Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Saturday, May 20, 2023

Exposing The "Denis Gennadievich Kulkov" a.k.a Kreenjo/Nordex/Nordexin/Try2Check Cybercriminal Enterprise - An Analysis

Who would have thought? The U.S Secret Service is currently offering $10M reward for Denis Gennadievich Kulkov also known as Kreenjo/Nordex/Nordexin who's particularly famous for running the infamous Try2Check credit card checking cybercriminal enterprise.

What's so special about this individual is the fact that he's also been running a well known money mule recruitment operation since 2016 using the World Issuer LLC money mule recruitment franchise based on my research using public sources where we've got the actual hxxp://worldissuer[.]biz domain registered using identical domain registration information such as for instance hxxp://try2services[.]cm including several other domains such as for instance hxxp://dam-shipping[.]com and hxxp://cloudnsman[.]org and the following domain which is hxxp://elementconstructiongroup[.]company.

Among the actual domains known to be part of the Try2Check cybercriminals enterprise include:

hxxp://try2services[.]pm

hxxp://try2services[.]cm

hxxp://try2services[.]vc

including the following domain:

hxxp://just-buy[.]it

including the following two ICQ numbers 855377 and 555724 and let's don't forget his personal email address accounts obtained using public sources which are polkas@bk.ru nordexin@ya.ru

and it doesn't get any better than this as we've got a pretty good and informative domain portfolio registered by the same individual based on public information sharing the same domain registration details such as for instance hxxp://worldissuer[.]biz which actually are:

hxxp://cloud-mine[.]me

hxxp://gpucloud[.]org

hxxp://hyperhost[.]info

hxxp://miservers[.]info

hxxp://carterdns[.]com

hxxp://reshipping[.]us

hxxp://keyserv[.]org

hxxp://antmining[.]biz

hxxp://investmentauditor[.]com

hxxp://sunnylogistics[.]us

hxxp://try2services[.]cm

hxxp://greatwallhost[.]net

hxxp://jaqjckugrfffqa[.]com

hxxp://numberoneforyou[.]net

hxxp://getprofitnow[.]biz

hxxp://avsdefender[.]com

hxxp://spyware-defender[.]com

hxxp://beta-dns[.]net

hxxp://mpm-profit-method[.]com

hxxp://public-dns[.]us - related including this

hxxp://adobe-update[.]net - Email: krownymaradonna@onionmail.org related domains known to have been involved in the campaign include - hxxp://amazon-clouds[.]com; hxxp://microsoft-clouds[.]net; hxxp://telenet-cloud[.]com; hxxp://vmware-update[.]com

hxxp://kwitri[.]net

hxxp://dcm-trade[.]com

hxxp://karoospin[.]biz

hxxp://fastvps[.]biz

Stay tuned!

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Exposing Hacking Team GhostSec - An Analysis

In this post I'll profile Hacking Team GhostSec and I'll provide all the relevant and necessary IoCs (Indicators of Compromise) including all the relevant personally identifiable information in terms of assisting U.S Law Enforcement and the U.S Intelligence Community on its way to properly track down and monitor and prosecute the cybercriminals behind these campaigns.

Personal Photos:

Related IoCs and personally identifiable information for GhostSec:

Official Web Site URL: hxxp://opiceisis.strangled.net

Official Web Site URL: hxxp://81.4.124.11/index.php

Official Web Site URL: hxxp://pst.klgrth.io

Official Group's Twitter account: hxxp://twitter.com/ghost_s3curity

Official Group's Telegram account: hxxp://t.me/GhostSecc

Official Group's Medium account: hxxp://medium.com/@OfficialGhostSec

Official Group's Web Site URL: hxxp://ghostsec-team.org

Official Group's Web Site URL: hxxp://ghostsecret-team.blogspot.com

Official Group's Email Address Account: ghostsecteam.org@gmail.com

Stay tuned!

Dancho Danchev

Monday, May 08, 2023

Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Five

Dipshit. The deepest of them all.

Stay tuned!

Dancho Danchev

Sunday, May 07, 2023

Hacker Database

I would like to take the time and effort and let you know about my latest project which is called Hacker Database. Obtain access here.

Sample screenshots:

Sample visualizations produced using the database in GraphML format:

Dancho Danchev

Wednesday, May 03, 2023

How Do Cybercriminals Manage Compromised Hosts Using Desktop Management Applications? - An Analysis

If an image is worth a thousand words then check out the following which although released in 2006 appears to be one of the cybercrime ecosystem's most sophisticated and advanced compromised hosts management tool within the ecosystem up to present day.

Sample screenshots include:

Dancho Danchev

Tuesday, May 02, 2023

Who's Behind the Butterfly Bot/DCI Bot/DownTroj/Aspergillus Botnet Malicious Software?

Awesome.

Emails known to have been involved in the campaign include:

iserdo@gmail.com

toadmin@1337crew.info

wg.fatal@gmail.com

emailedgov.hacN@gmail.com

admin@1337crew.info

jernej_5@hotmail.com

usediserdo@gmail.com

toiserdo@gmail.com

schlist90210@gmail.com

Waisted.time@hotmail.com

addressnetNairo@hotmail.com

betweennetNairo@hotmail.com

hamlet1917@hotmail.com

addresshamlet1917@hotmail.com

withhamlet1917@hotmail.com

floxter@hotmail.com

ice@iceman.in

addressleniqi.mentor@siol.net

leniqi.mentor@siol.net

accountiserdo@gmail.com

addressicemangjN@hotmail.com

Sample screenshot:

Related domains:

hxxp://voc[.]cash

hxxp://deepbluesecurity[.]nl

hxxp://erc20collector[.]com

hxxp://b2bradio[.]net

hxxp://threatforce[.]net

hxxp://intelhub[.]link

Related screenshots:

Related domains:

hxxp://voc[.]cash

hxxp://deepbluesecurity[.]nl

hxxp://erc20collector[.]com

hxxp://b2bradio[.]net

hxxp://intelhub[.]link

hxxp://albahost[.]net

hxxp://albaname[.]com

hxxp://mpuq[.]net

hxxp://albaname[.]net

hxxp://threatforce[.]net

hxxp://tamiflux[.]net

hxxp://tamiflux[.]org

Sample screenshot of Voc Cash:

Dancho Danchev

Monday, May 01, 2023

Exposing the Ukrainian Insider Trading Hackers that Stole $30M Using a SEC's EDGAR Securities Fraud Scheme - The Technical Details - Exclusive

"An OSINT conducted today is a tax payer's buck saved somewhere".

Official U.S Secret Service $1M reward listing on U.S Secret Service's Most Wanted Cybercriminals List for "Oleksandr Vitalyevich Ieremenko".

Handle: Zl0m; Lamarez; Ded.MCz; l@m@rEz

Email: lamarez@mail.ru; uaxakep@gmail.com - xeljanzusa.com - 62.109.25.228 (https://www.secureworks.com/research/point-of-sale-malware-threats); 62.109.1.69

Commpany: 2016 Кзерокс

Phone: +7 951 366 17 17

ICQ: 123424

Web Money: 258807111393

Related URLs:

hxxp://ageline.ru/lamarez.php

hxxp://k0x.ru/md5.salt.tx

hxxp://k0x.ru/_bot.exe - 82.146.60.59

hxxp://k0x.ru/black_energy_31337_/stat.php

http://k0x.ru/siicywu36dswh/addddos.php

hxxp://xtoolz.ru

hxxp://cup.su

hxxp://xwarez.us

Dancho Danchev