What Are Koobface Botnet Masters Leded (Ded Mazai) and KrotReal (Anton Nikolaevich Korotchenko, Антон Николаевич Коротченко) Up To?

January 01, 2025

Dear blog readers,

In this post I'll share some recent actionable intelligence on the Koobface botnet masters Leded (Ded Mazai) and KrotReal (Anton Nikolaevich Korotchenko, Антон Николаевич Коротченко).

Leded's primary email address: mrpinkesq@yahoo.com

Primary domains: hxxp://moblave.com; hxxp://mobpaty.com

Related domain registrations:

hxxp://xmob-erotic.com
hxxp://xerotic-mob.com
hxxp://kinozal3d.com
hxxp://mob-vids.com
hxxp://mob-dating.net
hxxp://mob-dating.com
hxxp://mob-dating.org
hxxp://mobcelebrity.net
hxxp://mobcelebrity.org
hxxp://tube4mob.com
hxxp://mob-ka-next.com
hxxp://mljsprivate.biz
hxxp://xmusic-mp3.com
hxxp://z-erovideo.com
hxxp://z-kinozal3d.com
hxxp://eromfpre.com
hxxp://x-onlinekino.com
hxxp://mp3prosto.com
hxxp://prostofiles.com
hxxp://online-kinoteatr.biz
hxxp://mobile-vista.org
hxxp://perfect-erotic.org
hxxp://cool-erotic.org
hxxp://super-erotic.org
hxxp://amazing-erotic.org
hxxp://good-erotic.org
hxxp://nice-erotic.org
hxxp://getgdz.net
hxxp://v2mlcelery.com
hxxp://mob-ka.com
hxxp://salosbros.com
hxxp://horomob.com
hxxp://horomob.net
hxxp://horomob.org
hxxp://erotic-mobile.com
hxxp://android-igru.biz
hxxp://rusx.mobi
hxxp://horomob.biz
hxxp://mtswapservice.com

Sample photos of Leded (images not reproduced here).

Additional related domain registrations:
hxxp://v2mlemerald.com
hxxp://v2mllavender.com
hxxp://v2mlmint.com
hxxp://mobcelebrity.com
hxxp://tube4mob.com
hxxp://mob-dating.com
hxxp://mobpaty.com
hxxp://mob-vids.com
hxxp://mobcelebrity.org
hxxp://mob-tube.com
hxxp://mob-dating.org
hxxp://mob-ka.org
hxxp://top-ero.org
hxxp://top-files.org
hxxp://top-films.org
hxxp://top-girls.org
hxxp://top-musics.org
hxxp://moblave.com
hxxp://mob-dating.net
hxxp://mobcelebrity.net
hxxp://mob-ka-next.com
hxxp://v2mlaqua.com
hxxp://v2mlamber.com
hxxp://v2mlamethyst.com
hxxp://x-onlinekino.com
hxxp://v2mlpurple.com
hxxp://z-kinozal3d.com
hxxp://z-erovideo.com
hxxp://xmusic-mp3.com
hxxp://v2mlorange.com
hxxp://v2mlgrey.com
hxxp://mobile-vista.org
hxxp://perfectgirlsmobile.org
hxxp://v2mljs.org
hxxp://v2mlviolet.com
hxxp://v2mlmagenta.com
hxxp://badabooom.com
hxxp://horomob.com
hxxp://mob-ka.com
hxxp://horomob.net
hxxp://horomob.org
hxxp://mob-ka.net
hxxp://getgdz.net
hxxp://peretrax-js.com
hxxp://xmob-erotic.com
hxxp://xerotic-mob.com
hxxp://mobpaty.org
hxxp://v2mlblack.biz
hxxp://v2mlbrown.com
hxxp://v2mlyellow.com
hxxp://v2mlpink.org
hxxp://v2mltraffer.org
hxxp://v2mlgreen.org
hxxp://v2mljsbs.org
hxxp://eroticvideo.biz
hxxp://v2mlblue.org
hxxp://no-day.com
hxxp://mp3prosto.com
hxxp://v2mlred.com
hxxp://prostofiles.com
hxxp://ero-film.com
hxxp://peretrax.com
hxxp://fustmove.com
hxxp://mtswapservice.com
hxxp://kinozal3d.com
hxxp://pillowerotic.com
hxxp://erotic-mobile.com
hxxp://android-igru.biz
hxxp://online-kinoteatr.biz
hxxp://ml404js.biz
hxxp://android-mobile.biz
hxxp://cool-erotic.org
hxxp://good-erotic.org
hxxp://super-erotic.org
hxxp://beautiful-erotic.org
hxxp://your-tree.org
hxxp://beautifulerotic.net
hxxp://sweet-erotic.org
hxxp://amazing-erotic.org
hxxp://nice-erotic.org
hxxp://ml18js.org
hxxp://ml-15-js.org
hxxp://ml19js.org
hxxp://mlvjs19.org
hxxp://m-dating.org
hxxp://perfect-erotic.org
hxxp://adultvideoxxx.org
hxxp://apk-ml.org
hxxp://mega-erotic.org
hxxp://russiangirlsvideo.org
hxxp://erovideoclip.com
hxxp://salosbros.com
hxxp://gdz2014.org
hxxp://horomob.biz
hxxp://ml13js.biz
hxxp://ml12js.biz
hxxp://mljsprivate.biz
hxxp://mljs14.biz
hxxp://mob-xxx.biz
hxxp://ero-video.biz
hxxp://mljs16.biz
hxxp://ml17js.biz
hxxp://rusx.mobi

