Exposing Bulgaria's Largest Data Leak - An OSINT Analysis

I've recently came across to a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer look. What does this leak basically constitute? Basically the attacker managed to compromise the security of the Web Site basically leading to a successful extraction of a decent-portion of data which could basically constitute a leak.

NOTE: The data in this analysis has been obtained using public sources.



In this post I'll profile a novice Bulgaria-based cybercriminal that basically managed to obtain access to the database and shared it within several cybercrime-friendly forum communities making it publicly accessible including an in-depth overview of TAD Group which is basically a Bulgaria-based penetration testing company.




Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg

Sample URL of the cybercriminal involved in the campaign:
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com

Instagram Account: hxxp://www.instagram.com/instakilla_/

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the campaign:
https://instakilla.com/5k.txt
https://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Send to Journalists:

Let's take a closer look at the Bulgaria-based TAD-Group is basically a well-known penetration testing company currently running Bulgaria's largest and most popular hacking forum community - hxxp://www.xakep.bg which was recently blamed for Bulgaria's largest database leak in particular its founders and several employees in the context of performing an OSINT analysis basically highlighting some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:

Real Name: Ivan Todorov

Email: todorov_i@tadgroup.com; todorov_i@subway.bg

Related social network accounts:

hxxp://github.com/chapoblan

hxxp://www.facebook.com/chapoblan/

Sample Bulgaria Leaked Database URL:

hxxp://uploadfiles.io/s1p3gzh8

Sample Email known to have been used in the campaign:

Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the campaign:

MD5: 3125f2f04d3bac84c418ceb321959aba

It's also worth pointing out that I've managed to come across to a fraudulent proposition courtesy of the hxxp://www.xakep.bg cybercrime-friendly forum community with the cybercriminal behind it currently soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.

Continue reading →

Upcoming Offensive Warfare 2.0 Cyber Security and Hacking Community YouTube Livestream Broadcast - RSVP Today!

Dear blog readers,

I wanted to let everyone know that I'll be doing a Live YouTube Broadcast - this Friday - 05/07/2019 20:30 P.M - Eastern European Summer Time (EEST), UTC +3 in terms of my newly launched Offensive Warfare 2.0 - Cyber Security and Hacking Community. Are you interested in attending and learning more about the project? RSVP Today and consider registering to get the conversation going!

Feel free to approach me dancho.danchev@hush.com

Stay tuned! Continue reading →

Upcoming Security Project - Accepting Donations and Feedback!

Dear blog readers I wanted to let everyone know that I've recently added a "Donate Today!" button including a Pop-Up banner within my blog with the idea to seek you donations and feedback to raise the necessary capital for an upcoming Security Project.

How you can contribute in case you're a long-time reader of this blog - and want to possibly see more high-quality Security and Cybercrime research? Consider making a modest $500 donation - which will better help me to scale the project and eventually launch it.

Feel free to approach me at dancho.danchev@hush.com

Stay tuned! Continue reading →

Dancho Danchev's Blog - Audio Version Available - Listen to Every Post!

Dear blog readers,

I wanted to let everyone know that I've recently introduced an audio-listening functionality to every blog post basically allowing you to listen to every blog post on this blog. What do you think?

Basically it allows you to easily plug and play your head-set and listen on current historical and upcoming posts. Stay tuned for an updated set of features to be implemented anytime soon.

Consider going through the following high-profile Security Interviews which I managed to produce throughout 2003-2006 while working for Astalavista Security Group.

- Security Interviews 2004/2005 - Part 1
- Security Interviews 2004/2005 - Part 2
- Security Interviews 2004/2005 - Part 3

including the following commentary and Open Letter to the U.S Intelligence Community:

 - The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

Enjoy and stay tuned! Continue reading →

Dancho Danchev's Blog - Public Search Now Open!

Continue reading →

Dancho Danchev's Blog - Public Comments Now Open!

Dear blog readers,

Ever since 2005 where I originally launched this blog - I decided to turn off public comments so that I can present a decent portion of my Information Security knowledge to a diverse set of audiences. Back in the glorious Web 2.0 years when I was busy doing business development and PR outreach for a variety of Security Projects I've recently decided that the time has come to open public comments on one of the Security Industry's most popular personal blogs on Information Security Cybercrime Research and Threat Intelligence with the idea to reach out to everyone reading this blog potentially building a high-quality comment and research feedback network of Security Industry members U.S Intelligence Community members and the general public.

Looking forward to receiving your comments - and as always feel free to go through the archives to catch up with what I've been up to.

Stay tuned! Continue reading →

Proprietary Cybercrime and Dark Web Forum Search Engine - BETA Access Available!

Dear blog readers - I wanted to let everyone know of a currently active BETA project - namely - the general invite-only proprietary access to a Cybercrime and Dark Web Underground Forum Search Engine - exclusively targeting Security Vendors the U.S Intelligence Community and Law Enforcement including independent-vetted invite-only subscription-based access to the World's largest and near-real-time repository of Cybercrime Research Data - worth $3,500 in the form of one-time payment - for the purpose of fueling growth into the project - and to request the necessary access - including possible subscription-based agreement - further fueling growth into the project and the quality of the inventory of data.

