Who Wants to Support My Work Commercially?

January 25, 2022

Folks,

Who wants to dive deep into some of my latest commercially available research and stay on the top of their OSINT/cybercrime research and threat intelligence gathering game that also includes their team and organization?

Check out my latest project here, where I'm currently doing my best to guarantee and deliver approximately 12 unique articles of OSINT research and analysis on a daily basis, including the following currently active portfolio of research, which I've made available online exclusively for commercial purposes to further empower you, your team and your organization:

  • A Compilation of Currently Active and Related Scams Scammer Email Addresses – An OSINT Analysis
  • A Compilation of Currently Active Cyber Jihad Themed Personal Email Addresses – An OSINT Analysis
  • A Compilation of Currently Active Full Offline Copies of Cybercrime-Friendly Forum Communities – Direct Technical Collection Download -[RAR]
  • A Compilation of Personally Identifiable Information on Various Iran-based Hacker Groups and Lone Hacker Teams – Direct Technical Collection Download – [RAR]
  • A Koobface Botnet Themed Infographic Courtesy of my Keynote at CyberCamp – A Photo
  • Advanced Bulletproof Malicious Infrastructure Investigation – WhoisXML API Analysis
  • Advanced Mapping and Reconnaissance of Botnet Command and Control Infrastructure using Hostinger’s Legitimate Infrastructure – WhoisXML API Analysis
  • Advanced Mapping and Reconnaissance of the Emotet Botnet – WhoisXML API Analysis
  • Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran – Free Research Report
  • Astalavista Security Newsletter - 2003-2006 - Full Offline Reading Copy
  • Compilations of Personally Identifiable Information Including XMPP/Jabber and Personal Emails Belonging to Cybercriminals and Malicious Threat Actors Internationally – An OSINT Analysis
  • Cyber Intelligence – Personal Memoir – Dancho Danchev – – Download Free Copy Today!
  • Cybercriminals Impersonate Legitimate Security Researcher Launch a Typosquatting C&C Server Campaign – WhoisXML API Analysis
  • Dancho Danchev – Cyber Intelligence – Personal Memoir – Direct Download Copy Available
  • Dancho Danchev’s “A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team” Report – [PDF]
  • Dancho Danchev’s “Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran” Report – [PDF]
  • Dancho Danchev’s “Astalavista Security Group – Investment Proposal” Presentation – A Photos Compilation
  • Dancho Danchev’s “Building and Implementing a Successful Information Security Policy” White Paper – [PDF]
  • Dancho Danchev’s “Cyber Jihad vs Cyberterrorism – Separating Hype from Reality” Presentation – [PDF]
  • Dancho Danchev’s “Cyber Jihad vs Cyberterrorism – Separating Hype from Reality” – A Photos Compilation
  • Dancho Danchev’s “Exposing Koobface – The World’s Largest Botnet” Presentation – A Photos Compilation
  • Dancho Danchev’s “Exposing Koobface – The World’s Largest Botnet” Presentation – [PDF]
  • Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presentation – A Photos Compilation
  • Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presentation – [PDF]
  • Dancho Danchev’s “Intell on the Criminal Underground – Who’s Who in Cybercrime for ” Presentation – [PDF]
  • Dancho Danchev’s “Intell on the Criminal Underground – Who’s Who in Cybercrime for ?” – A Photos Compilation
  • Dancho Danchev’s – Cybercrime Forum Data Set – Free Direct Technical Collection Download Available – GB – [RAR]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
  • Dancho Danchev’s Comeback Livestream Today – Join me on Facebook Live!
  • Dancho Danchev’s CV – Direct Download Copy Available
  • Dancho Danchev’s Cybercrime Forum Data Set for – Upcoming Direct Technical Collection Download Available
  • Dancho Danchev’s Primary Contact Points for this Project – Email/XMPP/Jabber/OMEMO and PGP Key Accounts
  • Dancho Danchev’s Privacy and Security Research Compilation – Medium Account Research Compilation – [PDF]
  • Dancho Danchev’s Private Party Videos – Direct Video Download Available
  • Dancho Danchev’s Private Party Videos – Part Three – Direct Video Download Available
  • Dancho Danchev’s Private Party Videos – Part Two – Direct Video Download Available
  • Dancho Danchev’s Random Conference and Event Photos – A Compilation
  • Dancho Danchev’s Random Personal Photos and Research Photos Compilation – A Compilation
  • Dancho Danchev’s Research for Unit-.org – Direct Download Copy Available
  • Dancho Danchev’s Research for Webroot – Direct Download Copy Available
  • Dancho Danchev’s RSA Europe Conference Event Photos – A Photos Compilation
  • Dancho Danchev’s Security Articles and Research for ZDNet’s Zero Day Blog – Full Offline Copy Available – [PDF]
  • Dancho Danchev’s Security/OSINT/Cybercrime Research and Threat Intelligence Gathering Research Compilations – [PDF]
  • Dancho Danchev’s Twitter Archive – Direct Download – [ZIP]
  • Dancho Danchev’s Upcoming Cybercrime Research OSINT and Threat Intelligence Gathering E-Book Titles – Sample E-Book Covers
  • Dancho Danchev’s Video Keynote Presentation – “Exposing Koobface – The World’s Largest Botnet” – Video Download Available
  • Dancho Danchev’s Random Personal Photos and Research Photos Compilation – Part Three – A Compilation
  • Dancho Danchev’s Random Personal Photos and Research Photos Compilation – Part Two – A Compilation
  • Exposing A Virus Coding Group – An OSINT Analysis
  • Exposing a Boutique Fraudulent and Rogue Cybercrime-Friendly Forum Community – WhoisXML API Analysis
  • Exposing a Currently Active “Jabber ZeuS” also known as “Aqua ZeuS” Gang Personal Email Portfolio – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Two – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Four – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Three – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio – An OSINT Analysis
  • Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio – Part Two – An OSINT Analysis
  • Exposing a Currently Active Cyber Jihad Domain Portfolio – An OSINT Analysis
  • Exposing a Currently Active Cyber Jihad Domains Portfolio – WhoisXML API Analysis
  • Exposing a Currently Active Cyber Jihad Social Media Twitter Accounts – An OSINT Analysis
  • Exposing a Currently Active Domain Portfolio Belonging to Iran’s Mabna Hackers – An OSINT Analysis
  • Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team – WhoisXML API Analysis
  • Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally – WhoisXML API Analysis
  • Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – An OSINT Analysis
  • Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – Part Two – An OSINT Analysis
  • Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – Part Three – An OSINT Analysis
  • Exposing a Currently Active Domain Portfolio of Tech Support Scam Domains – An OSINT Analysis
  • Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of the NSA – WhoisXML API Analysis
  • Exposing a Currently Active Iran-Based Lone Hacker and Hacker Group’s Personal Web Sites Full Offline Copies – Direct Technical Collection Download – [RAR]
  • Exposing a Currently Active Kaseya Ransomware Domains Portfolio – WhoisXML API Analysis
  • Exposing a Currently Active Koobface Botnet C&C Server Domains Portfolio – Historical OSINT
  • Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – An OSINT Analysis
  • Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Two – An OSINT Analysis
  • Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Three – An OSINT Analysis
  • Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Two – An OSINT Analysis
  • Exposing a Currently Active Money Mule Recruitment Domain Registrant Portfolio – Historical OSINT
  • Exposing a Currently Active NSO Spyware Group’s Domain Portfolio – WhoisXML API Analysis
  • Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hackers and Hacking Teams and Groups – An OSINT Analysis
  • Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hackers and Hacking Teams and Groups – Part Two – An OSINT Analysis
  • Exposing a Currently Active Portfolio of Ransomware-Themed Protonmail Personal Email Address Accounts – An OSINT Analysis
  • Exposing a Currently Active Portfolio of RAT (Remote Access Tool) C&C Server IPs and Domains – An OSINT Analysis
  • Exposing a Currently Active Rock Phish Domain Portfolio – Historical OSINT
  • Exposing a Currently Active SolarWinds Rogue and Malicious C&C Domains Portfolio – An OSINT Analysis
  • Exposing a Currently Active WannaCry Ransomware Domains Portfolio – WhoisXML API Analysis
  • Exposing a Personal Photo Portfolio of Iran Hack Security Team – An OSINT Analysis
  • Exposing A Personal Photos Portfolio of Ashiyane Digital Security Group Team Members – An OSINT Analysis
  • Exposing a Personal Ransomware-Themed Email Address Portfolio – An OSINT Analysis
  • Exposing a Personal Ransomware-Themed Email Address Portfolio – Part Two – An OSINT Analysis
  • Exposing a Portfolio of Ashiyane Digital Security Team Hacking Tools – Direct Technical Collection Download – [RAR]
  • Exposing a Portfolio of Personal Photos of Iran-Based Hacker and Hacker Teams and Groups – An OSINT Analysis
  • Exposing a Rogue Domain Portfolio of Fake News Sites – WhoisXML API Analysis
  • Exposing Bulgarian Cyber Army Hacking Group – An OSINT Analysis
  • Exposing HackPhreak Hacking Group – An OSINT Analysis
  • Exposing Personally Identifiable Information on Ashiyane Digital Security Group Team Members – An OSINT Analysis
  • Exposing Random Koobface Botnet Related Screenshots – An OSINT Analysis
  • Exposing Team Code Zero Hacking Group – An OSINT Analysis
  • From the “Definitely Busted” Department – A Compilation of Personally Identifiable Information on Various Cyber Threat Actors Internationally – An OSINT Analysis – [PDF]
  • Introducing Astalavista.box.sk’s “Threat Crawler” Project – Earn Cryptocurrency for Catching the Bad Guys – Hardware Version Available
  • Introducing Dancho Danchev’s “Blog” Android Mobile Application – Google Play Version Available
  • Malware – Future Trends – Research Paper – Copy
  • Person on the U.S Secret Service Most Wanted Cybercriminals Identified Runs a Black Energy DDoS Botnet – WhoisXML API
  • Profiling a Currently Active CoolWebSearch Domains Portfolio – WhoisXML API Analysis
  • Profiling a Currently Active Domain Portfolio of Fake Job Proposition and Pharmaceutical Scam Domains – An OSINT Analysis
  • Profiling a Currently Active Domain Portfolio of Pay-Per-Install Rogue and Fraudulent Affiliate Network Domains – An OSINT Analysis
  • Profiling a Currently Active Personal Email Address Portfolio of Members of Iran’s Ashiyane Digital Security Team – An OSINT Analysis
  • Profiling a Currently Active Personal Email Addresses Portfolio Operated by Cybercriminals Internationally – An OSINT Analysis
  • Profiling a Currently Active Portfolio of Rogue and Malicious Domains – An OSINT Analysis
  • Profiling a Currently Active Portfolio of Scareware and Malicious Domain Registrants – Historical OSINT
  • Profiling a Currently Active Portfolio of Scareware Domains – Historical OSINT
  • Profiling a Currently Active Portfolio of Spam Domains that Hit ZDNet.com Circa – An OSINT Analysis
  • Profiling a Currently Active Scareware Domains Portfolio – An OSINT Analysis
  • Profiling a Money Mule Recruitment Registrant Emails Portfolio – WhoisXML API Analysis
  • Profiling a Portfolio of Cybercriminal Email Addresses – WhoisXML API Analysis
  • Profiling a Portfolio of Personal Photos Courtesy of Koobface Botnet Master Anton Korotchenko – An OSINT Analysis
  • Profiling a Portfolio of Personal Photos of Behrooz Kamalian Team Member of Ashiyane Digital Security Team – An OSINT Analysis
  • Profiling a Portfolio of Personally Identifiable OSINT Artifacts from Law Enforcement and OSINT Operation “Uncle George” – An OSINT Analysis
  • Profiling a Rogue Fast-Flux Botnet Infrastructure Currently Hosting Multiple Online Cybercrime Enterprises – WhoisXML API Analysis
  • Profiling Iran’s Hacking Scene Using Maltego – A Practical Case Study and a Qualitative Approach – An Analysis
  • Profiling Russia’s U.S Election Interference – WhoisXML API Analysis
  • Profiling the “Jabber ZeuS” Rogue Botnet Enterprise – WhoisXML API Analysis
  • Profiling the Emotet Botnet C&C Infrastructure – An OSINT Analysis
  • Profiling the Internet Connected Infrastructure of the Individuals on the U.S Sanctions List – WhoisXML API Analysis
  • Profiling the Liberty Front Press Network Online – WhoisXML API Analysis
  • Profiling the U.S Election Interference – An OSINT Analysis
  • Random Photos from the “Lab” Circa up to Present Day – A Compilation
  • Sample Random Cybercrime Ecosystem Screenshots – A Compilation of Images – Direct Technical Collection Download – An Analysis
  • Sample Random Cybercrime Ecosystem Screenshots – A Compilation of , Images – An Analysis
  • Sample Random Cybercrime Ecosystem Screenshots – A Compilation of , Images – An Analysis
  • Sample Random Cybercrime Ecosystem Screenshots – A Compilation of Images – An Analysis
  • Security Researchers Targeted in Spear Phishing Campaign – WhoisXML API Analysis
  • Shots from the Wild West – Random Cybercrime Ecosystem Screenshots – An OSINT Analysis – Part Three
  • The Pareto Botnet – Advanced Cross-Platform Android Malware Using Amazon AWS Spotted in the Wild – WhoisXML API Analysis
  • Who’s Behind the Conficker Botnet? – WhoisXML API Analysis
  • Who’s on Twitter?

 Stay tuned!


Exposing a Portfolio of Pay Per Install Rogue and Fraudulent and Malicious Affiliate Network Domains - An OSINT Analysis

January 24, 2022

 
Dear blog readers,

I've decided to share with everyone an in-depth historical OSINT analysis of some of the primary pay-per-install rogue, fraudulent and malicious affiliate networks, the revenue-sharing schemes operated by malicious software gangs that are known to have been active back in 2008, with the idea of assisting everyone in their cyber campaign attribution efforts.

A sample portfolio of pay-per-install rogue, fraudulent and malicious affiliate network domains known to have been in operation in 2008 includes:

vipsoftcash[.]com
iframevip[.]com
avicash[.]com
softmonsters[.]biz
cashboom[.]biz
loader[.]cc
luxecash[.]com
iframepartners[.]com
installsforyou[.]biz
topsale2[.]ru
cashcodec[.]com
go-go-cash[.]com
oxocash[.]com
3xl-cash2[.]com
3xlpartnership[.]com
installs4sale[.]com
profitclick[.]org
megatraffer[.]com
oemcash[.]com
goldencashworld[.]biz
topsale[.]us
installsmarket[.]com
profit-cash[.]biz
ADWSearch[.]com
ovocash[.]com
loadsprofit[.]com
exerevenue[.]com
adwaredollars[.]com
yabucks[.]com
installing[.]cc
installconverter[.]com
topsale[.]us
bakasoftware[.]com
goldencashworld[.]net
niftystats[.]com
niftystats[.]com
royal-cash[.]com
dogmasoftware[.]com
3xlsoftware[.]com
rashacash[.]com
3xltop[.]com
vipinstall[.]cn
installercash[.]com
spicycodec[.]com
softwareprofit[.]com
codecmoney[.]biz
trafcash[.]com
smilecash[.]biz
bucksloads[.]com
traffic-converter[.]biz
eupays[.]com
seocash[.]us
vipppc[.]ru
cashwrestler[.]com
VipSoftCash[.]com
vscstatistics[.]com
vipsoftcashstats[.]com
Spy-Partners[.]com
vippirog[.]com
cashbotnet[.]com
installsforyou[.]biz
profit-cash[.]biz
bestcash[.]biz
VisitPay[.]com
partnerka[.]com
spy-partners[.]com
download4money[.]com
luxecash[.]net
iframe911[.]com
LOADBUCKS[.]BIZ
Cashpanic[.]com
longbucks[.]com
drugrevenue[.]com
evapharmacy[.]ru
bucksloads[.]com
spydevastator[.]com
softcash[.]org
3xlsoftware[.]com
rashacash[.]com
3xlcash[.]com
spicycodec[.]com
buckster[.]ru
trafficconverter2[.]biz
bucksware[.]com
bucksware-admin[.]com
mac-codec[.]com
traffic-converter[.]biz
klikadult[.]com
goldencash[.]com
payperinstall[.]org
pay-per-install[.]com
pay-per-install[.]org
zangocash[.]com
iframebiz[.]com
webmaster-money[.]org
cash4toolbar[.]com
toolbar4cash[.]com
bluechillies[.]com
adwaredollars[.]com
iframestat[.]org
snapinstalls[.]com
installercash[.]com
installcash[.]org
earnperinstall[.]com
dollarsengine[.]com
installercash[.]com
vombacash[.]com
softahead[.]com
iframestat[.]org
antispy[.]ws
sexprofit[.]com
evapharmacy-login[.]biz
vipsoftcash[.]com
glavmed[.]com

Sample name servers known to have been used by the same rogue fraudulent and malicious pay per install affiliate network domains include:

ns1[.]cgymwmlcaa[.]com A 85[.]17[.]136[.]135
ns1[.]cdpvaqnlod[.]com A 85[.]17[.]136[.]135
ns1[.]ccytvpbsdg[.]com A 85[.]17[.]136[.]135
ns1[.]cbfkzhtyik[.]com A 85[.]17[.]136[.]135
ns1[.]cezqtessjo[.]com A 85[.]17[.]136[.]135
ns1[.]cfsiqejclo[.]com A 85[.]17[.]136[.]135
ns1[.]catjepzcft[.]com A 85[.]17[.]136[.]135
ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135
ns1[.]dglcxlcfmk[.]net A 85[.]17[.]136[.]135
ns1[.]damqrgldev[.]net A 85[.]17[.]136[.]135
ns1[.]dfhatnjfjw[.]net A 85[.]17[.]136[.]135
ns1[.]ddzmuatncz[.]net A 85[.]17[.]136[.]135

ns1[.]cgymwmlcaa[.]com A 72[.]232[.]184[.]10
ns1[.]cdpvaqnlod[.]com A 72[.]232[.]184[.]10
ns1[.]ccytvpbsdg[.]com A 72[.]232[.]184[.]10
ns1[.]cbfkzhtyik[.]com A 72[.]232[.]184[.]10
ns1[.]cezqtessjo[.]com A 72[.]232[.]184[.]10
ns1[.]cfsiqejclo[.]com A 72[.]232[.]184[.]10
ns1[.]chyaicpvxo[.]com A 72[.]232[.]184[.]10
ns1[.]catjepzcft[.]com A 72[.]232[.]184[.]10
ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10
ns1[.]dcorbtfyni[.]net A 72[.]232[.]184[.]10
ns1[.]dglcxlcfmk[.]net A 72[.]232[.]184[.]10
ns1[.]detjstniup[.]net A 72[.]232[.]184[.]10
ns1[.]damqrgldev[.]net A 72[.]232[.]184[.]10
ns1[.]dfhatnjfjw[.]net A 72[.]232[.]184[.]10
ns1[.]dbsjxuvijx[.]net A 72[.]232[.]184[.]10
ns1[.]ddzmuatncz[.]net A 72[.]232[.]184[.]10

cgymwmlcaa[.]com A 195[.]2[.]253[.]247
cezqtessjo[.]com A 195[.]2[.]253[.]247
cfsiqejclo[.]com A 195[.]2[.]253[.]247
chyaicpvxo[.]com A 195[.]2[.]253[.]247
cdpvaqnlod[.]com A 195[.]2[.]253[.]246
ccytvpbsdg[.]com A 195[.]2[.]253[.]246
cbfkzhtyik[.]com A 195[.]2[.]253[.]246
catjepzcft[.]com A 195[.]2[.]253[.]246

http://catjepzcft[.]com
http://catjepzcft[.]com
http://damqrgldev[.]net
http://catjepzcft[.]com 
http://damqrgldev[.]net

catjepzcft[.]com

damqrgldev[.]net  195[.]2[.]253[.]248  
dcorbtfyni[.]net A 195[.]2[.]253[.]248
damqrgldev[.]net A 195[.]2[.]253[.]248
dbsjxuvijx[.]net A 195[.]2[.]253[.]248
ddzmuatncz[.]net A 195[.]2[.]253[.]248

dhxkycjmrg[.]net A 195[.]2[.]253[.]249
dglcxlcfmk[.]net A 195[.]2[.]253[.]249
detjstniup[.]net A 195[.]2[.]253[.]249
dfhatnjfjw[.]net A 195[.]2[.]253[.]249

dhxkycjmrg[.]net NS ns1[.]dhxkycjmrg[.]net
ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10
ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135
dcorbtfyni[.]net NS ns1[.]dhxkycjmrg[.]net
dglcxlcfmk[.]net NS ns1[.]dhxkycjmrg[.]net
detjstniup[.]net NS ns1[.]dhxkycjmrg[.]net
damqrgldev[.]net NS ns1[.]dhxkycjmrg[.]net
dfhatnjfjw[.]net NS ns1[.]dhxkycjmrg[.]net
dbsjxuvijx[.]net NS ns1[.]dhxkycjmrg[.]net
ddzmuatncz[.]net NS ns1[.]dhxkycjmrg[.]net
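The records above are only useful once you pivot on them: the value of a passive-DNS dump like this is that unrelated-looking domains share the same name server (ns1[.]dhxkycjmrg[.]net) or the same handful of IPs (195[.]2[.]253[.]246 through [.]249), which is what ties the portfolio together. The following Python is an added example, not code from the post; the record lines are a constructed subset of the records listed above (the same domains, name servers and IPs, in the same defanged form, including one line without a record type and one with irregular spacing), and the function names (`refang`, `parse_records`, `build_pivots`, `shared_infrastructure`) are my own.

```python
"""Pivot on shared DNS infrastructure from defanged passive-DNS style records.

Added example; the record lines below are constructed from the records listed
in the post above (domains, name servers and IPs are the post's, not new ones).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the post's records, in the same defanged form,
# including one line without a record type and one with irregular spacing.
SAMPLE_RECORDS = """
ns1[.]cgymwmlcaa[.]com A 85[.]17[.]136[.]135
ns1[.]dhxkycjmrg[.]net A 85[.]17[.]136[.]135
ns1[.]dhxkycjmrg[.]net A 72[.]232[.]184[.]10
cgymwmlcaa[.]com  A  195[.]2[.]253[.]247 
cezqtessjo[.]com  A  195[.]2[.]253[.]247 
cdpvaqnlod[.]com  A  195[.]2[.]253[.]246 
damqrgldev[.]net  195[.]2[.]253[.]248  
dcorbtfyni[.]net A 195[.]2[.]253[.]248
dhxkycjmrg[.]net NS ns1[.]dhxkycjmrg[.]net
dcorbtfyni[.]net NS ns1[.]dhxkycjmrg[.]net
damqrgldev[.]net NS ns1[.]dhxkycjmrg[.]net
"""


def refang(token: str) -> str:
    """Turn the blog's defanged notation ('[.]', 'hxxp://') back into a real name."""
    token = token.strip().lower()
    token = re.sub(r"^hxxps?://", "", token)
    return token.replace("[.]", ".")


def is_ipv4(value: str) -> bool:
    """True if the (refanged) value parses as an IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def parse_records(text: str):
    """Yield (name, rtype, value) triples; infer 'A' when the type column is missing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            name, rtype, value = parts
            rtype = rtype.upper()
        elif len(parts) == 2:
            # Lines like 'damqrgldev[.]net 195[.]2[.]253[.]248' carry no type.
            name, value = parts
            rtype = "A" if is_ipv4(refang(value)) else "NS"
        else:
            continue
        yield refang(name), rtype, refang(value)


def build_pivots(text: str):
    """Map each IP and each name server to the set of names pointing at it."""
    by_ip = defaultdict(set)
    by_ns = defaultdict(set)
    for name, rtype, value in parse_records(text):
        if rtype == "A":
            by_ip[value].add(name)
        elif rtype == "NS":
            by_ns[value].add(name)
    return dict(by_ip), dict(by_ns)


def shared_infrastructure(text: str, minimum: int = 2):
    """Return only the pivots (IPs or name servers) linking at least `minimum` names."""
    by_ip, by_ns = build_pivots(text)
    clusters = {}
    for key, names in list(by_ip.items()) + list(by_ns.items()):
        if len(names) >= minimum:
            clusters[key] = sorted(names)
    return clusters


if __name__ == "__main__":
    for key, names in sorted(shared_infrastructure(SAMPLE_RECORDS).items()):
        print(f"{key}: {', '.join(names)}")
```

Run as-is it reports the four pivots present in the sample (two shared IPs on the 195[.]2[.]253 block, the shared glue IP 85[.]17[.]136[.]135, and the shared name server); feeding it the full record list from the post, or a fresh passive-DNS export in the same shape, gives the complete set of overlaps. The single-IP entries are dropped on purpose, since a lone resolution is not a pivot.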

Related pay-per-install rogue, fraudulent and malicious domains known to have been used back in 2008 for various rogue, fraudulent and malicious purposes include:

drawn-cash[.]com
vippay[.]com
bucksware-admin[.]com
www[.]system-protector[.]net
sys-scan-1[.]biz
sys-scan-wiz[.]biz
topsale2[.]ru
earning4u[.]com
flashdollars[.]com
installing[.]cc
siteload[.]cn A 94[.]247[.]2[.]54
hostnsload[.]cn
siteinstall[.]cn
hostnsinstall[.]cn
jjupsport[.]ru
installz[.]cn
adware-help[.]com
fliporn[.]com
dailybucks[.]org
installloader[.]com
installaga[.]cn
georgenatas[.]in
naemnitibo[.]in
tirosanare[.]in
mialo-goodle[.]info
nailcash[.]com
ultraantivirus2009[.]com
nailcash[.]com  A  64[.]86[.]17[.]9 
virusalarmpro[.]com  A  64[.]86[.]17[.]9 
vmfastscanner[.]com  A  64[.]86[.]17[.]9 
mysuperviser[.]com  A  64[.]86[.]17[.]9 
virusmelt[.]com  A  64[.]86[.]17[.]9 
payvirusmelt[.]com  A  64[.]86[.]17[.]9 
updvmfnow[.]cn  A  64[.]86[.]17[.]9 
mysupervisor[.]net  A  64[.]86[.]17[.]9

Related personal email accounts known to have been used to register various related pay-per-install rogue, fraudulent and malicious affiliate network domains include:

pvc6168@sina[.]com
windinv@yahoo[.]com
new@loveplus[.]in
johnson8402@post[.]com
lmunozv1@live[.]com
ididid828@gmail[.]com
onlineprivacy@aol[.]com
alex@bnetworks[.]us
milen[.]radumilo@gmail[.]com
ztao72945@gmail[.]com
redsunray@hotmail[.]com
WINDINV@YAHOO[.]COM
tvmt2000@yahoo[.]com
325214476@qq[.]com
adxluxe@gmail[.]com
SexPicker@gmail[.]com
domainaccount@protonmail[.]com
ancientholdings@fastmail[.]fm
newseowork12@gmail[.]com
oem[.]myrian@gmail[.]com
229848501@qq[.]com
bdmailhere@gmail[.]com
danny9@gmail[.]com
phone49012@yahoo[.]com
miok2001@mail[.]ru
zuev@cmedia-online[.]ru
daniel[.]bastien@gmail[.]com
domainadmin1900@gmail[.]com
larsonown@gmail[.]com
ppcseo2@gmail[.]com
sima[.]jogminaite@inbox[.]lt
topsaleus@gmail[.]com

Stay tuned!
January 24, 2022

This presentation aims to detail Dancho Danchev's perspective on gathering threat intelligence, processing it, enriching it and disseminating it to users, vendors and organizations globally, relying heavily on a threat intelligence "rock star" model and methodology. The ultimate goal of this case study is to take down Iran-based hackers and hacking groups and their entire online operations, attempting to shut them down and take them offline by citing possible malicious use and actual abuse of international Internet laws and regulations, and ultimately to make an impact in terms of tracking them down and offering never-before-published personally identifiable information on their whereabouts and malicious online activities.


Exposing the Internet-Connected Infrastructure of the REvil Ransomware Gang - An In-Depth OSINT Analysis

January 24, 2022

Dear blog readers,

In this post I've decided to do an in-depth OSINT analysis of the recently busted REvil ransomware gang, and to elaborate on and emphasize one key fact in particular: how a single ransomware group with several publicly accessible and easy-to-shut-down C&C (command and control) server domains, including several randomly generated Dark Web Onion URLs, could easily result in millions in damage. Who could really have foreseen that a situation where victims pay for getting hacked, in violation of the basic principle that you should never interact with cybercriminals but should instead passively and proactively monitor them, would result in today's modern and unspoken ransomware growth epidemic and the rise of misleading buzzwords such as "ransomware-as-a-corporation", where the bad guys obtain initial access to an organization's network and then hold its information hostage through encryption? This leads to the logical question of who on Earth would pay millions of dollars to avoid possible reputation damage, thereby fueling the growth of a rogue and fraudulent scheme such as the encryption of sensitive company information and leaking it to the public in exchange for financial rewards.


Sample REvil ransomware gang publicly accessible C&C (command and control) servers include:
hxxp://decoder[.]re
hxxp://decryptor[.]cc - 136[.]243[.]214[.]30; 45[.]138[.]74[.]27
hxxp://decryptor[.]top

Related name servers known to have been used in the campaign include:
hxxp://1-you[.]njalla[.]no
hxxp://3-get[.]njalla[.]fo
hxxp://2-can[.]njalla[.]in
hxxp://1-you[.]njalla[.]no

Related responding IPs for hxxp://decryptor[.]cc:

2021/12/30 - 103[.]224[.]212[.]219
2021/10/23 - 198[.]58[.]118[.]167
2021/10/23 - 45[.]79[.]19[.]196
2021/10/23 - 45[.]56[.]79[.]23
2021/10/23 - 45[.]33[.]18[.]44
2021/10/23 - 72[.]14[.]178[.]174
2021/10/23 - 45[.]33[.]2[.]79
2021/10/23 - 45[.]33[.]30[.]197
2021/10/23 - 96[.]126[.]123[.]244
2021/10/23 - 45[.]33[.]23[.]183
2021/10/23 - 173[.]255[.]194[.]134
2021/10/23 - 45[.]33[.]20[.]235
2021/10/23 - 72[.]14[.]185[.]43
2021/10/08 - 78[.]41[.]204[.]37
2021/10/03 - 209[.]126[.]123[.]12
2021/09/24 - 78[.]41[.]204[.]28
2021/09/03 - 209[.]126[.]123[.]13
2021/08/19 - 78[.]41[.]204[.]38
2021/08/02 - 81[.]171[.]22[.]4
2021/07/27 - 81[.]171[.]22[.]6
2021/04/17 - 103[.]224[.]212[.]219
2020/11/10 - 45[.]138[.]74[.]27
2020/11/04 - 45[.]138[.]74[.]27
2020/09/14 - 136[.]243[.]214[.]30
2020/09/06 - 136[.]243[.]214[.]30
2020/08/30 - 212[.]22[.]78[.]23
2020/08/23 - 212[.]22[.]78[.]23
2020/07/30 - 212[.]22[.]78[.]23
2020/07/24 - 212[.]22[.]78[.]23
2020/07/07 - 212[.]22[.]78[.]23
2020/05/30 - 193[.]164[.]150[.]68
2020/05/20 - 193[.]164[.]150[.]68
2020/05/10 - 194[.]36[.]190[.]41
2020/05/08 - 194[.]36[.]190[.]41
2020/04/29 - 194[.]36[.]190[.]41
2020/04/06 - 194[.]36[.]190[.]41
2020/02/17 - 94[.]103[.]87[.]78

Related responding IPs for hxxp://decryptor[.]top (185[.]193[.]127[.]162; 192[.]124[.]249[.]13; 96[.]9[.]252[.]156):

2021/07/12 - 45[.]9[.]148[.]108
2020/09/18 - 185[.]193[.]127[.]162
2020/09/15 - 185[.]193[.]127[.]162
2020/08/07 - 185[.]193[.]127[.]162
2020/01/16 - 162[.]251[.]120[.]66
2019/12/23 - 45[.]138[.]96[.]206
2019/12/12 - 107[.]175[.]217[.]162
2019/10/07 - 96[.]9[.]252[.]156
2019/09/04 - 96[.]9[.]252[.]156
2019/07/15 - 91[.]214[.]71[.]139

Related MD5s known to have been involved in the campaign:

MD5: 57d4ea7d1a9f6b1ee6b22262c40c8ef6
MD5: fe682fad324bd55e3ea9999abc463d76
MD5: e87402a779262d1a90879f86dba9249acb3dce47
MD5: 4334009488b277d8ea378a2dba5ec609990f2338
MD5: 2dccf13e199b60dd2cd52000a26f8394dceccaa6
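Two things a practitioner will want to do with the indicators above before loading them into a blocklist or a hunt: collapse the dated resolution history into a first-seen/last-seen window per IP (so that a hit on 212[.]22[.]78[.]23 is read against the mid-2020 period in which it actually served decryptor[.]cc), and sanity-check the hash list, since three of the five digests are 40 hex characters long, which is SHA-1 length rather than the 32 hex characters of an MD5. The Python below is an added example and not code from the post; the timeline and hash lines are constructed subsets of the entries listed above, and the function names (`parse_timeline`, `resolution_windows`, `classify_hashes`) are my own.

```python
"""Summarize the dated resolution history and sanity-check the hash list above.

Added example, not the post's own code. The sample lines are constructed from a
subset of the entries listed in the post (dates, IPs and digests are the post's).
"""
import re
from collections import defaultdict
from datetime import date

# Constructed subset of the 'Related responding IPs for decryptor[.]cc' list.
SAMPLE_TIMELINE = """
2021/12/30 - 103[.]224[.]212[.]219
2021/10/23 - 198[.]58[.]118[.]167
2021/04/17 - 103[.]224[.]212[.]219
2020/11/10 - 45[.]138[.]74[.]27
2020/11/04 - 45[.]138[.]74[.]27
2020/09/14 - 136[.]243[.]214[.]30
"""

# Constructed subset of the hash list; the post labels every entry as MD5.
SAMPLE_HASHES = """
MD5: 57d4ea7d1a9f6b1ee6b22262c40c8ef6
MD5: e87402a779262d1a90879f86dba9249acb3dce47
"""

TIMELINE_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})\s*-\s*(\S+)$")

# Digest length (hex characters) to the algorithm that produces it.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def refang(token: str) -> str:
    """Turn '[.]' back into '.' so the value can be compared with live data."""
    return token.strip().lower().replace("[.]", ".")


def parse_timeline(text: str):
    """Return (date, ip) pairs from lines of the form 'YYYY/MM/DD - ip'."""
    out = []
    for line in text.splitlines():
        m = TIMELINE_RE.match(line.strip())
        if m:
            y, mo, d, ip = m.groups()
            out.append((date(int(y), int(mo), int(d)), refang(ip)))
    return out


def resolution_windows(text: str):
    """Per IP: (first seen, last seen, observation count), ordered oldest first."""
    seen = defaultdict(list)
    for day, ip in parse_timeline(text):
        seen[ip].append(day)
    windows = {ip: (min(days), max(days), len(days)) for ip, days in seen.items()}
    return dict(sorted(windows.items(), key=lambda kv: kv[1][0]))


def classify_hashes(text: str):
    """For each 'LABEL: hexdigest' line, infer the algorithm from the digest length.

    Returns (digest, stated label, inferred algorithm, label matches) tuples.
    """
    results = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, digest = (p.strip() for p in line.split(":", 1))
        digest = digest.lower()
        if not re.fullmatch(r"[0-9a-f]+", digest):
            inferred = "not-hex"
        else:
            inferred = HEX_DIGEST_LENGTHS.get(len(digest), f"unknown-{len(digest) * 4}-bit")
        results.append((digest, label, inferred, label.upper() == inferred.upper()))
    return results


if __name__ == "__main__":
    for ip, (first, last, count) in resolution_windows(SAMPLE_TIMELINE).items():
        print(f"{ip}: {first} to {last} ({count} observations)")
    for digest, label, inferred, ok in classify_hashes(SAMPLE_HASHES):
        print(f"{digest}: labelled {label}, looks like {inferred}{'' if ok else ' (mismatch)'}")
```

The windows are what you would attach to each IP as "valid from/until" metadata in a threat-intelligence platform instead of blocking the address indefinitely; the hash check is cheap insurance against importing a SHA-1 into an MD5 field, where it would silently never match.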

Stay tuned!


Inquire About One-on-One or One-to-Many Virtual OSINT Training Today!

January 23, 2022


Folks,

Who's been following my work on this blog since December, 2005? Are you interested in OSINT training? One-on-one or one-to-many sessions? Drop me a line today at dancho.danchev@hush.com on behalf of you or your organization or team and let's help you take your team and organization to the next level.

A sample portfolio of the services I'm currently offering can also be seen here - https://disruptive-individuals.com, including a copy of my CV here and the following two samples of my work here and here.

Check out some sample chapters from a free book on cyber attribution that I'm currently working on to get a better idea of what I have in mind including my style and methodology:

Stay tuned!


My Participation in GCHQ's Top Secret "Lovely Horse" Program to Monitor Hackers Online - An Elaboration

January 23, 2022

Dear blog readers,

Did you know that you can actually find me in Snowden's archive by simply searching for my name? It will eventually lead you to a GCHQ Top Secret lawful surveillance program to monitor hackers online, and specifically their Twitter accounts.

Check out the following Medium article where I do my best to elaborate on my participation in the Top Secret GCHQ Program "Lovely Horse".

Stay tuned!


Profiling the Blood and Honor Online Hate Group - An OSINT Analysis

January 23, 2022


As it's been a while since I last posted a quality update, I wanted to take the time and effort to elaborate on a current project of mine, the "International OSINT Journal Compilation on Online Terrorism, Hate and Militarized Social Movements", which aims to expose and offer a large amount of information on currently active online terrorism, hate and militarized social movements, including actionable information on their online infrastructure.


In this post I'll elaborate more and offer actionable intelligence on the online infrastructure of the Blood and Honor hate group with the idea to help you get a better perspective of their online infrastructure and possibly assist you in your cyber campaign attribution efforts.

Sample personal email address accounts belonging to Blood and Honor International Groups include:

bloodandhonouraustralis@hotmail[.]com
bloodhonournsw@hotmail[.]com
bloodhonoursa@hotmail[.]com
bloodhonourqld@hotmail[.]com
bloodhonourvic@hotmail[.]com
bloodhonourwa@hotmail[.]com
bhvlaanderen@hotmail[.]com
bh_wallonie@hotmail[.]com
bloodandhonour_bulgaria@abv[.]bg
bandhcanada@yahoo[.]co[.]uk
bhhexagone@hotmail[.]fr
bh_hellas@yahoo[.]gr
support_28_zh@hotmail[.]com
nederland@bloodhonournederland[.]com
bloodandhonourhungary28@gmail[.]com
isdm2010@gmail[.]com
vfs@libero[.]it
bhportugal28@yahoo[.]com
brotherhood28serbia@hotmail[.]com
28slov@gmail[.]com
bhe_bloodhonour@yahoo[.]es
28sweden@hotmail[.]se
ehukraine@bhukraine[.]org
RAGEN[.]FURY@VIRGIN[.]NET
axis@bloodandhonourworldwide[.]co[.]uk
southlands28@hotmail[.]com
westcountrybloodandhonour@yahoo[.]co[.]uk
wycombe828@yahoo[.]com
bandhcentral@bloodandhonourcentral[.]co[.]uk
westmidsbandh@yahoo[.]co[.]uk
bnsm@bnsm[.]co[.]uk
general@bloodandhonourworldwide[.]co[.]uk
webmaster@bloodandhonourworldwide[.]co[.]uk
s[.]london-bh@hotmail[.]co[.]uk
bloodandhonour[.]yorkshire@hotmail[.]co[.]uk
northeast1488@hotmail[.]co[.]uk
highlanderdivision28@hotmail[.]co[.]uk
highlander[.]eastcoast@hotmail[.]com
bhamericandivision@yahoo[.]com
bhwales@googlemail[.]com
ulsterbg@hotmail[.]co[.]uk

Sample screenshots of the Blood and Honor Bulgaria logo include:

Stay tuned!

An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law Enforcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis

January 22, 2022

Folks,

Check this out! An image is worth a thousand words.

Related Facebook profile IDs known to have been involved in the case:

https://www.facebook.com/profile.php?id=100005932519460 - Birthdate - 1976 - July 12

https://www.facebook.com/profile.php?id=100030506870037 - Birthdate - 1964 - August 21


Exposing the Pay Per Install (PPI) Underground Market Fraudulent and Rogue Business Model - A Photos Compilation

January 20, 2022

Dear blog readers,

I've decided to share with everyone a photos compilation which I obtained and actually collected back in 2008 using Technical Collection, for the purpose of demonstrating the basics of the pay-per-install fraudulent and rogue underground market business model, with the idea of improving situational awareness in the field of researching the pay-per-install underground business model.

Sample photos from the Pay Per Install Rogue and Fraudulent Underground Market Business Model compilation:

Stay tuned!