Sample screenshots from The United Club Of Adult Web Masters in St. Petersburg (images not reproduced here).

Exposing the Rogue Cyberheaven Compromised Chrome VPN Extensions Ecosystem - An Analysis

January 01, 2025

Here we go. It appears that the individuals behind the successful compromise of the Cyberhaven VPN Chrome extensions are currently busy with, or at least have in the works, several other upcoming campaigns targeting other vendors of Chrome VPN extensions.

The first example is hxxp://censortracker.pro, which apparently aims to impersonate the legitimate censortracker.org (hxxp://censortracker.org).

Related domains:

hxxp://cyberhavenext.pro - 149.28.124.84
hxxp://api.cyberhaven.pro - 149.248.2.160

Parked at 149.28.124.84:
hxxp://graphqlnetwork.pro
hxxp://yescaptcha.pro
hxxp://iobit.pro
hxxp://videodownloadhelper.pro
hxxp://uvoice.live
hxxp://castorus.info
hxxp://bookmarkfc.info
hxxp://cyberhavenext.pro
hxxp://parrottalks.info
hxxp://primusext.pro
hxxp://yujaverity.info
hxxp://internxtvpn.pro
hxxp://censortracker.pro
hxxp://vpncity.live
hxxp://wayinai.live
hxxp://moonsift.store
hxxp://readermodeext.info
hxxp://ext.linewizeconnect.com
hxxp://ussc.intl.justalkcloud.com

