Monday, June 27, 2022

Exposing an Indian Police Spyware Cyber Operation that Fabricated Evidence on the PCs of Indian Activists - An OSINT Enrichment Analysis

This is what happens when you're cheap. Guess which are the major IoCs (Indicators of Compromise) in the cyber attack campaign featured on Wired.com? Keep reading this OSINT enrichment analysis to find out the actual Indicators of Compromise behind it.

Sample Gmail accounts known to have been involved in the campaign include:

jagdish.meshraam@gmail.com

drsnehapatil64@gmail.com

sinhamuskaan04@gmail.com

jennifergonzales789@gmail.com

payalshastri79@gmail.com

Sample malicious domains known to have been involved in the campaign:

researchplanet.zapto.org

socialstatistics.zapto.org

duniaenewsportal.ddns.net

Sample domain registrant email addresses known to have been involved in the campaign include:

harpreet.singh1984@yahoo.com

marlenecharlton@outlook.com

abadaba@eml.cc

REUBEN123@RISEUP.NET

Related malicious domains known to have been involved in the campaign include:

hxxp://greenpeacesite.com

hxxp://new-agency.us

hxxp://chivalkarstone.com

hxxp://newmms.ru

hxxp://gayakwaad.com

hxxp://bbcworld-news.net

hxxp://newsinbbc.com

Sample responding IPs for the known malicious domains involved in the campaign:

208.48.81.179

36.86.63.182

64.15.205.100

64.15.205.101

198.105.254.11

167.160.46.164

208.48.81.134

209.99.40.223

185.205.210.23

5.1.82.106

69.195.129.70

69.195.129.72

104.239.213.7

146.112.61.106

52.4.209.250

141.8.224.134

216.120.146.200

141.8.224.126

192.154.103.67

34.246.254.156

72.52.179.174

199.59.242.153

199.59.243.220

199.59.240.200

75.2.122.238

217.26.70.230

192.64.147.152

103.254.155.203

208.73.211.250

8.5.1.33

91.217.90.201

166.78.106.200

98.124.245.24

146.148.34.125

8.5.1.49

54.210.47.225

109.236.90.147

199.191.50.21

199.59.243.200

185.82.202.155

185.117.66.188

185.117.74.47

185.117.74.28

185.45.193.14

Sample malicious SHA-256 hashes (64-character digests, not MD5s) known to have been involved in the campaign include:

619c707672fc36279f7983f95387e5fdcaff56c58620b23e6dc47dd200add9b7

7533597d2ed0a0e2b981ae1b0d79a37d5343fe790bc3116e036b9b8f3d6b3fe8

22d72a14a1c9837d1c57b9393e88dee4cf21a98eb446008393ac04afa3edc712

5d28df67b12a990af0300120747c8606604c22c6959d31c8706ff8040175414a

18f9e34af21f5b5186e4c6367b86d268fcf0ec41e0879d06bbb9d0ef5c4dc3a2

4dbb14ff2836733b34594956c4234d2a54c04257710dd31a0884b1926d35d7bc

e179f03dd608b090bec933fa62d3714b6deda6c1629eec6bf82f2df55aa22307

e6da12f819a7f50608b1f6a16f1dd6c08c906cd060244cbb1e5b0eb9ab5e75b5

828de55ffbfb1c1b6ffcbb56b838486dbaecc9b41a0d111fcca290978ed05e95

76970287697bb7601970bcd5d5cfa60e1c6558b60046501b885d203eda9c9b44

99131b4fdedbf01721eed38ad685a305140feb73a6d0fb8cc48f1fad3143be92

221dde812ab1c734cd308da2ed8ead6033c6772864d383317fa2526a58e803ae

f6b4f5f05907caf6eaf58109500144d69a798f177f6ac3cb32648fadb304192c

5ede813e52c325fec54d1d8cb9e6b63118f64fce0585c1da4263cbf4a00e1651

4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774

94fa3ff2ef14ae0fcd461c89f90deae5ed6417a238ec5131ef6cb80400de0586

261f13f9e6d08869b41dca972016f177e1cefada9155d806a18f590c3f487a5f

ca2f1df3639a5b5896d98aa70eb68507abf1cea6aba8fe054671cdd0711faf9e

095ec879f323a0a3eceb97013125880d49ac701eef568e3b010fdddb1333941f

11cef331557eb693e718d27b6a7211a98d3982117a03ec1491db8098ea3cec00

16b5c74fb55f52ae0ae4328f65b2bf3bbe3e5ee34268c1d32a247a0a1dfa3186

21d24e08889f75461a7ce6f21fc612a701bca35da1a218cf3cdd6e23f613bb4d

31a3e3aba03b553d0f23f10b06ade30ae053cd667a8cc9660f310705ee471b68

5a4aca57541954195953066a4be96dfb19776ba099d72f8f1d3677581594606e

88b92d985b7d616c93c391731c1e4a6d3c8323fdcbf31cfc4d340e27253913a7

ac4d5d938009fd44b2f7587986862ab2278887a17d32f748278445b625b3efd9

b09ca9d48a0455ed5e02a56aabeb397c41fb63320244719749e0741da72e79c4

b1b6e133aa320669c772ec7e5fd6fbe4cb3edca13ad5351f14df3c1f13939d09

de302a61e5f07b0e65753355d44d22181a2742ac3a92aa058bdcd00cc4dab788

e3dea449bf74434ee1c9cdc04ca68b8f3c9bac357768e07df303433f257d3b9a

ea5f37e1feab670171963aa83b235c772202b2d4bb7289dd45302c3851dbd6f9
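Before the indicators above can go into a blocklist or a SIEM watchlist they need to be typed and normalized: the digests are 64 hex characters (SHA-256, whatever a list heading calls them), the "related domains" are defanged with hxxp://, and some of the email addresses are upper-cased. The following is an added example, not code from the original post, that classifies each indicator by shape (hash length, URL scheme, IP address, email, domain), refangs and lower-cases it, and then runs the resulting domain and IP set over a few DNS log lines. The subset of indicators in RAW_IOCS is copied from the lists above; the log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Representative subset copied from the indicator lists above (not the full set).
RAW_IOCS = [
    "jagdish.meshraam@gmail.com",
    "researchplanet.zapto.org",
    "hxxp://greenpeacesite.com",
    "208.48.81.179",
    "619c707672fc36279f7983f95387e5fdcaff56c58620b23e6dc47dd200add9b7",
    "REUBEN123@RISEUP.NET",
]

# Constructed DNS log lines for the example; not real telemetry.
SAMPLE_DNS_LOG = [
    "2022-06-27T10:01:02Z client=10.0.0.5 query=researchplanet.zapto.org type=A",
    "2022-06-27T10:01:05Z client=10.0.0.9 query=example.com type=A",
    "2022-06-27T10:02:11Z client=10.0.0.5 answer=208.48.81.179",
]

# Hex digest length tells the hash family apart: 32 = MD5, 40 = SHA-1, 64 = SHA-256.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def refang(value: str) -> str:
    """Undo common defanging (hxxp://, [.], [@]) so the value matches real telemetry."""
    v = value.strip()
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("hxxp", "http"), v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def hash_type(value: str) -> Optional[str]:
    """Return md5/sha1/sha256 based on hex digest length, or None if not a hex digest."""
    if not HEX_RE.match(value):
        return None
    return HASH_LENGTHS.get(len(value))


def classify(raw: str) -> Tuple[str, str]:
    """Map one raw indicator to (kind, normalized_value)."""
    v = refang(raw)
    kind = hash_type(v)
    if kind:
        return (kind, v.lower())
    if re.match(r"^https?://", v, re.I):
        # The page lists these as domains, so keep only the host part of the URL.
        host = re.sub(r"^https?://", "", v, flags=re.I).split("/")[0]
        return ("domain", host.lower())
    try:
        ipaddress.ip_address(v)
        return ("ipv4" if "." in v else "ipv6", v)
    except ValueError:
        pass
    if EMAIL_RE.match(v):
        return ("email", v.lower())
    if DOMAIN_RE.match(v):
        return ("domain", v.lower())
    return ("unknown", v)


def normalize(raw_iocs: List[str]) -> Dict[str, List[str]]:
    """Group indicators by kind, deduplicated and sorted, ready for a watchlist."""
    grouped: Dict[str, set] = {}
    for raw in raw_iocs:
        kind, value = classify(raw)
        grouped.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in grouped.items()}


def find_hits(log_lines: List[str], iocs: Dict[str, List[str]],
              kinds: Tuple[str, ...] = ("domain", "ipv4", "ipv6")) -> List[Tuple[int, str, str]]:
    """Return (line_index, kind, value) for every network indicator seen in the log lines.

    Lookarounds stop 'zapto.org' style substrings from matching inside longer names.
    """
    patterns = []
    for kind in kinds:
        for value in iocs.get(kind, []):
            pat = re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(value) + r"(?![A-Za-z0-9.-])", re.I)
            patterns.append((kind, value, pat))
    hits = []
    for i, line in enumerate(log_lines):
        for kind, value, pat in patterns:
            if pat.search(line):
                hits.append((i, kind, value))
    return hits


if __name__ == "__main__":
    iocs = normalize(RAW_IOCS)
    for kind, values in iocs.items():
        print(f"{kind}: {len(values)} -> {values}")
    for idx, kind, value in find_hits(SAMPLE_DNS_LOG, iocs):
        print(f"HIT line {idx} [{kind}] {value}: {SAMPLE_DNS_LOG[idx]}")
```

Typing by digest length is the check that catches the MD5/SHA-256 mix-up in a feed before it is loaded; a 64-character value labelled MD5 will never match anything in an MD5-keyed index. The matcher is deliberately exact-token: if you want subdomain matching (anything under zapto.org), relax the leading lookaround to allow a dot, and expect the extra noise from dynamic DNS providers that such a rule brings.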

Stay tuned!
