Wednesday, June 29, 2022

Seeking Cyber Security and Threat Intelligence Experts To Work On Collaborative Sharepoint and Microsoft Access Cyber Threat Actor Database! Approach Me Today!

Dear blog readers,

Here's the big news and I sincerely hope that you'll approach me at dancho.danchev@hush.com to discuss this project where the ultimate goal would be to come up with a commercial database including the necessary daily and weekly including monthly updates in terms of high-quality data and information on the bad guys including their online infrastructure including detailed information on their online whereabouts in a structured Microsoft Access database which we can eventually convert into a Windows Application where the ultimate goal would be to come up the actual information at the first place and then possibly introduce an API which other users can use including users who might want to purchase the full database. Feel like joining the project and working with me on the initial project taxonomy including to join the actual data entry process in your free time? Drop me a line at dancho.danchev@hush.com

Stay tuned!

Tuesday, June 28, 2022

Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware


A currently ongoing malicious campaign relying on injected iFrames at legitimate Web sites, successfully segments mobile traffic, and exposes mobile users to fraudulent legitimately looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domains portfolio currently/historically known to have been involved in this campaign, as well as list all the malicious MD5s known to have been pushed by it.

iFrame injected domains containing the mobile traffic segmentation script parked on the same IP:
asphalt7-android.org - 93.170.109.193
fifa12-android.org

gta3-android.org
fruit-ninja-android.org
wildblood-android.org
osmos-android.org
moderncombat-android.org
minecraft-android.org
googlanalytics.ws
getinternet.ws
ddlloads.com
googlecount.ws
opera-com.com
opgrade.ws
statuses.ws
ya-googl.ws
yadirect.ws
yandex-google.ws




Sample mobile malware MD5s pushed by the campaign:
MD5: e77f3bffe18fb9f5a1b1e5e6a0b8aaf8
MD5: 5fb4cc0b0d8dfe8011c44f97c6dd0aa2
MD5: 9348b5a13278cc101ae95cb2a88fe403
MD5: f4966c315dafa7e39ad78e31e599e8d0
MD5: 6f839dd29d2c7807043d06ba19e9c916
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:
123diskapp.com
1gameminecraft.ru
2010mobile.ru
absex.ru
ammla.info
and4mobiles.ru
android-apk-file.ru
android-games-skachat.ru.com
android-key.ru
android-market-apk.ru
android-market-cools.ru
android-vk.com
android7s.ru
androidcool.tk
androiderus.com
androidnns.ru
androidone.net
androidperfomance.com
androids-market.ru
androidupos.ru
24-android.ru
online-android.ru
moiandroid.ru
ktozdesj.ru
super-androids.ru


The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:
MD5: 572b07bd031649d4a82bb392156b25c6
MD5: 9685ff439e610fa8f874bf216fa47eee
MD5: 6d9dd3c9671d3d88f16071f1483faa12
MD5: 276b77b3242cb0f767bfba0009bcf3e7
MD5: aefdbdee7f873441b9d53500e1af34fa

What's also worth emphasizing on is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.
MD5: bac8f2c5d0583ee8477d79dc52414bf5
MD5: a1ae35eadf7599d2f661a9ca7f0f2150
MD5: 419fdb78356eaf61f9445cf828b3e5cf
MD5: abce96eaa7c345c2c3a89a8307524001
MD5: 93d11dc11cccc5ac5a1d57edce73ea07
MD5: 53bbad9018cd53d16fb1a21bd4738619
MD5: 15f3eca26f6c8d12969ffb1dbeead236
MD5: 72c6c14f9bab8ff95dbaf491f2a2aff6
MD5: a282b40d654fee59a586b89a1a12cac2
MD5: e0798c635d263f15ab54a839bf6bac7f
MD5: 7b1d8820cc012deac282fc72471310bd
MD5: 21fdbb9e9e13297ae12768764e169fb4
MD5: 47fa4a3a7d94dad9fac1cbdc07862496
MD5: 5e9321027c73175cf6ff862019c90af7
MD5: cfbaccc61dc51b805673000d09e99024
MD5: 8bc4dd1aff76fd4d2513af4538626033
MD5: f6a622f76b18d3fa431a34eb33be4619
MD5: c068d11293fc14bebdf3b3827e0006ac
MD5: d68338a37f62e26e701dfe45a2f9cbf2
MD5: e1c9562b6666d9915c7748c25376416f
MD5: 1dccd14b23698ecc7c5a4b9099954ae4
MD5: 47601e9f8b624464b63d499af60f6c18

Actual download location of a sample mobile malware sample:
hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124


The following mobile malware serving domains are also known to have responded to the same IP (78.140.131.124) in the past:
4apkser.ru
absex.ru
agw-railway.com
androedis.ru
android-apk-file.ru
android-update.name
android6s.ru
android7s.ru
androidappfile.name
androidaps.ru
androidbizarre.com
androidilve.ru
androidovnloads.com
androidupss.ru
apk-load.ru
apkzona.ru
bali-special.ru
com-opera.com
dml-site.ru
download-opera.com


As well as the following malicious MD5s:
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of DIY iFrame injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath the radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains


Bogus content populating Scribd, centralized malicious/typosquatted/parked domains/fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic, it doesn't get any better than this, does it?

