Indian Hack-for-Hire Exposed "Elephant Hunting"

Elephant Hunting

Posted by CyberDog on December 1, 2023 at 12:33pm

12306209278?profile=RESIZE_400xOur friends at SentinelLabs report that Hack-for-Hire threat actors go by many names, such as surveillance-for-hire, mercenaries, private-sector-offensive-actors (PSOAs), and nonstate offensive threat actors.  Such groups represent an exciting challenge for security researchers and network defenders. They should be considered a severe threat to all organizations, worthy of proactive tracking in ongoing intrusions and analysis of historical cases to understand their significant impacts.  Many public industry reports have highlighted attempts to track and disrupt mercenary threat actors, including our past work on Void Balaur and Meta’s Surveillance-for-Hire report.

Below, SentinelLabs shares findings from a review of highly unique, non-public, and technically verified data on the hack-for-hire efforts of the Appin business. After an extensive review of this data, brought to our attention by Reuters investigative journalists, we assess with high confidence that it correlates with previously known Appin intrusions, accurately depicts internal communications, and originated from inside the security arm of the Appin organization– formally known as Appin Software Security and informally as Appin Security Group (ASG).[1]

Introduction to Appin - Appin is considered the original hack-for-hire company in India, offering an offensive security training program alongside covert hacking operations since at least 2009.  Their past employees have since spread to form newer competitors and partners, evolving the Appin brand to include new names, while some have spread into cybersecurity defense industry vendors.  Appin was so prolific that a surprising amount of current Indian APT activity still links back to the original Appin group of companies in one form or another.  Campaigns conducted by Appin have revealed a noteworthy customer base of government organizations and private businesses spread globally.

Our analysis and observations corroborate the June 2022 reporting from Reuters, noting some of Appin’s customers are tied to significant litigation battles.  The group has conducted hacking operations against high-value individuals, governmental organizations, and other businesses involved in specific legal disputes.  Appin’s hacking operations and overall organization often appear informal, clumsy, and technically crude; however, their operations proved highly successful for their customers, impacting world affairs significantly.

Victims and Links to Previous Reporting - The extensive scope of unique targets and confirmed victims extends globally.  The data reveals victims across the United States, Canada, China, India, Myanmar, Kuwait, Bangladesh, the United Arab Emirates, Pakistan, and other locations.  The affected devices encompass those affiliated with both governmental entities and businesses across various industries.  It is important to note that the aforementioned list is not exhaustive, serving as a snapshot at a particular moment rather than a comprehensive compilation of all targets and victims.

12306210265?profile=RESIZE_584xVictim Beacon Source IPs Visualized

From a threat intelligence perspective, the data includes identifying specific victims of notable public interest.  Attacks on China and Pakistan from India-linked threat actors are not new; however, the confirmation that a local Indian hack-for-hire group was enlisted to conduct these campaigns is insightful on the attribution of presumably state-sponsored attacks out of India.  We can confirm some known victimology as well as observe additional previously undiscovered victims:

Pakistani Government Officials - These victims were successfully compromised and sent keylogger data from their machines to the Appin-owned and controlled server.  The keylogger data contained personal social media and email account logins, government website logins, and more mundane web browsing like travel, games, and pornography sites.  Pakistani targeting continued in the years following, as reported by ESET in 2013 and noted in the below Operation Hangover report.

Chinese Government Officials - Multiple cases in 2009 involved data theft operations against Chinese government officials.  These include the successful compromise of multiple PLA officers.  Around the same time, operators successfully compromised Military Liaison Officers with the same objective. Notably, these attacks were carried out shortly after Indian government officials made public statements they had observed cyber attacks on Indian government networks and attributed the activity to China.

Domestic Targeting - There are also many cases of domestic targeting.  For example, in one case, the Intelligence organization within a local police force enlisted Appin to conduct defacement attacks on specific Sikh websites and to steal login credentials of email accounts belonging to Sikhs in India and the US. One such inbound request reviewed contained a formal request document for Appin to break into the personal Gmail account of a specific individual labeled as a domestic terrorist target.  In an unrelated campaign, the group also used the domain speedaccelator[.]com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used on an Indian individual later targeted by the ModifiedElephant APT.

