The Big Bash Dubai 2022 #scamempire
20.03.2025 15:28
@qurium.org.bsky.social
Prevention, Mitigation, Attribution. Open DM

Just posted. Quantum AI investments are not a scam. Meta 🇸🇳 #scamempire
https://www.facebook.com/reel/654852003661912
Get ready for the "Big bash" #scamempire
10.03.2025 18:28

Ten years ago Boaelite (now Affilomania/Trafficon) published this video. What has really changed at the #scamempire?
09.03.2025 12:10

Coming soon... #scamempire
07.03.2025 08:09

Landing pages used by affiliates of the #scamempire
06.03.2025 07:48

Tonight watch #scamempire
05.03.2025 09:44

#scamempire
05.03.2025 08:29

“By turning over the material to the media, I/we hope this issue gets enough attention for authorities to take action against these criminals. This problem is not impossible to solve. We all just need to care enough to do something about it.” - Source of the leak of #scamempire
05.03.2025 06:12

Scam call centers are destroying lives across the world. Now we're putting the spotlight on them. Coming soon… #ScamEmpire
04.03.2025 13:46

"When Kehr meets Vextrio" shows how dating scams and disinformation use a common infrastructure.
https://www.qurium.org/forensics/when-kehr-meets-vextrio/ (1/4)
Yesterday, Bullet Proof Hosting provider sclad{.}us aka Morningstars (AS215939), connected to UAC-0050 (CERT-UA#8453 and CERT-UA#8494 alerts), announced "technical works" as their main upstream dropped them.
18.08.2024 05:37

One month after the release of our Doppelganger investigation and the shutdown of Aeza at Datacamp, the ASNs that made it to the finish line have migrated to @packetbouncer @aurologiccom and @RoyaleHostingBV @stanvandeklippe
Many prefixes remain behind GRE tunnels.
The power of CSI (194.36.177{.}229) server of 1cent{.}host runs in AS210281. Can you figure out where the GRE tunnels of this BPH terminate? @banthisguy9349
03.08.2024 08:44

MTU1448 update: Doppelganger prefix sneaking away from Aurologic upstream to AS214891. Prefix now using AS56630 Melbikomas (LT) as upstream in Germany.
route: 77.91.66.0/24
origin: AS214891
mnt-by: CENTHOST-MNT
last-modified: 2024-08-02T09:47:27Z
The answer is 1448. In a standard setup the maximum payload for an ICMP packet will be 1472 bytes (1500-20-8): 28 bytes for the IP (20) and ICMP (8) headers.
If you run GRE tunnels, you need to account for an extra 24 bytes of overhead for the outer IP (20) and GRE (4) headers.
1500-20-8-20-4=1448
Yesterday, AS198981 (netshield/1centhost) continued to serve Doppelganger domains, but this time with @packetbouncer (Aurologic) as upstream. This is not the kind of blocking we were expecting from you.
01.08.2024 06:05

This is why we think that Lethost, the bullet proof hosting that runs DG, is NOT just a customer of Aeza (1/x)
30.07.2024 08:16

Suspended Cyberhub ASN that is part of the Doppelganger ecosystem has just been renamed to HellaAS (Hellenic Digital Services Ltd / Luxhost). Seems like "luxhost" is the new Aeza bullet proof hoster. 🤦
@Gi7w0rm @banthisguy9349 @SourcesOuvertes
In a new twist in the saga of Doppelganger, Aeza has decided to stop providing connectivity to two bullet proof hosters: Lethost and Sunhost. What a nice way to show the world that they handle "abuse". (1/3)
25.07.2024 09:01

Since the release of our forensic investigation about Doppelganger infrastructure there have been a few interesting developments. One of them is that the F-domains @ TNSECURITY and NETSHIELD remain online thanks to one common upstream provider: Datacamp/CDN77
18.07.2024 06:07

It seems that TNSECURITY/EVILEMPIRE is no longer routing traffic from Germany. Nice to have now a much clearer picture of where Lethost is coming from.
16.07.2024 17:31

Impressed by their setup or our report? Maybe both? @cymnu https://t.co/Ds8gNGobjK
14.07.2024 12:13

Hostinger today, DNS parking the F domains of DG.
bikerspace[.]shop
btwidea[.]shop
cscerbr[.]shop
envhb[.]shop
summitslope[.]shop
vokei[.]shop
TNSecurity (aka Evilempire) is interesting for 4 things:
- Runs from Germany as downstream of @packetbouncer
- Runs front proxies for Doppelganger
- It is a hotspot of malware distribution
- It was a "dorector"
@Gi7w0rm @ffforward @banthisguy9349

Let us check a few domains of the DG campaign today that were registered with Namecheap and then moved to Hostinger DNS parking service. The service has been provided for months and the domains have been pointed to:
AS215428 Mykyta Skorobohatko RU
AS216309 Tnsecurity Ltd RU
Just a couple of hours ago, all these domains have been used by Doppelganger. All controlled from:
- Hostinger DNS Parking service and
- Served from "Evilempire" downstream of Aurologic in Germany.

Today, we make public our latest research on Doppelganger. https://www.qurium.org/alerts/russia/exposing-the-evil-empire-of-doppelganger-disinformation/
11.07.2024 06:16

Meet Ben Rose from Supreme Media (Amashen) that runs "regulated financial traffic". 🤣
15.05.2024 15:26

Do you wonder who is promoting those scams impersonating personalities and media?
Read about how we found three affiliate networks behind those ads.
https://www.qurium.org/alerts/tell-of-spring-exposing-crypto-scam-affiliate-networks/ (1/8)