URL redirection chain:
hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx
7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM
0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

 


Domain names reconnaissance:
papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

 
The following related domains are also registered with the same email (belcanto@hushmail.com):
4cheapsmoke.com
777payday.com
aboutforexincome.com
agroindusfinance.com
atvcrazy.com
bbbamericashop.com
bizquipleasing.com
cashforcrisis.com
cashmores-caravans.com
cashswim.com
cheapbuyworld.com
cheaptobbacco.com
cheapuc.com
debtheadaches.com
debtonatorct.com
gcecenter.com
goldforcashevents.com
studioshc.com
thestandardjournal.com
travelgurur.com
atlanticlimos.net
bethelgroup.net
caravanningnews.net
casting-escort.net
cheapersales.net
couriernetwork.net
dragonarttattoo.net
girlgeniusonline.net
madameshairbeauty.net
manchester-escort.net
mygirlythings.net
vocabhelp.net
cheapmodelships.com
financialdebtfree.com
mskoffice.com
cashacll.com
apollohealthinsurance.com
nieportal.com
playfoupets.com
wducation.com
carwrappingtorino.net
crewealexultras.net
diamondsmassage.net
isleofwightferries.org
migliojewellery.org
mind-quad.org
moneyinfo.us
2daysdietslim.com
999cashlline.com
capitalfinanceome.com
capitlefinanceone.com
captialfinanceone.com
carehireinsurance.com
cashadvaceusa.com
cashadvancesupprt.com
cashdayday.com
cashgftingxpress.com
cashginie.com
cashsoltionsuk.com
cathayairlinescheapfare.com
cheapaddidastops.com
cheapaparmets.com
cheapariaoftguns.com
cheapcheapcompters.com
cheapdealsinmalta.com
cheapdealsorlando.com
cheapeestees.com
cheapetickete.com
cheapeygptholidays.com
cheapfaresairlines.com
cheap-flighs.com
cheapflyithys.com
cheapfreestylebmx.com
cheapgoldjewelery.com
cheaphnoels.com
cheapholidaysites.com
cheaphotellakegeorge.com
cheaplawnbowls.com
cheapm1a1airsoft.com
cheapmetalsticksdiablo.com
cheapmpwers.com
cheapmsells.com
cheapotickeds.com
cheapottickets.com
cheapprotien.com
cheapryobicordlesstools.com
cheap-smell.com
cheapsmellscom.com
cheapsmes.com
cheapsscents.com
cheapstockers.com
cheapsummerdresser.com
cheaptents4sale.com
cheaptertextbooks.com
cheaptikesps.com
cheaptrainfairs.com
cheaptstickts.com
cheaptunictops.com
cheapuksupplement.com
cheapversaceclothes.com
cheapviagra4u.com
cliutterdiet.com
cocheaptickets.com
dailcheapreads.com
dcashstudious.com
debtinyou.com
diabetesdietsplans.com
dietaetreino.com
dietcetresults.com
dietcheff.com
dietdessertndgos.com
dietemaxbrasil.com
dietopan.com
discoveryremortgages.com
dmrbikescheap.com
ferrrycheap.com
financeblogspace.com
firstleasingcompanyofindia.com
firstresponcefinance.com
forexdirecotery.com
forexfacdary.com
foreximegadroid.com
forextrading2u.com
iitzcash.com
insanelycheapfights.com
insurancenbanking.com
inevenhotel.net
islamic-bank.us
italyonlinebet.com
m3motorsite.com



Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:
motors.shop.ebay.com-cars-trucks-9722711.1svvo.net
motors.shop.ebay.com-trucks-cars-922.1svvo.net
paupal.it
paypa.com.login.php.nahda-online.com
paypal-secure.bengalurban.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.3.webrocha.com
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.4.webrocha.com
paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com
paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com
paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27bc.