How to request access?

Feel free to approach me at dancho.danchev@hush.com with your inquiry in terms of this project.

Stay tuned! Continue reading →

Proprietary Threat Intelligence Reports Available On Demand - Request a Copy Today!

Dear blog readers - I wanted to let everyone know of two -- currently in the works -- proprietary Threat Intelligence type of reports - that you and your organization can easily acquire on demand. The first report details in-depth including tactics techniques and procedures including hundreds of IOCs (Indicators of Compromise) in terms of the Pay-Per-Install Business Model circa 2008 - worth $1,500 and the second report which is also available on demand details the inner workings of the CAPTCHA-Solving Underground Market Business Model - which is also worth $1,500.

Similar my most recently -- now publicly available -- report on "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report" capabilities including a complimentary social network graph - the proprietary Threat Intelligence reports can be requested online - and the user including the organization will receive a complimentary copy of the report - including a possible attribution vector - within 30 days prior to making a purchase.

How you can order a copy of the report?


Feel free to approach me at dancho.danchev@hush.com to inquire about making a purchase.

Stay tuned! Continue reading →

Are You On Silent Circle?

Dear blog readers,

I wanted to find out whether any of my blog readers might be using Silent Circle - and whether you might be interested in approaching me with your Silent Circle ID to get the conversation going?

Feel free to approach me at dancho.danchev@hush.com

Stay tuned! Continue reading →

Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - Public Registration Now Open!

Dear blog readers,

I wanted to let you know of  my newly launched hacking and security community - Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - with public registration now open.

How you can help?

- Register today!
- Share this post with friends and colleagues.
- Approach me at dancho.danchev@hush.com with your comments feedback and general suggestions

Stay tuned! Continue reading →

Historical OSINT - Massive Scareware-Serving Campaign Spotted in the Wild

doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189

marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com
- MORE REDIRECTORS parked there
browsersafeon.com  A  91.205.40.5
online-income2.cn  A  91.205.40.5
applestore2.cn  A  91.205.40.5
media-news2.cn  A  91.205.40.5
clint-eastwood.cn  A  91.205.40.5
stone-sour.cn  A  91.205.40.5
marketcoms.cn  A  91.205.40.5
fashion-news.cn  A  91.205.40.5

LEADS TO
http://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZWVilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D
206.53.61.73
http://www.virustotal.com/analisis/e664ff540556bcde19bb7eea967016f491bb024c3d66b455d22f1afb7bd36b3e-1256160669

http://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12
http://www.virustotal.com/analisis/6e28a767b2f067285389758802e81379687f87864ecc85412e022ebe172c01d1-1256160825 Continue reading →

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently came across to yet another currently active scareware-serving campaign courtesy of the Koobface gang this time successfully introducing a CAPTCHA-breaking module potentially improving the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed a sample malware phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that prior to analyzing the campaign it appears that the Koobface gang has recently introduced a CAPTCHA-breaking module which basically relies on the active outsourcing of the CAPTCHA-breaking process potentially improving the Koobface spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the following C&C server IPs:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230 Continue reading →

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in-depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed a sample malware phones back to:
hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions

Parked at the same IP where Crusade Affiliates continue serving a diverse set of fake security software are also more scareware domains.

It's also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. Koobface gang is typosquatting my name for registering domains (for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - which is registered to Danchev Danch (1andruh.a1@gmail.com). Continue reading →

Astalavista Security Group 2.0 - The Underground - Official Launch Announcement

Dear blog readers, I wanted to let you know that I've recently launched a currently active Indiegogo crowd-funding campaign regarding my favorite working place throughout the 90's - Astalavista Security Group and I wanted to find out whether you might be interested in spreading the word regarding the campaign including a possible donation.

Consider going through the following already published Updates and making a donation:

01. New Update - Official Campaign Announcement
02. New Update - Official Astalavista 2.0 - Press Release Launch
03. New Update - Official Astalavista 2.0 - Statement of Work
04. New Update - Official Astalavista 2.0 - The Big Idea
05. New Update - Official Astalavista 2.0 - The Fanciful Story

Feel free to reach me at dancho.danchev@hush.com

Stay tuned! Continue reading →

Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild

With scareware continuing to proliferate I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software with the scareware behind the campaign successfully modifying the HOSTS on the affected host potentially exposing the user to a variety of fake search engines type of rogue and fraudulent and malicious activity.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D

Sample malicious MD5 known to have participated in the campaign:
MD5: 665480a64d4f72a33120251c968e9c28

Once executed the sample modifies the HOSTS and redirects them to the following domains:
hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201
hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=

Related malicious rogue and fraudulent URL known to have participated in the campaign:
hxxp://88.85.73.139/landing/

Sample rogue and fraudulent payment processed used in the campaign:
hxxp://safetyself.com/safereports/ - 88.85.73.139 Continue reading →

Historical OSINT - Profiling the Loads.cc Enterprise

Remember loads.cc? In this post I'll provide actionable intelligence on the popular DDoS for hire service circa 2008 and offer in-depth perspective on the tactics utilized by the gang behind the service for the purpose of earning fraudulent revenue in the process of monetizing access to malware-infected hosts.