KitM Mac Spyware - In 2013, F-Secure analyzed and reported (1,2,3) on the technical details of Mac spyware initially discovered on the machine of an Angolan activist while visiting the Oslo Freedom Forum (“a global gathering of activists united in standing up to tyranny.”).  This Mac spyware was quite unique at the time, and ultimately dubbed KitM (‘Kumar in the Mac’, referring to the certificate issued under the name ‘Rajinder Kumar’, used to sign all of the samples), and used Appin-owned and operated infrastructure.  The newly reviewed data provided some of the context behind this campaign and confirmed actor attribution to Appin.

Operation Hangover - One of the more interesting links to previous reporting is the overlap with Operation Hangover.  This 2013 report was a unique deep dive into threat activity around an industrial espionage campaign against the Norwegian telecommunications corporation Telenor and other private companies.  The authors note multiple strong links between the Appin organization and the attacks observed in the wild.  Our new findings confirm that the malware and attack infrastructure noted in the Operation Hangover report were owned and controlled by Appin, such as taraanasongs[.]com and others highlighted here.

Below is a graphic depicting the process of acquiring Operation Hangover-related domains.  In late October 2009, an operator requested a “new domain for phishing and exe upload” from their manager.  After approval, The manager forwarded the request, which went to the executive staff and finance manager.  A day later, the operator acknowledged the new domain (taraanasongs[.]com), and the manager informed the executive staff of its acquisition.

12306210672?profile=RESIZE_584xAppin Operator Requesting Purchase of taraanasongs[.]com

Infrastructure Acquisition and Use - Leading hack-for-hire organizations are faced with essential segmentation requirements to limit the discovery of their infrastructure.  If a researcher were to discover what connects all points of their infrastructure together, it would risk the entire set of customer operations.  Appin’s method of acquiring and managing infrastructure for years was handled through a particular outside contractor.  At the time, this individual would register the domains and set up hosting solutions for a project as needed.  Appin operators would request a server type, including some technical requirements, and which operator is assigned for its use.  The consultant would then purchase the server, set it up as instructed, provide credentials for remote access to the operator and Appin leadership, and conclude the interaction with an invoice detailing payment.  Based on the data reviewed, the consultant made the purchases through a collection of repeated personal and business-branded email accounts, in addition to overlapping registration and hosting details.

12306210680?profile=RESIZE_584xInvoice to Appin for Malicious FTP Domains and VPS Servers

The types of servers requested generally centered around a handful of primary purposes.

Exfiltration – Often referred to as FTP or Data Transfer servers in the early years, malware would use these as the destination for exfiltrating stolen data. One may also find the logs of an Appin-owned and operated exfiltration server useful for victim identification. For example, as previously noted, those originating from devinmartin[.]net highlight a global victim spread. Data was uploaded to this specific FTP server with accounts:

  • stealth@devinmartin[.]net
  • keylogs@devinmartin[.]net
  • radar@devinmartin[.]net
  • 123456@devinmartin[.]net
  • devinmartin@devinmartin[.]net
  • revolution@devinmartin[.]net
  • devinmart@devinmartin[.]net
  • reloaded@devinmartin[.]net
  • cinema@devinmartin[.]net
  • lux@devinmartin[.]net

12306212263?profile=RESIZE_710xData Exfiltration Logs from the C2 server, with Victim IPs Redacted

C2 and Delivery Servers – Malware command and control or hosting malware for download. 12306212293?profile=RESIZE_584xC2 / Delivery Server bluecreams[.]com and Linked Malware Visualized

Phishing – Hosted web pages for credential phishing. The same phishing pages were often available through multiple target-named subdomains and URLs.

Lure Sites – A fascinating technique was the use of referenced “honeypots.”  These sites would often be themed around a specific topic and lure the target to interact for credential phishing or malware delivery.  One such example is islam-jindabad.blogspot[.]com, which remains online at the time of this writing. It was created in 2009 and called a “honey pot” by Appin operators.  The domain led to a second domain that delivered malware after clicking an image.  The destination address of these images is gmail-loginchk.freehostia[.]com/raj1.php 12306212686?profile=RESIZE_710xMalicious Lure Site, Directs to Malware Download

VPS Server – Generic multi-purpose server for non-attributable access to victim machines and attack infrastructure administration.  Typically accessed through SSH.  Additionally, a non-standard server type was also used by Appin covert communications.  The business used specific websites for customer project tracking and data sharing.  This was variously referred to as GoldenEye, Commando, or MyCommando. It acted as a place where customers could log in to view and download campaign-specific data and status updates, communicate securely, and manage other aspects of their projects.

