Normal view

Deepfake posting sites depicting famous women taken down by feds

16 June 2026 at 12:31

Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security has seized the two domain names under the TAKE IT DOWN Act.

The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.

According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.

The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.

The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.

They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home in advertising revenue from the site.

The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.

Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.

Strahler had downloaded produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.

Last month, the DoJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.

Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.

How prevalent are deepfakes?

These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.

Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.

What you can do

If you or someone you know are depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.

Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.

Take advantage of expert advice to help protect yourself from non-consensual deepfakes:


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Deepfake posting sites depicting famous women taken down by feds

16 June 2026 at 12:31

Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security has seized the two domain names under the TAKE IT DOWN Act.

The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.

According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.

The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.

The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.

They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home in advertising revenue from the site.

The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.

Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.

Strahler had downloaded produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.

Last month, the DoJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.

Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.

How prevalent are deepfakes?

These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.

Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.

What you can do

If you or someone you know are depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.

Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.

Take advantage of expert advice to help protect yourself from non-consensual deepfakes:


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

The FCC Wants to Eliminate Burner Phones

15 June 2026 at 13:01

A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person.

The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

Alternate link.

Who Runs the Ransomware Group ‘The Gentlemen?’

10 June 2026 at 16:03

A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

A graphic created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

“A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” the researchers wrote in April.

Check Point found The Gentlemen are the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group’s backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program who receives 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

The cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian and English speaking person who registered on almost a dozen cybercrime forums between 2019 and the present day, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital city of Russia’s Udmurt Republic. Likewise, the user Zeta88 signed up at the English-language cybercrime forum Breached in August 2022 from a different Internet address in Izhevsk.

Intel 471 finds Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numeric symbols associated with white supremacy). A lookup on this address at the open source intelligence service Epieos shows it is connected to an account at Apple and to a phone number ending in 04.

Epieos says that Protonmail address is also linked to a GitHub account under the username SantaMuerte. That account is marked private, but a history of this user’s activity shows they are watching and developing a number of malware tools and exploits.

In April 2020, Hastalamuerte said on the crime forum Nulled that they could be contacted at the Telegram instant messenger name @hastalamuerte18, and the threat intelligence company Flashpoint finds this username is assigned the unique Telegram ID number 30907522 [full disclosure: Flashpoint is an advertiser on this blog].

The breach tracking service Constella Intelligence reports that Hastalamuerte’s Telegram ID is connected to another username — “bu4vs” — and to the Russian phone number 79127650004. Pivoting on this phone number in Constella fetches multiple records from hacked Russian government databases showing it is assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella reveals that phone number was used to create an account at the Russian social media platform Pikabu under the name “4apai18,” and shows Mr. Yapaev has signed up at a number of websites using the common surname Ivanov, or else “Chapaev” (the numeral 4 is often used as shorthand for a “ch” sound in Russian).

A search in Intel 471 for cybercrime forum members with the nickname SantaMuerte unearths an account by the same name created in 2020 on the Russian hacking forum Codeby. Intel 471 shows this user originally registered on Codeby with the not-so-subtle nickname Alexandr 4apaev.

Constella finds Mr. Yapaev regularly used the email address bu4vs@mail.ru. Meanwhile, Epieos shows this address is connected to a LinkedIn account for Alexander Yapaev, who lists himself as the head of B2B marketing at the company Uralenergo Udmurtia, one of Russia’s largest suppliers of electrotechnical and lighting products.

Mr. Yapaev did not respond to multiple requests for comment.

Nearly every time we publish one of these Breadcrumbs stories, readers are curious to know why it seems like so many cybercriminals from Russia apparently do little to hide their real life identities. The truth is that — Russian or not — most didn’t exactly set out to be arch criminals, but instead got drawn into the scene gradually over several years as their skills broadened and sharpened.

Another important dynamic is that the Russian government generally either co-opts or ignores cybercriminal activity within its borders so long as the hackers do not steal from or attack Russian businesses and citizens. As a result, successful cybercriminals in Russia are usually insulated from prosecution and arrest by foreign law enforcement agencies provided they occasionally pay off the right people and do not travel abroad. And cybercriminals who intend to strictly adhere to those unwritten rules may (at least initially) be less concerned about covering their tracks online.

