Unpacking BlackBasta Chat Leaks
Key Points
- The leaked chats begin on September 19, 2023, and document the group's spam campaigns, network intrusions and infrastructure build-out over more than a year.
- Victims ranged from mid-sized firms such as baccaratus.local ($130.9M) and belzona.com ($57M) to billion-dollar targets such as mymiratech.com ($3B); the intrusions leaned on Cobalt Strike and VBS loaders.
- Their infrastructure comprised numerous VPSes, relay proxies (e.g., 94.228.169[.]123) and FTP servers, with Cobalt Strike deployed automatically via Ansible.
- Surprising detail: they pushed more than 15 million emails through their spam campaigns, yet were dogged by reversers (malware analysts detonating their payloads, who showed up in the bot counts) and by unreliable SOCKS bots.
Overview
The chats span more than a year from September 19, 2023, and show a sophisticated but chaotic operation. The group started with a handful of intrusions and scaled to mass spam runs, hitting a mix of small and large organizations. Their tooling (Cobalt Strike, VBS loaders) and infrastructure (VPSes, proxies) evolved to keep pace, but reverser interference and SOCKS-bot instability persisted throughout.
Timeline
Here’s a high-level timeline of their activities:
- September 19-20, 2023: Set up C2 servers and proxies, conducted initial breaches, and planned spam campaigns.
- Late September to October 2023: Scaled spam to hundreds of thousands of emails, breached more targets, and refined tools.
- November 2023 to Year-End: Targeted major organizations, received ransom payments, and adapted to security measures.
- 2024: Focused on high-value targets, came under law enforcement pressure and shifted strategy, closing with a 15-million-email run aimed at US healthcare.
Targets and Breaches
The gang hit targets ranging from mid-sized firms like baccaratus.local (a $130.9M French jewelry firm) to potential billion-dollar prizes like mymiratech.com ($3B, US cybersecurity). Early successes included cracking baccaratus.local on September 19, pulling hashes and plaintext credentials such as rravi:3737Intel@ and Les2mousquet'r, and breaching belzona.com ($57M, UK) on September 20. They also eyed dentons.com ($3.6B) but held back, testing on smaller networks first.
Tools and Techniques
Their toolkit was diverse:
- Cobalt Strike: Used for beaconing and credential extraction, deployed automatically via Ansible (see the Cobalt Strike documentation), with malleable C2 profiles produced by a GitHub-hosted profile generator; scaled to 50+ servers by 2024.
- VBS payloads: The core delivery method. Download_VBS_slush.rar contained their VBS loader (likely Download.vbs or similar), with 3K unique builds by September 20, 2023, scaling to 10K by 2024, relayed through proxies such as 94.228.169[.]123 and 178.236.247[.]73.
- DLL payloads: Early attempts used file.dll in the command "undll32 file.dll, Museum" (a typo for rundll32, which loads the DLL and calls its Museum export); refined for process injection by late 2023.
- DOC exploits: Planned upgrades using shellcode injection, fixing NtProtectVirtualMemory problems, and advancing to process injection by 2024 for better evasion.
- SOCKS bots: The crypted build was updated to 1.7soc.7z (an archive containing the SOCKS bot) by September 20, 2023, but reliability lagged (308 online vs. 1120 offline).
- Spam campaigns: Managed by @lapa; over 15M emails sent by year-end, delivered via proxytraff and the SOCKS bots.
TTPs, Scripts, and Registry Keys
Here is a rundown of the gang's main tactics, techniques and procedures (TTPs), scripts and registry keys, pulled straight from the logs and ordered by attack lifecycle.
Tactics, Techniques, and Procedures (TTPs)
Initial Access via Phishing (T1566.001)
- Details: Sent over 15M emails carrying VBS attachments (e.g., Download_VBS_slush.rar), relying on sheer volume to get some past mail filters; delivery was tracked via hxxp://149[.]248[.]76[.]130/mg-stat[.]php?pp=ebe1a3686220c6a56071a.
- Context: Started September 20, 2023, scaled to millions of emails by 2024.
Credential Harvesting (T1003)
- Details: Used keyloggers (T1056.001) and secretsdump.py (T1003) to extract VPN credentials (e.g., paul.capper:Sydney01/DaNang19) and hashes, which they posted either as hash:plaintext pairs once cracked (e.g., c4c827e67655495cb729fc9234230e1d:T5j32HNR, where T5j32HNR is the recovered password, not a hash) or as raw cached-credential lines (e.g., $DCC2$10240#ftd.admin#d3fc246a677cb580b9a1ff50d16aa28c).
- Context: Early breaches (e.g., baccaratus.local, September 19, 2023) relied on this for entry.
Command and Control (T1071)
- Details: Employed Cobalt Strike for beaconing and C2, relayed through NGINX reverse proxies (ports 2351, 8080); later moved C2 onto Tor hidden services (e.g., orders44vz5yl7y6xajzxsdo2n6niaqu73ty4tx6ncwqnc752yzae4ad[.]onion).
- Context: Deployment automated with Ansible; custom kits in use by November 2023.
Defense Evasion via Process Injection (T1055) and Rundll32 (T1218.011)
- Details: Initially ran payloads with "undll32 file.dll, Museum" (rundll32 loading a DLL by export name, T1218.011); refined into process injection by late 2023, with DOC exploits that fixed their NtProtectVirtualMemory problems by 2024.
- Context: Improved evasion against EDR, noted in the November 2023 logs. ATT&CK classes T1055 under defense evasion and privilege escalation rather than persistence; the "persistence" the logs describe is bot survival against AV/EDR.
Data Exfiltration (T1041)
- Details: Used the ESXi locker front-end (e.g., 179.60.149[.]5/SH/WEB/, login epo:$E14GErufwFBsaf) for control of victim virtualization hosts and data extraction. T1041 specifically denotes exfiltration over the C2 channel; the logs record volumes but not the channel used.
- Context: Late 2023, scaled up for high-value targets like dentons.com (500GB extracted, March 2024).
Defense Evasion via Proxying (T1090)
- Details: Used NGINX proxies and SOCKS servers (e.g., 185.244.216[.]102:1080, credentials proxy1:888000VdskajeFVC) to mask C2 traffic.
- Context: Rotated to Tor hidden services by 2024 to dodge takedowns.
Resource Development (T1587)
- Details: Built 3K VBS loader builds (e.g., Download_VBS_slush.rar), scaled to 10K; developed custom Cobalt Strike kits (ArsenalKit).
- Context: Continuous tool refinement from September 2023 through 2024.
Scripts and Tools
Download_VBS_slush.rar
- Details: VBS loader, likely Download.vbs, executed via wscript.exe or cscript.exe; 3K builds by September 20, 2023, scaling to 10K by 2024.
- Context: Delivered via spam, relayed through 94.228.169[.]123 and 178.236.247[.]73.
undll32 file.dll, Museum
- Details: Early DLL payload. The command is a typo for rundll32 file.dll,Museum (rundll32 calling the DLL's Museum export); later refined for process injection.
- Context: Mentioned September 20, 2023, evolved by late 2023.
1.7soc.7z
- Details: Compressed SOCKS bot update, deployed September 20, 2023; reliability issues (308 online vs. 1120 offline).
- Context: Used for botnet management, stored on the FTP servers.
New-NetFirewallRule
- Details: PowerShell command New-NetFirewallRule -DisplayName 'lc' -Profile @('Public', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('2351', '8080'); opens the relay ports inbound on the Windows host firewall.
- Context: Executed September 20, 2023, by @w for proxy setup.
secretsdump.py
- Details: Impacket credential-dumping tool; extracted hashes (e.g., c4c827e67655495cb729fc9234230e1d, cracked to T5j32HNR).
- Context: Used in initial breaches like baccaratus.local.
Cobalt Strike
- Details: Deployed via an Ansible installer (hxxp://gofile[.]io/d/BvBblq), with custom kits (ArsenalKit, $3000) by November 2023 for beaconing and C2.
- Context: Core post-exploitation tool, scaled to 50+ servers.
Registry Keys
HKLM\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\
- Details: Queried via reg query x64 HKLM\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\ to pull stored NetExtender connection profiles. The x64 token is Cobalt Strike Beacon's reg query syntax (reg query [x86|x64] hive\path), so the read was issued from a beacon in-process rather than by spawning reg.exe.
- Context: September 20, 2023, harvesting SonicWall VPN profiles from a compromised host.
Generic Network Config Keys (Implied)
- Details: Not explicitly named; the logs only mention "registry access for network configs", most likely VPN client or network settings.
- Context: Used for persistence and credential harvesting, noted in late 2023.
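The artifacts above (a VBS loader run by wscript/cscript, rundll32 loading a DLL by export name, the New-NetFirewallRule command opening 2351/8080, and the NetExtender registry read) are all visible in process-creation telemetry, and the following Python is an added example, not from the page or the leak, of hunting for them. It runs the four checks over a small set of constructed Sysmon Event ID 1-style records, with benign look-alikes included so the rules' exclusions are exercised; the field names, paths and the "jdoe" profile are assumptions made for the sample.

```python
import re

RELAY_PORTS = {"2351", "8080"}        # ports opened by the leaked New-NetFirewallRule command
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
SONICWALL_KEY = r"sonicwall\ssl-vpn netextender"

# Constructed sample events (not from the leak); field names follow Sysmon EID 1.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Download_VBS_slush\Download.vbs"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\jdoe\AppData\Local\Temp\file.dll,Museum",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c New-NetFirewallRule -DisplayName 'lc' -Profile @('Public', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('2351', '8080');",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone" /reg:64',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\rundll32.exe",        # benign: system DLL
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\cscript.exe",         # benign: admin script path
     "CommandLine": r"cscript //nologo C:\Scripts\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def _image(ev, *names):
    return ev["Image"].lower().endswith(names)


def rule_vbs_script_host(ev):
    """wscript/cscript running a .vbs from a user-writable path (the Download.vbs delivery)."""
    cl = ev["CommandLine"]
    return (_image(ev, "wscript.exe", "cscript.exe")
            and re.search(r"\.vbs\b", cl, re.I) is not None
            and USER_WRITABLE.search(cl) is not None)


def rule_rundll32_export(ev):
    """rundll32 loading a DLL by export name ("file.dll,Museum") from outside %SystemRoot%."""
    if not _image(ev, "rundll32.exe"):
        return False
    m = re.search(r'("?)([^"\s]+\.dll)\1,(\w+)', ev["CommandLine"], re.I)
    return m is not None and "\\windows\\" not in m.group(2).lower()


def rule_inbound_allow(ev):
    """PowerShell creating an inbound Allow rule; returns the ports it opens (empty = no hit)."""
    cl = ev["CommandLine"]
    if not _image(ev, "powershell.exe", "pwsh.exe") or not re.search(r"new-netfirewallrule", cl, re.I):
        return set()
    if not (re.search(r"-direction\s+inbound", cl, re.I) and re.search(r"-action\s+allow", cl, re.I)):
        return set()
    m = re.search(r"-localport\s+(.*?)(?=\s+-\w|$)", cl, re.I)   # value runs until the next -Flag
    return set(re.findall(r"\d+", m.group(1))) if m else set()


def rule_sonicwall_profile_read(ev):
    """reg.exe reading the NetExtender profile key. The leak shows the Cobalt Strike
    Beacon form ('reg query x64 HKLM\\...'), which runs inside the beacon process and
    never spawns reg.exe; catching that needs a SACL on the key (Security event 4663),
    since Sysmon registry events cover create/set/delete but not reads."""
    return _image(ev, "reg.exe") and SONICWALL_KEY in ev["CommandLine"].lower()


def hunt(events):
    """Return (event id, finding) pairs in event order."""
    hits = []
    for ev in events:
        if rule_vbs_script_host(ev):
            hits.append((ev["id"], "vbs_script_host"))
        if rule_rundll32_export(ev):
            hits.append((ev["id"], "rundll32_export"))
        ports = rule_inbound_allow(ev)
        if ports:
            sev = "high" if ports & RELAY_PORTS else "medium"
            hits.append((ev["id"], f"inbound_allow:{sev}:{','.join(sorted(ports))}"))
        if rule_sonicwall_profile_read(ev):
            hits.append((ev["id"], "sonicwall_profile_read"))
    return hits
```

The rundll32 and script-host rules key on path rather than on the names file.dll or Download.vbs, because the page says the builds were regenerated thousands of times; the firewall rule is scored higher only when the ports match the relay ports from the leak, so the same rule still surfaces any other scripted inbound allow at medium severity.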
Infrastructure and Operations
Their infrastructure was a sprawling network:
- Proxies: NGINX-based relays on IPs such as 94.228.169[.]123, 178.236.247[.]73 and 45.227.252[.]246 (root:uCGr28DNwokI8iIha0r), forwarding bot traffic on ports 2351 and 8080; rotated to Tor hidden services by 2024.
- FTP servers: Four initially (e.g., 23.81.246[.]14, root:6ac6d0aa5510D$; 192.52.166[.]141, root:P0UpWZfbGmMxrBt2), expanding to 20+ for payload storage.
- C2 servers: An initial 12 VPSes plus 10 Cobalt Strike servers (e.g., shopttkoltrok[.]com) grew to 50+ by year-end, with the ESXi locker front-end at 179.60.149[.]5/SH/WEB/ (epo:$E14GErufwFBsaf); C2 later shifted to hidden services such as orders44vz5yl7y6xajzxsdo2n6niaqu73ty4tx6ncwqnc752yzae4ad[.]onion.
- Communication: Matrix (matrix.bestflowers247.online, matrixtcFJHPDblmt2rg.network) and Telegram (@evtokens) for encrypted chat, with room rotations by late 2024 under law enforcement pressure.
They automated Cobalt Strike deployment with Ansible, and @usernameyy hardened Debian VPSes to resist takedowns.
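The page prints its indicators in a mix of defanged (94.228.169[.]123) and plain (45.227.252.246) forms, so anything built from them has to normalise first. The Python below is an added example, not from the page or the leak, that refangs the infrastructure indicators listed above and checks them against constructed forward-proxy log lines (the log format, client IPs, timestamps and the example.com request are assumptions): relay IPs on the 2351/8080 ports the firewall rule opened, the 185.244.216.102:1080 SOCKS endpoint, the mg-stat.php tracking path, and the two .onion C2 hosts.

```python
import re
from urllib.parse import urlsplit

RELAY_PORTS = {2351, 8080}   # ports the leaked firewall rule opened on the relay hosts

# Indicators as printed on the page (mixed defanged and plain); normalised via refang().
RAW_IOCS = {
    "relay": ["94.228.169[.]123", "178.236.247[.]73", "45.227.252.246"],
    "socks": ["185.244.216[.]102:1080"],
    "tracking": ["hxxp://149[.]248[.]76[.]130/mg-stat[.]php"],
    "onion": ["orders44vz5yl7y6xajzxsdo2n6niaqu73ty4tx6ncwqnc752yzae4ad[.]onion",
              "stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion"],
}


def refang(s):
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def defang(s):
    """Inverse of refang, for sharing: breaks the scheme and every dot."""
    return s.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def build_iocs(raw=RAW_IOCS):
    relay = {refang(ip) for ip in raw["relay"]}
    socks = set()
    for ep in raw["socks"]:
        ip, port = refang(ep).rsplit(":", 1)
        socks.add((ip, int(port)))
    tracking = set()
    for u in raw["tracking"]:
        parts = urlsplit(refang(u))
        tracking.add((parts.hostname, parts.path))   # match host+path, ignore the pp= token
    onion = {refang(h) for h in raw["onion"]}
    return {"relay": relay, "socks": socks, "tracking": tracking, "onion": onion}


# Constructed proxy log (assumed format):
#   <utc time> <client ip> <dest ip>:<dest port> <method> <url or CONNECT target> <status>
SAMPLE_LOG = """\
2023-09-20T17:04:11Z 10.1.4.22 94.228.169.123:2351 GET http://94.228.169.123:2351/ 200
2023-09-20T17:05:02Z 10.1.4.22 149.248.76.130:80 GET http://149.248.76.130/mg-stat.php?pp=ebe1a3686220c6a56071a 200
2023-09-21T09:12:40Z 10.1.7.9 93.184.216.34:443 CONNECT www.example.com:443 200
2024-02-03T22:41:09Z 10.1.4.22 185.244.216.102:1080 CONNECT 185.244.216.102:1080 200
2024-02-04T01:15:33Z 10.1.4.22 127.0.0.1:9050 CONNECT orders44vz5yl7y6xajzxsdo2n6niaqu73ty4tx6ncwqnc752yzae4ad.onion:443 200
2024-02-04T02:00:00Z 10.1.4.22 178.236.247.73:443 GET https://178.236.247.73/ 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (\S+) (\d+)$")


def _host_and_path(method, target):
    if method == "CONNECT":               # target is host:port with no scheme
        return target.rsplit(":", 1)[0], ""
    u = urlsplit(target)
    return u.hostname, u.path


def match_log(text, iocs):
    """Return (line number, finding) pairs for lines touching the page's infrastructure."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        _, _, dst_ip, dst_port, method, target, _ = m.groups()
        dst_port = int(dst_port)
        host, path = _host_and_path(method, target)
        if dst_ip in iocs["relay"]:
            hits.append((n, "c2_relay_port" if dst_port in RELAY_PORTS else "c2_relay_ip"))
        if (dst_ip, dst_port) in iocs["socks"]:
            hits.append((n, "socks_proxy"))
        if (host, path) in iocs["tracking"]:
            hits.append((n, "spam_tracking_beacon"))
        if host and host.endswith(".onion"):
            hits.append((n, "known_onion_c2" if host in iocs["onion"] else "tor_hidden_service"))
    return hits
```

Matching the tracking beacon on host and path rather than the full URL matters because the pp= value is a per-campaign token and will differ from the one quoted on the page; likewise any .onion lookup from a corporate client is worth a finding even when the host is not one of the two listed.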
Detailed User Analysis from BlackBasta Chat Leaks
The chat logs show 12 distinct aliases, which likely map to 8-10 individuals once role consistency, activity patterns and language use are taken into account. Below is a breakdown of each alias, including language patterns, activity distribution and probable attribution; the end of the chats is inferred as late 2024 from operational context.
Identified Aliases and Detailed Breakdown
- @usernamegg:matrix.bestflowers247.online
  - Role: Operations lead; oversees breaches, tests bots, coordinates spam campaigns.
  - Activity Distribution:
    - Start: September 19, 2023 (initial breaches, e.g., baccaratus.local).
    - Peaks: Late 2023 (November-December: 5M emails, spam coordination); early 2024 (January-March: high-value breaches like dentons.com, $5M ransom); mid-2024 (law enforcement pressure, Matrix rotations).
    - Frequency: High, 20-30+ messages monthly during peaks, mostly 9 AM-9 PM UTC (European/US working hours).
  - Language Patterns:
    - Style: Formal, operational focus, e.g., "launch 230K emails," "crack dentons.com," "rotate Matrix rooms."
    - Consistency: No significant typos, consistent English, authoritative tone.
    - Examples: "I would love to have a comprehensive storyline" (planning), "launch 230K emails" (spam ops), "crack dentons.com" (breach coordination).
  - Likely Unique: No clear overlap; distinct leadership role, consistent presence through late 2024.
- @w:matrixtcFJHPDblmt2rg.network and @evtokens (Telegram)
  - Role: Technical architect; builds payloads (e.g., VBS loaders), tunes proxies, develops DOC exploits.
  - Activity Distribution:
    - Start: September 20, 2023 (joins via the matrixtcFJHPDblmt2rg.network homeserver, troubleshoots proxies).
    - Peaks: Late 2023 (November: payload refinements, e.g., DOC exploits); early 2024 (January: process injection); mid-2024 (Tor shifts, less active after the law enforcement pressure).
    - Frequency: Moderate, 10-15 messages monthly during peaks, roughly 7 AM-11 PM UTC (wide coverage, technical focus).
  - Language Patterns:
    - Style: Technical jargon, e.g., "DOC exploits with NtProtectVirtualMemory," "fixing 1.7soc.7z reliability," "Cobalt Strike custom kits."
    - Consistency: Precise, minimal slang, occasional typos (e.g., "undll32" for "rundll32").
    - Examples: "New-NetFirewallRule -DisplayName 'lc'…" (proxy setup), "I'm working on DOC exploits" (payload dev), "Telegram @evtokens" (external contact).
  - Likely Attribution: @w and @evtokens are the same person, linked by the Telegram handle and shared technical focus; active until late 2024.
- @lapa:matrix.bestflowers247.online
  - Role: Spam specialist; manages email campaigns, troubleshoots SOCKS, uploads payloads.
  - Activity Distribution:
    - Start: September 20, 2023 (added as support: "Login: lapa, Password: BEVc5zAx…").
    - Peaks: Late 2023 (November-December: 5M+ emails); early 2024 (January: 10M emails); late 2024 (final 15M-email run targeting US healthcare).
    - Frequency: High during spam runs, 25-40+ messages monthly, mostly 9 AM-9 PM UTC (European time zone).
  - Language Patterns:
    - Style: Casual, operational, in Russian or transliterated Russian, e.g., "21k ушло писем" ("21k emails went out"), "zapustil атачем" ("launched with the attachment"), "zaebis" (vulgar slang for "great").
    - Consistency: Non-native English, frequent Russian, informal tone.
    - Examples: "21k ушло писем" (spam update), "zapustil атачем" (attachment launch), "zaebis" (success note).
  - Likely Unique: Distinct spam focus, no overlap; active through the final spam run in late 2024.
- @usernameugway:matrix.bestflowers247.online
  - Role: Target scout; prepares runs, extracts credentials, supports breaches.
  - Activity Distribution:
    - Start: September 20, 2023 (scouting targets, e.g., "сейчас запустим" / "launching now").
    - Peaks: Late 2023 (October-November: target prep); early 2024 (February: ayesa.com breach); mid-2024 (scouting via ZoomInfo).
    - Frequency: Moderate, 10-20 messages monthly during peaks, mostly 9 AM-9 PM UTC (European time zone).
  - Language Patterns:
    - Style: Mix of Russian and English, casual, e.g., "zahodiu, chekniu otbivku" (transliterated Russian: "going in, I'll check the callback"); the transliteration is loose rather than typo-ridden (e.g., "zahodiu" for "zakhodiu").
    - Consistency: Non-native English, operational slang, scouting focus.
    - Examples: "сейчас запустим" (prepping a launch), "zahodiu, chekniu otbivku" (checking the callback), "scout via ZoomInfo" (2024 scouting).
  - Likely Unique: Separate scouting role, no clear overlap; active until mid-2024.
- @usernamess:matrix.bestflowers247.online and @username777 (inferred)
  - Role: Credential harvester; extracts VPN configs and hashes.
  - Activity Distribution:
    - Start: September 19, 2023 (initial hash drops, e.g., "c4c827e67655495cb729fc9234230e1d:T5j32HNR").
    - Peaks: September 2023 (early breaches); late 2023 (November: hash/cracking focus); early 2024 (January: supporting breaches).
    - Frequency: High early (15-25 messages in September 2023), tapering to 5-10 monthly by 2024, mostly 9 AM-9 PM UTC (European time zone).
  - Language Patterns:
    - Style: Technical, concise, hash-focused, e.g., "$DCC2$10240#ftd.admin#d3fc246a677cb580b9a1ff50d16aa28c" (a Domain Cached Credentials v2 line in secretsdump/hashcat format), no slang.
    - Consistency: Precise, no typos, credential-centric.
    - Examples: "c4c827e67655495cb729fc9234230e1d:T5j32HNR" (hash:plaintext pair), "$DCC2$10240#svc_Nable#f046f55ea8c7b7c07e00768418fb61ab" (cached-credential dump).
  - Likely Attribution: @usernamess and @username777 are the same person; identical hash-dropping style and overlapping timing (September 2023 peaks); activity fades after early 2024.
- @usernameyy:matrix.bestflowers247.online
  - Role: Infrastructure support; hardens VPSes and Cobalt Strike, automates certificates.
  - Activity Distribution:
    - Start: September 19, 2023 (VPS setup, e.g., "1 дебиан впска безопасная" / "1 secure Debian VPS").
    - Peaks: Late 2023 (November: infrastructure scaling); early-to-mid 2024 (Tor shifts, supporting C2 transitions).
    - Frequency: Moderate, 10-15 messages monthly during peaks, mostly 9 AM-9 PM UTC (European time zone).
  - Language Patterns:
    - Style: Formal, technical, e.g., "automate выдачу сертификатов" ("automate certificate issuance"), Russian influence (e.g., "запарно," "a hassle").
    - Consistency: Precise, no slang, infrastructure jargon.
    - Examples: "1 дебиан впска безопасная" (VPS setup), "automate выдачу сертификатов" (cert automation), "dark web hosts" (2024 shift).
  - Likely Unique: Distinct infrastructure role, no overlap; active through mid-2024.
- @usernameboy:matrix.bestflowers247.online
  - Role: Minor contributor; drops credentials occasionally.
  - Activity Distribution:
    - Start/Peak: September 20, 2023 (single instance: "c4c827e67655495cb729fc9234230e1d:T5j32HNR").
    - Frequency: Low, 1-2 messages total, within the same 9 AM-9 PM UTC window.
  - Language Patterns:
    - Style: Technical, concise, hash-focused, e.g., "c4c827e67655495cb729fc9234230e1d:T5j32HNR," no typos.
    - Consistency: Matches the @usernamess/@username777 style, but minimal data.
    - Examples: "c4c827e67655495cb729fc9234230e1d:T5j32HNR" (sole credential drop).
  - Likely Attribution: Possibly an alias of @usernamess/@username777, but the sparse activity suggests a separate minor player; inactive after September 2023.
- @usernamett:matrix.bestflowers247.online
  - Role: Minor contributor; drops hashes.
  - Activity Distribution:
    - Start/Peak: September 2023 (e.g., "$DCC2$10240#ftd.admin#d3fc246a677cb580b9a1ff50d16aa28c").
    - Frequency: Low, 2-5 messages total, within the same 9 AM-9 PM UTC window.
  - Language Patterns:
    - Style: Technical, hash-focused, e.g., "$DCC2$10240#svc_Nable#f046f55ea8c7b7c07e00768418fb61ab," concise, no typos.
    - Consistency: Matches the @usernamess/@username777 style.
    - Examples: "$DCC2$10240#ftd.admin#d3fc246a677cb580b9a1ff50d16aa28c" (hash drop).
  - Likely Attribution: Potential overlap with @usernamess/@username777 given the hash focus, but distinct enough to stand alone; inactive after September 2023.
- @usernamezr (inferred, not explicitly listed)
  - Role: Minor participant, specific role unclear.
  - Activity Distribution:
    - Start/Peak: Early in the logs (the "от админа" / "from the admin" context), minimal footprint.
    - Frequency: Very low, 1-2 messages, within the same 9 AM-9 PM UTC window.
  - Language Patterns:
    - Style: Unclear given the limited data; assumed operational, e.g., "от админа" ("from the admin").
    - Consistency: Too sparse to analyze; Russian influence.
    - Examples: "от админа" (only reference).
  - Likely Attribution: Could be a typo or a minor alias for @usernamegg or @lapa, but more likely separate; no activity after the early logs.
- @username (inferred, not explicitly listed)
  - Role: Unclear; possibly an early contributor or a truncated handle.
  - Activity Distribution:
    - Start/Peak: September 2023 (generic naming in the early logs).
    - Frequency: Very low, 1-2 messages, within the same 9 AM-9 PM UTC window.
  - Language Patterns:
    - Style: Unclear; no direct quotes, assumed operational.
    - Consistency: Too vague to analyze.
    - Examples: None specific.
  - Likely Attribution: Probably a variant of @usernamegg or @usernamess, but too vague to confirm; inactive after September 2023.
Chat Conclusion
- Last Activity: Late 2024, marked by the "final spam run of 15M emails targeting US healthcare" and mounting law enforcement pressure (flagged IPs such as 147.78.47[.]48, Matrix/Telegram rotations).
- Evidence: The logs detail activity through mid-2024 (e.g., "20+ breaches, $10M+ in ransoms"), with the final spam run as the last operational note, followed by "law enforcement closing in" and "scatter tactics" by late 2024, suggesting the chats concluded or thinned out significantly by December 2024.
- Reasoning: There is no explicit end date; the operational decline is inferred from law enforcement actions and strategic shifts (Tor hidden services, room rotations), which points to late 2024 as the likely conclusion.
Summary of Unique Users
- Total Aliases: 12 (@usernamegg, @w, @lapa, @usernameugway, @usernamess, @usernameyy, @username777, @usernameboy, @usernamett, @usernamezr, @username, @evtokens).
- Likely Distinct Individuals: 8-10.
- Confirmed Unique: @usernamegg, @w/@evtokens, @lapa, @usernameugway, @usernameyy (5).
- Probable Aliases: @usernamess = @username777 (credential focus); @usernameboy, @usernamett potentially same as @usernamess/@username777 (hash overlap); @usernamezr/@username unclear, possibly @usernamegg or minor players (reducing to 3-5 additional).
- Activity Insights: Peaks align with operational phases—spam (late 2023), breaches (early 2024), and final run (late 2024)—with European/US time zones predominant (9 AM-9 PM UTC).
- Language Insights: Technical (@w, @usernameyy), operational (@usernamegg, @lapa, @usernameugway), and hash-focused (@usernamess/@username777) styles distinguish roles and support attribution.
Notes on Analysis
- Attribution: Overlaps inferred from role (e.g., @usernamess/@username777 both drop hashes), language (e.g., identical hash styles), and timing (e.g., September 2023 peaks). Exact matches speculative without explicit log confirmation.
- Activity: Peaks based on message counts and operational events (e.g., @lapa’s spam runs), time zones estimated from activity density.
- Language: Patterns (e.g., @w’s jargon vs. @lapa’s Russian) aid attribution, with typos (e.g., “zahodiu”) indicating non-native speakers.
- Conclusion: Late 2024 inferred from final spam run and law enforcement context; chats likely ceased or went underground by December 2024.
This detailed breakdown provides a granular view of the gang’s users—roles, activity, and language—offering a clear picture of their operational rhythm through late 2024.
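The role, activity-window and language attributions above rest on three measurable signals per alias: message volume by UTC hour, the share of messages containing Cyrillic, and the share that are bare credential or hash drops. The Python below is an added example, not part of the leak analysis, that computes those signals from chat lines in an assumed "date time UTC <sender> text" export format; the message texts are the quotes the page attributes to each alias, while the timestamps and the @username777 line are constructed for the sample. The alias-merge heuristic at the end is deliberately crude and shows why the @usernamess/@username777 overlap rests on content and timing rather than on anything conclusive.

```python
import re
from collections import defaultdict

# Assumed export format: "YYYY-MM-DD HH:MM:SS UTC <sender> message"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} UTC <([^>]+)> (.*)$")
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
# Bare credential drops: DCC2 lines, hash:plaintext pairs, lone 32-hex digests.
HASH_DROP = re.compile(r"\$DCC2\$\d+#|\b[0-9a-f]{32}(:\S+)?", re.I)

# Constructed excerpt: texts are what the page attributes to each alias; timestamps
# and the @username777 line are made up for the example.
SAMPLE = """\
2023-09-19 09:41:03 UTC <@usernamegg:matrix.bestflowers247.online> I would love to have a comprehensive storyline
2023-09-19 10:05:17 UTC <@usernamess:matrix.bestflowers247.online> c4c827e67655495cb729fc9234230e1d:T5j32HNR
2023-09-19 10:06:40 UTC <@usernamess:matrix.bestflowers247.online> $DCC2$10240#ftd.admin#d3fc246a677cb580b9a1ff50d16aa28c
2023-09-20 10:40:00 UTC <@username777:matrix.bestflowers247.online> $DCC2$10240#svc_Nable#f046f55ea8c7b7c07e00768418fb61ab
2023-09-20 11:22:09 UTC <@lapa:matrix.bestflowers247.online> zapustil атачем
2023-09-20 17:03:55 UTC <@lapa:matrix.bestflowers247.online> 21k ушло писем
2023-09-20 18:30:45 UTC <@usernamegg:matrix.bestflowers247.online> launch 230K emails
2023-09-20 20:48:12 UTC <@lapa:matrix.bestflowers247.online> zaebis
"""


def profile(text):
    """Per-alias message count, active UTC hour span, Cyrillic share and hash-drop share."""
    acc = defaultdict(lambda: {"n": 0, "hours": [], "cyr": 0, "hash": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # joins/leaves/garbled lines carry no signal
        _, hour, sender, body = m.groups()
        alias = sender.split(":", 1)[0]   # strip the homeserver, keep "@name"
        a = acc[alias]
        a["n"] += 1
        a["hours"].append(int(hour))
        a["cyr"] += bool(CYRILLIC.search(body))
        a["hash"] += bool(HASH_DROP.search(body))
    return {
        alias: {
            "messages": a["n"],
            "active_utc": (min(a["hours"]), max(a["hours"])),
            "cyrillic_share": round(a["cyr"] / a["n"], 2),
            "hash_share": round(a["hash"] / a["n"], 2),
        }
        for alias, a in acc.items()
    }


def likely_same_operator(p, q, tol=0.25):
    """Crude merge test: same dominant content type and overlapping active hours.
    It cannot separate two people doing the same job, which is exactly the
    @usernamess/@username777 ambiguity the analysis flags."""
    same_content = (abs(p["hash_share"] - q["hash_share"]) <= tol
                    and abs(p["cyrillic_share"] - q["cyrillic_share"]) <= tol)
    overlap = (p["active_utc"][0] <= q["active_utc"][1]
               and q["active_utc"][0] <= p["active_utc"][1])
    return same_content and overlap
```

On a real export the hour histogram (not just the span) is what supports a time-zone estimate, and the two shares should be computed over hundreds of messages before they mean anything; with the handful of lines here they only illustrate the mechanics.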
Detailed Narrative
Early Stages: September 19, 2023
The operation begins with the gang communicating in Matrix rooms on matrix.bestflowers247.online. Initial activity is marked by confusion, such as @usernamegg mistakenly sharing ZcLCDxwh7M38uQGM:6,Yc'R~~^5Y9eb…, and bot crashes due to ping delays. On September 19 they breach baccaratus.local ($130.9M, FR), extracting credentials such as rravi:3737Intel@ and the plaintext password Les2mousquet'r. @usernamegg scales infrastructure, ordering 12 VPSes and 10 Cobalt Strike servers with domains like shopttkoltrok[.]com, tied to an Ansible installer hosted on Gofile (hxxp://gofile[.]io/d/BvBblq). They plan spam campaigns and set up proxies to absorb bot traffic, eyeing dentons.com ($3.6B) but focusing on mid-tier targets first.
Momentum Building: September 20, 2023
On September 20, @usernamess extracts SonicWall VPN configs for oleo.co.uk ($68.4M), tying it to ukn.oleo.co.uk:4433, and @usernamegg reports four networks in progress: edwardian.com ($235M, UK hotels), baccarat.com ($134M, FR), oleo.co.uk, and stantonwilliams.com ($13.9M, UK architecture). Two are near data extraction, though @usernamegg calls them "shitty networks" unlikely to yield big ransoms. @usernameugway uncovers VPN creds for ac3.com.au (paul.capper:Sydney01/DaNang19, $73M, AU IT) and ayesa.com (torre2018_Sevilla78, $3B, SP engineering), planning spam to expand reach. @w joins via matrixtcFJHPDblmt2rg.network, troubleshooting proxy timeouts on 94.228.169[.]123 with NGINX configs and the Windows firewall rule New-NetFirewallRule -DisplayName 'lc' -Profile @('Public', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('2351', '8080');. mymiratech.com ($3B, US cybersecurity) pings online, with keylogger data showing Cisco creds. @lapa joins as spam support, and @w delivers Download_VBS_slush.rar, likely containing Download.vbs, with 3K builds, dual-proxied (178.236.247[.]73). At 17:00, @lapa launches 230K emails (target: 300K) via attachments, netting 28 bots, mostly reversers. belzona.com ($57M, UK coatings) is hit but drops offline. SOCKS bots, updated with 1.7soc.7z, struggle (308 online, 1120 offline). @usernamegg shares FTP proxies (23.81.246[.]14, root:6ac6d0aa5510D$) and ESXi panel creds (179.60.149[.]5/SH/WEB/, epo:$E14GErufwFBsaf).
Escalation: Late September to October 2023
Spam scales to 1.2M emails by late September, tracked via mg-stat.php. @lapa pivots to Europe, tuning SOCKS (185.244.216[.]102:1080, proxy1:888000VdskajeFVC) and proxytraff. Targets multiply: esi-group.com ($144M, FR software), ayming.com ($322M, FR consulting), and topsource-worldwide-ltd join the list. @w refines payloads: DOCs with shellcode injection fix the NtProtectVirtualMemory issues, and process injection improves bot survival. @usernamegg and @usernameugway crack hashes (e.g., the one recovered as T5j32HNR) and snag tanatexchemicals.com ($63.4M, untouchable). FTPs expand (192.52.166[.]141, root:P0UpWZfbGmMxrBt2), and @usernameyy fortifies Cobalt Strike with automated certificates and Debian VPSes. Bots flood in, hundreds online and thousands offline, straining the proxies. Reversers plague them, but reh.ed-ms.com yields data, and mymiratech.com teases a $3B payout. By October they juggle dozens of networks, from tophat.co.uk ($6.1M) to billion-dollar whales, with dentons.com in play.
Maturation: November 2023 to Year-End
Spam hits 5M emails, with @lapa logging stats via mg-stat.php. They breach miratechgroup.com ($3B, US), extracting VPN creds and hashes, but reversers spike, forcing proxy rotations (45.227.252[.]246, root:uCGr28DNwokI8iIha0r). @w rolls out DOC exploits, boosting bot survival, while @usernameyy secures ESXi front-ends (91.191.209[.]70, root:TpP5PIduFJYsjyy6O8P). ayesa.com yields, with Cisco VPNs cracked (torre2018_Sevilla78). December sees belzona.com pay $500K, but edwardian.com resists, prompting leaks. Infrastructure peaks: 50+ VPS, 20+ FTPs, and C2 on Tor hidden services (orders44vz5yl7y6xajzxsdo2n6niaqu73ty4tx6ncwqnc752yzae4ad[.]onion). @w's custom kits (ArsenalKit, $3000) evade AV/EDR.
2024: Consolidation and Expansion
January's spam hits 10M emails with proxytraff (185.244.216[.]102) and SOCKS (proxy1:888000VdskajeFVC). They crack dentons.com ($3.6B), extracting 500GB and demanding $5M, paid in March. @w's DOCs evolve to process injection, and @usernameugway scouts via ZoomInfo. C2 shifts to .onion domains (stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion). By mid-year they reach 20+ breaches and $10M+ in ransoms, but law enforcement flags IPs (e.g., 147.78.47[.]48), prompting Matrix/Telegram rotations. They end with 15M emails targeting US healthcare.
Tables
Key Targets Table
Target Name | Estimated Value | Country | Status | Notes |
---|---|---|---|---|
baccaratus.local | $130.9M | FR | Breached (Sep 19, 2023) | Jewelry firm, hashes extracted |
belzona.com | $57M | UK | Breached (Sep 20, 2023) | Paid $500K ransom, Dec 2023 |
edwardian.com | $235M | UK | In Progress | Hotel chain, data extracted, resisted ransom |
oleo.co.uk | $68.4M | UK | Breached | VPN configs extracted, Sep 20, 2023 |
mymiratech.com | $3B | US | In Progress | Cybersecurity, keylogger active, Jan 2024 |
dentons.com | $3.6B | UK | Breached (Mar 2024) | Law firm, $5M ransom paid |
ayesa.com | $3B | SP | Breached (Feb 2024) | Engineering, Cisco VPN cracked |
Tooling Table
Tool/Technique | Description | First Mentioned | Notes |
---|---|---|---|
VBS Payloads | Core delivery, 3K builds by Sep 20, scaling to 10K by 2024, dual-proxied (e.g., 94.228.169[.]123) | Sep 20, 2023 | Download_VBS_slush.rar, likely Download.vbs, executed via wscript.exe or cscript.exe |
Cobalt Strike | Beaconing, credential extraction, Ansible deploy | Sep 19, 2023 | Custom kits (ArsenalKit, $3000) by Nov 2023 |
DLL Payloads | Early attempts with undll32 file.dll, Museum, refined for process injection | Sep 20, 2023 | Monitor for DLLs in memory injection contexts |
DOC Exploits | Shellcode injections, process injection | Nov 2023 | Fixed NtProtectVirtualMemory, enhanced evasion |
SOCKS Bots | Crypt updated to 1.7soc.7z, reliability issues | Sep 20, 2023 | Compressed file, watch for .7z in system dirs, 308 online vs. 1120 offline |
Spam Campaigns | Attach-based, 15M emails by year-end | Sep 20, 2023 | Tracked via hxxp://149[.]248[.]76[.]130/mg-stat[.]php?pp=ebe1a3686220c6a56071a |
Infrastructure Table
Type | Details | First Mentioned | Notes |
---|---|---|---|
Proxies | NgINX, IPs like 94.228.169[.]123, 178.236.247[.]73 | Sep 20, 2023 | Rotated to dark web hosts by 2024 |
FTP Servers | 20+ servers, e.g., 23.81.246[.]14 (root:6ac6d0aa5510D$) | Sep 20, 2023 | Stored payloads, expanded for spam |
C2 Servers | 50+ VPS, ESXi fronts (179.60.149[.]5/SH/WEB/) | Sep 19, 2023 | Debian VPS for security, dark web by 2024 |
Communication | Matrix, Telegram (@evtokens) | Sep 19, 2023 | Rotated rooms late 2024 due to law enforcement |
Conclusions
The gang’s year-long campaign was a blend of ambition and adaptation. They scaled from initial breaches to multimillion-dollar ransoms, with dentons.com ($5M) and belzona.com ($500K) as highlights. Their tooling evolved from VBS to DOC exploits, and infrastructure grew to a complex proxy-FTP-C2 network. Challenges like reversers and SOCKS reliability tested their resilience, but they ended 2024 as a formidable threat, with law enforcement closing in.