Sample malicious and fraudulent infrastructure known to have participated in the campaign:
hxxp://loads.cc - hxxp://ns1.udnska.cn (72.21.52.99), interestingly, hxxp://sateliting.cn is the C&C for hxxp://loads.cc service.

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://sateliting.cn/?&v=exp6&lid=1033
hxxp://sateliting.cn/?&v=iron&lid=1033
hxxp://sateliting.cn/?&v=1810kj&lid=1033
hxxp://sateliting.cn/?&v=Loko&lid=1033
hxxp://sateliting.cn/?&v=mporlova&lid=1033
hxxp://satelit-ing.cn/?&v=mporlova&lid=1033
hxxp://sateliting.cn/?&v=gto&lid=1033

Related malicious IPs known to have responded to sateliting.cn:
hxxp://50.117.116.117
hxxp://216.172.154.34
hxxp://50.117.122.90
hxxp://205.164.24.45
hxxp://50.117.116.205
hxxp://50.117.116.204
hxxp://65.19.157.227

Related malicious MD5s known to have participated in the campaign:
MD5: eb0e25f2ac8f50590e3a00dcf766ef02
MD5: 48cf9b8b063715bb53e691da61601a73
MD5: 0b63dc08da40fcaf532847cfa5d9fc12
MD5: 0abaffe7d19c382d6dc94e40b27f199b
MD5: 0844b755c7e26c8051ab23369f720a4b
MD5: 2f3e270c37b48523e3e89ab76a012092 Continue reading →

Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure

Love them or hate them - the ubiquitous beautiful girl utilizing fake bogus and rogue Facebook accounts scam campaign courtesy of Hamas targeting Israeli soldiers has to come to an end.

In this post I'll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure and will discuss in-depth the tactics techniques and procedures of the cybercriminals behind it and will offer in-depth perspective on a currently active Pro-Hamas hosting provider - "Nepras for Media & IT" which is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda spreading online infrastructure provider directly related to yet another Pro-Hamas franchise - "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:
Elianna Amer
Aitai Yosef
Karen Cohen
Amit Cohen
Loren Ailan
Verena Sonner
Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:

Sample malicious and fraudulent URL known to have participated in the campaign:
hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://goldncup.com
hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163
hxxp://autoandroidup.website
hxxp://mobilestoreupdate.website
hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:
hxxp://107.175.144.26
hxxp://192.64.114.147

Related malicious MD5s known to have participated in the campaign:
MD5: 4f9383ae4d0285aeb86e56797f3193f7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious and fraudulent phone-back C&C server IPs:
hxxp://endpointup.com/update/upfolder/updatefun.php
hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://androidbak.com
hxxp://droidback.com
hxxp://endpointup.com
hxxp://siteanalysto.com
hxxp://goodydaddy.com

Related emails known to have participated in the campaign:
info@palgoal.ps
support@nepras.com
mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:
hxxp://7qlp.com
hxxp://all-in1.net
hxxp://androidmobgate.com
hxxp://arabstonight.com
hxxp://collectrich.com
hxxp://krmalk.com
hxxp://motionsgraphic.com
hxxp://orchidcollege.com
hxxp://paltrainers.org
hxxp://rosomat.net
hxxp://stikerscloud.com

Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:
hxxp://acchd.net
hxxp://ahlulquran.com
hxxp://alalbait.ps
hxxp://alnorhan.com
hxxp://alowini.com
hxxp://alresalah.news
hxxp://alshibl.com
hxxp://alwanbook.com
hxxp://arqamschools.com
hxxp://azarcnc.com
hxxp://boxmarket.org
hxxp://bstcover.com
hxxp://caades.org
hxxp://detour-bs.com
hxxp://driverup2date.com
hxxp://drmazen.com
hxxp://drmazen.ps
hxxp://eta-water.com
hxxp://fares-alarab.com
hxxp://feker.net
hxxp://fekerjaded.net
hxxp://fekerjaded.com
hxxp://gaza-health.com
hxxp://gcstv.tv
hxxp://hairgenomics.com
hxxp://idco.center
hxxp://islamicbl.com
hxxp://khaledjuma.net
hxxp://kingtoys.ps
hxxp://learningoutcome.net
hxxp://lemaghi.com
hxxp://lsugaza.org
hxxp://mailsinfo.net
hxxp://majallaa.com
hxxp://manara.ps
hxxp://mobilyapp.com
hxxp://mtsc.tech
hxxp://nepras.net
hxxp://nepras.ps
hxxp://nsms.ps
hxxp://osamaalnajjar.com
hxxp://osratyorg.com
hxxp://panorama-pvs.com
hxxp://pay2earn.net
hxxp://pharmahome.net
hxxp://saqacc.com
hxxp://saudifame.com
hxxp://scc-online.net
hxxp://sondooq.net
hxxp://syada.org
hxxp://takafulsys.com
hxxp://taqat.work
hxxp://taqat.jobs
hxxp://technologylotus.com
hxxp://thoraya.net
hxxp://vgsat.com
hxxp://yabous.net
hxxp://yourav.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://googlemapsservice.com
hxxp://lipidgenomics.com
hxxp://akalgroup.net
hxxp://rami-kerenawi.com
hxxp://bestyleperfumes.com
hxxp://azarcnc.com
hxxp://go-2web.com
hxxp://jettafood.com
hxxp://mushtahatours.com
hxxp://pal4news.net
hxxp://pcr-shate.com
hxxp://saqacc.com
hxxp://shahidvideo.com
hxxp://shop8d.net
hxxp://spermgenomics.com
hxxp://tawjihips.com
hxxp://vidioarb.com
hxxp://yourav.net
hxxp://yourdialerpal.com
hxxp://freedombeacon.info
hxxp://neprastest.info
hxxp://nirmaali.com
hxxp://zaibaq-hearing.com
hxxp://bramgsoft.com
hxxp://hairgenomics.com
hxxp://dietgenomix.com
hxxp://arcadialanguages.com
hxxp://himoudco.com
hxxp://moltkaa.com
hxxp://toyoorjanna.com
hxxp://facebootshe.com
hxxp://facebootshe.net
hxxp://somoood.com
hxxp://alnorhan.com
hxxp://alwatantoday.net
hxxp://elianali.com
hxxp://sspal.net
hxxp://hi-galaxy.com
hxxp://youthn.net
hxxp://gmamalaysia.com
hxxp://cbspgaza.com
hxxp://madarikmedia.com
hxxp://website-testnew.com
hxxp://childworldsociety.com
hxxp://netmarketpal.net
hxxp://albwwaba.com
hxxp://saudib.info
hxxp://pwaha.com
hxxp://smilymedia.com
hxxp://ftyatalghad.com
hxxp://coldymedia.com
hxxp://kh-alsendawy.com
hxxp://scoutsyalla.com
hxxp://almofker.com
hxxp://rawnaqmedia.net
hxxp://pro-stud.com
hxxp://shawa-plast.com
hxxp://eta-water.com
hxxp://host4tech.net
hxxp://fekerjaded.com
hxxp://audioodrivers.com
hxxp://trsanweb.com
hxxp://3almpro.com
hxxp://neprasweb.info
hxxp://thaqefnafsak.net
hxxp://newpal21.com
hxxp://ads4market.net
hxxp://qcpalestineforum.net
hxxp://alothmanx.com
hxxp://detourbs.com
hxxp://engash.com
hxxp://anafenyx.com
hxxp://dar-pal.com
hxxp://loyal-hands.com
hxxp://sahabacomplex.net
hxxp://logintest.info
hxxp://mapartnr.com
hxxp://hejazeceramics.com
hxxp://gazaapeal.com
hxxp://tawzzef.com
hxxp://gazaappeal.com
hxxp://oqpizza.com
hxxp://arqamschools.com
hxxp://nafhacenter.com
hxxp://halaalmasry.com
hxxp://q9polls.com
hxxp://q8-polls.com
hxxp://palalghadschool.com
hxxp://servesni.com
hxxp://rose2020.com
hxxp://km-pal.com
hxxp://cfpalestine.com
hxxp://ipad2me.com
hxxp://arabsdownload.com
hxxp://projectsinturkey.com
hxxp://newmassa.com
hxxp://charitysys.info
hxxp://nepraswebsite.com
hxxp://iquds.com
hxxp://yabous.net
hxxp://appsapkandroid.us
hxxp://alltech4arab.com
hxxp://hadaf.info
hxxp://plmedgroup.com
hxxp://modhish.net
hxxp://mltaka.com
hxxp://ajelapp.com
hxxp://khmap.com
hxxp://cupsport.net
hxxp://arshdnytech.com
hxxp://gmaedu.net
hxxp://lemaghi.com
hxxp://creativityjob.com
hxxp://imes-group.net
hxxp://rawnaqmedia.com
hxxp://alwanbook.com
hxxp://fifafoot.com
hxxp://sportarabs.com
hxxp://el-qalam.com
hxxp://bawadirsoft.com
hxxp://palalghad-school.com
hxxp://mixedwork.com
hxxp://plmedgroup.com
hxxp://alowini.com
hxxp://detour-bs.com
hxxp://earningoutcome.net
hxxp://shahedcom.com
hxxp://sport-kora.com
hxxp://torathshop.com
hxxp://newsolararabian.com
hxxp://h3sk.com
hxxp://gh-gaza91.com
hxxp://watanps.com
hxxp://mobilyapp.com
hxxp://nfs-pal.com
hxxp://yousef123.com
hxxp://alhato.com
hxxp://alyawmpress.net
hxxp://technologylotus.com
hxxp://qavalues.com
hxxp://ask2play.net
hxxp://hamasld.com
hxxp://bhscfood.com
hxxp://nmanews.com
hxxp://ifcdoha4.com
hxxp://sparkpowerco.net
hxxp://archour.com
hxxp://nmanews.net
hxxp://academy-uk.net
hxxp://turkey-gate.com
hxxp://learningoutcome.net
hxxp://smattrix.com
hxxp://eradaa.net
hxxp://paltoday.com
hxxp://sugar-salt.net
hxxp://boutiqobasket.com
hxxp://ethadalpadia.com
hxxp://fonoungallery.com
hxxp://fonoungallery.com
hxxp://smattrix.com
hxxp://gazawiit.com
hxxp://alfarisnt.com
hxxp://lama-film.net