But the simplest explanation is that cybercriminals of all nationalities tend to make a number of basic operational security mistakes early in their careers, when they are less savvy and have far less to lose by their carelessness. A review of Hastalamuerte’s early posts on the crime forums (circa 2019-2020) shows a relatively unsophisticated and low-skilled hacker still trying to learn the ropes and earn a positive reputation on these communities.

For example, in June 2020 Hastalamuerte’s Telegram account joined a multi-month training program (@pntst) to learn how to use popular penetration testing tools, and their candid posts to this hacker training camp show Hastalamuerte struggling to use these tools effectively. A Google-translated record of Hastalmuerte’s posts to @pntst is here.

Update, June 11, 10:23 a.m. ET:  The threat research group PRODAFT has released a detailed writeup on the history and current operations of The Gentlemen. PRODAFT said its findings match the same persona with “high confidence,” and found the administrator (Zeta88/Hastalamuerte) supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group’s own leak database. They also discovered the administrator is using AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

Blogs

Blog

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

In this post, we dive into the decentralized architecture of “The Com,” exposing its hybrid ecosystem of hacking, extortion, and real-life violence—and how it fuels a ruthless pipeline of cyber-fraud cycles and adolescent exploitation.

SHARE THIS:
Default Author Image
May 26, 2026

What is “The Com”?

The Community, more widely known as “The Com” is a sophisticated hybrid threat ecosystem in which cybercrime serves as the venture capital for domestic terrorism. Existing since the early 2010s, it operates in the “edgesphere”, a grey area where mainstream social media overlaps with underground criminal networks, blending nihilistic violent extremism (NVE) with high-level financial fraud. In The Com, cybercrime against Fortune 500 companies is the primary revenue stream used by members to fund a domestic terror network that aims to radicalize youth and encourage real-world violence.

However, The Com poses more than just financial risk, it is a self-serving victim-to-perpetrator pipeline. It uses stolen capital to recruit adolescents, who they view as a disposable workforce, turning them from a victim to a perpetrator. Despite being a decentralized web of individuals rather than a traditional threat actor organization, The Com has managed to grow by hiding in the gaps between corporate security, parental oversight, and law enforcement.

How The Com is Structured

The Com is often mischaracterized as a single, formal organization. In reality, its ecosystem is unstructured and lacks a shared culture or leadership. However, the various factions within the ecosystem are extremely organized, supporting three broad categories of criminal activity: cybercrime, exploitation of minors, and real-world physical violence.

Federal investigations have shown that The Com includes a mix of adults and minors, men and women. While the exact number of members is difficult to determine, Flashpoint estimates that the broader ecosystem of The Com is in the thousands. While being a global threat, its most active core members are concentrated in Western English-speaking countries: the United Kingdom, the United States, and Canada.

Understanding the Key Pillars of The Com

While The Com is a decentralized ecosystem, its internal structure is defined by a high degree of operational alignment. Individual crews and networks within each pillar exhibit a shared psychology and standardized tradecraft that ensures their criminal activities remain effective and repeatable.

However, Flashpoint notes that members of these pillars do not operate alone. Their interaction with members of other pillars (extortion and real-world violence) amplifies the intended threat.

HACKER Com: The Economic Engine of The Com

Hacker Com acts as the ecosystem’s economic engine and primary technical arm. Its primary function is to hack major corporations and commit financial fraud to fund the broader community’s activities and lifestyle.
Seeing themselves as the elite technical tier of The Com, Hacker Com members are motivated primarily by financial gain and the thrill of outsmarting corporate security infrastructures. Notable crews within this pillar include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce.

TTPs Used by HACKER Com

The following tactics, tools, and procedures (TTPs) have been observed by HACKER COM groups:

Social Engineering (Vishing)

Hacker Com members capitalize on TTPs that target human vulnerabilities instead of relying solely on software and other exploits. Vishing is a signature move of the Scattered Spider crew, whose native English-speaking members call corporate IT helpdesks impersonating employees of that company. 

Analysts note these threat actors are likely Gen Z who socially engineer older support staff by mimicking the impatient attitudes and vernacular of young tech executives, essentially hacking the generation gap. They leverage this form of social engineering to convince support staff to reset passwords or even re-enroll new multifactor authentication (MFA) devices, which grants them access to the victims’ networks.

