Threat Reports | Research Center | WhoisXML API

Research Center

Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the Academy.


Threat Reports

The Inner Workings of Aleksei Belan’s Criminal Network

Aleksei Belan is on the Federal Bureau of Investigation (FBI) Most Wanted List. He was charged with several cybercriminal activities connected to a massive Yahoo! database compromise involving at least 500 million user accounts.[1]

Rogue Tor Browser: When Search for Anonymity Leads to Exposure Instead

Many users dream of browsing the Web without anyone’s prying eyes—something the Tor browser can help them accomplish.[1] So what happens when they end up downloading a rogue installer, especially one that spies on them instead?[2]

Exposing Bulgaria’s Kyulev Data Leak Hacker

A Bulgarian data leaker managed to access and steal the sensitive data of several high-profile targets. To make matters worse, the hacker had been seen offering access to the compromised database.

To assist the cybersecurity community and law enforcement sector, WhoisXML API threat researcher Dancho Danchev analyzed the threat actor’s digital footprints.

Domain Shadowing IoC Expansion Led to Thousands of Possible Connections

Threat actors have been known to hide behind legitimate Internet services[1] to spread malware and lure victims to phishing sites and other malicious campaigns.

A Closer Look at Active Cyber Jihad Web Properties

Cyber jihad refers to the way extremist terrorists use the Internet to wage war against their enemies.[1] Typical targets include the U.S., Western European countries, and Israel.

Experts say waging war is no longer limited to the physical world but has crossed over to the virtual realm. The 67 domains identified as indicators of compromise (IoCs) tied to recent cyber jihad attacks prove that.

Behind the Flashpoint Intel Site Compromise

Back in 2019, the Flashpoint Intel site suffered from a zero-day attack that caused visitors with JavaScript enabled on their systems to be redirected to an external website with a malware-laced pop-up.[1]

Insights into an Active Malicious Spam Domain Portfolio

Age clearly doesn’t matter when it comes to cyber threats, as proven by spam. Malicious spam emails cost businesses as much as US$20.5 billion a year.[1]

Probing Networks of Cybercrime-Friendly Forums

Malicious actors may lurk inside online forums to learn and share tactics. Some may even publish the compromised data of their victims on cybercrime-tolerant forums.

Looking into these online platforms may help law enforcement agencies and the cybersecurity community investigate threat actor behaviors and trace their activities.

On the Frontlines of the Syrian Electronic Army’s Digital Arsenal

Possibly one of the first public Internet armies, the Syrian Electronic Army is notorious for stealing user credentials to deface websites. Among their suspected victims are U.S. government websites, media outlets, PayPal, and eBay. Two of its members were indicted in 2018.[1]

Selling Stolen Credit Cards Is Still a Thing

Monetary gain is a primary goal for almost any cybercriminal. And one of the ways they go about earning money without investing a dime is by stealing credit card details.[1] In fact, peddling stolen credit card numbers with their corresponding CVVs in underground markets can earn operators millions.[2]

The Inner Workings of the Russian Business Network

VeriSign dubbed the Russian Business Network (RBN) “the baddest of the bad”[1] in a report. And the fact that it played host to sites owned by the most notorious spammers, malware operators, phishers, distributed denial-of-service (DDoS) attackers, and other cybercriminals proved that.[2]

Probing an Active Digital Trail of Iranian Hackers

The cybersecurity community and law enforcement agencies have been tracking the activities of Iran-based hackers for quite some time now.

Shedding Light on the Darkode Forum

The Darkode Forum, which started operating in 2007, was taken down through a global effort in 2015.[1] But the community came back online in 2019.[2]

Uncovering the Current Workings of Guccifer 2.0

Guccifer 2.0[1] is the person or group behind the now infamous Democratic National Committee (DNC) hack back in 2016.[2]

What Is Anonymous International Up to Now

Anonymous International is infamous for launching much-publicized hacking attacks against political targets since 2006.[1] And they haven’t stopped to this day.[2]

URL Shortening Gone Wrong with GCHQ

In 2016, cybersecurity researchers discovered that British spies had been using a free URL shortener in an attempt to gather intelligence on, and influence, online activists during the protests in Iran since 2009.[1]

Is the Bakasoftware Operation Still Up and Running?