Related domains registered using "Nepras for Media & IT" infrastructure:
hxxp://lovemagazineofficial.com
hxxp://masmo7.com
hxxp://mnwrna.com
hxxp://androidbak.com
hxxp://fastdroidmob.com
hxxp://treestower.com
hxxp://aymanjoda.com
hxxp://advflameco.com
hxxp://mahmoudzuaiter.com
hxxp://libyatoda.com
hxxp://mtcpal.com
hxxp://khfamilies.com
hxxp://ch2t0.com
hxxp://dwratcom.com
hxxp://faker4.com
hxxp://orubah.com
hxxp://orchidcollege.com
hxxp://yasser-arafat.com
hxxp://wf-hall.com
hxxp://maharaty.net
hxxp://addoja.net
hxxp://arb10.com
hxxp://ajel-news.com
hxxp://rosomat.net
hxxp://sahifty.net
hxxp://looktik.com
hxxp://pstent.com
hxxp://newsmagasine.com
hxxp://gazass.com
hxxp://dooownloads.com
hxxp://androidmobgate.com
hxxp://koora-fast.com
hxxp://fitlifee.com
hxxp://share-crowd.com

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:
hxxp://atfalocom.com
hxxp://bopfile.com
hxxp://djadet.com
hxxp://ecsrs.com
hxxp://egp-gaza.com
hxxp://infoocean.net
hxxp://katakeety.com
hxxp://katakeety.net
hxxp://linefood.com
hxxp://mtcpal.net
hxxp://nawrastv.net
hxxp://shobbaik.com
hxxp://tashbik.biz
hxxp://tashbik.com
hxxp://vansac-english.com
hxxp://woodrom.com
hxxp://alfareeq.info
hxxp://tashbik.info
hxxp://cashbacksave.com
hxxp://nerab.com
hxxp://download4android.com
hxxp://altartosi.net
hxxp://fostanews.com
hxxp://silverdai.com
hxxp://selhelou.com
hxxp://albassam-co.com
hxxp://almanar-studio.com
hxxp://facekooora.com
hxxp://holylandcar.com
hxxp://qneibi.com
hxxp://shaheen-flower.com
hxxp://strong-k.com
hxxp://pioneerfoodco.com
hxxp://sinokrotex.com
hxxp://zawiaa.net
hxxp://amwwal.com
hxxp://abuamra.com
hxxp://madridista-arab.com
hxxp://donia-fm.com
hxxp://donia-fm.net
hxxp://lmasatfnya.com
hxxp://dolphinexpress1.com
hxxp://dolphinexpress1.info
hxxp://dolphinexpress1.net
hxxp://radiosurif.com
hxxp://sahaba-radio.com
hxxp://odmint.com
hxxp://ylapin.com
hxxp://ylapin.net
hxxp://mypage-pro.com
hxxp://mohdsheikh.com
hxxp://altelbany.com
hxxp://dolphinariumtours.com
hxxp://artsofali.com
hxxp://menalmuheetlelkhaleej.com
hxxp://alghaidaa.com
hxxp://ajwad-marble.com
hxxp://istakbel.com
hxxp://istaqbel.com
hxxp://istaqbil.com
hxxp://istaqbl.com
hxxp://istqbl.com
hxxp://estakbel.com
hxxp://estaqbel.com
hxxp://estaqbil.com
hxxp://estaqbl.com
hxxp://estqbl.com
hxxp://massrefy.com
hxxp://massrify.com
hxxp://amwwaly.com
hxxp://amwwaly.info
hxxp://amwwaly.net
hxxp://nawrastv.com
hxxp://stepcrm.com
hxxp://imraish.com
hxxp://zawiaa.com
hxxp://3la-kefak.com
hxxp://bsaisofamily.com
hxxp://imraish.com

Related malicious MD5s known to have participated in the campaign:
MD5: 10f27d243adb082ce0f842c7a4a3784b01f7248e
MD5: b8237782486a26d5397b75eeea7354a777bff63a
MD5: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
MD5: 9b923303f580c999f0fdc25cad600dd3550fe4e0
MD5: 0b58c883efe44ff010f1703db00c9ff4645b59df
MD5: 0a5dc47b06de545d8236d70efee801ca573115e7
MD5: 782a0e5208c3d9e8942b928857a24183655e7470
MD5: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
MD5: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Related certificates known to have participated in the campaign:
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:
MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malcious domain - hxxp://jonalbertwebsite.000webhostapp.com
MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the followin malicious domain - hxxp://192.64.114.147/apps/d/p/op.php
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious MD5s known to have participated in the campaign:
MD5: f1b709ae4fb41b32674ca8c41bfcbf7
MD5: 95a782bd8711ac14ad76b068767515d7
MD5: 5b2aac6372dea167c737b0036e1bd515
MD5: f6ffa064a492e91854d35e7f225b1313
MD5: b3e40659ae0a0852e2f6eb928d402d9d
MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious URL known to have participated in the campaign:
hxxp://bit.ly/2M7E2Zg Continue reading →

Upcoming Personal Hacking Memoir - Soliciting Feedback and Research Question

Continue reading →

Flashpoint Intel Official Web Site Serving Malware - An Analysis

UPDATE: Flashpoint Intel issued a response to my research.

