Saturday, March 8, 2025

The Kremlin, Politics and Ransomware

Qilin Ransomware caught with politically motivated fake document (and old data) in post.


Qilin Ransomware

by Dominic Alvieri

March 8th, 2025

@AlvieriD

Was it a breach or not?

The Ministry of Foreign Affairs of Ukraine was breached...in 2022, which is not what one devious up-and-coming ransomware group would like you to think. The post below is from Qilin Ransomware.


Ministry of Foreign Affairs of Ukraine.
Original Qilin Ransomware MFA of Ukraine post.

Did the Kremlin Call?

Qilin shuffled document samples for the first 10 minutes after their MFA of Ukraine post, which piqued my interest. They originally listed 82 samples (the first 12 of which I retrieved and verified), then 31, and finally 104 if that hasn't changed. I regularly go back and check for updates and double check my research, but it is usually the deletions that catch your eye. Most of the data samples are from 2022 or earlier. Qilin did release samples dated in 2025. All but one of those were removed, and the one that remains is one of the dozen I already had.


The only sample dated after 2025 is fake.


The document references a January 31st, 2025 missile strike by Russian troops on the Bristol Hotel in Odessa, Ukraine. Have I mentioned that I hate politics? The fake document is signed by an official who has never been an ambassador of Ukraine to Moldova.

All of the remaining documents are dated between 2019 and 2022 and were previously leaked on Telegram in 2022, after the breach of the MFA of Ukraine that year.

Most of the major players have made some political reaffirmations recently.


I've actually always hated politics and this has the big stink of a political pressure move.

RansomHub also recently released a Tox profile message stating never to target CIS states. LockBit loves Trump and has said so, posting about it several times. Once again, hate is a strong word but...



Can you do me a favor...




Stay safe online and off.

Friday, February 7, 2025

I Lost My Device

Hacking an Account with MFA? Brute Forcing, using MFA Fatigue, Phishing...


The Cyber Show by Dominic Alvieri

by Dominic Alvieri
February 7th, 2025

SS7 probably has something to do with it 

There must be a lot of great hackers nowadays, with all the high-profile social media account takeovers to start 2025. The NASDAQ stock market, TIME Magazine and Jupiter have all had their X accounts hacked to push crappy fake meme coins.

Sadly it isn't as difficult as it sounds. 




What is your favorite method?

SMS (Short Message Service) text-message MFA is one of the most widely used MFA methods. SMS and voice calling have very poor authentication standards because of a technicality called SS7. Signaling System No. 7, or SS7, is the telephony signaling protocol which, in my hacker's opinion, allows phone numbers to be spoofed and messages to be hijacked.

You can use brute force, man-in-the-middle or man-in-the-mobile (MitMo) attacks, phishing, MFA fatigue, or just SIM-jack the user's mobile, but one of the easiest is the social engineering method.

The Master Social Engineer

Social engineering doesn't need a degree, but it sure helps. One of the most effective and popular methods is to send an MFA code to the target and social engineer from there. Among the other easiest ways to bypass an account's MFA is to socially engineer the security team by claiming that you have lost your device...the device that has the MFA method tied to it. Obviously I have to leave a few details out depending on the tied method of authentication.



For the Security Teams Beware of - "I Lost my Device"

Security teams take note because the kids sure are taking advantage of this one. 
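One way a security team can watch for this, as an added example that is not from the original post: the audit-event format, the event names and the 30-minute window are assumptions, and the sample trail is constructed.

```python
"""Flag help-desk MFA resets that are followed by a login from a device the
account has never used.

Added example, not the author's code: the event dicts (ts/user/event/device/via)
are a constructed stand-in for an identity provider's audit log, and the
30-minute window is an assumed policy value.
"""
from datetime import datetime, timedelta

RESET_EVENTS = {"mfa_method_removed", "mfa_method_reset"}
WINDOW = timedelta(minutes=30)

# Constructed sample trail. alice: "lost device" reset, then a login from a
# device never seen before. bob: same reset, but the new factor is used from
# the laptop he already logs in from.
SAMPLE_EVENTS = [
    {"ts": "2025-02-07T08:00:00", "user": "bob", "event": "login",
     "device": "dev-bbb2", "via": "push"},
    {"ts": "2025-02-07T09:00:00", "user": "alice", "event": "login",
     "device": "dev-aaa1", "via": "push"},
    {"ts": "2025-02-07T13:02:00", "user": "alice", "event": "mfa_method_reset",
     "device": None, "via": "helpdesk:lost_device"},
    {"ts": "2025-02-07T13:11:00", "user": "alice", "event": "mfa_method_added",
     "device": "dev-zzz9", "via": "sms"},
    {"ts": "2025-02-07T13:14:00", "user": "alice", "event": "login",
     "device": "dev-zzz9", "via": "sms"},
    {"ts": "2025-02-07T14:00:00", "user": "bob", "event": "mfa_method_reset",
     "device": None, "via": "helpdesk:lost_device"},
    {"ts": "2025-02-07T14:10:00", "user": "bob", "event": "login",
     "device": "dev-bbb2", "via": "sms"},
]


def find_suspicious_resets(events):
    """Return (user, reset_ts, login_ts, device) for every help-desk MFA reset
    that is followed within WINDOW by a login from a never-before-seen device.

    Only successful logins count as "seen": the device named in the
    enrollment event itself is exactly what the caller is trying to vouch for.
    """
    events = sorted(events, key=lambda e: e["ts"])   # ISO-8601 sorts as text
    seen = {}       # user -> devices that have logged in before this point
    pending = {}    # user -> timestamp of an unresolved help-desk reset
    hits = []
    for e in events:
        user, dev = e["user"], e["device"]
        known = seen.setdefault(user, set())
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] in RESET_EVENTS and e["via"].startswith("helpdesk:"):
            pending[user] = ts
        elif e["event"] == "login" and dev is not None:
            reset_ts = pending.pop(user, None)   # one decision per reset
            if reset_ts is not None and ts - reset_ts <= WINDOW and dev not in known:
                hits.append((user, reset_ts, ts, dev))
            known.add(dev)
    return hits


if __name__ == "__main__":
    for user, reset_ts, login_ts, dev in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"{user}: reset {reset_ts:%H:%M} -> first login from {dev} at {login_ts:%H:%M}")
```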

Stay safe, online and off.

Saturday, February 1, 2025

Deep Seek and Destroy

 Seek deep and ye shall find


Deep Seek and Destroy

by Dominic Alvieri
February 1st, 2025

Malware, credential phishing, fake meme coins, exposed data...



Build a better mousetrap and the world will beat a path to your door. DeepSeek created a major storm when it came to market mainstream and has drawn unwanted attention ranging from questions about outright intellectual property theft to security vulnerabilities, including exposed databases, and a rash of bad actors jumping on the DeepSeek bandwagon.

First, a note about authenticity, because the documents and all the API call logs (Microsoft) speak for themselves. Some docs








Deep Seek credential phishing


/deepseeklogin[.]com (left)

This credential phishing site is actually not bad and will get some people to commit. You can easily spot the incorrect URL and the missing official links.




Show us the malware already


Here is one example from Who said what? /deepsekk[.]sbs

I do apologize: there is a new MD5 I forgot to copy and am unable to find now or access my own account for, but it is on VirusTotal and, if memory serves, the file is deepseek_v5.35.dmg.





There is no $DEEP or $SEEK meme coins

Crypto scammers jumped on quickly. Two scam examples are $DEEP and $SEEK.

Enough said

Hacked social media


This DeepSeek R1 account below is a hacked account with 35K followers on X. This isn't the only hacked or fake account on social media.




Hundreds of new domains every day


Small sample courtesy of DNPedia.
The current total of questionable domains registered is now over 2,000.




Other 


Always check the other category. The only official site is /deepseek[.]com

Here are a few other active examples -

/deepseek-ai[.]com
/deepseek[.]ai
/deepseek[.]org
/deepseek[.]cyou
/deepseeklogin[.]com

Please avoid any of these sites. Personally I am not a fan of DeepSeek. Logging keystrokes.
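A first-pass triage of the domains listed above against the one official site, as an added example that is not part of the original post; the categories and the edit-distance threshold are my own assumptions, and the candidate list is the one printed above (kept defanged).

```python
"""Classify candidate domains against a brand's single official domain.

Added example, not from the original post: the candidate list is copied from
the post (defanged with "[.]"); the categories and the edit-distance
threshold of 2 are my own assumptions for a first triage pass.
"""

OFFICIAL = "deepseek[.]com"   # the post: "The only official site is /deepseek[.]com"

# Candidates as printed in the post.
CANDIDATES = [
    "/deepseek-ai[.]com", "/deepseek[.]ai", "/deepseek[.]org", "/deepseek[.]cyou",
    "/deepseeklogin[.]com", "/deepsekk[.]sbs", "/deepseek[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as "/deepseek[.]com" into "deepseek.com"."""
    return domain.strip().lstrip("/").replace("[.]", ".").lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, official: str = OFFICIAL, max_typo: int = 2) -> str:
    """Return one of: official, brand_other_tld, brand_with_affix, typo, unrelated.

    The "label" is the second-level label; public-suffix handling is omitted
    on purpose (assumption: single-label TLDs, as in the post's list).
    """
    cand, off = refang(candidate), refang(official)
    if cand == off:
        return "official"
    brand = off.split(".")[0]
    label = cand.split(".")[0]
    if label == brand:
        return "brand_other_tld"        # deepseek.ai, deepseek.org, deepseek.cyou
    if brand in label:
        return "brand_with_affix"       # deepseek-ai.com, deepseeklogin.com
    if levenshtein(label, brand) <= max_typo:
        return "typo"                   # deepsekk.sbs
    return "unrelated"


def triage(candidates=CANDIDATES):
    """Map each defanged candidate to its category."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    for dom, cat in triage().items():
        print(f"{dom:24} {cat}")
```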

Enough said again. Stay safe online and off. 

Wednesday, December 25, 2024

How to Hack a Drone

Annoying drones invading your private property?


How to Hack a Drone


By Dominic Alvieri
December 25th, 2024

Hacking is Illegal and for Nerds

Stopping a common drone is easier than you think.

Hacking drones is not new. We're not firing up Kali and taking over a drone for an offensive campaign, but merely describing the defensive options available to take down a drone that is illegally invading your private property. You will be surprised by how easy it actually is.

I have always believed that anything that communicates from a point to another point can be intercepted or hacked. Drones are no different. It's been a few years since I have compromised a drone so this refresher was inspired from the recent panic of drone sightings in New Jersey.

In the simplest terms, most drones need Wi-Fi to communicate with and receive commands from the operator via the controller...so don't forget to log the MAC addresses.


nist.gov


Defensive Techniques 


The basic ways to defend against a drone offensive are to take control of the drone; to shoot down, destroy or otherwise physically capture and stop the drone; to disable drone communications and force a "Go Home" landing; or to otherwise disable the drone itself to force a landing.

Check the laws in your state or country


Drones over about half a pound must be registered in the United States and generally must be flown below 400 feet and kept within the operator's line of sight.


FAA

Dependency Confusion, if you will


Since most people don't have access to a high-powered device to emit an electromagnetic pulse, and wouldn't want to risk shooting a drone down, most lean towards another path.

I like to call it creating a dependency confusion. Dependency confusion can have multiple definitions and is also known as a substitution attack: an attack path that creates and publicly registers malicious packages to mimic privately coded packages and fool their users. This is also called namespacing.

Roughly speaking, most spoofing is also a form of dependency confusion. You fool a device or service into connecting to, and receiving commands from, an apparently authorized device which you control.






GPS Frequencies


Detecting a drone using radio frequency sensors is quite easy if you were so inclined. By detecting the exact frequency you can obtain the serial number and MAC address of the drone and target it directly but you shouldn't have to get that granular. You would start with a radio frequency jammer.  

Generally speaking, certain frequency bands are shared with common household devices, so this method will create unintended interference; check your local laws.

Drone frequency bands vary and include 433 and 915 MHz, 1.2 and 1.3 GHz, 2.4 GHz and 5.8 GHz.




Radio Frequency Analysers, Spoofers and Jammers


The goal of this simple hack is to mask the signal between the drone and the controller and either force it into "Go Home" mode, so that it flies to its pre-programmed home location, or make it land or crash where it currently is.

Once again, drones that use Wi-Fi communicate between the onboard unit and the controller, and advanced RF analysers can detect their communication and even their MAC addresses, but those are not commercially available. RF spoofers are difficult to find and legally in a gray area.

The simplest way is to jam the signal and confuse the drone. If that fails we can always open up Kali and get more granular in detail for another attack. Certain details have been left out for safety.

Stay safe, online and off.






Wednesday, July 3, 2024

Are You Trollin Me?

 Did Black Suit Ransomware just try to troll me?


Black Spade.

by Dominic Alvieri
July 3rd, 2024


The story goes a little something like this...


/Conti_Royal_BlackSuit/
                       |_BlackSpade/


That random mixed letter and numbered social media account chimes in. To make a long story short several people both known and unknown to me recently mentioned the same thing, "...a guy from Black Suit started his own group and is responsible for a major incident. The group is called Black Spade."

Who is Black Spade?




The Royal (Ransomware) Flush


Black Spade would be the continuation of the group formed by a Conti member who created Royal Ransomware then rebranded to Black Suit then either is planning on spinning off or rebranding to this new alleged Black Spade group.

Black Suit was attributed to the recent damaging CDK cyber incident. A CDK spokesperson originally said "it will take months to fully restore our network," and now they will be up and running by July 4th. Now that the incident appears over, I think it is important to bring this to light. Bad actors, with or without ransomware, will in general lie, cheat and steal to get the money they feel entitled to. They will even try to bribe or fool a researcher, reporter or analyst into making false statements during a ransom negotiation to influence the outcome. Millions of dollars are at stake.

Is there a Black Spade? The Major Plot Twist


I really had the feeling I was being trolled. A pro level troll. Royal payback if you will. Contacted during a major incident with a major plot twist in the middle of alleged negotiations. I have never heard of such a thing. It is also rare for a group to willingly give their new spinoff and or rebrand name out beforehand. It defeats the purpose.

So is there a Black Spade? Not yet. The new Black Spade claims came somewhere a day or two before CDK's sudden positive change towards the cybersecurity incident. Once again CDK was never posted by Black Suit and they should be fully operational by Independence Day, July 4th which is tomorrow.

Once again, two individuals mentioned the same name on the same day with bold new claims. The new group called "Black Spade" was a former/current Black Suit member with a major victim. I asked for something concrete: an IoC, a new strain, or anything that could back the claim. You just have to produce a ransom note, a data sample, a post or some evidence with a claim like that.




I had a feeling I was communicating with Royal who is still probably a little sore at me from the old Twitter days when Royal was online known as @LockerRoyal before being suspended.

I need some proof of compromise, a ransom note or something 


For those of you who do not follow threat actors as closely as I do, here is a little backdrop. Black Suit recently posted a record (for them) 9 new victims in a day, plus a re-leak of a school district that had originally been posted before, as their 10th post for the day. Black Suit has never posted 10 victims in a week, or that frequently on a monthly basis. It did look like Black Suit was cleaning house and possibly preparing to rebrand and/or exit.

Skeptical, I mentioned to both the security researcher and the person I now presume to be the threat actor that I would put a feeler post out in a few hours mentioning the new threat group, but that I needed something solid to go forward with anything more. It's not a new ransomware group without a new strain, so it isn't Black Spade Ransomware, but it sounded somewhat feasible and a possible threat.



My post above


Careful not to create a major stir I toned down the threat eliminating the possibility that this new group was a LockBit or AlphV BlackCat rebrand just in case it was used for leverage with potential victims during a ransom negotiation. The timestamp is underlined.

Their post roughly an hour later...


Roughly an hour after my post Black Suit posted Kadokawa. Kadokawa was the 11th post and 10th new victim for Black Suit within 2 days which is a first. The Black Suit post rate is well below that number.



The Ransomware News bot from VX Underground post with timestamp underlined.

The Black Suit Kadokawa post



It may have just been a wild coincidence with the poker reference but it didn't feel like it.

The Ace of Spades


"...we prefer not to show all the aces we have prepared within the sleeve."


No points for the poor Russian-to-English translation above, but I did catch the reference. It may have been nothing, probably just another cybersecurity coincidence.





"...we are only interested in money." - Black Suit Ransomware


The Ugly Side of Cyber - Negotiations


CDK has never been posted by Black Suit or any other group to date. The original ransom request was believed to be $10 million with online rumors ballooning it to as high as $80 million. The truth is probably somewhere in between and closer to the lower figure. Ransomware groups and threat actors routinely ask for way more than they are willing to settle for. They over inflate their claims and use whatever other means are needed.

Just like that one of the two deleted their account and the next day fortunes turned for the encrypted.

CDK should be back fully operational by the time you read this. Once again CDK was never posted by Black Suit but confirmed the cyber incident and actor as being Black Suit. Kadokawa was leaked by Black Suit.

Is Black Spade for real? Is Black Spade coming? I'm not sure but if that name does come up make sure to do your due diligence.

Stay safe online and off.



Dominic Alvieri
@AlvieriD

Wednesday, June 12, 2024

How I Hacked Your Mother

Did you know I can hack you from several yard sale items?


by Dominic Alvieri
June 12th, 2024


How I Hacked Your Mother, by Dominic Alvieri



Can You Help Me With My Smart Dryer?

Kids did I ever tell you how I prevented your mom from getting hacked?

Cybersecurity articles are either way too technical or way too simple, not containing any concrete or actionable information the average person can use.

In the simplest terms, any device that has been connected to the internet will leave a digital trail, and that trail is left stored in the device's memory. Those traces don't just magically disappear...you have to remove them.


It can without wiping your old IoT device memory.

A Simple Question Asked and Not Answered

Whenever you dispose of any IoT device what must you do with the devices memory? 

36 out of 36 random people I asked this question failed to answer it correctly. You must successfully wipe your old device's memory clean before selling or disposing of the device. Not one of the 36 knew.


The Cyber Show

***Important Disclaimer***

A proper forensic investigation should be done on a copy and not the original, to avoid any chance of corruption or tampering. The device is usually copied as an image and then added as a data source to investigate further, depending on the tool you are using. Please do your own research on how to properly conduct a forensic investigation, but that is a key principle to strictly adhere to.

Secondly just to be safe I am leaving out the brand names of the devices researched. Remember that any device that connects to the internet will leave a digital trail. The credentials don't just disappear. 


Smartphone, Tablet, Camera, Printer...

I was driving around the other day and saw a yard sale sign and looking for a few things.


The Yard Sale Hack

How is Your Smart Washer Connecting to the Internet?


The Yard Sale Hack

It didn't take long to see an old Android smartphone and a printer for sale. I asked the owner if she knew that I could find all types of credentials and data left behind if she didn't clean the memory from her devices. She didn't know how to respond. I explained the research I was doing. She said she had deleted all the photos on the phone so she was ok. ( yikes! ) I explained how to properly dispose of any IoT device. She agreed to the sale and the research. I returned the devices in a few days and revealed my findings.


Digital Forensics


I've been hacking and breaking things for a long time, but I also track and trace cyber criminals and cryptocurrencies and forensically go over all types of devices. Autopsy is one of my favorite tools, but I use several depending on what type of device (desktop hard drive, smartphone, printer, etc.) I am going to go over and what I am looking for. I used several tools and add-ons for this project, so I won't bore you.

Different devices have different types of memory. The hard drive in your computer is obviously different from the memory and storage in your smartphone. That is a blog for another day. 

It's All in the Credentials


In short the printer had her Wi-Fi credentials in plain text and the smartphone had a treasure trove of information that could be used against her. I agreed not to expose any personal details except for the minimal details that we agreed upon so sorry no redacted screen shots.



Sample of Autopsy

How I Prevented Your Mother From Getting Hacked


What is the Best Thing to do When Disposing of an IoT device?


The best single piece of advice when getting rid of old IoT devices is to wipe your old IoT device's memory clean. Every single IoT device. It is just that simple. You can also remove and destroy the storage media, which works but isn't very practical with smartphones.

How?


Again, in simple terms: depending on the type of storage media there is professional software like Eraser or other commercial tools available. All other devices, such as printers, assistants and other non-smartphone devices, will have instructions, usually in their settings, and should get a factory reset as a worst-case minimum.

Check your device's manual and carefully go over its instructions.

Stay safe online and off. 

Wednesday, April 10, 2024

Typosquatting with Mikhail

The Infrastructure Boss


by Dominic Alvieri
April 10th, 2024




What does a former Boris Yeltsin era Defense Minister for the Russian Federation have to do with cybercrime and ransomware today?

Since early 2023 I have been tracking a cybercrime infrastructure that now accounts for over 800 phishing websites pretending to be banks, software companies and cryptocurrencies deploying malware and dropping crypto stealers.

All of the 800+ phishing sites have two things in common. They are all registered with NiceNIC.NET and the WHOIS registrant organization is "Mihail Kolesnikov." 

Several countries of origin are used including Belize and Belgrade. A few websites were also registered under the correct spelling of Mikhail with the vast majority registered as "Mihail."
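The registrant pivot described above, as an added example and not the author's own tooling: the WHOIS records are constructed, the domains are placeholders rather than real indicators, and folding "Mikhail" onto "Mihail" is an assumed normalisation for the spelling variants the post mentions.

```python
"""Cluster phishing domains by WHOIS registrant organization and registrar.

Added example, not the author's tooling: the records are constructed stand-ins
for WHOIS output (the organization string and registrar are the ones named in
the post; the domains are placeholders, not real indicators). Folding
"Mikhail" to "Mihail" is my assumption for catching the spelling variants.
"""
from collections import defaultdict
import re
import unicodedata

SAMPLE_WHOIS = [  # constructed records
    {"domain": "bank-example-1.test", "registrar": "NiceNIC.NET",
     "org": "Mihail Kolesnikov"},
    {"domain": "wallet-example-2.test", "registrar": "NiceNIC.NET",
     "org": "Mikhail Kolesnikov"},
    {"domain": "soft-example-3.test", "registrar": "NICENIC.NET",
     "org": "MIHAIL  KOLESNIKOV"},
    {"domain": "unrelated-example.test", "registrar": "Other Registrar",
     "org": "Acme Corp"},
]

# Assumed normalisation: strip accents, case-fold, collapse whitespace, and
# fold Latin transliteration variants of the first name onto one spelling.
_VARIANTS = {"mikhail": "mihail", "michail": "mihail"}


def normalize_org(org: str) -> str:
    """Canonical form of a registrant organization string."""
    ascii_text = unicodedata.normalize("NFKD", org).encode("ascii", "ignore").decode()
    tokens = re.sub(r"\s+", " ", ascii_text).strip().lower().split(" ")
    return " ".join(_VARIANTS.get(t, t) for t in tokens)


def cluster_by_registrant(records):
    """Group domains by (normalised org, registrar): two weak signals together
    make a far better pivot than either alone."""
    clusters = defaultdict(list)
    for r in records:
        key = (normalize_org(r["org"]), r["registrar"].strip().lower())
        clusters[key].append(r["domain"])
    return dict(clusters)


def largest_cluster(records):
    """Return (key, sorted domains) for the biggest cluster."""
    clusters = cluster_by_registrant(records)
    key = max(clusters, key=lambda k: len(clusters[k]))
    return key, sorted(clusters[key])


if __name__ == "__main__":
    key, domains = largest_cluster(SAMPLE_WHOIS)
    print(f"{key[0]} @ {key[1]}: {len(domains)} domains -> {domains}")
```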

Hunters International is the latest ransomware and data extortion group to join.


Hunters International


Several of the websites were deploying Bumblebee malware along with various stealers: Redline stealer and new versions of the Rilide and Fletchen stealers.

A quick look: Fletchen stealer features some of the same wide array of malicious activities as other stealers, including theft of credentials, Wi-Fi login details, browser history and cookies, along with several crypto clipper options.

Fletchen stealer is written in Rust with simple panel access and is easy to navigate, but script kiddies beware: you need technical abilities to encrypt the stealer.exe file.








Hunters International registered their clearnet leak site with the registrant organization of Mihail Kolesnikov in January of this year.



WHOIS data from Hunters International


All of the malicious websites have been registered since 2022 and continue under the typosquatted registrant organization of Mihail Kolesnikov. 



Typosquatting Mikhail.




Clippers swap the copied destination address for an attacker-generated address of the corresponding type. Fletchen stealer (pictured below) currently targets Bitcoin, Ethereum, Litecoin, USDC, USDT, even Dogecoin and other cryptocurrencies.

"history",
"webRequests",
"tabs",
"clipboardWrite",
"clipboardRead",
"management",
"<all_urls>"
],

Fletchen Stealer
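Reading that permission set the way a defender would, as an added example and not from the original post: the manifest skeleton around the printed permissions is constructed, and the clipper combination and the MV3 host_permissions handling are my assumptions.

```python
"""Triage a browser-extension manifest for clipper-style permissions.

Added example, not from the original post: the permission array is the one
printed in the post's manifest fragment, embedded here in a constructed
manifest skeleton; the clipper combination and the MV3 host_permissions
handling are my own assumptions about how to read such a manifest.
"""
import json

# Constructed manifest skeleton around the permissions printed in the post.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",          # placeholder, not the real name
    "permissions": [
        "history", "webRequests", "tabs", "clipboardWrite",
        "clipboardRead", "management", "<all_urls>",
    ],
})

# Clipper pattern: read and rewrite the clipboard, with access to every page.
CLIPPER_COMBO = {"clipboardRead", "clipboardWrite"}
HOST_WILDCARDS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def effective_permissions(manifest_json: str) -> set:
    """Collect every permission an extension can end up holding.

    MV2 mixes API and host permissions in "permissions"; MV3 splits hosts out
    into "host_permissions". Optional permissions count too, since they can
    be requested at runtime.
    """
    m = json.loads(manifest_json)
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions",
                "optional_host_permissions"):
        perms.update(m.get(key, []))
    return perms


def assess(manifest_json: str) -> dict:
    """Flag clipboard read+write paired with broad host access."""
    perms = effective_permissions(manifest_json)
    broad_hosts = perms & HOST_WILDCARDS
    clipper = CLIPPER_COMBO <= perms and bool(broad_hosts)
    notes = []
    if clipper:
        notes.append("clipboard read+write on all sites: clipper capable")
    if "management" in perms:
        notes.append("management: can disable other extensions")
    if {"webRequest", "webRequests"} & perms:   # the post's spelling included
        notes.append("webRequest: can observe/alter traffic")
    return {"clipper_capable": clipper, "broad_hosts": sorted(broad_hosts),
            "notes": notes}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST), indent=2))
```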

Former Rilide C2 domain /silent-scale.com

A full report will be out in a month or so detailing the Chinese registrations and Russian C2s associated with all of these "Mihail Kolesnikov" websites and malware.


The Cyber Show, by Dominic Alvieri



Dominic Alvieri
X @AlvieriD