In 2008, Bakasoftware reportedly made as much as US$5 million a year by scaring victims into downloading and installing its product to get rid of fake malware infections.[1] Many thought the operation had since shut down, but the findings of WhoisXML API threat researcher Dancho Danchev may suggest otherwise. His findings include:

Tracing the Digital Footprint of Iran’s Mabna Hackers

The Mabna hackers victimized hundreds of organizations worldwide and were known to sell stolen sensitive information. After nine of its members were indicted[1] in the U.S., the elusive threat actors may have left breadcrumbs of their criminal activities in the form of DNS connections.

Exposing the Infrastructure Behind the Democratic National Committee System Intrusion

The high-profile cyberintrusion into the Democratic National Committee (DNC) computer system in 2015[1] disrupted the 2016 presidential election in the U.S. It remains one of the most widely analyzed cyber attacks, with top security firms performing different investigations.

Is Your Software a Top Impersonation Target?

Copycatting the world’s most popular software applications is a commonly used technique to lure users into visiting seemingly legitimate yet often malicious pages.

Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

An Iran-based hacker forum that was shut down in 2018 became active again last year.[1] While our initial investigation at that time uncovered 100+ digital properties related to the group, our most recent exploration exposes thousands more.

The Current State of Malicious PPI Businesses and Affiliate Networks

Pay-per-install (PPI) and affiliate networks, which made headlines between 2008 and 2013, may not entirely be gone. Research by WhoisXML API threat researcher Dancho Danchev revealed that some of the domains registered using email addresses belonging to their operators remain active to this day.

Have You Seen These Roaming Mantis Connected Artifacts Wandering into Your Phone?

Roaming Mantis may have stolen the credentials or infected the devices of hundreds of thousands of people. The threat group did that through a smishing campaign targeting Android and iOS users. According to SEKOIA-IO,[1] more than 90,000 unique IP addresses have requested XLoader from Roaming Mantis’s command-and-control (C&C) servers as of mid-July 2022.

Profiling the Threat Actor Known as “Hagga” and His Work

The threat actor known as “Hagga,” first identified in the latter part of 2021,[1] has been using Agent Tesla to steal sensitive user information for some time now. Published reports have identified several indicators of compromise (IoCs)[2] believed to be part of Hagga’s criminal infrastructure.

KrotReal: Is the Koobface Bot Master Back in Business?

KrotReal, identified as the infamous Koobface Gang’s bot master, is seemingly back in business.[1] But instead of going after social media users, is he now targeting adult content viewers?

Koobface Makes a Comeback

The infamous Koobface Gang[1] is possibly causing malware mayhem again. After Facebook and cybersecurity researchers unmasked the perpetrators back in 2012, the gang members shut down their servers in a bid to avoid capture.[2]

Unlike Its Namesake, Aoqin Dragon Isn’t Mythical

Aoqin Dragon may not be as foolproof as it seems. Despite the group evading discovery for almost a decade,[1] cybersecurity researchers shed some light on the advanced persistent threat (APT) group’s inner workings.

Conti Ransomware: Still Alive and Kicking

Despite the heightened lookout for key members of Wizard Spider given the huge reward offered by the U.S. government,[1] Conti ransomware continues to plague individuals and businesses worldwide.

Predator Surveillance Software May Not Be Lawful at All

Predator has been found to illegally spy on journalists and politicians the world over since December 2021.[1] But the threat the app poses may not have died down despite its exposure.

GALLIUM APT Group and Other Threat Actors in Disguise

Threat actors were observed taking advantage of legitimate services by creating subdomains and using them as command-and-control (C&C) domains[1] and phishing site hosts.[2]

Exposing the “Haters” behind Patriot Front

Patriot Front is a well-known white supremacist group in the U.S.[1] Most recently, dozens of the group’s members disrupted a Pride event in Idaho, resulting in their arrest.[2]

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Avast recently reported that the SMSFactory Android Trojan has affected around 165,000 users worldwide.[1] But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).[2]

Father’s Day: Bad Guys’ Activities

Whois API researchers previously uncovered suspicious web properties related to Mother’s Day.[1] Some of them were outright malicious, while others hosted questionable content. This Father’s Day, we detected a similar trend, indicating that the bad guys are also getting ready for the special occasion.