UPDATE: SCMagazine picked up the story.

UPDATE: Anti-Malware.name picked up the story.

UPDATE: EnterpriseTimes picked up the story

UPDATE: Rambler News picked up the story.

It appears that Flashpoint's official Web site is currently embedded with malware-serving malicious script potentially exposing its visitors to a multi-tude of malicious software.

Original malicious URL hosting location:
hxxp://www.flashpoint-intel.com/404javascript.js
hxxp://www.flashpoint-intel.com/404testpage4525d2fdc

Related malicious URL redirection chain:
hxxp://www.flashpoint-intel.com -> hxxp://destinywall.org/redirect?type=555 - ; hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793697539 -> hxxp://search.plutonium.icu/proc.php?37ba8df02c6d  -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f -> hxxp://circultural.com/v/c3937168-5def-11e9-b07a -> hxxp://3daa61.circultural.com/l/8c579bd6-2433-11e

Second sample URL redirection chain:
hxxp://www.flashpoint-intel.com/ -> hxxp://destinywall.org/redirect?type=555&  -> hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm_medium=7710edb9b -> hxxp://search.plutonium.icu/?utm_term=66793698655 -> hxxp://search.plutonium.icu/proc.php?123dd67462ec -> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f  -> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47

Related legitimate URL known to have participated in the campaign:
hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002

Related malicious URL redirection chain:
hxxp://unanimous.live/ - 104.28.24.233- hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js
hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105

Related malicious URLs known to have participated in the campaign:
hxxp://oussercondition.tk/index/?4831537102803
hxxp://testify.newsfeed.support/esuznxifqk?c=15&amp
hxxp://impress.newsfeed.support/esuznxifqk?c=20&amp

hxxp://minently.com/RnSda/rDN3/ojdn/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e?qDo=MS_WW_AGG_Desktop&subid=6679367743860375570&ext1=1608
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lUHCfkQjLfPyHo_ZayrHiuU?ori=6x&ex=6&pbi=5cb1e1a50b08e2.738349245
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd2lRfKJxF0KvzyETF1t74kzXE?ori=6x&ex=6&pbi=5cb1e1ac8e8cd8.865930185 - 205.147.93.131
hxxp://search.plutonium.icu/?utm_term=6679367743860375570&clickverify=1&utm_content=fdc2c69a9 - 99.198.108.198
hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEclLfy6SOfF-12z43GPMrEyUTBKdtGlCYlxwB8e/_jVh7fd1kUSXfhYjK_7yHXZI1b-Xzt8?ori=6x&ex=6&pbi=5cb1e2e0ebe9a2.271109695 - 205.147.93.131
hxxp://click.monetizer-return.com/?utm_medium=f0b5c66dbbca0c7df1803313f76c9a781d4f8
e57 - 198.143.165.221
hxxp://play.superlzpre.com/red/?code=RY6GVO6HT5VM&a=6679370333725656167&pubid=1608 - 217.13.124.95

Related malicious domains known to have participated in the campaign:
hxxp://destinywall.org - 176.123.9.53
hxxp://hellofromhony.org
hxxp://hellofromhony.com
hxxp://thebiggestfavoritemake.com
hxxp://destinywall.org
hxxp://verybeatifulpear.com
hxxp://strangefullthiggngs.com
hxxp://stopenumarationsz.com

Related malicious and fraudulent IPs known to have participated in the campaign:
hxxp://onwardinated.com - 52.85.88.105; 52.85.88.202; 52.85.88.224; 52.85.88.151; 52.85.58.244; 52.85.58.217 ; 52.85.58.236 ; 52.85.58.52
hxxp://205.147.93.131
hxxp://99.198.108.198
hxxp://217.13.124.95
hxxp://143.204.247.69
hxxp://143.204.214.90

Related malicious MD5s known to have participated in the campaign:
MD5: b28e98bb6ed0e0af8ec7a2d47ca6b053
MD5: f0dfab9f9a1a7e5dc8c00222292e401e
MD5: 6b986d4bc5475af102bfff4d28a5cf50
MD5: e963ed9b5c052d02c972e449142f7946
MD5: 7dee4f221d3b3779301f4b38061d6992

Related malicious MD5s known to have participated in the campaign:
MD5: 30f6d6bd507317dbcf1708edc449c970
MD5: 437cfb417c5a6e7fc3d446dcd35203fc
MD5: e1fd735fdf97cc734ec46d2b33aac8bf
MD5: b37b7d221526faa8ffbea52626e5ac87
MD5: 821a00b057a9fabe670174eab4b28e77

Related malicious MD5s known to have participated in the campaign:
MD5: 0bb4e038ce1fecb88be583d776cfa4a0
MD5: 7197f433b0d269848ae1d1e957a9b858
MD5: 1d72d5255bd2450fb04a7a2c68ff87bd
MD5: b3722ade8c3ee908b6f82ae81ae2d748
MD5: 89ddddb5b3a88ef3d6da57c72197e0cc
MD5: 6a490bbd341db8033ec86fc771f24926
MD5: b52d0377b2f741dd20e17dfad3ca58aa
MD5: 813e84f9bd30eed6390f5ce806916f2a
MD5: 81810b6e4c89c03260a6bac4a16ef3ba
MD5: c9cb7f2ea5b8a16f4fb4246825e8a3de

