Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Dear blog readers,

I recently spend some time working with NotebookLM based on all of my content from 2005 to 2025 and I wanted to share the results with everyone.

Sample photos:

Sample videos:

Dear blog readers,

This is Dancho.

I wanted to share with everyone the news that as of today I'm joining forces with Treadstone 71 as an OSINT Analyst. 

I also wanted to share the news of our latest flagship research entitled "Coordinated Inauthentic Behaviour Deceptive Amplification Comprehensive Analysis of Cross-Platform Synthetic Influence Operations Targeting @officialrezapahlavi and @pahlavireza" where I was responsible for the technical collection data mining data enrichment and analysis and presenting the final results of our report.

Here are some sample graphs from the report:

Dear blog readers,

This is the second week of sandboxing the new and novel malware samples that I have access to and extract and share and enrich all the malware command and control phone back domains. 

I hope that you will find this relevant and informative.

Sample malware C&C (command and control) phone back domains from this week's sandboxing include:

hxxp://212.ip.gl.ply.gg
hxxp://a.goatgame.co
hxxp://a0920080.xsph.ru
hxxp://bendavo.su
hxxp://cim.co.com
hxxp://classic-dave.gl.at.ply.gg
hxxp://clearsolutions.uk.com
hxxp://conxmsw.su
hxxp://cover-phantom.gl.at.ply.gg
hxxp://doddyfire.linkpc.net
hxxp://dstat.one
hxxp://elumadns.hopto.org
hxxp://exposqw.su
hxxp://fatisabi.linkpc.net
hxxp://fuu.tfuuuk.com
hxxp://hho.uk.com
hxxp://hov.multiatend.com.br
hxxp://hvu.uk.com
hxxp://infoprokaps.ddns.net
hxxp://job-citizenship.gl.at.ply.gg
hxxp://know-studied.gl.at.ply.gg
hxxp://krs.kievteplo.kiev.ua
hxxp://krs.tfba.me
hxxp://la-supreme.gl.at.ply.gg
hxxp://loganwolverin2026.duckdns.org
hxxp://memory-scanner.cc
hxxp://msf.uk.com
hxxp://narroxp.su
hxxp://needforrat.hopto.org
hxxp://needleexperience.xyz
hxxp://nft.uk.com
hxxp://nobles.locker
hxxp://open88-vip.com
hxxp://ozonelf.su
hxxp://pitchz.locker
hxxp://ptn.kievteplo.in.ua
hxxp://ptn.passadisco.com.br
hxxp://qdqwrqwrwqrqw.net
hxxp://salat.cn
hxxp://ser.nrovn.xyz
hxxp://squatje.su
hxxp://squeaue.su
hxxp://suzoo.ryxuz.com
hxxp://taodianla.com
hxxp://transfer.sh
hxxp://unembel.locker
hxxp://upaste.me
hxxp://vestcast.co
hxxp://vicareu.su
hxxp://vlxx.bz
hxxp://whitepepper.su
hxxp://windirautoupdates.top
hxxp://wndlogon.hopto.org
hxxp://wto.azl.one
hxxp://wto.mir-massage.kiev.ua
hxxp://www.ojang.pe.kr
hxxp://yip.su

hxxp://bendavo.su - Email: sbakuga@inbox.ru
hxxp://whitepepper.su
hxxp://vicareu.su 

Stay tuned. 

Dear blog readers,

On November 19th 20025 the Silent Ransomware Operator's Dark Web Onion made an interesting posting in what appears to be a compromised Dark Web Onion with a specific post detailing the activities of the Silent Ransomware operators. 

I decided to dig a little bit deeper and also provide an enriched analysis.

Зубков, Владислав Сергеевич
Телефон: 79038429329
Дата рождения: 09.03.1996
Город: Тула, Россия
Инстаграм: vladi_tula
ВК: slaw71

Иванов, Иван Сергеевич
Телефон: 79153700392, 74957113532
Дата рождения: 03.04.1991
Город: Москва, Россия
 

Несветаев, Даниил Павлович
Телефон: 79508749805, 79031156929, 79510857967, 79606919091
Дата рождения: 03.01.2000
Город: Курск, Россия
ВК: xvidis

Солдатов, Владимир ВладимировичТелефон: 79514754980, 79124043093
Дата рождения: 21.09.1992
Город: Миасс, Россия
ВК: ВОВА 12345 СОЛДАТОВ

Аверин, Алексей Иванович
Телефон: 79534255483
Дата рождения: 23.01.1996
Город: Тула, Россия
Инстаграм: alexey.averin, averina1exei
ВК: a1exiiu

Фомичёв, Кирилл Алексеевич
Телефон: 79997815534, 79509266372, 79066268794, 79509028210, 79612672856
Дата рождения: 18.12.1996
Город: Тула, Россия
Инстаграм: kirill_fomichev71
ВК: diger71 

hxxp://business-data-leaks.com - Email: tatodavi1997@finefreemail.com

Related domains:

hxxp://ucheck.info

hxxp://arculufi.com

hxxp://business-data-leaks.com

hxxp://layerzeronetworks.net

hxxp://parcelpathways.com 

Related domains:

hxxp://blackpass.online

hxxp://blackpass.link

Related domains:

hxxp://blackpass.one
hxxp://blackpass.sale
hxxp://blackpass.im
hxxp://blackpass.lu
hxxp://blackpass.io
hxxp://blackpass.ws
hxxp://blackpass.name
hxxp://blackpass.biz 

Dear blog readers,

I recently came across to a relatively interesting and novel malware as a service malicious software provider that specialized in Android based malware releases with several releases currently in the works and available commercially within the cybercrime ecosystem with the vendor currently possessing a pretty decent social media presence so I decided to provide some personally identifiable information about their online whereabouts. 

