Saturday, May 20, 2023

Exposing The "Denis Gennadievich Kulkov" a.k.a Kreenjo/Nordex/Nordexin/Try2Check Cybercriminal Enterprise - An Analysis

Who would have thought? The U.S. Secret Service is currently offering a $10M reward for Denis Gennadievich Kulkov, also known as Kreenjo/Nordex/Nordexin, who is best known for running the infamous Try2Check credit card checking cybercriminal enterprise.

What makes this individual particularly interesting is that, based on my research using public sources, he has also been running a well-known money mule recruitment operation since 2016 through the World Issuer LLC money mule recruitment franchise. The domain hxxp://worldissuer[.]biz was registered using domain registration information identical to that of hxxp://try2services[.]cm, and the same details also appear on several other domains, including hxxp://dam-shipping[.]com, hxxp://cloudnsman[.]org and hxxp://elementconstructiongroup[.]company.

Domains known to be part of the Try2Check cybercriminal enterprise include:
hxxp://try2services[.]pm
hxxp://try2services[.]cm
hxxp://try2services[.]vc

as well as the following domain:
hxxp://just-buy[.]it

Also associated with him are the two ICQ numbers 855377 and 555724 and, not to be forgotten, his personal email address accounts obtained using public sources, which are polkas@bk.ru and nordexin@ya.ru.

It gets better: based on public information, we also have a fairly informative portfolio of domains registered by the same individual, sharing the same domain registration details as hxxp://worldissuer[.]biz. They are:

hxxp://cloud-mine[.]me
hxxp://gpucloud[.]org
hxxp://hyperhost[.]info
hxxp://miservers[.]info
hxxp://carterdns[.]com
hxxp://reshipping[.]us
hxxp://keyserv[.]org
hxxp://antmining[.]biz
hxxp://investmentauditor[.]com
hxxp://sunnylogistics[.]us
hxxp://try2services[.]cm
hxxp://greatwallhost[.]net
hxxp://jaqjckugrfffqa[.]com
hxxp://numberoneforyou[.]net
hxxp://getprofitnow[.]biz
hxxp://avsdefender[.]com
hxxp://spyware-defender[.]com
hxxp://beta-dns[.]net
hxxp://mpm-profit-method[.]com
hxxp://public-dns[.]us - related domains include the following:
hxxp://adobe-update[.]net - Email: krownymaradonna@onionmail.org; related domains known to have been involved in the campaign include hxxp://amazon-clouds[.]com, hxxp://microsoft-clouds[.]net, hxxp://telenet-cloud[.]com and hxxp://vmware-update[.]com
hxxp://kwitri[.]net
hxxp://dcm-trade[.]com
hxxp://karoospin[.]biz
hxxp://fastvps[.]biz
Stay tuned!

Exposing Hacking Team GhostSec - An Analysis

In this post I'll profile Hacking Team GhostSec and provide all the relevant and necessary IoCs (Indicators of Compromise), including all the relevant personally identifiable information, to assist U.S. Law Enforcement and the U.S. Intelligence Community in tracking down, monitoring and prosecuting the cybercriminals behind these campaigns.

Personal Photos:


Related IoCs and personally identifiable information for GhostSec:

Official Web Site URL: hxxp://opiceisis.strangled.net

Official Web Site URL: hxxp://81.4.124.11/index.php

Official Web Site URL: hxxp://pst.klgrth.io

Official Group's Twitter account: hxxp://twitter.com/ghost_s3curity

Official Group's Telegram account: hxxp://t.me/GhostSecc

Official Group's Medium account: hxxp://medium.com/@OfficialGhostSec

Official Group's Web Site URL: hxxp://ghostsec-team.org

Official Group's Web Site URL: hxxp://ghostsecret-team.blogspot.com

Official Group's Email Address Account: ghostsecteam.org@gmail.com

Stay tuned!

Monday, May 08, 2023

Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Five

Dipshit. The deepest of them all.


Stay tuned!

Sunday, May 07, 2023

Hacker Database

I would like to take the time and effort and let you know about my latest project which is called Hacker Database. Obtain access here.

Sample screenshots:

Sample visualizations produced using the database in GraphML format:

Wednesday, May 03, 2023

How Do Cybercriminals Manage Compromised Hosts Using Desktop Management Applications? - An Analysis

If an image is worth a thousand words, check out the following: although released in 2006, it appears to remain one of the cybercrime ecosystem's most sophisticated and advanced compromised-host management tools up to the present day.

Sample screenshots include:

Tuesday, May 02, 2023

Who's Behind the Butterfly Bot/DCI Bot/DownTroj/Aspergillus Botnet Malicious Software?

Awesome.

Emails known to have been involved in the campaign include:
iserdo@gmail.com
toadmin@1337crew.info
wg.fatal@gmail.com
emailedgov.hacN@gmail.com
admin@1337crew.info
jernej_5@hotmail.com
usediserdo@gmail.com
toiserdo@gmail.com
schlist90210@gmail.com
Waisted.time@hotmail.com
addressnetNairo@hotmail.com
betweennetNairo@hotmail.com
hamlet1917@hotmail.com
addresshamlet1917@hotmail.com
withhamlet1917@hotmail.com
floxter@hotmail.com
ice@iceman.in
addressleniqi.mentor@siol.net
leniqi.mentor@siol.net
accountiserdo@gmail.com
addressicemangjN@hotmail.com

Sample screenshot:


Related domains:
hxxp://voc[.]cash
hxxp://deepbluesecurity[.]nl
hxxp://erc20collector[.]com
hxxp://b2bradio[.]net
hxxp://threatforce[.]net
hxxp://intelhub[.]link

Related screenshots:


Related domains:
hxxp://voc[.]cash
hxxp://deepbluesecurity[.]nl
hxxp://erc20collector[.]com
hxxp://b2bradio[.]net
hxxp://intelhub[.]link
hxxp://albahost[.]net
hxxp://albaname[.]com
hxxp://mpuq[.]net
hxxp://albaname[.]net
hxxp://threatforce[.]net
hxxp://tamiflux[.]net
hxxp://tamiflux[.]org

Sample screenshot of Voc Cash:

Monday, May 01, 2023

Exposing the Ukrainian Insider Trading Hackers Who Stole $30M Using an SEC EDGAR Securities Fraud Scheme - The Technical Details - Exclusive

"An OSINT conducted today is a tax payer's buck saved somewhere".

Official U.S. Secret Service $1M reward listing on the U.S. Secret Service's Most Wanted Cybercriminals List for "Oleksandr Vitalyevich Ieremenko".

Handle: Zl0m; Lamarez; Ded.MCz; l@m@rEz

Email: lamarez@mail.ru; uaxakep@gmail.com - xeljanzusa.com - 62.109.25.228 (https://www.secureworks.com/research/point-of-sale-malware-threats); 62.109.1.69

Company: 2016 Кзерокс

Phone: +7 951 366 17 17

ICQ: 123424

Web Money: 258807111393

Related URLs:

hxxp://ageline.ru/lamarez.php

hxxp://k0x.ru/md5.salt.tx

hxxp://k0x.ru/_bot.exe - 82.146.60.59

hxxp://k0x.ru/black_energy_31337_/stat.php

hxxp://k0x.ru/siicywu36dswh/addddos.php

hxxp://xtoolz.ru

hxxp://cup.su

hxxp://xwarez.us