Related malicious and fraudulent URLs known to have participated in the campaign:
hxxp://notifymepush.info
hxxp://101newssubspush.info
hxxp://Bestofnewssubspush.info
hxxp://Burningpush.info
hxxp://Checkadvisefriends.info
hxxp://Checksayfriends.info
hxxp://Checksuefriends.info
hxxp://Conewssubspush.info
hxxp://Enewssubspush.info
hxxp://Examinenotifyfriends.]info
hxxp://Gonewssubspush.info
hxxp://Hitnewssubspush.info
hxxp://Inewssubspush.info
hxxp://Inspectnotifyfriends.info
hxxp://Justnewssubspush.info
hxxp://Livenewssubspush.info
hxxp://Metanewssubspush.info
hxxp://Newnewssubspush.info
hxxp://Notifymepush.info
hxxp://Nunewssubspush.info
hxxp://Pushmeandtouchme.info
hxxp://Scannotifyfriends.info
hxxp://Searchnotifyfriends.info
hxxp://Testnotifyfriends.info
hxxp://Thentouchme.info
hxxp://Topnewssubspush.info
hxxp://Touchthenpush.info
hxxp://Trynewssubspush.info
hxxp://Upnewssubspush.info
hxxp://Usenotifyfriends.info
hxxp://Wenewssubspush.info

Related malicious and fraudulent domains known to have responded to 109.234.39.160:
hxxp://ivreprsident.tk
hxxp://uvrirordre.tk
hxxp://offriractivit.tk
hxxp://ermoyen.tk
hxxp://iterrisque.tk
hxxp://derchef.tk
hxxp://echance.tk
hxxp://terminerespace.tk
hxxp://rofiterami.tk
hxxp://evenirweb.tk
hxxp://nviterinformation.tk
hxxp://xemple.tk
hxxp://isercarte.tk
hxxp://airelaisserquestion.tk
hxxp://derimage.tk
hxxp://alsoutenirdomaine.tk
hxxp://arderplan.tk
hxxp://rsentermonde.tk
hxxp://marquerexprience.tk
hxxp://germatire.tk
hxxp://rerlivre.tk
hxxp://ngersource.tk
hxxp://voyercasino.tk
hxxp://onctionnerfrance.tk
hxxp://raliserpage.tk
hxxp://nterespace.tk
hxxp://ectuerpartie.tk
hxxp://erguerre.tk
hxxp://nnatrevaleur.tk
hxxp://fierargent.tk
hxxp://irmertravers.tk
hxxp://dcidertemps.tk
hxxp://irebase.tk
hxxp://inerpied.tk
hxxp://limiterprsident.tk
hxxp://resteraffaire.tk
hxxp://laisserloi.tk
hxxp://treterre.tk
hxxp://iresuite.tk
hxxp://tenirair.tk
hxxp://rganiserargent.tk
hxxp://nelchoisirhistoire.tk
hxxp://grertte.tk
hxxp://oncernerpriode.tk
hxxp://ncerchoix.tk
hxxp://mpagnercas.tk
hxxp://permesure.tk
hxxp://urirproduit.tk
hxxp://relieu.tk
hxxp://sderplan.tk
hxxp://prparerchance.tk
hxxp://hergestion.tk
hxxp://disposerpouvoir.tk
hxxp://isirtat.tk
hxxp://dercoup.tk
hxxp://frersource.tk
hxxp://suivreobjet.tk
hxxp://itteranne.tk
hxxp://anisertude.tk
hxxp://pparatrecouleur.tk
hxxp://trouverplaisir.tk
hxxp://sterenfant.tk
hxxp://ttervente.tk
hxxp://ntirgestion.tk
hxxp://rouverdveloppement.tk
hxxp://nnelfalloirchoix.tk
hxxp://merdemande.tk
hxxp://nnellireapplication.tk
hxxp://ercoup.tk
hxxp://tgrertte.tk
hxxp://moyen.tk
hxxp://duirecorps.tk
hxxp://rerespecterministre.tk
hxxp://mposerconseil.tk
hxxp://nnatrevaleur.tk
hxxp://choisirfemme.tk
hxxp://nsidreran.tk
hxxp://rderdomaine.tk
hxxp://nuerweb.tk
hxxp://attrecentre.tk
hxxp://raiterbesoin.tk
hxxp://leresprit.tk
hxxp://ontenirforme.tk
hxxp://nirfonction.tk
hxxp://chergroupe.tk
hxxp://rtte.tk
hxxp://epied.tk
hxxp://erparis.tk
hxxp://liserpouvoir.tk
hxxp://rtagertype.tk
hxxp://reconnatrefemme.tk

