international ISPs and their abuse departments.


Sample known Emotet C&C infrastructure servers (defanged with hxxp://):

hxxp://109.123.78.10

hxxp://66.54.51.172

hxxp://108.161.128.103

hxxp://195.210.29.237

hxxp://5.35.249.46

hxxp://5.159.57.195

hxxp://206.210.70.175

hxxp://88.80.187.139

hxxp://188.93.174.136

hxxp://130.133.3.7

hxxp://162.144.79.192

hxxp://79.110.90.207

hxxp://72.18.204.17

hxxp://212.129.13.110

hxxp://66.228.61.248

hxxp://193.171.152.53

hxxp://129.187.254.237

hxxp://178.248.200.118

hxxp://133.242.19.182

hxxp://195.154.243.237

hxxp://80.237.133.77

hxxp://158.255.238.163

hxxp://91.198.174.192

hxxp://46.105.236.18

hxxp://205.186.139.105

hxxp://72.10.49.117

hxxp://133.242.54.221

hxxp://198.1.66.98

hxxp://148.251.11.107

hxxp://213.208.154.110

hxxp://192.163.245.236

hxxp://88.80.189.50

hxxp://185.46.55.88

hxxp://173.255.248.34

hxxp://104.219.55.50

hxxp://200.159.128.19

hxxp://198.23.78.98

hxxp://70.32.92.133

hxxp://192.163.253.154

hxxp://192.138.21.214

hxxp://106.187.103.213

hxxp://162.144.80.214

hxxp://128.199.214.100

hxxp://69.167.152.111

hxxp://46.214.107.142

hxxp://195.154.176.172

hxxp://106.186.17.24

hxxp://74.207.247.144

hxxp://209.250.6.60

hxxp://142.34.138.90

hxxp://74.217.254.29

hxxp://212.48.85.224

hxxp://167.216.129.13

hxxp://91.194.151.38

hxxp://162.42.207.58

hxxp://104.28.17.67

hxxp://8.247.6.134

hxxp://5.9.189.24

hxxp://78.129.213.41

hxxp://184.86.225.91

hxxp://107.189.160.196

hxxp://88.208.193.123

hxxp://50.56.135.44

hxxp://184.106.3.194

hxxp://185.31.17.144

hxxp://67.19.105.107

hxxp://218.185.224.231


The following additional IP addresses are also part of Emotet's C&C infrastructure:

103.201.150.209

104.131.11.150

104.131.208.175

104.236.151.95

104.236.246.93

104.236.99.225

105.224.171.102

109.104.79.48

109.73.52.242

111.67.12.221

112.72.9.242

115.124.109.85

115.71.233.127

117.218.133.244

125.99.106.226

125.99.61.162

128.199.78.227

134.196.209.126

136.243.177.26

138.201.140.110

138.219.214.164

138.68.106.4

142.4.198.249

142.93.88.16

144.139.247.220

147.135.210.39

149.62.173.247

159.203.204.126

159.65.241.220

159.65.25.128

162.144.119.216

162.217.250.243

162.243.125.212

167.114.210.191

169.239.182.217

170.247.122.37

173.212.203.26

174.136.14.100

175.100.138.82

176.250.213.131

176.31.200.136

177.242.214.30

177.246.193.139

178.62.37.188

178.79.161.166

178.79.163.131

179.14.2.75

179.32.19.219

179.40.105.76

181.134.105.191

181.15.180.140

181.15.243.22

181.16.127.226

181.171.118.19

181.189.213.231

181.198.67.178

181.231.72.200

181.28.144.64

181.28.248.205

181.39.134.122

181.48.174.242

183.82.97.25

185.129.93.140

185.86.148.222

185.94.252.27

186.138.56.183

186.144.64.31

186.22.209.16

186.23.146.42

186.23.18.211

186.4.167.166

186.4.234.27

186.83.133.253

186.86.177.193

187.149.41.205

187.163.180.243

187.163.222.244

187.178.9.19

187.188.166.192

187.189.195.208

187.242.204.142

188.166.253.46

189.180.84.115

189.196.140.187

189.209.217.49

190.1.37.125

190.102.226.91

190.112.228.47

190.113.233.4

190.117.206.153

190.145.67.134

190.147.12.71

190.186.203.55

190.186.221.50

190.189.112.116

190.189.204.100

190.19.42.131

190.193.131.141

190.230.60.129

190.246.166.217

190.25.255.98

190.36.88.98

190.55.39.215

190.72.136.214

190.97.10.198

191.97.116.232

195.242.117.231

196.6.112.70

197.211.244.6

198.58.114.91

200.107.105.16

200.123.101.90

200.24.248.206

200.28.131.215

200.32.61.210

200.43.231.10

200.57.102.71

200.58.171.51

200.58.83.179

200.80.198.34

200.85.46.122

201.199.89.223

201.212.24.6

201.219.183.243

201.220.152.101

201.231.44.78

201.238.152.20

201.251.229.37

201.252.229.169

202.83.16.150

203.25.159.3

205.186.154.130

206.189.98.125

211.63.71.72

212.71.234.16

213.120.104.180

216.98.148.136

216.98.148.156

217.113.27.158

217.13.106.160

217.92.171.167

219.74.237.49

222.214.218.136

222.214.218.192

225.153.252.228

77.122.183.203


Sample actionable intelligence on Emotet's C&C infrastructure:
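Added example (my own code, not material from the original post): a small Python script that turns the defanged lists above into a validated blocklist and runs it over sample proxy log lines. The IOC subset and the squid-style log lines below are constructed for illustration. The validation step matters in practice: one entry in the list above, 225.153.252.228, falls inside 224.0.0.0/4 (IPv4 multicast), so it cannot be a C&C host and is almost certainly a transcription error; the script rejects it instead of pushing it into a firewall rule.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed subset of the indicators published above (not the full list).
# Mixed on purpose: defanged hxxp:// entries, bare IPs, one duplicate and one
# multicast address, to exercise normalisation and validation.
RAW_IOCS = """
hxxp://109.123.78.10
hxxp://66.54.51.172
hxxp://5.35.249.46
109.123.78.10
103.201.150.209
225.153.252.228
"""

# Constructed squid-style access log lines (not taken from any real system).
SAMPLE_LOG = """
1606800001.123    245 10.0.0.15 TCP_MISS/200 1234 GET http://109.123.78.10/wp-content/ - HIER_DIRECT/109.123.78.10 text/html
1606800002.456    180 10.0.0.22 TCP_MISS/200 980 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1606800003.789    300 10.0.0.15 TCP_MISS/404 512 POST http://103.201.150.209/ - HIER_DIRECT/103.201.150.209 text/html
"""

_DEFANG_PREFIX = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Strip the hxxp:// defanging prefix and any path, leaving the host part."""
    host = _DEFANG_PREFIX.sub("", ioc.strip())
    return host.split("/", 1)[0]


def normalize_iocs(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Deduplicate and validate one IOC per line.

    Returns (blocklist, rejected): blocklist is a numerically sorted list of
    routable unicast IPv4 addresses; rejected maps each bad entry to a reason.
    """
    valid = set()
    rejected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(refang(line))
        except ValueError:
            rejected[line] = "not an IP address"
            continue
        if addr.is_multicast:
            rejected[line] = "multicast (224.0.0.0/4), cannot be a C&C host"
        elif addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
            rejected[line] = "non-routable"
        else:
            valid.add(str(addr))
    blocklist = sorted(valid, key=ipaddress.ip_address)
    return blocklist, rejected


def match_log(log_text: str, blocklist: Iterable[str]) -> List[str]:
    """Return the log lines that mention a blocklisted IP anywhere
    (request URL or upstream peer field), so both direct and proxied hits show up."""
    wanted = set(blocklist)
    return [
        line for line in log_text.splitlines()
        if line.strip() and any(ip in wanted for ip in _IPV4.findall(line))
    ]


if __name__ == "__main__":
    ips, bad = normalize_iocs(RAW_IOCS)
    print("blocklist:", ips)
    print("rejected:", bad)
    for hit in match_log(SAMPLE_LOG, ips):
        print("HIT:", hit)
```

Matching on every IPv4 token in the line, rather than only on the URL host, catches the case where the request goes to a hostname but the proxy's upstream peer field still shows the C&C address.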






Abuse Departments Primary Contact Points Involved in this Take Down Campaign Include:
noc@premianet.com
eig-abuse@endurance.com
cschelp@gov.bc.ca
complaints@cari.net
abuse@youbroadband.in
abuse@websupport.sk
abuse@webfusion.com
abuse@vps.net
abuse@trueinternet.co.th
abuse@tpnet.co.nz
abuse@telstra.net
abuse@telkomsa.net
abuse@tektonic.net
abuse@softlayer.com
abuse@skymedia.mn
abuse@sky.uk
abuse@rackspace.com
abuse@ovh.net
abuse@ovh.ca
abuse@nextlayer.at
abuse@netnames.com
abuse@mediatemple.net
abuse@lrz.de
abuse@liquidweb.com
abuse@linode.com
abuse@hetzner.com
abuse@hathway.net
abuse@fu-berlin.de
abuse@fasthosts.co.uk
abuse@expedient.com
abuse@dxc.com
abuse@dion.ne.jp
abuse@digitalocean.com
abuse@contabo.de
abuse@cloudflare.com
abuse@btopenworld.com
abuse@bluehost.com
abuse@atlantic.net
abuse@as47195.net
abuse@akamai.com
abuse@actcorp.in
abuse@123-reg.co.uk
sainfo@netsuite.com
support@premianet.com
noc@inap.com
noc@cybertrails.net
ipaddressing@level3.com
info@mellowhost.com
ipadmin@gov.bc.ca
network@cari.net
admin@armourcloud.io
gr.sridhar@youbroadband.co.in
info@websupport.sk
abuse@uk2group.com
ipadmin@trueinternet.co.th
tim@initech.co.nz
addressing@telstra.net
pieter@saix.net
abuse@telekom.de
matta@tektonic.net
abuse@ta.telecom.com.ar
ipadmin@softlayer.com
curtis1977@us.ibm.com
soyoloo@skymedia.mn
hostmaster@sky.uk
abuse@rapidswitch.com
hostmaster@rackspace.com
noc@ovh.net
abuse@online.net
ripe@online.net
noc@nextlayer.at
sys-ripe@netnames.com
dnsadmin@mediatemple.net
ipadmin@lrz.de
ipadmin@liquidweb.com
support@linode.com
abuse@hostturka.com
abuse@hostopia.com.au
ripe@hetzner.com
abuse@hekko.pl
vijaym@hathway.net
admin-c@fu-berlin.de
networks@fasthosts.com
ipm@expedient.com
abuse@esds.co.in
ipaddr@dxc.com
rir@cloudflare.com
btretail.ipam@bt.com
eig-net-team@endurance.com
eig-noc@endurance.com
ip-admin@atlantic.net
noc@as47195.net
ip-admin@akamai.com
tech.support@incredible.actcorp.in
ip-admin@actcorp.in
ripe@webfusion.com
sknetwork2012@gmail.com
hostmaster@twl-kom.de
idc_sales@daou.co.kr
hostmaster@bsnl.in
alejandro@patagoniadata.com.ar
jpinazo@axarnet.es
hello@syn.one
operations@hostafrica.co.za
nestorbonfante66@gmail.com
nic_tech@megacable.com.mx
ipadmin@tigo.com.co
admin.internet.co@telefonica.com
tasamail.ar@telefonica.com
adminternet@une.net.co
noc@megaservers.de
wimpie@letaba.net
andrew.alston@liquidtelecom.com
domains@send.itto.us
tech@duruan.co.kr
albert@web.am
pda@1b.hu
hostmaster@singnet.com.sg
anti-spam@ns.chinanet.cn.net
avmc@ctvnet.dp.ua
d.pastian@terralink.de
claude.demuth@lu-cix.lu
scharwitzl@bmlv.gv.at
bz@giganet.hu
mass-ripe@heg.com
noc@wikimedia.org
hostmaster@nic.ad.jp
noc@digitalocean.com
noc@next-gen.ro
rir-admin@fastly.com

Sample hostnames acting as Emotet C&C infrastructure servers:

zabbix-sakura2.anthill.jp

www.zedat.fu-berlin.de

www.snowmobile.gov.bc.ca

www.netdoktor.at

www.cceca.ca

www.bmlv.gv.at

www-riedle.transfermarkt.de

wp308.webpack.hosteurope.de

vps.cournoyer17.info

vmh17370.hosting24.com.au

vmd61678.contaboserver.net

universidadedoingles.com.br

twojj.com

trc-200-107-105-16.trcnet.com.ar

text-lb.esams.wikimedia.org

testwerk.org

static.bb.ahd.117.218.133.244.bsnl.in

static.24.189.9.5.clients.your-server.de

static.110.140.201.138.clients.your-server.de

static.107.11.251.148.clients.your-server.de

static-ip-cr1901471271.cable.net.co

static-ip-cablemodem-190.186.221.50.cotas.com.bo

static-ip-cablemodem-190.186.203.55.cotas.com.bo

static-ip-adsl-200.58.171.51.cotas.com.bo

static-200-58-83-179.supernet.com.bo

static-190-25-255-98.static.etb.net.co

snaplive.org

shopping.netsuite.com

server90240.uk2net.com

server88-208-193-123.live-servers.net

server.driveclassic.com

sapper.ethii.com

rtw7-rfpn.accessdomain.com

rs250366.rs.hosteurope.de

roadbikesales.com.au

rmolina.mx

rb2.leevee.it

popdesigngroup.com

pd95caba7.dip0.t-ipconnect.de

ovz06.gamesdom.com

ny-1.robbiebyrd.com

ns2.hospemex.com

ns2.datatrust.com.br

niotek.vservers.es

mail2.rhubarb-cs.com

mail.ps4hacked.es

mail.behaplastik.com

lvps109-104-79-48.vps.webfusion.co.uk

li89-144.members.linode.com

li695-139.members.linode.com

li616-91.members.linode.com

li318-248.members.linode.com

li301-131.members.linode.com

li299-166.members.linode.com

lasvegas-nv-datacenter.com

israel-studies.com

ip.77.122.183.203.dynamic.krr.volia.net

host90.200-123-101.static.telmex.net.ar

host37.170-247-122.netacebal.com.ar

host233-004.vccfranck.com.ar

host22.181-15-243.telecom.net.ar

host213-120-104-180.in-addr.btopenworld.com

host190.102.226.91.dynamic.pacificonet.cl

host181-189-213-231.wilnet.com.ar

host169.201-252-229.telecom.net.ar

host140.181-15-180.telecom.net.ar

host129.190-230-60.telecom.net.ar

host.thehiddencollective.com

host-186-4-234-27.netlife.ec

host-186-4-167-166.netlife.ec

host-181-16-127-226.telered.com.ar

hirlevel.uniweb.hu

hh4.secureserver.net.nz

h2041.gfsrv.net

gbg1.0x0.network

fixed-187-189-195-208.totalplay.net

enterprise.hellokrd.net

dynamic-ip-18686177193.cable.net.co

dynamic-ip-18683133253.cable.net.co

dynamic-ip-1861446431.cable.net.co

dsrecordings.com

dsl-189-180-84-115-dyn.prod-infinitum.com.mx

dsl-187-149-41-205-dyn.prod-infinitum.com.mx

dmj.southo.net

dinamic-tigo-179-14-2-75.tigo.com.co

customer.megaservers.de

customer-tgz-204-142.megared.net.mx

customer-smal-140-187.megared.net.mx

customer-qro-214-30.megared.net.mx

customer-col-193-139.megared.net.mx

customer-201-219-183-243.megacable.com.ar

cpe-190-55-39-215.telecentro-reversos.com.ar

cpe-186-23-18-211.telecentro-reversos.com.ar

cpe-186-23-146-42.telecentro-reversos.com.ar

cpe-186-22-209-16.telecentro-reversos.com.ar

comadosa.mx

cm-134-196-209-126.revip18.asianet.co.th

cable-181-134-105-191.une.net.co

bscloud.vps.wbsprt.com

bsbdb01.bsb.lrz.de

broadband.actcorp.in

bcairquality.ca

bb219-74-237-49.singnet.com.sg

b0fad583.bb.sky.com

aol-dial-200-57-102-71.zone-0.ip.static-ftth.axtel.net.mx

act2028316150.broadband.actcorp.in

a184-86-225-91.deploy.static.akamaitechnologies.com

82-138-100-175.static.youbroadband.in

78-44-231-201.fibertel.com.ar

64-144-28-181.fibertel.com.ar

62.4e.17c6.ip4.static.sl-reverse.com

505139.vps-10.com

46-214-107-142.next-gen.ro

40-24-mail.arylump.net

39.ip-147-135-210.eu

368940.customer.zol.co.zw

217-166-246-190.fibertel.com.ar

212-129-13-110.rev.poneytelecom.eu

210.advance.com.ar

205-248-28-181.fibertel.com.ar

201-251-229-37.mrse.com.ar

201-212-24-6.cab.prima.net.ar

200.80.198.34.static.techtelnet.net

200-72-231-181.cab.prima.com.ar

200-28-131-215.baf.movistar.cl

200-159-128-19.winfnet.com.br

20.201-238-152.etapanet.net

198-1-66-98.unifiedlayer.com

195-154-243-237.rev.poneytelecom.eu

195-154-176-172.rev.poneytelecom.eu

192.218.214.222.broad.ab.sc.dynamic.163data.com.cn

192-163-253-154.unifiedlayer.com

192-163-245-236.unifiedlayer.com

190-97-10-198.bvconline.com.ar

190-72-136-214.dyn.dsl.cantv.net

190-36-88-98.dyn.dsl.cantv.net

190-1-37-125.bvconline.com.ar

19-118-171-181.fibertel.com.ar

189-209-217-49.static.axtel.net

187-178-9-19.dynamic.axtel.net

187-163-222-244.static.axtel.net

187-163-180-243.static.axtel.net

183-56-138-186.fibertel.com.ar

179-40-105-76.mrse.com.ar

164.214.219.138.dynamic.grupoequis.com.ar

162-144-80-214.unifiedlayer.com

162-144-79-192.unifiedlayer.com

162-144-119-216.unifiedlayer.com

141-131-193-190.cab.prima.net.ar

136.218.214.222.broad.ab.sc.dynamic.163data.com.cn

131-42-19-190.fibertel.com.ar

116-112-189-190.cab.prima.net.ar

105-224-171-102.south.dsl.telkomsa.net

101.152.220.201.itc.com.ar

100-204-189-190.cab.prima.net.ar
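Added example (my own code, not from the original post): many of the hostnames above are ISP reverse-DNS names that encode the customer's IP address in the label, in several layouts: dash-separated, dot-separated, reversed octets (as in the your-server.de and 163data.com.cn entries), the OVH rotation seen in 39.ip-147-135-210.eu, and separator-less digit runs such as dynamic-ip-18686177193. The Python below extracts candidate addresses from such hostnames and keeps only those that also appear in the IP list, which ties the two lists together and filters the noise that digit-run splitting produces. The hostname and IP subsets are taken from the lists above; the hex-encoded SoftLayer form (62.4e.17c6.ip4.static.sl-reverse.com) is not handled.

```python
import re
from itertools import product
from typing import Dict, Iterable, Optional, Set

# Subset of the hostnames published above; the last two carry no usable address.
SAMPLE_HOSTNAMES = [
    "static-ip-cablemodem-190.186.221.50.cotas.com.bo",
    "host213-120-104-180.in-addr.btopenworld.com",
    "192.218.214.222.broad.ab.sc.dynamic.163data.com.cn",
    "static.24.189.9.5.clients.your-server.de",
    "dynamic-ip-18686177193.cable.net.co",
    "39.ip-147-135-210.eu",
    "a184-86-225-91.deploy.static.akamaitechnologies.com",
    "li89-144.members.linode.com",
    "www.netdoktor.at",
]

# Subset of the IP list published above, used as the "known C&C" set.
KNOWN_C2_IPS = {
    "190.186.221.50", "213.120.104.180", "222.214.218.192", "5.9.189.24",
    "186.86.177.193", "147.135.210.39", "184.86.225.91",
}

_DIGIT_RUN = re.compile(r"\d+")


def _octet_ok(s: str) -> bool:
    """1-3 digits, no leading zero (except "0"), value 0-255."""
    return 1 <= len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def split_digit_run(run: str) -> Set[str]:
    """Every way to cut a separator-less digit string into four valid octets,
    e.g. "18686177193" -> {"186.86.177.193"}. Ambiguous runs yield several."""
    out: Set[str] = set()
    for lens in product((1, 2, 3), repeat=4):
        if sum(lens) != len(run):
            continue
        parts, pos = [], 0
        for n in lens:
            parts.append(run[pos:pos + n])
            pos += n
        if all(_octet_ok(p) for p in parts):
            out.add(".".join(parts))
    return out


def embedded_ip_candidates(hostname: str) -> Set[str]:
    """Candidate IPv4 addresses encoded in a reverse-DNS style hostname.

    For every window of four digit groups it tries the forward order (a-b-c-d),
    the reversed order (d.c.b.a, as in your-server.de and 163data.com.cn names)
    and the rotated order (d.ip-a-b-c, the OVH layout); separator-less runs of
    4-12 digits are split into octets. Candidates are noisy by design; filter
    them against a trusted set with correlate().
    """
    runs = _DIGIT_RUN.findall(hostname)
    cands: Set[str] = set()
    for i in range(len(runs) - 3):
        a, b, c, d = runs[i:i + 4]
        if all(_octet_ok(o) for o in (a, b, c, d)):
            cands.add(f"{a}.{b}.{c}.{d}")
            cands.add(f"{d}.{c}.{b}.{a}")
            cands.add(f"{b}.{c}.{d}.{a}")
    for run in runs:
        if 4 <= len(run) <= 12:
            cands |= split_digit_run(run)
    return cands


def correlate(hostnames: Iterable[str], known_ips: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the known C&C IP it encodes, or None if none matches."""
    known = set(known_ips)
    result: Dict[str, Optional[str]] = {}
    for h in hostnames:
        hits = sorted(embedded_ip_candidates(h) & known)
        result[h] = hits[0] if hits else None
    return result


if __name__ == "__main__":
    for host, ip in correlate(SAMPLE_HOSTNAMES, KNOWN_C2_IPS).items():
        print(f"{ip or '-':>16}  {host}")
```

A hostname that resolves to None is either a real hosting name (a compromised web server, such as www.netdoktor.at) or an rDNS layout the parser does not know; both are worth a manual look, but for a different reason, which is why the two lists should be reconciled before abuse reports go out.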

Stay tuned!

Threat Intelligence - An Adaptive Approach to Information Security - Free Consultation Available


Dear blog readers, as of today I'm making publicly available my portfolio of services, including active threat intelligence gathering and processing, cybercriminal and network asset profiling, real-life personalization of malicious actors, OSINT analyses, in-depth understanding and processing of tactics, techniques and procedures (TTPs), and the production of custom, timely and relevant managed or on-demand client-tailored reports and analysis briefs covering managed security blogging and conference attendance, cybercrime, malware, botnets and threat intelligence, including coverage of geopolitically relevant cyber threat assessments.

The portfolio of services includes, but is not limited to:
Real-time, managed or on-demand analysis briefs and report production:
- analysis briefs and timely and relevant reports covering cybercrime, malware, botnets and threat intelligence, including but not limited to tactics, techniques and procedures (TTPs) and real-life personalization of cybercriminals and network assets

Geopolitically relevant and geographically selected threat intelligence gathering and processing reports:
- geopolitically relevant coverage of selected geographic regions covering cybercrime, malware, botnets and threat intelligence, including but not limited to tactics, techniques and procedures (TTPs) and real-life personalization of cybercriminals and network assets

Managed security blogging and conference presentation attendance:
- threat intelligence processing as a service, including but not limited to the managed processing and communication of gathered threat intelligence to a selected set of audiences, including but not limited to security blogging and conference attendance on behalf of a selected enterprise, further positioning its expertise and reaching out to selected clients

Managed tactics, techniques and procedures (TTPs) gathering, processing and analysis reports:
- in-depth understanding of tactics, techniques and procedures (TTPs) relevant to a specific cybercrime group, geopolitically relevant region or selected geographic region

Approach me at dancho.danchev@hush.com

Enjoy!

Dancho Danchev's Threat Data - How to Request Free Access Including a Christmas Discount

Dear blog readers, I wanted to let everyone know that I'm currently offering unlimited and exclusive access to Threat Data, the World's Most Comprehensive Threats Database, in the true spirit of the Christmas season to a selected set of individuals and organizations that approach me at dancho.danchev@hush.com

Key Summary Points:
- the platform basically represents the majority of proprietary Threat Intelligence type of research that I produce on a daily basis
- the platform is populated daily with a variety of proprietary Threat Intelligence research data, IoCs (Indicators of Compromise) and hundreds of enriched Tactics, Techniques and Procedures, including proprietary OSINT analysis and research, to help you and your organization stay on top of your game and to ensure that your organization's infrastructure and situational awareness remain ahead of the cybercriminals and competitors that affect your organization's infrastructure
- the portfolio of covered verticals includes: Malware Campaigns, Phishing Campaigns, Spam Campaigns, IM Malware Campaigns, Social Media Malware Campaigns, Mobile Malware Campaigns, Mac OS X Malware Campaigns, Blackhat SEO Campaigns, Fraud, Pharmaceutical Scams, Money Mule Recruitment, Reshipping Mule Recruitment, Malvertising Campaigns, Ransomware, Scareware

In case you're interested in obtaining free access to the service, including a possible commercial partnership with a possible high-volume Christmas season discount, feel free to approach me with the following information.

01. Your Name
02. Your Position
03. How long have you been reading my blog?
04. How has my blog helped you achieve your career goals?
05. The primary reason for requesting access?
06. How much would you or your organization be willing to invest in order to obtain access to the service?

Looking forward to receiving your access request, including possible discount-based Christmas season commercial partnership requests, at dancho.danchev@hush.com

Stay tuned!

Dancho Danchev's Blog - Open Call for Blog Contributors and Guest Bloggers

UPDATE: Do you know which is one of the World's most popular Security blogs and who's running it? 

Guess what - you've been reading it all along. Since I started this blog in December 2005, for the purpose of impressing my girlfriend and greatly inspired by a successful venture with the Astalavista Security Group circa 2003-2006, I've received over 5M page views courtesy of a loyal base of users, to whom I owe a great debt of gratitude for keeping track of my research and following my comments in real time. The time has come to expand and eventually launch a new set of products and services, including a possible Advertising Inventory, so I've decided to launch an Open Call for Blog Contributors and Guest Bloggers. Interested in writing at this blog? Feel free to approach me - dancho.danchev@hush.com

Dancho Danchev's Blog - Major Security Web Property Statistics:

Dear blog readers, friends, partners, colleagues, Security Industry friends and partners, including U.S. Intelligence Community and U.S. and International Law Enforcement friends and partners - it's been a decade since I originally decided to launch this blog, positioning it as a top Security, Threat Intelligence and Cybercrime Research Major Web Property that has attracted thousands of high-profile and loyal users throughout the decade, to whom I owe a great deal of personal thanks and admiration for following me and supporting my research and personal opinion throughout the years, including the active spreading of high-quality, never-before-published OSINT analysis and cybercrime and threat intelligence gathering type of technical analysis.

In the spirit of offering high-quality research and malicious and fraudulent campaign analysis, and of expanding my personal blog into a diverse set of new areas, including a possible Advertising Inventory offered to selected, invite-only vendors and organizations, I've decided to make an Open Call for Blog Contributors and Guest Bloggers, with the idea of keeping the spirit of my 2008-2013 series of analyses, when I was busy dominating the news with new attack vectors and attack techniques, including the profiling and tracking down of new malware and cybercrime groups.

Interested in writing at this blog? Do you have a lot to say in the area of cybercrime research and Threat Intelligence, including Privacy, Anonymity and malicious software such as botnets? Keep reading.


Who's Welcome to Approach me?
  • Academic Institutions looking for ways to properly promote their research and content by appointing a selected individual who would be responsible for offering an in-depth, never-before-published perspective on the Institution's cybercrime and malicious software research
  • Threat Intelligence Vendors looking for ways to approach a new, loyal user base and promote their research, products and services by appointing a selected individual who would be interested in communicating key vendor findings on a daily basis
  • Independent Freelancers looking to reach out to a loyal user base and receive the necessary exposure by having their articles read by thousands of loyal and selected users on a daily basis
  • Friends and Colleagues with whom I've worked in the past, or with whom I continue to work today, who might be interested in making a valuable contribution to this high-quality Web property
Interested in writing at this blog? Do you want to make a valuable contribution? Feel free to approach me at dancho.danchev@hush.com and I'll get back to you with proper access as soon as possible.

Guess Who's Still Running the Show?

Dear blog readers,

I've recently come across a very informative presentation, courtesy of my friend Jeffrey Carr from TaiaGlobal, that lists me as a major competitor in Cyber Threat Intelligence next to the DHS. Outstanding! Keep it coming, Jeff, and don't forget to check out this post detailing the inner workings of the infamous Kneber Botnet.

How to set them straight? Stay tuned!

Anyone Using XMPP/OMEMO?

Dear blog readers,

Are you interested in catching up with me in terms of current and upcoming research including possible cybercrime research and commercial threat intelligence gathering services?

Here's my XMPP/OMEMO ID: dancho.danchev@kode.im

Stay tuned!

The Armadillo Phone - A Security Review

Dear blog readers,

As many of you know, I joined forces with Team Armadillo Phone in 2019, in the position of Security Blogger, in the fight against cybercriminals, including nation-state, rogue, malicious and possibly fraudulent cyber adversaries. I wanted to say a big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for initiating a series of video conversations to better help them understand my motivation for joining the company and what exactly I can bring on board.

Among my first responsibilities are a possible Security Audit, Security Advice and Recommendations including practical implementation advice on new Privacy- and Security-themed features, reaching out to current and future customers, and active posting of new and innovative Security Research at the company's blog.

In this post I'll provide an in-depth Security Review of the Armadillo Phone in terms of its Privacy and Security features, including their relevance and importance in today's adversary-dominated Internet-based communication ecosystem, together with an introduction to some of the key features I'm looking forward to implementing and offering practical advice on: new Privacy and Security features that might greatly assist new and future customers on their way to achieving a decent degree of Privacy and Security in their Internet-based communications.

Key Features of the Device include:

- Tamper-Resistant Packing
- Device Inspection
- Secure Hardware
- Multiple Passwords
- Zero Day Protection
- Security Peripherals

Among my key proposals, which I sincerely hope will eventually make their way onto COO Rob Chaboyer's and CEO Kelaghn Noy's desks, are:
  • Security Researcher Working Space or a Security Module - the basic idea here would be to offer a built-in full-disclosure reader application, including automatic subscription to major and popular Information Security and Hacking mailing lists.
  • Built-in RSS Reader - the main idea here would be to offer Armadillo Phone users the ability to take advantage of a built-in RSS reader with a pre-defined set of major and high-profile Security and Privacy content providers.
  • Security and Privacy, Including National-Security, Journalists' Opt-In Directory - have you ever wanted to directly reach out to a high-profile Security, Privacy or National Security journalist for the purpose of sharing your opinion on a particular piece, or to share a news tip? This is the main purpose behind this particular feature.
  • Covert Channels - the main purpose behind this feature is to allow Armadillo Phone users, in particular journalists or hacktivists, to securely and covertly transmit information in a way that is basically impossible to track down or intercept.
  • Steganography - the main purpose behind this feature is to give Armadillo Phone users an alternative secure communication channel that is basically impossible to intercept, track down or censor.
Key Security and Privacy Features of the Device include:
  • AES-256-XTS block-level FDE
  • Block-level FDE instead of Android's file-based encryption
  • Scrypt work factors increased
  • Minimum 8-character alphanumeric password
  • Completely software-based
  • Keymaster and gatekeeper disabled
  • Normal password for deniable encryption
  • Secret password stored at randomized offset
  • Secret volume is hidden inside unused portion of decoy data
  • Wipe password in footer to erase device
  • Separate lockscreen password
  • Password verification order randomized at runtime to prevent timing attacks 
  • Enhanced KASLR and userland ASLR
  • Increased ASLR entropy
  • Several PaX patches ported
  • Zygote uses exec() spawning instead of fork()
  • Improved SELinux rules
  • Hardened malloc implementation
  • Stack and heap canaries detect overflows
  • Enhanced FORTIFY_SOURCE implementation
  • Function pointer protection
  • Restrictive compile-time sanitization
  • Additional attack surface reduction
  • All connections made using pinned TLS 1.2 connections with high-entropy 4096-bit certificates
  • Metadata can be further protected by enabling optional VPN
  • Verify encryption keys using manual verification, QR code, SMP or NFC
  • Chat uses OMEMO encryption
  • Email uses PGP encryption
  • Email uses randomized subjects
  • Email uses encrypted connection to keyserver and mailserver
  • Email requires 4096-bit PGP keys
  • Radio Sentinel: Monitors WiFi networks for ARP poisoning. Monitors cellular networks for 2G networks, performs sanity checks and compares cellular towers to a database of known networks
  • RAM Sentinel: Monitors temperature to prevent cold-boot attacks
  • Theft Sentinel: Connects to anti-theft beacon over BLE, alarms both beacon and phone if disconnected. If phone isn't unlocked or beacon isn't reconnected within 5 minutes the phone will shutdown. 
Based on my current experience with the device, which I've recently started using to keep in touch with friends and colleagues, I can easily say that this is one of the most advanced and technically sophisticated mobile security devices available, and it can be easily obtained from here. I sincerely hope that my research, security knowledge and technical expertise will prove highly valuable to what the Team at Armadillo Phone is currently doing.

Stay tuned!

Joining Team Armadillo Phone!

Dear blog readers,

It's a pleasure and an honor to let you know that I've recently joined forces with Team Armadillo Phone, in the position of Security Blogger, in the fight against sophisticated nation-state and rogue cyber threat actors targeting mobile devices on their way to compromising sensitive and often classified personal information. I'll definitely be looking forward to making an impact with the company through the publication of high-quality security and cyber threat research, including actively educating the company's clients and spreading information and knowledge to help them further protect their sensitive and often classified data from mobile threats courtesy of a multitude of malicious and fraudulent adversaries.

My responsibilities will include active cyber threat research on nation-state and rogue cyber adversaries, client outreach in the Security Blogger role, work on and eventual implementation of new, never-before-published privacy and security features, a Security Audit of the device in terms of possible Threat Modelling flaws, and practical, solution- and advice-oriented implementation of new privacy and security features, next to the usual nation-state and rogue cyber actor threat analysis and research that I've been doing throughout the past decade.

Perfect timing to say a big thanks to COO Rob Chaboyer and CEO Kelaghn Noy for bringing me on board and for actually taking the time and effort to go through my proposal and initiate a video conversation with me for the purpose of working together.

My initial idea is to reach out to the company's client base with security threat outreach, including the active production of high-quality security and cyber adversary research targeting mobile devices at the company's blog, a Threat Modelling Scenario Research Analysis which I intend to publish at the company's blog, a practical and solution-oriented Security Audit of the device, and the introduction of new privacy and security features.

I'll definitely be looking forward to making an impact with the company, and I'll continue publishing high-quality, never-before-published research analysis at my personal blog.

ManTech Introduces Newly Launched Cyber Security "Space Range" - An Analysis

Have you ever dreamed of launching an offensive cyber warfare payload from Space? Keep reading.

It appears that ManTech's newly launched "Space Range" cyber security simulation is truly capable of offering a fully realistic cyber security and information security simulation environment that can launch an offensive cyber warfare payload from Space, potentially signalling the presence of a sophisticated offensive cyber warfare adversary that is truly capable of making an impact and causing havoc on a wide scale.

"ManTech has embraced the challenge of identifying and capturing the unique threats and vulnerabilities in the space domain with our newest offering, the ManTech Space Range. Built upon the success of ACRE®, ManTech’s innovative and fully operational cyber range, we are expanding our robust, scalable and hyper-realistic range to encompass the unique requirements of a cyber infrastructure supporting a space enterprise. ManTech’s ACRE range and highly trained team of space and cyber professionals are unrivaled within the IC and DoD. Our offense-informed cyber defense is an integral part of how we replicate any space, ground and network environment at any classification level to tackle today’s toughest cyber threats. ManTech’s Space Range provides “the right stuff” for customers to train to defend America’s vital space enterprise from the ground up. Most importantly, ManTech’s Space Range provides leaders with the confidence that critical space communications, navigation and intelligence gathering capabilities will be available and reliable when needed most."

A logical question emerges - what really constitutes a cyber war from Space? ManTech's initiative and research in this area can truly prove valuable to U.S. National Security, including its client base, for the purpose of empowering them with the necessary "know-how" and operational capabilities to launch offensive cyber warfare campaigns from Space.

Stay tuned!

Greetings from Bulgaria - 2019 - An Intelligence Analyst's Perspective

Anyone there?

In a savagery peasant-aria which can be best described as the country where crime is supposedly prolific based on psychotropic substances and a "newspaper" courtesy -- you wish you wish -- of the basement of "someone" that thought that the CIA is running the country thanks to a "described" but supposedly "pre-scribed" leader of the country - increasing the longevity of peasant-aria land to continue vomiting in the very nothing? Not fair my friend. It shouldn't be surprising that nothing is ever taking place at all.

Keep reading.

- Key Summary Points
  • Do you know what TOR is?
  • Are you "based" on the Intelligence?
Can you best describe Bulgarian Intelligence Services? Pretty simple. It's your father's ugly Intelligence book with a vibrator on it - namely - an apparatus.
  • When did you first discover Facebook?
Let's spit and vomit and take a photo of it - isn't this fancy? Or shall we spank your digital existence based on the clustered irrelevance of your degraded social vomit? Dare to press a button once again and We Shall Prevail to the bottom of the irrelevant obfuscation of your dare existence? Not fancy.
  • Do you know who Yavor Kolev is?
And since when did it become fashionable to know who Misho Mishov is? Think twice and feel free to skip these Congressional Hearings
  • Do you have a career?
Do you "go" to work? Do you have a "career"? Can you make the difference? You wish.
  • Are you heading to the airport? 
- Don't be in a hurry - there's a toilet.

Relocation and full-time cybercrime research security blogging and threat intelligence position proposals can be directed to dancho.danchev@hush.com

Stay tuned!

Joining Team Astalavista.box.sk - Official Project Re-Launch - Join us Today!

Dear blog readers,

I wanted to take the time and let you know that I've officially joined forces with Astalavista.box.sk, the original Astalavista.box.sk search engine for hackers circa 1997 and one of the World's most popular Web sites for hackers and security experts, where I'm currently acting as Project Operator. We've recently launched a high-profile flagship search engine for hackers and security experts, with the idea of making it publicly accessible and online for free, potentially reaching thousands of loyal users across the globe on a daily basis. It can be publicly accessed from the front page of the portal or from here, alongside a flagship Dark Web search engine which can be accessed from the home page.

Currently running projects on the original Astalavista.box.sk include:
You can also browse the old version of the resurrected portal here, including the actual Call for Papers. It's also a privilege and an honor to let you know that we're currently hiring and looking for possible full-time Team Members in a variety of categories, and we intend to share some of the advertising revenue with current and upcoming Team Members.

You can also go through some of the following blog posts to catch up in terms of what we've been up to in terms of research:

Stay tuned!