Supply Chain Targeting

Crews in this pillar have also successfully breached major targets by attacking their trusted vendors. For instance, Lapsus$ compromised Okta by targeting its third-party contractor, Sykes, while Scattered Spider has repeatedly targeted Okta’s identity services to pivot into their clients’ networks.

Living-off-the-land (LOTL)

Once inside a network, threat actors avoid detection by using legitimate, preexisting software and other remote admin tools such as AnyDesk, Ngrok, and Teleport to maintain persistence and move laterally. They often gamify this access, mocking victims for allowing them to simply “log in” using standard admin tools rather than having to hack their way in via complex exploits. They treat the ease of access as a testament to the victim’s incompetence.

SIM Swapping

A SIM swap attack is a foundational TTP used by financially motivated actors that involves social engineering mobile carriers to hijack a target’s phone number, usually resulting in the takeover of high-value cryptocurrency accounts.

EXTORT Com: The Ideological Engine of The Com

The Extort Com pillar functions as a machine designed for psychological control, coercion, and sexual exploitation of minors. Its goals intersect squarely with NVE ideologies, resulting in a marketplace and production center for CSAM and extreme violence, where members often trade these materials as a form of social currency.

Targets are migrated from public channels, which include social media and video games such as Roblox and Minecraft, to private ones maintained by The Com. Once moved, the dynamic shifts from recruitment to active exploitation, which is done to ensure the victim’s compliance.

IRL Com: The Enforcement Engine of The COM

The “In Real Life” (IRL) pillar serves as the physical enforcement arm of the ecosystem, effectively bridging the gap between virtual threats and reality. Sometimes referred to by law enforcement as “IRL Terror,” members often turn online animosity and disputes into real-world harm against people and their property.

Protect Against Converging Threats Using Flashpoint

The evolution of The Com represents a fundamental shift in the global threat landscape. It is not enough to view cybercrime as a purely financial risk or domestic extremism as a purely ideological one, the two have merged into a self-sustaining engine where stolen corporate capital fuels the radicalization and exploitation of the next generation.

As The Com continues to professionalize its tradecraft and expand its reach, the boundary between our digital and physical worlds will only continue to thin. To protect against this decentralized threat, organizations will require a mutli-layered defense strategy that is powered by intelligence that is sourced at the heart of these groups. Request a demo to learn more.

Request a demo today.

The post Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” appeared first on Flashpoint.

Who is the Kimwolf Botmaster “Dort”?

28 February 2026 at 13:01

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

Image: osint.industries.

The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.

Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.

Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.

Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”

“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”

With any luck, Dort will soon be able to tell us all exactly what it’s like.

Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”

When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.

“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”

But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”

Further reading:

Jan. 8, 2026: Who Benefited from the Aisuru and Kimwolf Botnets?

Jan. 20, 2026: Kimwolf Botnet Lurking in Corporate, Govt. Networks

Jan. 26, 2026: Who Operates the Badbox 2.0 Botnet?

Feb. 11, 2026: Kimwolf Botnet Swamps Anonymity Network I2P

Mar. 19, 2026: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Who Operates the Badbox 2.0 Botnet?

26 January 2026 at 17:11

The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

Our first story of 2026, The Kimwolf Botnet is Stalking Your Local Network, detailed the unique and highly invasive methods Kimwolf uses to spread. The story warned that the vast majority of Kimwolf infected systems were unofficial Android TV boxes that are typically marketed as a way to watch unlimited (pirated) movie and TV streaming services for a one-time fee.

Our January 8 story, Who Benefitted from the Aisuru and Kimwolf Botnets?, cited multiple sources saying the current administrators of Kimwolf went by the nicknames “Dort” and “Snow.” Earlier this month, a close former associate of Dort and Snow shared what they said was a screenshot the Kimwolf botmasters had taken while logged in to the Badbox 2.0 botnet control panel.

That screenshot, a portion of which is shown below, shows seven authorized users of the control panel, including one that doesn’t quite match the others: According to my source, the account “ABCD” (the one that is logged in and listed in the top right of the screenshot) belongs to Dort, who somehow figured out how to add their email address as a valid user of the Badbox 2.0 botnet.

The control panel for the Badbox 2.0 botnet lists seven authorized users and their email addresses. Click to enlarge.

Badbox has a storied history that well predates Kimwolf’s rise in October 2025. In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants accused of operating Badbox 2.0, which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud. Google said Badbox 2.0, in addition to compromising multiple types of devices prior to purchase, also can infect devices by requiring the download of malicious apps from unofficial marketplaces.

Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malware prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors — usually during the set-up process.

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024. The original Badbox was identified in 2023, and primarily consisted of Android operating system devices (TV boxes) that were compromised with backdoor malware prior to purchase.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet. That is, until we began digging into the history of the qq.com email addresses in the screenshot above.

CATHEAD

An online search for the address 34557257@qq.com (pictured in the screenshot above as the user “Chen“) shows it is listed as a point of contact for a number of China-based technology companies, including:

Beijing Hong Dake Wang Science & Technology Co Ltd.
Beijing Hengchuang Vision Mobile Media Technology Co. Ltd.
Moxin Beijing Science and Technology Co. Ltd.

The website for Beijing Hong Dake Wang Science is asmeisvip[.]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet. Ditto for moyix[.]com, a domain associated with Beijing Hengchuang Vision Mobile.

A search at the breach tracking service Constella Intelligence finds 34557257@qq.com at one point used the password “cdh76111.” Pivoting on that password in Constella shows it is known to have been used by just two other email accounts: daihaic@gmail.com and cathead@gmail.com.

Constella found cathead@gmail.com registered an account at jd.com (China’s largest online retailer) in 2021 under the name “陈代海,” which translates to “Chen Daihai.” According to DomainTools.com, the name Chen Daihai is present in the original registration records (2008) for moyix[.]com, along with the email address cathead@astrolink[.]cn.

Incidentally, astrolink[.]cn also is among the Badbox 2.0 domains identified in HUMAN Security’s 2025 report. DomainTools finds cathead@astrolink[.]cn was used to register more than a dozen domains, including vmud[.]net, yet another Badbox 2.0 domain tagged by HUMAN Security.

XAVIER

A cached copy of astrolink[.]cn preserved at archive.org shows the website belongs to a mobile app development company whose full name is Beijing Astrolink Wireless Digital Technology Co. Ltd. The archived website reveals a “Contact Us” page that lists a Chen Daihai as part of the company’s technology department. The other person featured on that contact page is Zhu Zhiyu, and their email address is listed as xavier@astrolink[.]cn.

A Google-translated version of Astrolink’s website, circa 2009. Image: archive.org.

Astute readers will notice that the user Mr.Zhu in the Badbox 2.0 panel used the email address xavierzhu@qq.com. Searching this address in Constella reveals a jd.com account registered in the name of Zhu Zhiyu. A rather unique password used by this account matches the password used by the address xavierzhu@gmail.com, which DomainTools finds was the original registrant of astrolink[.]cn.

ADMIN

The very first account listed in the Badbox 2.0 panel — “admin,” registered in November 2020 — used the email address 189308024@qq.com. DomainTools shows this email is found in the 2022 registration records for the domain guilincloud[.]cn, which includes the registrant name “Huang Guilin.”

Constella finds 189308024@qq.com is associated with the China phone number 18681627767. The open-source intelligence platform osint.industries reveals this phone number is connected to a Microsoft profile created in 2014 under the name Guilin Huang (桂林 黄). The cyber intelligence platform Spycloud says that phone number was used in 2017 to create an account at the Chinese social media platform Weibo under the username “h_guilin.”

The public information attached to Guilin Huang’s Microsoft account, according to the breach tracking service osintindustries.com.

The remaining three users and corresponding qq.com email addresses were all connected to individuals in China. However, none of them (nor Mr. Huang) had any apparent connection to the entities created and operated by Chen Daihai and Zhu Zhiyu — or to any corporate entities for that matter. Also, none of these individuals responded to requests for comment.

The mind map below includes search pivots on the email addresses, company names and phone numbers that suggest a connection between Chen Daihai, Zhu Zhiyu, and Badbox 2.0.

This mind map includes search pivots on the email addresses, company names and phone numbers that appear to connect Chen Daihai and Zhu Zhiyu to Badbox 2.0. Click to enlarge.

UNAUTHORIZED ACCESS

The idea that the Kimwolf botmasters could have direct access to the Badbox 2.0 botnet is a big deal, but explaining exactly why that is requires some background on how Kimwolf spreads to new devices. The botmasters figured out they could trick residential proxy services into relaying malicious commands to vulnerable devices behind the firewall on the unsuspecting user’s local network.