Related malicious and fraudulent domains known to have responded to 37.230.116.105:
hxxp://lpoursuivretat.tk
hxxp://gycazyuge.tk
hxxp://optygyty.tk
hxxp://hurevente.tk
hxxp://kofojok.tk
hxxp://expliopjipn.tk
hxxp://nijiscy.tk
hxxp://mprendreauteur.tk
hxxp://vertravers.tk
hxxp://truirefrance.tk
hxxp://lokodasre.tk
hxxp://prendrecorps.tk
hxxp://iokoivefikolf.tk
hxxp://hudabertee.tk
hxxp://larereffet.tk
hxxp://husanuie.tk
hxxp://pocokie.tk
hxxp://gysazatre.tk
hxxp://ssurercentre.tk
hxxp://iperuvre.tk
hxxp://ferfreau.tk
hxxp://poserscurit.tk
hxxp://jidytzae.tk
hxxp://jikogyda.tk
hxxp://tirsystme.tk
hxxp://thermesure.tk
hxxp://plaisijir.tk
hxxp://tyferet.tk
hxxp://irefrance.tk
hxxp://sedkorlor.tk
hxxp://serfille.tk
hxxp://ruiyrgion.tk
hxxp://permettretravers.tk
hxxp://lpouruiretat.tk
hxxp://fournirplupart.tk
hxxp://roposergenre.tk
hxxp://tircadre.tk
hxxp://reconnatrechef.tk
hxxp://oiril.tk
hxxp://enterguerre.tk
hxxp://irvaleur.tk
hxxp://irsocit.tk
hxxp://hugersoir.tk
hxxp://jokofasa.tk
hxxp://gyrecersa.tk
hxxp://ekotyfereen.tk
hxxp://kosazagerr.tk
hxxp://ioterexu.tk
hxxp://voirirguerre.tk
hxxp://stermain.tk
hxxp://kokofete.tk
hxxp://uiregy.tk
hxxp://lodokiv.tk
hxxp://nedfuheihg.tk
hxxp://koduhutr.tk
hxxp://husadere.tk
hxxp://gytedexen.tk
hxxp://jisazabyt.tk
hxxp://potycerer.tk
hxxp://lopotyre.tk
hxxp://huqerwerite.tk
hxxp://rtircouleur.tk
hxxp://tirhujmort.tk
hxxp://huderesen.tk
hxxp://expliqueren.tk
hxxp://uihytyf.tk
hxxp://ikiryve.tk
hxxp://jisazajic.tk
hxxp://hudasarete.tk
hxxp://potijife.tk
hxxp://lsejikog.tk
hxxp://gytlsentirsite.tk
hxxp://tiosuivremillion.tk
hxxp://kojerconseil.tk
hxxp://okinterlien.tk
hxxp://tenterargent.tk
hxxp://eordre.tk
hxxp://onterami.tk
hxxp://vrirvente.tk
hxxp://nerbesoin.tk
hxxp://nertiko.tk
hxxp://geolorge.tk
hxxp://gyvercherdroit.tk
hxxp://bokosabe.tk
hxxp://lsjifferde.tk
hxxp://dyjursite.tk
hxxp://lopofibut.tk
hxxp://cevoirguerre.tk
hxxp://atteindreair.tk
hxxp://ardermillion.tk
hxxp://koiterplace.tk
hxxp://travaillersite.tk
hxxp://cuperquipe.tk
hxxp://ferdplaisir.tk
hxxp://lsentirsite.tk
hxxp://tsuivremillion.tk
hxxp://eciotersystme.tk
hxxp://ortercration.tk
hxxp://koeioijfgel.tk
hxxp://ituerexemple.tk
hxxp://olravaillersant.tk
hxxp://poloeioijfgel.tk
hxxp://pliquerformation.tk
hxxp://tsortirgouvernement.tk
hxxp://vkojrguerre.tk
hxxp://kijiirraison.tk
hxxp://ndreterme.tk
hxxp://iterplace.tk
hxxp://oposerprojet.tk
hxxp://ldclarerplace.tk
hxxp://permort.tk

Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):
hxxp://click.newsfeed.support
hxxp://soprano.newsfeed.support
hxxp://clarify.newsfeed.support
hxxp://theater.newsfeed.support
hxxp://impress.newsfeed.support
hxxp://urgency.newsfeed.support
hxxp://thinker.newsfeed.support
hxxp://glasses.newsfeed.support
hxxp://qualify.newsfeed.support
hxxp://warning.newsfeed.support
hxxp://scandal.newsfeed.support
hxxp://minimum.newsfeed.support
hxxp://general.newsfeed.support
hxxp://glimpse.newsfeed.support
hxxp://extreme.newsfeed.support
hxxp://officer.newsfeed.support
hxxp://silence.newsfeed.support
hxxp://capital.newsfeed.support
hxxp://voucher.newsfeed.support
hxxp://dentist.newsfeed.support Continue reading →

Introducing Unit-123.org - Cyber Threat Intelligence Portal

Dear blog readers, I wanted to take the time and effort and introduce you to my latest project called Unit-123.org where you can find quality research articles in a variety of topics that I will be publishing on a daily basis with the idea to bring back the spirit of my editorial years and to continue spreading quality data information and knowledge to a loyal base of users and readers.

Feel free to reach me at dancho.danchev@hush.com

Stay tuned! Continue reading →