Sample domains known to have been involved in the campaign include:

hxxp://craxsrat.com - Email: evlfdev@gmail.com
hxxp://craxsrat.net
hxxp://craxsserver.com
hxxp://craxsrat.com
hxxp://evlfdev.com
hxxp://spysolr.com 

Sample contact details:

Session ID:
05e476b08449c214be276c9eee0db24f5d5a2296da86432a122d3102242939fe3d

Jabber ID:
evfldev@draugr.de

Tox ID:
93BEB9028B77008BFE13A46F2B2290A75988036A77D3D6A315FFA986C45F84654FF298AB9031 

Sample social media accounts involved in the campaign include:

https://x.com/EvLFDev
https://www.facebook.com/craxsrat
https://t.me/EVLFDEV
https://github.com/EVLF
https://www.youtube.com/@EvLFDev
https://www.facebook.com/spysolr/
https://spysolr.com
https://vimeo.com/user204150405
https://x.com/spysolr
https://t.me/spysolr 

Sample video demonstrations:

Related screenshots:

Happy New Year and a lot of professional and personal success in 2026.

I've recently spend some time working on a personal project where based on the unique malware samples that I process and obtain on my own using my methodology I aim to extract relevant malware command and control (C&C) domains only and offer them in a static form including to offer additional enrichment in terms of their associated MD5 hash and the corresponding malware family. 

Here's the initial batch of processed malware samples and their corresponding MD5s and malware family including additional domain registrations enrichment.

Here's also a link to the DNS resolved and Geolocated MySQL database for Week 01. 

Sample malware command and control (C&C) domains extracted based on unique malware samples that I process and have access to using sandboxing include:

hxxp://212.ip.gl.ply.gg
hxxp://337598cm.nyash.es
hxxp://725822cm.nyash.es
hxxp://a0920080.xsph.ru
hxxp://aatcwo.biz
hxxp://acwjcqqv.biz
hxxp://anpmnmxo.biz
hxxp://api.lyra-connect.us
hxxp://banwyw.biz
hxxp://bendavo.su
hxxp://bghjpy.biz
hxxp://brsua.biz
hxxp://bumxkqgxu.biz
hxxp://burkinafaso.duckdns.org
hxxp://chukwunweikefrankokiteamaekeibeku.ydns.eu
hxxp://cikivjto.biz
hxxp://cjvgcl.biz
hxxp://classic-dave.gl.at.ply.gg
hxxp://colorfulequalugliess.shop
hxxp://conxmsw.su
hxxp://cover-phantom.gl.at.ply.gg
hxxp://cpclnad.biz
hxxp://ctdtgwag.biz
hxxp://cvgrf.biz
hxxp://damcprvgv.biz
hxxp://deoci.biz
hxxp://detectordiscusser.shop
hxxp://devnyash.top
hxxp://dlynankz.biz
hxxp://docs.npo-iskra.ru
hxxp://doddyfire.linkpc.net
hxxp://dstat.one
hxxp://dwrqljrr.biz
hxxp://ecxbwt.biz
hxxp://edurestunningcrackyow.fun
hxxp://elumadns.hopto.org
hxxp://energytulcea.ro
hxxp://ereplfx.biz
hxxp://esuzf.biz
hxxp://eufxebus.biz
hxxp://exposqw.su
hxxp://fatisabi.linkpc.net
hxxp://fjumtfnz.biz
hxxp://free-auto-clicker.com
hxxp://ftxlah.biz
hxxp://fwiwk.biz
hxxp://gcedd.biz
hxxp://gjogvvpsf.biz
hxxp://gnqgo.biz
hxxp://go.bestjacksonvillehotels.com
hxxp://go.tweethost.com
hxxp://graceland777.ddns.net
hxxp://gvijgjwkh.biz
hxxp://gytujflc.biz
hxxp://hehckyov.biz
hxxp://hlzfuyy.biz
hxxp://htwqzczce.biz
hxxp://ifsaia.biz
hxxp://ikechukwugrace.duckdns.org
hxxp://iuzpxe.biz
hxxp://jdhhbs.biz
hxxp://jhvzpcfg.biz
hxxp://jifai.biz
hxxp://jlqltsjvh.biz
hxxp://job-citizenship.gl.at.ply.gg
hxxp://jpskm.biz
hxxp://jwkoeoqns.biz
hxxp://kcyvxytog.biz
hxxp://kg5n.com
hxxp://kilimanjaro.run.place
hxxp://kilimanjaro.theworkpc.com
hxxp://knjghuig.biz
hxxp://know-studied.gl.at.ply.gg
hxxp://kvbjaur.biz
hxxp://la-supreme.gl.at.ply.gg
hxxp://lejtdj.biz
hxxp://loganwolverin2026.duckdns.org
hxxp://lpuegx.biz
hxxp://lrxdmhrr.biz
hxxp://mail.honesty-shippings.com
hxxp://mail.lwaziacademy.com
hxxp://mail.taikei-rmc-co.biz
hxxp://manaura-43718.portmap.host
hxxp://max-merchandise.gl.at.ply.gg
hxxp://mgmsclkyu.biz
hxxp://mjheo.biz
hxxp://mnjmhp.biz
hxxp://muapr.biz
hxxp://myups.biz
hxxp://narroxp.su
hxxp://nasap.net
hxxp://neazudmrq.biz
hxxp://needforrat.hopto.org
hxxp://needleexperience.xyz
hxxp://nffplp.com
hxxp://nnamoograce.duckdns.org
hxxp://nobles.locker
hxxp://npukfztj.biz
hxxp://nqwjmb.biz
hxxp://nwdnxrd.biz
hxxp://ocsvqjg.biz
hxxp://oflybfv.biz
hxxp://oh.whatisyourname.buzz
hxxp://opowhhece.biz
hxxp://oshhkdluh.biz
hxxp://overthinker1877.duckdns.org
hxxp://ozonelf.su
hxxp://pectx.biz
hxxp://pgfsvwx.biz
hxxp://pooreveningfuseor.pw
hxxp://przvgke.biz
hxxp://ptrim.biz
hxxp://pwlqfu.biz
hxxp://pywolwnvd.biz
hxxp://qaynky.biz
hxxp://qdqwrqwrwqrqw.net
hxxp://qncdaagct.biz
hxxp://qpnczch.biz
hxxp://qwdfewf.com
hxxp://reczwga.biz
hxxp://relevantvoicelesskw.shop
hxxp://rffxu.biz
hxxp://root.bhware.store
hxxp://rrqafepng.biz
hxxp://rynmcq.biz
hxxp://saytjshyf.biz
hxxp://ser.nrovn.xyz
hxxp://server.mobware.xyz
hxxp://several-tab.gl.at.ply.gg
hxxp://shpwbsrw.biz
hxxp://silentclickteam.cc
hxxp://sirrbef.cyou
hxxp://sislaps.ydns.eu
hxxp://squatje.su
hxxp://squeaue.su
hxxp://ssbzmoy.biz
hxxp://sxmiywsfv.biz
hxxp://taodianla.com
hxxp://tbjrpv.biz
hxxp://tnevuluw.biz
hxxp://transfer.sh
hxxp://troyka4100.dynu.net
hxxp://turkeyunlikelyofw.shop
hxxp://two-2.s3.cubbit.eu
hxxp://typgfhb.biz
hxxp://uaafd.biz
hxxp://unembel.locker
hxxp://upaste.me
hxxp://uphca.biz
hxxp://vcddkls.biz
hxxp://vestcast.co
hxxp://vicareu.su
hxxp://vjaxhpbji.biz
hxxp://vrrazpdh.biz
hxxp://vvu8ghu9oij25i4.hopto.org
hxxp://vyome.biz
hxxp://warkcdu.biz
hxxp://whjovd.biz
hxxp://whonixgateway.online
hxxp://wisemassiveharmonious.shop
hxxp://wllvnzb.biz
hxxp://wluwplyh.biz
hxxp://wndlogon.hopto.org
hxxp://anpmnmxo.biz
hxxp://free-auto-clicker.com
hxxp://ojang.pe.kr
hxxp://wxgzshna.biz
hxxp://xccjj.biz
hxxp://xlfhhhm.biz
hxxp://xnxvnn.biz
hxxp://xyrgy.biz
hxxp://yauexmxk.biz
hxxp://yhqqc.biz
hxxp://yip.su
hxxp://ytctnunms.biz
hxxp://yunalwv.biz
hxxp://ywffr.biz
hxxp://zgapiej.biz
hxxp://zjbpaao.biz
hxxp://znwbniskf.biz
hxxp://zrlssa.biz
hxxp://zyiexezl.biz 

Sample enriched with corresponding MD5s and malware family malware command and control (C&C) domains from this week's sandboxing activities include: 

Additional malware domains enrichment includes:

hxxp://vicareu.su - Email: sbakuga@inbox.ru
hxxp://bendavo.su - Email: sbakuga@inbox.ru

Related domain registrations for sbakuga@inbox.ru:

hxxp://diadtuky.su
hxxp://prebwle.su
hxxp://izzardtow.su
hxxp://coverxyzer.su
hxxp://lumma-market.su

Related domain registrations:

hxxp://qwdfewf.com - Email: geraregaettemu@mail.ru

Related domain registrations for geraregaettemu@mail.ru:

hxxp://igbyugfwbwb5.xyz
hxxp://random1125123.xyz
hxxp://olxcarder.xyz
hxxp://newoneazertyqsdf.xyz
hxxp://sdasfghgfds.su

Stay tuned.