Showing posts with label Microsoft. Show all posts

Saturday, March 8, 2025

The Kremlin, Politics and Ransomware

Qilin Ransomware caught with politically motivated fake document (and old data) in post.


Qilin Ransomware

by Dominic Alvieri

March 8th, 2025

@AlvieriD

Was it a breach or not?

The Ministry of Foreign Affairs of Ukraine was breached...in 2022 which is not what one devious up and coming ransomware group would like you to think. The post below is from Qilin Ransomware. 


Ministry of Foreign Affairs of Ukraine.
Original Qilin Ransomware MFA of Ukraine post.

Did the Kremlin Call?

Qilin shuffled document samples for the first 10 minutes after their MFA of Ukraine post, which piqued my interest. They originally listed 82 samples (the first 12 of which I retrieved and verified), then 31, and finally 104, if that hasn't changed. I regularly go back and check for updates and double-check my research, but it is usually the deletions that catch your eye. Most of the data samples are from 2022 or earlier. Qilin did release samples dated in 2025. All but one were removed, and that one is among the dozen I already had.


The only sample dated after 2025 is fake.


The document references a January 31st, 2025 missile strike by Russian troops at the Bristol Hotel in Odessa, Ukraine. Have I mentioned that I hate politics? The fake document is signed by an official who has never been an ambassador of Ukraine to Moldova.

All of the remaining documents are dated between 2019 and 2022 and were previously leaked on Telegram in 2022, after a breach of the MFA of Ukraine that year.

Most of the major players have made some political reaffirmations recently.


I've actually always hated politics and this has the big stink of a political pressure move.

RansomHub also recently released a Tox profile message stating never to target CIS states. LockBit loves Trump and has said so and posted several times. Once again, hate is a strong word but...



Can you do me a favor...




Stay safe online and off.

Saturday, February 1, 2025

Deep Seek and Destroy

Seek deep and ye shall find


Deep Seek and Destroy

by Dominic Alvieri
February 1st, 2025

Malware, credential phishing, fake meme coins, exposed data...



Build a better mousetrap and the world will beat a path to your door. Deep Seek created a major storm when they came to market mainstream and have drawn unwanted attention ranging from questions about outright intellectual property theft to security vulnerabilities, including exposed databases, and a rash of bad actors jumping on the DeepSeek bandwagon.

First a note about authenticity because the documents and all the api call logs (Microsoft) speak for themselves. Some docs 








Deep Seek credential phishing


/deepseeklogin[.]com (left)

This credential phishing site is actually not bad and will get some people to commit. You can easily spot the incorrect URL and the missing official links.




Show us the malware already


Here is one example from Who said what? /deepsekk[.]sbs

I do apologize: there is a new MD5 I forgot to copy and am unable to find now or access my own account, but it is on VirusTotal and, if memory serves, the file is deepseek_v5.35.dmg.





There are no $DEEP or $SEEK meme coins

Crypto scammers jumped on quickly. Two scam examples are $DEEP and $SEEK.

Enough said

Hacked social media


This DeepSeek R1 account below is a hacked account with 35K followers on X. This isn't the only hacked or fake account on social media.




Hundreds of new domains every day


Small sample courtesy of DNPedia.
The current total of questionable domains registered is now over 2,000.




Other


Always check the other category. The only official site is /deepseek[.]com

Here are a few other active examples -

/deepseek-ai[.]com
/deepseek[.]ai
/deepseek[.]org
/deepseek[.]cyou
/deepseeklogin[.]com

Please avoid any of these sites. Personally I am not a fan of DeepSeek. Logging keystrokes.
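A defender's way to triage a domain feed like the one above is to refang each entry and classify it against the one official domain. The script below is an added example written for this page, not the author's tooling; it takes the defanged domains listed in the post (plus two constructed controls, marked as such) and sorts them into four lookalike classes: same label on a swapped TLD, the brand with an affix such as "-ai" or "login", a near-miss spelling measured by edit distance, or unrelated. The TLD split (last label only) and the edit-distance threshold of 2 are assumptions chosen for the example.

```python
import re

OFFICIAL = "deepseek.com"  # the only official site named in the post

# Defanged entries copied from the post, plus two constructed controls
CANDIDATES = [
    "/deepseek-ai[.]com",
    "/deepseek[.]ai",
    "/deepseek[.]org",
    "/deepseek[.]cyou",
    "/deepseeklogin[.]com",
    "/deepsekk[.]sbs",
    "/deepseek[.]com",   # constructed control: the official site itself
    "/example[.]net",    # constructed control: unrelated domain
]


def refang(entry: str) -> str:
    """Turn a defanged indicator such as '/deepseek[.]ai' into 'deepseek.ai'."""
    s = entry.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)          # hxxp:// style defanging
    s = s.replace("[.]", ".").replace("(.)", ".")
    return s.strip("/")


def split_domain(fqdn: str):
    """Return (registrable label, tld). Assumption: single-label TLDs only."""
    parts = fqdn.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a domain: {fqdn!r}")
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def classify(entry: str, official: str = OFFICIAL, max_edits: int = 2) -> dict:
    """Classify one defanged domain relative to the official one."""
    fqdn = refang(entry)
    label, tld = split_domain(fqdn)
    olabel, otld = split_domain(official)

    if fqdn == official:
        verdict, reason = "official", "exact match"
    elif label == olabel:
        verdict, reason = "tld-swap", f"brand label on .{tld} instead of .{otld}"
    elif olabel in label:
        verdict, reason = "brand-affix", f"brand embedded in label {label!r}"
    else:
        d = levenshtein(label, olabel)
        if d <= max_edits:
            verdict, reason = "typosquat", f"{d} edit(s) from {olabel!r}"
        else:
            verdict, reason = "unrelated", f"{d} edits from {olabel!r}"
    return {"domain": fqdn, "verdict": verdict, "reason": reason}


def triage(entries=CANDIDATES) -> dict:
    """Count verdicts across a feed; anything not 'official' deserves a block or a watch."""
    counts = {}
    for e in entries:
        v = classify(e)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for e in CANDIDATES:
        r = classify(e)
        print(f"{r['domain']:<22} {r['verdict']:<12} {r['reason']}")
    print(triage())
```

In practice the output feeds a blocklist or a DNS-monitoring rule rather than stdout; the point is that every entry in the post's "other" category lands in one of the three lookalike classes, while the genuine site is the only one returning "official".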

Enough said again. Stay safe online and off. 