Exposing the Criminal Infrastructure of the Blood and Honor Hate Group

Blood and Honor is a well-known right-wing extremist (RWE) group founded in the U.K. in 1987. Its members began spreading their messages through music that supported their political ideology.[1]

WhoisXML API security researcher Dancho Danchev used various OSINT tools to help law enforcement agents track the group members’ digital footprints. His investigation revealed:

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

Cobalt Mirage, a well-known APT group, recently took a page out of cybercriminals’ modus operandi—using ransomware—to go after targets earlier this month.[1] So far, only 11 domains and two IP addresses have been publicized as indicators of compromise (IoCs).[2]

Cardano Joins the List of Favored Crypto Scam Targets

It’s no longer unusual for cybercriminals to go after cryptocurrency owners. We’ve seen scams targeting Bitcoin[1] and Ethereum[2] owners before. This time, they’re going after Cardano coin owners[3] with a supposed giveaway promo.

These DeFi Domains Might Be Risky to Investors

In addition to cryptocurrency wallets and non-fungible token (NFT) companies, malicious actors recently targeted decentralized finance (DeFi) platforms. They got away with US$90 million.[1] One way some NFT companies may be addressing the threat is through defensive domain registration.[2]

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors typically employ website defacement to further their political, environmental, or even personal agenda. Through SQL injection, cross-site scripting (XSS), and other initial compromise tactics, they replace the content of target sites to display their specially crafted messages.

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase Too

Threat actors often ride on the latest news and current events to lure users to their specially crafted malicious websites. We’ve seen that happen with the onset of the COVID-19 pandemic[1] and the birth of the Black Lives Matter movement.[2]

We may see that happen again given the hype surrounding Elon Musk’s recent purchase of Twitter.[3]

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long proven effective in taking down cybercriminal operations like WannaCry.[1] The process has, in fact, more recently been employed by Microsoft to thwart Strontium cyber attacks targeting Ukrainians.[2]

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation campaigns pose real risks to nations worldwide, as evidenced by research done by Statista.[1] Their peddlers’ motivation? Political and financial gain, according to some opinions.[2]

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group gained infamy for its proprietary spyware Pegasus. In 2021, in fact, Apple sued the company for its alleged ties to threats targeting its service and device users.[1]

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a threat group that takes advantage of people’s hope to improve their careers. Instead of finding their dream jobs, however, victims could find themselves vulnerable to remote code execution (RCE).[1]

What Are the DNS Artifacts Associated with APT36 or Earth Karkaddan?

APT36 or Earth Karkaddan has been targeting government entities, most especially in India, for a couple of years now. But so far, only a few digital properties have been publicized as indicators of compromise (IoCs).[1][2]

Behind the Innovative Marketing Rogue Scareware Distribution Network

Innovative Marketing made waves as a rogue scareware operator more than a decade ago.[1] But while law enforcement authorities successfully thwarted its large-scale business, its owners have yet to be captured.[2][3]

Danchev and WhoisXML API’s research team sought to determine if the company left digital breadcrumbs behind, using Maltego and various WhoisXML API tools. They uncovered an expansive list of domains, IP addresses, and other web properties that could help the cybersecurity industry finally put an end to Innovative Marketing.

OSINT Analysis of the World’s Biggest Cybercriminal Infrastructures

WhoisXML API maintains a list of the most prominent cybercriminal groups around the globe in an effort to help fellow researchers and vendors and the authorities enrich their actionable threat intelligence.

Are Cybersquatters Going After the Car Manufacturing Sector?

The recent supply chain attack[1] that caused Toyota to halt production for days and lose 13,000 units of car output underscores how wide an organization’s attack surface can be. It also proves how scattered threat vectors can be—from insider mistakes to third-party vulnerabilities and many others.