The vulnerable systems sought out by Kimwolf are primarily Internet of Things (IoT) devices like unsanctioned Android TV boxes and digital photo frames that have no discernible security or authentication built-in. Put simply, if you can communicate with these devices, you can compromise them with a single command.

Our January 2 story featured research from the proxy-tracking firm Synthient, which alerted 11 different residential proxy providers that their proxy endpoints were vulnerable to being abused for this kind of local network probing and exploitation.

Most of those vulnerable proxy providers have since taken steps to prevent customers from going upstream into the local networks of residential proxy endpoints, and it appeared that Kimwolf would no longer be able to quickly spread to millions of devices simply by exploiting some residential proxy provider.

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

“Dort has gotten unauthorized access,” the source said. “So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load” the Kimwolf malware directly onto TV boxes associated with Badbox 2.0.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel. But it’s unlikely that Dort’s existing account will persist for much longer: All of our notifications to the qq.com email addresses listed in the control panel screenshot received a copy of that image, as well as questions about the apparently rogue ABCD account.

Ofcom closes technical loophole used by criminals to intercept mobile calls and texts

Regulator acts on leasing of ‘global title’ numbers after industry efforts to tackle problem were ineffective

The UK communications regulator Ofcom is banning mobile operators from leasing numbers that can be used by criminals to intercept and divert calls and messages, including security codes sent by banks to customers.

Ofcom said it would stop the leasing of “global titles”, special types of phone numbers used by mobile networks to support services to make sure messages and calls reach the intended recipient.

Continue reading...

© Photograph: Andy Rain/EPA

© Photograph: Andy Rain/EPA

© Photograph: Andy Rain/EPA

JTAG – Micro-Controller Debugging

By: BHIS
27 August 2019 at 20:20

Raymond Felch // Being an embedded firmware engineer for most of my career, I quickly became fascinated when I learned about reverse engineering firmware using JTAG.   I decided to […]

The post JTAG – Micro-Controller Debugging appeared first on Black Hills Information Security, Inc..

PSCrypt ransomware: back in business

By: Bart
7 May 2018 at 13:45

PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: Crystal Finance Millennium used to spread malware

In this quick blog post, we'll take a look at the latest iteration of PSCrypt.


Analysis

A file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.

Figure 1 - Icon

The ransomware has the following properties:


As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

The following folders are excluded from being encrypted:

Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information

This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:

.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc

As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:

Figure 2 - Batch file

What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:

Figure 3 - Ransomware note, part 1

Figure 4 - Ransomware note, part 2

The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".


The Ukrainian version is rather lenghty, and is as follows:

☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠
ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ!
Для відновлення даних потрібно дешифратор.
Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:
Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Вартість послуги складає 150$
Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.ua
Додаткова інформація:
Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.com
Более детальная инструкция по оплате: https://btcu.biz/main/how_to/buy
Увага!
Всі файли розшифровуються тільки після 100% оплати
Ви дійсно отримуєте дешифратор після оплати
Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу
Спроби самодешіфрованія файлів приведуть до втрати ваших даних
Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.
За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.
ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ:
systems32x@gmail.com - основний
systems32x@yahoo.com - резервний
Додаткові контакти:
systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин)
help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин)
Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин)
З повагою
Unlock files LLC
33530 1st Way South Ste. 102
Federal Way, WA 98003
United States

Google Translation, so pretty loose - I've made some minor corrections however:

☠ YOUR FILES ARE TEMPORARILY UNAVAILABLE
YOUR DATA WAS LOCKED!
To restore data you need a decoder.
To receive a decoder, you must pay for decoding services:
Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Service cost is $ 150
Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua.
Additional Information:
The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.com
More detailed payment instructions: https://btcu.biz/main/how_to/buy
WARNING!
All files are decrypted only after 100% payment
You really get a decoder after payment
Do not try to uninstall a program or run antivirus tools, which can complicate your work
Attempts to self-decrypt files will result in the loss of your data
Other users' decoders are not compatible with your data, as the unique encryption key for each user.
At the request of users, we provide contact with customers who have already used the services of our service.
MUST REQUEST BACK TO CONTACTS FOR CONNECTION:
systems32x@gmail.com - basic
systems32x@yahoo.com - backup
Additional contacts:
systems32x@tutanota.com - (if the answer did not arrive after 24 hours)
help32xme@usa.com - (if the answer did not arrive after 24 hours)
Additional.mail@mail.com - (if the answer did not arrive after 24 hours)

The English version is rather short and to the point:

ALL DATA IS ENCRYPTED!
For decoding, write to the addresses:systems32x@gmail.com - Basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the response did not arrive after 24 hours) 

The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.