Parked at 149.248.2.160:
hxxp://chatgptextension.site
hxxp://api.graphqlnetwork.pro
hxxp://tkadmin9-new.tkv2.pro
hxxp://tkadmin12.tkv2.pro
hxxp://tkadmin9.tkv2.pro
hxxp://tkadmin7-new.tkv2.pro
hxxp://api.iobit.pro
hxxp://api.internetdownloadmanager.pro
hxxp://api.searchgptchat.info
hxxp://api.pieadblock.pro
hxxp://api.gptdetector.live
hxxp://tkadmin12-new.tkv2.pro
hxxp://tkapi8.tkv2.pro
hxxp://api.castorus.info
hxxp://tkadmin8.tkv2.pro
hxxp://tkadmin7.tkv2.pro
hxxp://api.searchaiassitant.info
hxxp://tkapi14.tkv2.pro
hxxp://tkadmin14-new.tkv2.pro
hxxp://tkapi13.tkv2.pro
hxxp://tkapi12.tkv2.pro
hxxp://api.ultrablock.pro
hxxp://tkadmin10.tkv2.pro
hxxp://tkadmin13.tkv2.pro
hxxp://api.internxtvpn.pro
hxxp://tkadmin13-new.tkv2.pro
hxxp://tkadmin11-new.tkv2.pro
hxxp://api.savechatgpt.site
hxxp://admin-main.tkpartner.pro
hxxp://api.wakelet.ink
hxxp://tkapi10.tkv2.pro
hxxp://tkadmin14.tkv2.pro
hxxp://tkadmin11.tkv2.pro
hxxp://tkapi9.tkv2.pro
hxxp://tkapi11.tkv2.pro
hxxp://api.yescaptcha.pro
hxxp://api.videodownloadhelper.pro
hxxp://api.parrottalks.info
hxxp://api.proxyswitchyomega.pro
hxxp://api.bookmarkfc.info
hxxp://api.dearflip.pro
hxxp://api.cyberhavenext.pro
hxxp://api.uvoice.live
hxxp://api.primusext.pro
hxxp://api.yujaverity.info
hxxp://api.censortracker.pro
hxxp://api.vidnozflex.live
hxxp://app.extensionpolicyprivacy.com
hxxp://api.tinamind.info
hxxp://admin-set.tkpartner.pro
hxxp://api.locallyext.ink
hxxp://api.vpncity.live
hxxp://app.policyextension.info
hxxp://api.wayinai.live
hxxp://api.moonsift.store
hxxp://api.readermodeext.info
hxxp://app.checkpolicy.site
hxxp://app.extensionpolicy.net
hxxp://api.linewizeconnect.com
hxxp://app.linewizeconnect.com
hxxp://app.extensionbuysell.com
hxxp://api.savgptforchrome.pro
hxxp://api.bardaiforchrome.live
hxxp://admin-new.tkv2.pro
hxxp://api.tkv2.pro
hxxp://api.searchcopilot.co
hxxp://api.chatgptextent.pro
hxxp://api.youtubeadsblocker.live
hxxp://api.geminiaigg.pro
hxxp://api.gpt4summary.ink
hxxp://api.blockadsonyt.vip
hxxp://api.chataiassistant.pro
hxxp://api.savegptforyou.live
hxxp://api.chatgptextension.site
hxxp://api.goodenhancerblocker.site
hxxp://admin.tkv2.pro
hxxp://redeem-p2p.org
hxxp://cdqk.link
hxxp://jokabet.co
hxxp://bc-game.link
hxxp://brunoplay.nl
hxxp://qgxl.link
hxxp://ws9.us
hxxp://t4q.us
hxxp://5kw.us
hxxp://r4o.us
hxxp://e4f.us
hxxp://mfkyb.biz
hxxp://gmpy.info
hxxp://zd4.us
hxxp://cayj.info
hxxp://vnpa.info
hxxp://elzd.info
hxxp://mefq.info
hxxp://afhc.info
hxxp://d4v.us
hxxp://eu1.us
hxxp://ouww.info
hxxp://tczc.info
hxxp://xwgc.info
hxxp://bipe.info
hxxp://bldx.info
hxxp://cw8.us
hxxp://xz9.us
hxxp://4jv.us
hxxp://o1v.us
hxxp://rh0.us
hxxp://v5j.us
hxxp://2vo.us
hxxp://fj6.us
hxxp://6zk.us
hxxp://k0r.us
hxxp://u9c.us
hxxp://g4v.us
hxxp://o7c.us
hxxp://ou2.us
hxxp://c9o.us
hxxp://i1z.us
hxxp://wdia.info
hxxp://j4j.us
hxxp://k9d.us
hxxp://6wu.us
hxxp://lj6.us
hxxp://g4c.us
hxxp://u6b.us
hxxp://j4o.us
hxxp://ah4.us
hxxp://zd8.us
hxxp://c9u.us
hxxp://t8x.us
hxxp://0iz.us
hxxp://8xu.us
hxxp://6od.us
hxxp://8na.us
