Saturday, July 31, 2021

Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors - A 2021 Compilation - Free Download!

An image is worth a thousand words.

Go through my 230-page 2021 compilation on some of the most high-profile and popular cybercrime gangs and cybercriminals internationally, in the form of cyber attack and cyber threat actor attribution information which could greatly improve your vendor's or organization's situational awareness in the world of cybercrime, including cyber threat actor attribution campaigns.

Grab a copy from here.

Approach me at dancho.danchev@hush.com in case you're interested in discussing with me your cyber threat actor attribution or cyber attack or campaign attribution requirements, and I would be happy to respond as soon as possible and assist with my knowledge and expertise in the field.

Stay tuned!

Inquiry About My Disappearance Circa 2010 in Republic of Bulgaria and Possible Local Police Officers Kidnapping Attempt Report - An Analysis

Thursday, July 29, 2021

Dancho Danchev's "Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors - A 2021 Compilation" Report Available! Request a Free Copy Today!

Dear blog readers,

This is Dancho. Are you a security researcher, OSINT analyst, threat intelligence analyst, LE officer, or member of a security organization or vendor that wants to catch up with some of the latest developments in the world of cyber threat actor attribution?

UPDATE: Here's the actual link.

I've just finished working on my 2021 compilation entitled "Personally Identifiable Information Regarding Various Internationally Recognized Cyber Threat Actors" which is available on request for free to blog readers who drop me a line at dancho.danchev@hush.com seeking access to the report. Grab a copy today!

Stay tuned!

Tuesday, July 27, 2021

Two Persons on the U.S Secret Service Most Wanted Cybercriminals List Run a Managed Android Malware Enterprise Including a Black Energy DDoS Botnet - An OSINT Analysis

Dear blog readers,

This is Dancho. In this post I'll provide actionable intelligence on two individuals on the U.S Secret Service's Most Wanted Cybercriminals list, in particular Oleksandr Vitalyevich Ieremenko and Danil Potekhin, for the purpose of assisting U.S Law Enforcement on its way to track down and prosecute the individuals behind these campaigns.

In this analysis I'll offer actionable intelligence on the fact that the first individual, Oleksandr Vitalyevich Ieremenko, is currently running a profitable managed Android malware botnet business using the hxxp://agressivex.com domain for his business and is currently on the U.S Sanctions List as well.

Sample personally identifiable information for Oleksandr Vitalyevich Ieremenko:

Personal Web Site: hxxp://k0x.ru

ICQ: 123424

Personal Email: uaxakep@gmail.com

Sample personal photos of Oleksandr Vitalyevich Ieremenko and Danil Potekhin:


Sample photo showing that Oleksandr Vitalyevich Ieremenko is known to have been running a Black Energy DDoS botnet:

Sample personal photo of Danil Potekhin:


Sample personal Web site: hxxp://agressivex.com
Sample personal email: potekhinl4@bk.ru

Sample file hash known to have participated in the campaign (note that the value below is 64 hex characters long, i.e. a SHA-256 digest rather than an MD5; check the length before loading it into a hash-specific blocklist):
SHA-256: ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736

Stay tuned!

Image Courtesy of VeriSign.

Thursday, July 22, 2021

Recommended Song of the Day!

Dear blog readers,

I've decided to share a high-profile, recent track with everyone to keep up the spirit of the scene and the industry and to basically empower you to do your work more efficiently. Keep up the good work!

Stay tuned!

Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the seventh white paper, entitled "Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous WannaCry ransomware and a unique peek inside its domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active Cyber Jihad Domains Portfolio - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the sixth white paper, entitled "Exposing a Currently Active Cyber Jihad Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on various cyber jihad-themed and related domains, including their owners, and a unique peek inside their domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the fifth white paper, entitled "Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous Ashiyane Digital Security Team and a unique peek inside the domain portfolio it owns and operates, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Who's Behind the Conficker Botnet? - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the fourth white paper, entitled "Who's Behind the Conficker Botnet? - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous Conficker malware and a unique peek inside its operators' domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Using Maltego and WhoisXML API's Real-Time and Historical WHOIS Database to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the third white paper, entitled "Using Maltego and WhoisXML API's Real-Time and Historical WHOIS Database to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the infamous CoolWebSearch spyware enterprise and a unique peek inside its domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active NSO Spyware Group's Domain Portfolio - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the second white paper, entitled "Exposing a Currently Active NSO Spyware Group's Domain Portfolio - An OSINT Analysis", we decided to offer in-depth and actionable threat intelligence on the recent NSO Spyware Group campaigns internationally and a unique peek inside the group's domain portfolio, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally - An OSINT Analysis for WhoisXML API

Dear blog readers,

This is Dancho and I wanted to let everyone know of a series of recently released white papers and case studies courtesy of me for my employer - WhoisXML API detailing the activities of numerous fraudulent and malicious online gangs and enterprises.

In the first white paper, entitled "Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally", we took a sample data set consisting of the personal email addresses of well-known cybercriminal gangs and lone cybercriminals, which we obtained using technical collection, and offered a unique peek inside their domain portfolios, based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API.

Catch up with some of the previously released white papers and case studies courtesy of me here.

Stay tuned!

Monday, July 12, 2021

Profiling "Nedasites" - A DDoS Attack Tool Campaign Aiming to Target Iran Prior to the 2009 Election - An OSINT Analysis

I've recently stumbled upon a unique DDoS tool which basically entices users into downloading it and launching DDoS attacks against a pre-defined list of Iran-based government and various other Iran-based targets, and which appears to have been originally released during the 2009 election in Iran.

In this post I'll provide actionable intelligence and discuss the campaign in depth, including the actual tool, provide the actual list of targeted URLs together with the MD5 of the malicious DDoS tool, and discuss in depth the crowd-sourced DDoS campaign which was originally launched during the 2009 election in Iran.

It appears that back in 2009 a tiny group of folks, including companies, actually organized an online spree to help and support Iran's activists and protesters with technologies and access to free services, which basically violates the law and should be considered a dangerous precedent in the context of assisting Iran-based activists and protesters. Therefore I've decided to take a deeper look inside the trend that took place internationally during the 2009 Iran election and offer practical and relevant technical and actionable intelligence information on the actual infrastructure behind the campaign, including its participants.

Related domains and URLs known to have been involved in the campaign:

https://lxkghnyg2owy6scd.onion

http://iran.whyweprotest.net/

http://haystack.austinheap.com/

http://www.haystacknetwork.com/

http://iproxyiran.tk/

http://iranpetitie.wordpress.com/

https://davepack.net/retweetforiran.html

https://iranfree.cryptocloud.net/

http://servers-info.com/

MD5: 25bc5507934756a836e574e9b43f8b3a - Detection rate

Sample official download location of the actual DDoS application:

https://sites.google.com/site/nedasites

Sample targeted URLs and domains list:

http://keyhannews.ir

http://www.iran-newspaper.com

http://www.irna.com

http://www.irna.ir

http://www2.irna.com

http://www5.irna.com

http://www.irna.net

http://www.tabnak.com

http://www.farsnews.com

http://english.farsnews.com

http://shahabnews.com

http://www.rajanews.com

http://www.khamenei.ir

http://www.ahmadinejad.ir

http://www.gerdab.ir

http://www.bornanews.com

http://www.bornanews.ir

http://www.leader.ir/langs/en

http://www.president.ir/fa/

http://www.mod.ir

http://www.isna.ir

http://www.justice.ir

http://www.presstv.ir

http://www.police.ir

http://mfa.gov.ir

http://sahandnews.com

http://www.farsnews.net

HAMSEDA.IR -- theplanet.com

HAMSHAHRIONLINE.IR -- cogentco.com

AYANDENEWS.COM -- theplanet.com

ASRIRAN.COM -- theplanet.com

SHIA-NEWS.COM -- theplanet.com

SHAFAF.IR -- theplanet.com

SIBNA.IR -- theplanet.com

SAYENEWS.COM -- theplanet.com

KAYHANNEWS.IR -- theplanet.com

RESALAT-NEWS.COM -- iweb.com

DEILAMNEWS.COM -- iweb.com

KHORASANNEWS.COM -- abac.com

JAHANNEWS.COM -- theplanet.com

JARASNEWS.COM -- theplanet.com

POOLNEWS.IR -- theplanet.com

PARSINE.COM -- theplanet.com

BUSHEHRNEWS.COM -- theplanet.com

TEBNA.COM -- theplanet.com

IWNA.IR -- theplanet.com

ALBORZNEWS.NET -- theplanet.com

ERAMNEWS.IR -- theplanet.com

JOMHOURIESLAMI.COM -- iweb.com

Something else worth emphasizing in terms of the Iran 2009 election is that the U.K's GCHQ has also been busy attempting to track down protesters and activists, and has been working on an election-specific, GCHQ-owned URL shortening service which I managed to profile and expose here, including the following still active Twitter accounts and URLs known to have been involved in the GCHQ campaign to monitor and track down Iran 2009 election protesters and activists:

https://twitter.com/2009iranfree

https://twitter.com/MagdyBasha123

https://twitter.com/TheLorelie

https://twitter.com/Jim_Harper

https://twitter.com/angelocerantola

https://twitter.com/recognizedesign

https://twitter.com/akhormani

https://twitter.com/FNZZ

https://twitter.com/GlenBuchholz

https://twitter.com/enricolabriola

https://twitter.com/katriord

https://twitter.com/ShahkAm147

https://twitter.com/Pezhman09

https://twitter.com/jimsharr

https://twitter.com/blackhatcode

Stay tuned!

Sunday, July 11, 2021

Upcoming Personal Memoir - Pre-Orders Accepted!

Free Chapter - Upcoming Personal Memoir!

Friday, July 09, 2021

Historical OSINT - An Analysis of the South Korean/U.S DDoS Attacks Circa 2009

During the last couple of days, it was getting harder for me to resist publishing some of the literally moronic commentary on the DDoS attacks, thankfully not made by people I know in person or virtually. From the "we know they did it but we don't have data to prove it", to the very latest and most disturbing comment by a U.S intelligence

Why disturbing? Because that's exactly what the person -- contrary to the common wisdom you don't need a team to launch this old school amateurish HTTP request flooder --

Key summary points:

- if such a small botnet with such a noisy and amateurish request flooder can shut down the U.S FCC for days, I wonder what would have happened to the rest of the sites in the target list if the size of the botnet and the sophistication of the DDoS techniques improved


Let me continue in this line of thought - or they secretly brainwash the Teletubbies and infiltrate the hearts and minds of children across the globe, a future generation of pro-North Korean youngsters. Or they could secretly become a Russian Business Network franchise; now try sending an abuse notice to the non-existent North Korean ISPs. They could,



The Web is abuzz with news reports regarding the ongoing DDoS (distributed denial of service) attack

The attacks, which originally took off over the 4th of July weekend, target 26 South Korean and American government sites and financial institutions.




The W32.Dozer comes in the form of an email attachment.

Upon execution the trojan attempts to download the list of targets from three apparently compromised servers based in Germany, the U.S and Austria.



213.23.243.210 - Mannesmann Arcor Telecommunications AG & Co

216.199.83.203 - FDN.com 

213.33.116.41 - Telekom Austria Aktiengesellschaft


75.151.32.182


92.63.2.118

202.14.70.116

201.116.58.131

200.6.218.194

163.19.209.22

122.155.5.196

newrozfm.com

text string "get/China/DNS"

The word china within the malware code, the

http://www.virustotal.com/analisis/7dee2bd4e317d12c9a2923d0531526822cfd37eabfd7aecc74258bb4f2d3a643-1247001891

http://www.virustotal.com/analisis/1d1814e2096d0ec88bde0c0c5122f1d07d10ca743ec5d1a3c94a227d288f05a7-1246990042

http://www.virustotal.com/analisis/7c6c89b7a7c31bcb492a581dfb6c52d09dffca9107b8fd25991c708a0069625f-1246990249

http://www.virustotal.com/analisis/f9feee6ebbc3dc0d35eea8bf00fc96cf075d59588621b0132b423a4bbf4427d4-1247006555
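The two posts above (the Ieremenko/Potekhin profile and this 2009 DDoS analysis) hand the reader raw indicators in mixed shapes: defanged hxxp:// URLs, bare IPs, "DOMAIN -- hosting provider" entries and file hashes, one of which is labelled MD5 despite being 64 hex characters long. The following is an added example (my own code, not from the blog or any tool it mentions) showing how a practitioner would normalize such a list and sweep it against proxy logs. The IOC lines and the proxy log records are constructed for the example; only the indicator values themselves are taken from the posts. Hash type is inferred from length, so the mislabelled SHA-256 is handled correctly, and subdomains of a listed domain (e.g. www.kayhannews.ir for KAYHANNEWS.IR) also match.

```python
import ipaddress
import re

# Constructed IOC lines in the shapes used on this page (values transcribed
# from the two posts above; the "-- provider" suffix comes from the hosting list).
RAW_IOCS = [
    "hxxp://agressivex.com",
    "hxxp://k0x.ru",
    "213.23.243.210",
    "216.199.83.203",
    "213.33.116.41",
    "newrozfm.com",
    "KAYHANNEWS.IR -- theplanet.com",
    "http://www.farsnews.com",
    "25bc5507934756a836e574e9b43f8b3a",
    "ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736",
]

# Constructed proxy log records (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = [
    "2021-07-27T10:00:01Z 10.0.0.5 GET http://agressivex.com/panel/gate.php",
    "2021-07-27T10:00:02Z 10.0.0.7 GET http://cdn.example.org/lib.js",
    "2021-07-27T10:00:03Z 10.0.0.9 POST http://213.23.243.210/China/DNS",
    "2021-07-27T10:00:04Z 10.0.0.5 GET http://www.kayhannews.ir/",
    "this line is not a proxy record",
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)", re.I)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def classify_hash(value):
    """Return the digest type implied by a hex string's length, or None.
    A 64-character hex value is SHA-256 regardless of how the source labels it."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_LENGTHS.get(len(v))


def normalize_ioc(raw):
    """Refang and reduce one IOC line to a (kind, value) tuple."""
    s = raw.strip().split(" -- ", 1)[0]          # drop "-- hosting provider"
    s = re.sub(r"^hxxp", "http", s, flags=re.I)  # refang hxxp:// -> http://
    algo = classify_hash(s)
    if algo:
        return (algo, s.lower())
    m = HOST_RE.match(s)
    host = (m.group(1) if m else s).lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        return ("domain", host)


def build_ioc_set(raw_iocs):
    return {normalize_ioc(r) for r in raw_iocs}


def scan_proxy_log(lines, iocs):
    """Return (timestamp, client, matched_ioc) for each proxy record whose
    destination is a listed IP, a listed domain, or a subdomain of one."""
    domains = {v for k, v in iocs if k == "domain"}
    ips = {v for k, v in iocs if k == "ip"}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip malformed records
        host = HOST_RE.match(m.group("url")).group(1).lower().rstrip(".")
        if host in ips:
            hits.append((m.group("ts"), m.group("src"), host))
            continue
        labels = host.split(".")
        for i in range(len(labels) - 1):          # walk up to, not including, the TLD
            cand = ".".join(labels[i:])
            if cand in domains:
                hits.append((m.group("ts"), m.group("src"), cand))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, build_ioc_set(RAW_IOCS)):
        print(hit)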

Tuesday, July 06, 2021

Thanks, But no Thanks!

Dear blog readers,

Following a series of data mining and OSINT enrichment successes in the context of the OSINT and Law Enforcement operation called "Uncle George", including my recent attempt to take down approximately 3,000 ransomware emails, which was quite a success, and the recent and ongoing publication of various compilations of currently active high-profile cybercriminal email addresses and XMPP/Jabber accounts, I had the privilege to get several of my blog posts censored and basically taken offline courtesy of Google. This is actually good news, given that I'm currently sitting on, have been sitting on, and will continue to sit on a treasure trove of threat intelligence and cyber attack attribution information on current and emerging cyber threats. I've also received actual legal threats from various individuals who appear to have been busy closing down their Twitter, Facebook and LinkedIn accounts, which means quite a success for the actual data mining and technical collection process, where the ultimate goal is to assist U.S Law Enforcement and the U.S Intelligence Community on their way to track down and prosecute the cybercriminals.

Who wants to rock the boat with me? Request an invite-only reader access today! Sharing is caring.

Are you a long-time reader of this blog? Are you basically fascinated by the richness and the informative content on current and emerging cyber threats? Do you want to get private invite-only reader access to keep me motivated? Sharing is caring. Consider sending an introduction message to dancho.danchev@hush.com including your current position, your motivation for reading this blog and how it has helped you, and a copy of your CV, for the purpose of getting invite-only private access, which would greatly motivate me to produce high-quality, never-before-published content in an invite-only fashion.

Therefore, after approximately 12 years of active one-man operation running one of the security industry's leading security publications, my personal blog, which I originally launched in December, 2005 when I was working on https://astalavista.com while studying in the Netherlands, I've decided that the time has come to find an alternative medium to communicate the treasure trove of threat intelligence and OSINT information that I'm currently sitting on and have been sitting on throughout the past decade, with the idea to show and present the crown jewels of my research to any vetted and trusted client who's interested in my research and my proven methodology for fighting and disrupting the bad guys in a systematic and efficient way.

It's been a privilege and an honor to serve everyone's needs for approximately 12 years as an independent contractor running this blog where I've actually had the chance to meet and actually get to know some of the security industry's leading companies and actual folks working within the security industry and it will continue to be a privilege and an honor to know and work with them in the future.


What's next? Always feel free to approach me at my dancho.danchev@hush.com where you can direct your "keep up the good work" "keep it cool" and "keep up the good spirit" including to actually inquire about my expertise and how I can jump on board on your cybercrime research and threat intelligence including OSINT research and analysis project in terms of fighting cybercrime.

Awesome. 
Check this out in terms of my disappearance and possible kidnapping courtesy of Bulgaria's Law Enforcement, in the form of an illegal arrest using a stolen ID from my place and actual home molestation courtesy of local police officers who basically escorted me and held me in another town for a period of a couple of months.

Related resources:
https://twitter.com/ykolev
https://twitter.com/dansbg
https://twitter.com/bo_go
https://twitter.com/tstsvetanov/status/6051397340
https://web.archive.org/web/20091130172926/https://twitter.com/dansbg
https://web.archive.org/web/20100818222802/http://twitter.com/boiko
https://web.archive.org/web/20090523162911/http://twitter.com/sergeystanishev
https://web.archive.org/web/20091110153835/http://twitter.com/bo_go
https://twitter.com/georgeparvanov/status/93951503504654336
https://search.wikileaks.org/?query=yavor+kolev&exact_phrase=&any_of=&exclude_words=&document_date_start=&document_date_end=&released_date_start=&released_date_end=&include_external_sources=True&new_search=True&order_by=most_relevant#results
https://ddanchev.blogspot.com/2020/07/dancho-danchevs-disappearance-2010.html
https://ddanchev.blogspot.com/2019/11/dancho-danchevs-disappearance-2010.html
https://ddanchev.blogspot.com/2021/02/dancho-danchevs-disappearance-2010.html
https://ddanchev.blogspot.com/2019/04/dancho-danchevs-2010-disappearance.html
https://ddanchev.blogspot.com/2021/03/dancho-danchevs-disappearance-2010.html
https://ddanchev.blogspot.com/2020/12/how-i-got-robbed-and-beaten-and.html

God bless and let's not forget about the rest!