However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. 

E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."

It also promises full anonymity.

Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes Jellyfish.jpg.docs.

Ransom note: .docs document.html
BTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Emails: systems32x@gmail.com, systems32x@yahoo.com, systems32x@tutanota.com, help32xme@usa.com, Additional.mail@mail.com

Extension: .docs

Fortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9



Conclusion

The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.

As usual, follow the prevention tips here to stay safe, but the rule of thumbs are as always:

  • Do not pay, unless there is imminent danger of life
  • Create regular backups, and do not forget to test if they work

IOCs follow below.


IOCs


Ransomnix ransomware variant encrypts websites

By: Bart
28 April 2018 at 16:27


Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware

In this blog post, we'll discuss a newer variant.


Analysis

Several encrypted websites were discovered, which display the following message:

Figure 1 - Ransom message, part 1

Figure 2 - Ransom message, part 2

The full message is as follows:


JIGSAW RANSOMNIX 2018
I WANT TO PLAY A GAME!
Now Pay 0.2 BTC
OR
Payment will increase by
0.1
BTC each day after
00:00:00
Your Key Will Be Deleted
Your Bill till now 2.4000000000000004 BTC
Dear manager, on
Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)
your database server has been locked, your databases files are encrypted
and you have unfortunately "lost" all your data, Encryption was produced using
unique public key RSA-2048 generated for this server.
To decrypt files you need to obtain the private key.
All encrypted files ends with .Crypt
Your reference number: 4027
To obtain the program for this server, which will decrypt all files,
you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).
After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!
It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)
We don't know who are you, All what we need is some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
https://localbitcoins.com
https://www.kraken.com
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.
You do not have enough time to think each day payment will increase by
0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.

People use cryptocurrency for bad choices,
 but today you will have to use it to pay for your files!
 It's your choice!

The following JavaScript is responsible for keeping track of the price, and increasing it:

Figure 3 - JS function

The starting price is set at 0.2 BTC, but will increase every day with 0.1 BTC thanks to two functions: inprice and startTimer.
The function for calculating the time and date, startTimer, is a copy/paste from the following StackOverflow answer: The simplest possible JavaScript countdown timer?

Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.

Ransomware message details:

BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Email: crypter@cyberservices.com 
Extension: .Crypt

Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.

Unfortunately, it appears several people have already paid for decryption: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o


Disinfection

If possible, restore the website from a backup, and consequently patch your website, this means: install all relevant and security patches for your CMS, and plugins where applicable.

Then, change all your passwords. Better be safe than sorry.

It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.


Prevention

For preventing ransomware that attacks your websites, you can follow my prevention tips here.

General ransomware prevention tips can be found here.


Conclusion

Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.

Remember: create backups, regularly, and test them as well.



IOCs

This is Spartacus: new ransomware on the block

By: Bart
15 April 2018 at 17:56

In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.


Analysis

This instance of Spartacus ransomware has the following properties:





Figure 1 - Spartacus ransomware message

The message reads:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:
MastersRecovery@protonmail.com and send personal ID KEY:
In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li

The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:

Do not rename encrypted files.
Do not try decrypt your data using party software, it may cause permanent data loss.
Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Spartacus will encrypt files, regardless of extension, in the following folders:

Figure 2 - Target folders to encrypt

Generating the key:


Figure 3 - KeyGenerator

As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.

Encrypted files will get the extension appended as follows:
.[MastersRecovery@protonmail.com].Spartacus 

For example:
 Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus

It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:

All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==

Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:

AQABxA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==

Spartacus will delete Shadow Volume Copies by issuing the following command:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:

Figure 4 - Ransom will stay on top and annoy the user



Repeating, email addresses used are:

MastersRecovery@protonmail.com
MastersRecovery@cock.li

Decryption may be possible if the ransomware is left running, by extracting the key from memory.


Conclusion

Spartacus is again another ransomware family or variant popping up.

Figure 5 - Meme

Make sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other  ransomware.



IOCs

❌