hxxp://hw4.us
hxxp://s8r.us
hxxp://n1e.us
hxxp://p5c.us
hxxp://e5q.us
hxxp://yo8.us
hxxp://4dw.info
hxxp://d7p.info
hxxp://wy5.info
hxxp://z2q.info
hxxp://k9i.info
hxxp://kztw.info
hxxp://rdwr.info
hxxp://stzb.info
hxxp://hqtb.info
hxxp://jcdy.info
hxxp://hwnr.info
hxxp://ussn.info
hxxp://bfuy.info
hxxp://mhkz.info
hxxp://qoma.info
hxxp://yvbe.info
hxxp://bmpq.info
hxxp://adtw.info
hxxp://qfko.info
hxxp://azpf.info
hxxp://hpme.info
hxxp://kqno.info
hxxp://wkdn.info
hxxp://rzyn.info
hxxp://hhnr.info
hxxp://uqho.info
hxxp://yojy.info
hxxp://uomz.info
hxxp://gocf.info
hxxp://xuix.info
hxxp://irrb.info
hxxp://ehgi.info
hxxp://oqtb.info
hxxp://ezvp.info
hxxp://yevg.info
hxxp://tovo.website
hxxp://uggm.website
hxxp://ajxj.website
hxxp://ayeq.website
hxxp://nepy.website
hxxp://kjnh.website
hxxp://dbgz.website
hxxp://zoxj.website
hxxp://xduk.website
hxxp://xdje.website
hxxp://gpzn.website
hxxp://hxpc.website
hxxp://yemu.website
hxxp://nmfl.website
hxxp://ldiu.website
hxxp://vlei.website
hxxp://bktc.website
hxxp://znkn.website
hxxp://prcu.website
hxxp://vekn.link
hxxp://fswk.website
hxxp://carc.website
hxxp://vgcb.website
hxxp://zqvh.website
hxxp://sqhx.info
hxxp://htct.info
hxxp://qnmy.website
hxxp://stah.info
hxxp://dgwb.info
hxxp://fbro.website
hxxp://bzcr.info
hxxp://kgzg.website
hxxp://uspt.website
hxxp://dhfa.info
hxxp://jbza.website
hxxp://wdhy.website
hxxp://ridp.website
hxxp://lybg.website
hxxp://iktx.info
hxxp://wknj.info
hxxp://ghnt.info
hxxp://gnji.info
hxxp://fvre.info
hxxp://dobb.info
hxxp://qrsw.website
hxxp://xddj.website
hxxp://kgmy.info
hxxp://uthr.website
hxxp://jaer.website
hxxp://yvpr.info
hxxp://nxpj.info
hxxp://pbpp.info
hxxp://zmjp.website
hxxp://njki.info
hxxp://txsz.info
hxxp://isva.website
hxxp://flaa.website
hxxp://tifr.info
hxxp://dijl.website
hxxp://ntft.website
hxxp://yket.info
hxxp://rbft.website
hxxp://unkw.link
hxxp://nujt.link
hxxp://ubpm.link
hxxp://ucre.link
hxxp://mkjc.link
hxxp://hxkp.link
hxxp://itbk.link
hxxp://nqqo.info
hxxp://fwqx.info
hxxp://xwho.info
hxxp://kmic.info
hxxp://fwuf.info
hxxp://hmeq.link
hxxp://fjms.link
hxxp://zrdk.link
hxxp://enym.link
hxxp://vnaj.link
hxxp://caxh.link
hxxp://syzb.link
hxxp://bsve.link
hxxp://spoa.link
hxxp://bmtg.link
hxxp://dgzv.link
hxxp://cqui.info
hxxp://ebwu.info
hxxp://aznx.info
hxxp://lcni.info
hxxp://pcpf.info
hxxp://cped.link
hxxp://mcgz.link
hxxp://obea.me
hxxp://jtnd.me
hxxp://wyxug.com
hxxp://rpveb.com
hxxp://vkvs.link
hxxp://xclw.info
hxxp://chbw.link
hxxp://fwqs.info
hxxp://czek.link
hxxp://cnfs.info
hxxp://uywc.info
hxxp://fsns.link
hxxp://qeeq.info
hxxp://wdss.link
hxxp://niud.info
hxxp://ntzd.info
hxxp://xqvo.info
hxxp://ysga.info
hxxp://yobl.info
hxxp://peez.info
hxxp://anlk.info
hxxp://scwy.info
hxxp://pfhs.info
hxxp://hcki.info
hxxp://rhmj.info
hxxp://llgr.info
hxxp://vpcq.info
hxxp://kovh.info
hxxp://tumb.info
hxxp://nzda.info
hxxp://hxlj.info
hxxp://cvec.info
hxxp://wcyh.info
hxxp://svxu.info
hxxp://qoja.info
hxxp://wkms.info
hxxp://hbfo.info
hxxp://isxd.info
hxxp://dwwu.info
hxxp://ardx.info