darealsmoothvee.com
paypal.it.bengalurban.com


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):
MD5: 7fa7500cd90bd75ae52a47e5c18ba800
MD5: 84b28cf33dee08531a6ece603ca92451
MD5: f04ce06f5b1c89414cb1ff9219401a0e
MD5: b2019625e4fd41ca9d70b07f2038803e
MD5: 6cfb98ac63b37c20529c43923bcb257c
MD5: 04641dbafe3d12b00a6b0cd84fba557f
MD5: 02476b31f2cdc2b02b8ef1e0072d4eb2
MD5: 0d5a69fa766343f77630aa936bb64722
MD5: 57f7520b3958031336822926ed0d10b5
MD5: 00d08b163a86008cbe3349e4794ae3c0
MD5: 8dd2223da1ad1a555361c67794eb7e24
MD5: 737309010740c2c1fba3d989233c199c
MD5: eb3043e13dd8bb34a4a8b75612fe401e
MD5: eb4737492d9abcc4bd43b12305c4b2fc
MD5: 6257b9c3239db33a6c52a8ecb2135964
MD5: 481366b6e867af0d47a6642e07d61f10
MD5: d58b7158b3b1fb072098dba98dd82ed5
MD5: 9dd425b00b851f6c63ae069abbbec037
MD5: 6b0c07ce5ff1c3a47685f7be9793dce5
MD5: b2b5e82177a3beb917f9dd1a9a2cf91c
MD5: 05070da990475ac3e039783df4e503bc
MD5: c332dd499cdba9087d0c4632a76c59f0
MD5: 0768764fbbeb84daa5641f099159ee7f
MD5: 843b44c77e47680aa4b274eee1aad4e7
MD5: 36f92066703690df1c11570633c93e73
MD5: 0504b00c51b0d96afd3bea84a9a242a2
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: fa13c7049ae14be0cf2f651fb2fa74ba
MD5: ba5e47e0ed7b96a34b716caee0990ea3
MD5: e67e56643f73ed3f6027253d9b5bdfac
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: 0ab654850416e347468a02ca5a369382
MD5: 4e372e5d1e2bd3fa68b85f6d1f861087
MD5: 696a9b85230a315cfe393d9335cae770
MD5: 04343c3269c33a5613ac5860ddb2ab81
MD5: 384a496cd4c2bc1327c225e19edbee54
MD5: a44b2380cdac36f9dfb460f8fbff3714
MD5: 9e2a83adb079048d1c421afaf56a73a6
MD5: e377c7ad8ab55226e491d40bf914e749
MD5: 46c7c70e30495b4b60be1c58a4397320
MD5: 841890281b7216e8c8ea1953b255881e
MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f
MD5: eeeda63bec6d2704cf6f77f2fb8431cd
MD5: b68e183884ce980e300c93dfa375bb1f
MD5: 7990fb5c676bbcd0a6168ea0f8a0c1d7
MD5: adc250439474d38212773e161dadd6b4
MD5: 075ae09c016df3c7eb3d402d96fc2528
MD5: d03b5bf4a905879d9b93b6e81fc1ca55
MD5: 00c62c8a9f2cf7140b67acec477e6a14
MD5: b228fae216a9564192fa2153ae911d54
MD5: 2f778fc3a22b7d5feb0a357c850bdd0d
MD5: 9080f3a0dfde30aa8afa64f7c3f5d79a
MD5: 526c1f10f94544344de12abec96cf96f
MD5: 4d8ddc8d5f6698a6690985ca86b3de00
MD5: 1a7bb0c9b79d1604b4de5b0015202d02
MD5: 528be69afad5a5e6beb7b40aeb656160
MD5: 1769f1b5beae58c09e5e1aac9249f5de
MD5: 6fb86421ea607ed6c912a3796739ce9b
MD5: 22e36b887946e457964a2a28a756a1cd
MD5: 31a7816a1458321736979e0cfdd3d20f
MD5: 113572249856fc5f2848d1add06dc758
MD5: a8a002732c5a4959afbf034d37992b5d
MD5: 413a9116362ab8fb9ba622cc98c788b1
MD5: 4abb29fe3ec3239d93f7adbc8cb70259
MD5: 989bea3435e5ac5b8951baa07d356526
MD5: 9a966076f114fbffc5cdbf5a90b3fd01
MD5: 14e64da2094ab1aae13d162107c504ec
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e
MD5: 63b922c94338862e7b9605546af2ef14
MD5: 19ba1497f088d850bd3902288bb3bd92
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e


Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):
MD5: db0aac72ed6d56497e494418132d7a41
MD5: aa47bd20f8a00e354633d930a3ebcb19
MD5: a957e914f697639df7dfb8483a88483b
MD5: a0b7b01a0574106317527e436e515fd3
MD5: 3d0d834fe7ca583ca6ed056392f4413d
MD5: fa342104b329978cba33639311afe446
MD5: f3b3e8b98bdfb6673da6d39847aec1b3
MD5: 3ef52b2fd086094b591eb01bc32947c8
MD5: 128e70484a9f19ab9096fb9b1969bf89
MD5: ee7dc2d2c7d33855b4dd86ae6243ad22
MD5: 6fc317b6f66d73903ffe8d12df72e5f7
MD5: 3800a4a6d6620aa15db7ea717b4d10f5
MD5: 830bbfcaa499de30ab08a510ce4cbba2
MD5: 085afd7f26f388bd62bc53ed430fbbc6
MD5: 3035e120ce08f1824817e0d6eaecc806
MD5: d4db511618c52272e58f4c334414ed6e
MD5: dc4ab086d50dcdcd5ae060acfe9bddca
MD5: c2bc9e266857537699fd10142658bf31
MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb
MD5: b6bb96470ef67c26c0a0e8a4d145c169
MD5: f5aa326e0b5322d7ac47a379e1e1c1f8
MD5: dc0f5c01d8deaabe9d57d31f9daf50b9
MD5: 4a42c42e7acd9ff32ebb18efc2d5b801
MD5: a254b2824867e05d52c60e0464121588
MD5: 7e612f7ac81ccddb368d3c9e47c9942a
MD5: 66cec28f23b692ff2019c70a76894c41


This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns -> sample everything, as what you're originally seeing is just the tip of the iceberg.

Related posts:
Click Fraud, Botnets and Parked Domains - All Inclusive
A Commercial Click Fraud Tool

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Is Koobface Botnet's Master KrotReal Back in Business? Try the Adult Entertainment Industry First!

This summary is not available. Please click here to view the post.

Monday, June 27, 2022

Exposing an Indian Police Spyware Cyber Operation that Fabricated Evidence on the PCs of Indian Activists - An OSINT Enrichment Analysis

This is what happens when you're cheap. Guess which are the major IoCs (Indicators of Compromise) in this cyber attack campaign featured on Wired.com? Keep reading this OSINT enrichment analysis and find out the actual true Indicators of Compromise.

Sample Gmail accounts known to have been involved in the campaign include:

jagdish.meshraam@gmail.com

drsnehapatil64@gmail.com

sinhamuskaan04@gmail.com

jennifergonzales789@gmail.com

payalshastri79@gmail.com

Sample malicious domains known to have been involved in the campaign:

researchplanet.zapto.org

socialstatistics.zapto.org

duniaenewsportal.ddns.net

Sample domain registrant email address accounts known to have been involved in the campaign include:

harpreet.singh1984@yahoo.com

marlenecharlton@outlook.com

abadaba@eml.cc

REUBEN123@RISEUP.NET

Related malicious domains known to have been involved in the campaign include:

hxxp://greenpeacesite.com

hxxp://new-agency.us

hxxp://chivalkarstone.com

hxxp://newmms.ru

hxxp://gayakwaad.com

hxxp://bbcworld-news.net

hxxp://newsinbbc.com

Sample responding IPs for known malicious domains known to have been involved in the campaign:

208.48.81.179

36.86.63.182

64.15.205.100

64.15.205.101

198.105.254.11

167.160.46.164

208.48.81.134

209.99.40.223

185.205.210.23

5.1.82.106

69.195.129.70

69.195.129.72

104.239.213.7

146.112.61.106

52.4.209.250

141.8.224.134

216.120.146.200

141.8.224.126

192.154.103.67

34.246.254.156

72.52.179.174

199.59.242.153

199.59.243.220

199.59.240.200

75.2.122.238

217.26.70.230

192.64.147.152

103.254.155.203

208.73.211.250

8.5.1.33

91.217.90.201

166.78.106.200

98.124.245.24

146.148.34.125

8.5.1.49

54.210.47.225

109.236.90.147

199.191.50.21

199.59.243.200

185.82.202.155

185.117.66.188

185.117.74.47

185.117.74.28

185.45.193.14

Sample malicious MD5s known to have been involved in the campaign include:

619c707672fc36279f7983f95387e5fdcaff56c58620b23e6dc47dd200add9b7

7533597d2ed0a0e2b981ae1b0d79a37d5343fe790bc3116e036b9b8f3d6b3fe8

22d72a14a1c9837d1c57b9393e88dee4cf21a98eb446008393ac04afa3edc712

5d28df67b12a990af0300120747c8606604c22c6959d31c8706ff8040175414a

18f9e34af21f5b5186e4c6367b86d268fcf0ec41e0879d06bbb9d0ef5c4dc3a2

4dbb14ff2836733b34594956c4234d2a54c04257710dd31a0884b1926d35d7bc

e179f03dd608b090bec933fa62d3714b6deda6c1629eec6bf82f2df55aa22307

e6da12f819a7f50608b1f6a16f1dd6c08c906cd060244cbb1e5b0eb9ab5e75b5

828de55ffbfb1c1b6ffcbb56b838486dbaecc9b41a0d111fcca290978ed05e95

76970287697bb7601970bcd5d5cfa60e1c6558b60046501b885d203eda9c9b44

99131b4fdedbf01721eed38ad685a305140feb73a6d0fb8cc48f1fad3143be92

221dde812ab1c734cd308da2ed8ead6033c6772864d383317fa2526a58e803ae

f6b4f5f05907caf6eaf58109500144d69a798f177f6ac3cb32648fadb304192c

5ede813e52c325fec54d1d8cb9e6b63118f64fce0585c1da4263cbf4a00e1651

4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774

94fa3ff2ef14ae0fcd461c89f90deae5ed6417a238ec5131ef6cb80400de0586

261f13f9e6d08869b41dca972016f177e1cefada9155d806a18f590c3f487a5f

ca2f1df3639a5b5896d98aa70eb68507abf1cea6aba8fe054671cdd0711faf9e

095ec879f323a0a3eceb97013125880d49ac701eef568e3b010fdddb1333941f

11cef331557eb693e718d27b6a7211a98d3982117a03ec1491db8098ea3cec00

16b5c74fb55f52ae0ae4328f65b2bf3bbe3e5ee34268c1d32a247a0a1dfa3186

21d24e08889f75461a7ce6f21fc612a701bca35da1a218cf3cdd6e23f613bb4d

31a3e3aba03b553d0f23f10b06ade30ae053cd667a8cc9660f310705ee471b68

5a4aca57541954195953066a4be96dfb19776ba099d72f8f1d3677581594606e

88b92d985b7d616c93c391731c1e4a6d3c8323fdcbf31cfc4d340e27253913a7

ac4d5d938009fd44b2f7587986862ab2278887a17d32f748278445b625b3efd9

b09ca9d48a0455ed5e02a56aabeb397c41fb63320244719749e0741da72e79c4

b1b6e133aa320669c772ec7e5fd6fbe4cb3edca13ad5351f14df3c1f13939d09

de302a61e5f07b0e65753355d44d22181a2742ac3a92aa058bdcd00cc4dab788

e3dea449bf74434ee1c9cdc04ca68b8f3c9bac357768e07df303433f257d3b9a

ea5f37e1feab670171963aa83b235c772202b2d4bb7289dd45302c3851dbd6f9

Stay tuned!

DDanchev is for Hire! - Who Wants to Hire Me in Europe?

Folks, 

After a decade of fighting bad guys I've decided to finally look for a way to relocate and begin a fresh start in my professional security blogger/cybercrime researcher/OSINT analyst and threat intelligence analyst career path by seeking a permanent position anywhere in Europe from anyone who's interested in directly hiring me and offering relocation and accommodation assistance on a short notice where I can basically relocate and begin the position without a period of three days prior to signing a contract and receiving the necessary relocation and accommodation assistance and let's not forget that someone should meet me at the airport and say hi.

The current situation:

- I'm based in Bulgaria holding a Bulgarian citizenship

- I'm willing to relocate anywhere in Europe for a security blogger/cybercrime researcher/OSINT analyst and threat intelligence analyst position

- I work primary using email which is dancho.danchev@hush.com where you can reach me 24/7 and expect a brief response three hours prior to sending your message

- My CV is available as PDF here and here's my LinkedIn Profile just in case you need it for anything

My requirements:

- I need only a direct hire proposition where you're 100% sure that you're interested in working with me

- I need a contract in advance before I travel on a short notice approximately three days prior to signing the contract

- I need relocation assistance in the form of an airplane ticket including accommodation assistance where I need a place to crash work and live in your country

How to approach me:

Send me an email at dancho.danchev@hush.com and I'll shortly get back to you to discuss

Looking forward to receiving your email. Let's make this happen!

Shots from the Wild West - Sample Compilation of RATs (Remote Access Tools) and Trojan Horses Screenshots - An OSINT Analysis

Dear blog readers,

Find attached a second portfolio of photos obtained while doing my research back in 2010. Enjoy and don't forget to grab a copy of my memoir here including to catch up with my latest research here.




























































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































Stay tuned!