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The cyber attack against the International Committee of the Red Cross (ICRC) exposed the data belonging to more than 500,000 people worldwide.[1] While no indicators of compromise (IoCs) have been publicized so far, an interesting link to a fake news network was revealed by security researcher Brian Krebs.[2]

Under the Hood of the Infraud Organization Cybercriminal Operation

While 36 alleged Infraud Organization members were recently captured and indicted,[1] the incident may not spell the end of woes related to the gang.

We took a closer look at published indicators of compromise (IoCs) related to Infraud Organization, specifically 11 domains, six IP addresses, and three email addresses, which were used as jump-off points to uncover more potential artifacts and IoCs.

Exposing Void Balaur’s Internet-Connected Infrastructure

Void Balaur is a cybercriminal gang, believed to be operating from Latvia, that has been launching typosquatting and spear phishing attacks targeting users worldwide.

WhoisXML API researcher Dancho Danchev recently dove deep into the perpetrators’ campaigns aided by current and historical WHOIS records to find actionable intelligence for cybersecurity and law enforcement purposes.

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Major sporting events, such as the Olympic Games, have always gained the attention of threat actors. A noteworthy example is the OlympicDestroyer malware[1] that targeted the 2018 Winter Olympics.

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Check Point Research revealed that DHL was the most-phished brand in 2021,[1] which led us to wonder if the same will hold for 2022. We scoured the Web for domains and subdomains containing “dhl” and subjected these to further scrutiny to identify more connected artifacts.

An OSINT Analysis of Infraud Organization and Its Cybercriminal Infrastructure

WhoisXML API researcher Dancho Danchev recently delved deep into the Infraud Organization’s cybercriminal infrastructure. Infraud Organization is well-known for maintaining a cybercriminal forum that provides threat actors tons of stolen credit card information.[1] Danchev used WHOIS, IP, and DNS tools to identify more artifacts connected to the threat.

Web Search Results Reveal a Suspicious Network of Domains

Search engine scams continue to increase in volume despite the security efforts of major search engine services. The persistent effectiveness of blackhat SEO techniques and the growing list of suspicious or unwanted search results are just some of the pressing concerns that plague Internet users.

Malicious Valentine: Uncovering Thousands of Domains Connected to Romance-Themed Campaigns

Romance-themed campaigns have several faces—some pose as online dating sites[1] while others as fake applications.[2] These campaigns occur year-round, but Valentine’s Day could make more people vulnerable. In line with this, WhoisXML API researchers gathered and analyzed the IoCs of romance or Valentine-themed campaigns. Among our key findings are:

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

The BlackTech APT Group struck again, this time with the new FlagPro malware and IoCs. Since the group used the same C&C servers and infrastructure for multiple campaigns in the past, WhoisXML API analyzed the new IoCs together with those reported in the past two years. We uncovered artifacts and possible domain and IP connections. Our analysis includes:

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

REvil was one of the biggest ransomware threats in 2021, pushing the U.S. Department of State to post a US$10 million reward for anyone who can identify and locate the gang’s leaders.[1] AlienVault made headway in identifying REvil-hosting domains.[2] We subjected these web properties to IP and DNS searches to identify more connected artifacts.

New Zloader Campaign: Where Do IoCs Lead Us?

A new Zloader campaign has been detected. It is believed to be the work of the MalSmoke cybercrime group. More than 2,000 unique victim IP addresses have downloaded the malware, which exploits a vulnerability in Microsoft’s digital signature verification method.

“Nickel” APT Group: What We Found Out About Microsoft’s Latest Domain Seizure

Microsoft recently seized 42 domains attributed to the China-based Nickel APT group.[1] We subjected these web properties to WHOIS queries to find more information.

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko[1] is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,[1] a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted[2] in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool for cyber attacks,[1] has gained traction over the years. It has become a force to be reckoned with for many government institutions tasked with battling cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down.[2]

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of billions of U.S. dollars[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million[3] from numerous victims.

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray-hat network security company based in Iran.[1] It has allegedly been connected to several state-sponsored attacks against various countries over the years.

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed the “worm that nearly ate the Internet,”[1] Conficker targets computers running Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.