Sample malicious hashes (SHA-256) known to have been involved in the campaign include:

b5f4ce10f08c734e7fec0028b0d27695ab9d0976c8250174edf2d7e1700313dc
a66ab39203c41336a04af8018239c292b63b0c7c67f9567b27beeeefc820b894
896108307f58fff94832f2c1c956a0d55e989976f7b438bea5829a18cf9bde8e
00c3eb47451af23873ef5360a9d3496a77b3deab0eb3f53f318d4496a1b093ad
c1bc36b29409c92144ca63a41326b2839299a73bed5cab3b809414fec45e2ee0
45b103f94e846302d00724d0aa8b5b2decb0f07a8a5a91ec38dab222779ed8d3


What is Nassef from Darkode Up To? - Part Two

December 30, 2024

Dear blog readers,

I've decided to continue my elaboration and provide further actionable intelligence on Nassef, a well-known member of the cybercrime-friendly Darkode forum community.

Nassef is using xavi-linuxer@live.com as his personal email address and is known to have registered the following domains with it: hxxp://tonymontana.cards, hxxp://tonymontana.cash, hxxp://tonymontana.biz.

He's also using the email address tonymontana_mexican@yahoo.com and is known to have registered the following domains with it:

hxxp://c2bit-power.com
hxxp://procarder.com
hxxp://novlops.cc
hxxp://freshcvv2.com
hxxp://sharkcc.com
hxxp://edumps.cc
hxxp://cvvlist.com
hxxp://cardinghispano.com
hxxp://dumps4you.com
hxxp://zanoled.com
hxxp://vic-socks.com
hxxp://dump-service.com
hxxp://thugcarders.com
hxxp://hotdumps.com
hxxp://dumpsvendor.com
hxxp://getbette.com
hxxp://crimemarket.com
hxxp://cardingmaestro.com
hxxp://ug-storecards.com
hxxp://cvvsite.com
hxxp://tonymontana.cc
hxxp://dumpsclinique.com
hxxp://source4dumps.cc
hxxp://skycvv.com
hxxp://carderprofit.cc
hxxp://styxmarket.com
hxxp://wt1shop.com
hxxp://scene-tools.com
hxxp://fraudsmarket.com
hxxp://cardersvilla.com
hxxp://bigcarder.com
hxxp://cardertools.com
hxxp://cvvsh0p.com
hxxp://fe-dumpstore.com
hxxp://profitbins.com
hxxp://carding-shop.com
hxxp://zonecvv.com
hxxp://torcrds.com
hxxp://shopvl.net
hxxp://prvtzone.com
hxxp://rdpwallmart.com
hxxp://xdedic.com
hxxp://smartstripes.biz
hxxp://cc-base.com

He's also known to be using renon66@mail.ru as his personal email address, with which he is known to have registered the following domains:

hxxp://fe-dumpstore.com
hxxp://profitbins.com
hxxp://dump-service.com
hxxp://thugcarders.com
hxxp://torcrds.com
hxxp://shopvl.net
hxxp://cardertools.com
hxxp://cvvsh0p.com
hxxp://xdedic.com
hxxp://smartstripes.biz
hxxp://carding-shop.com
hxxp://zonecvv.com
hxxp://cc-base.com
hxxp://prvtzone.com
hxxp://rdpwallmart.com
hxxp://novlops.cc
hxxp://scene-tools.com
hxxp://fraudsmarket.com
hxxp://cardersvilla.com
hxxp://edumps.cc
hxxp://cvvlist.com
hxxp://c2bit-power.com
hxxp://procarder.com
hxxp://zanoled.com
hxxp://vic-socks.com
hxxp://freshcvv2.com
hxxp://sharkcc.com
hxxp://hotdumps.com
hxxp://dumpsvendor.com
hxxp://cardinghispano.com
hxxp://dumps4you.com
hxxp://ug-storecards.com
hxxp://source4dumps.cc
hxxp://getbette.com
hxxp://crimemarket.com
hxxp://cardingmaestro.com
hxxp://wt1shop.com
hxxp://cvvsite.com
hxxp://tonymontana.cc
hxxp://dumpsclinique.com
hxxp://bigcarder.com
hxxp://skycvv.com
hxxp://carderprofit.cc
hxxp://styxmarket.com


Real Time OSINT on NSO Group and Bulgaria's Circles Commercial Spyware Developers - An Analysis

December 28, 2024

If an image is worth a thousand words, so is real-time OSINT methodology. More on Bulgaria's Circles here and here.

(Sample OSINT screenshots on NSO Group and Circles not reproduced here.)

Stay tuned.