12306213071?profile=RESIZE_710xCovert Communications Login

This is the same “Secured Project Management Portal” highlighted in an Appin marketing presentation, first shared by Reuters in their June 2022 mercenary hacker investigative report.

12306213281?profile=RESIZE_584xAppin Marketing Document Showing Covert Communications Portal

Malware and Exploit Development - Appin used the California-based freelancing platform Elance (now known as Upwork) to purchase malware from external software developers while using internal employees to develop those projects and their own tools.  Appin posted elance jobs under the username “appinsecuritygroup” and a profile set with an Appin executive's full name and appinonline[.]com email address.  An example of Elance's use is purchasing the USB Propagator tool from the freelancer “alexstinger.”  The original job posting was titled “Creation of Advanced Data Backup Utility.”  The same tool is also referenced in the Operation Hangover report.  The original version was purchased in 2009 for $500 after troubleshooting and source code delivery.  The Elance job statement was completed on July 15th, 2009.

12306214096?profile=RESIZE_584xSource files delivered by “alexstinger” 12306214480?profile=RESIZE_710xSnapshot of source code delivered by “alexstinger”

Appin advertised on Elance for many other software projects as well, including ones titled:

  • Audio Recording Software on Windows
  • Creation of a code obfuscator for C, Visual C++
  • Exploits for research purposes on MS Office and IE
  • MS Office Exploits to upgrade our IPS/Antivirus!
  • R&D in vulnerability research in Eastern Europe


A summary of the job post for “R&D in vulnerability research in Eastern Europe” shows the following.


To outsource research in exploits and vulnerabilities on a monthly retainer basis to expert organizations in Eastern Europe

Skills Required

Vulnerability and Exploits Gathering, Exploit Development


Developing exploits on existing vulnerabilities or customization of exploit samples on the internet related to MS Office (Word, Excel, PowerPoint 2007/2003, etc), Adobe PDF, Browsers IE 6/7, Mozilla Firefox, and Opera.

Minimum Expectation

At least two exploits a month. Exploits should be customizable with payloads, Minimum detection from AV, and Weekly reports on successes/failures.


$1,000 monthly

A recurring problem with these job postings was that freelancers quickly rejected them after noting the low payment amount and questioning whether they were intended for malicious use.  Appin used a large amount of private spyware and exploit services over the years, too.  For example, in 2010 they purchased mobile spyware services through Vervata, the business behind the FlexiSPY mobile stalkerware. When this transaction was conducted, the domain mobilebackup[.]biz was used by operators for installing guides, downloading software, and reviewing victim mobile device data.  While this is historical data, it remains the case that FlexiSPY stalkerware is still marketed and sold today.

12306214852?profile=RESIZE_710xArchived snapshot of Vervata homepage, FlexiSPY product offering at the time 12306215296?profile=RESIZE_584xArchived Flexispy Login Portal 2010

Appin later pursued the purchase of exploits from leading private vendors at the time, including Vupen and Core Security.  Business interests also involved the opportunity for Appin to act as an exploitative reseller for Vupen to the Indian government.

12306215853?profile=RESIZE_400xVupen and Appin Exploit Subscription Agreement Document

As noted, some malware was developed internally, including a keylogger.  Associated data and communications reveal an employee's initial intention to share their development of the keylogger to Appin leadership in August 2009.  In a reviewed message, the employee noted a new keylogger being built, which can upload logs to the FTP server.  Tests were conducted over the following weeks and months to showcase the keylogger’s capabilities. Here is one such file in which the developer tested the keylogger’s functionality, which is being detected by third-party antivirus solutions.  The data redacted included the developer’s personal email address.

12306216055?profile=RESIZE_400xKeylogger Beaconing, Detected by AV

Months later the keylogger was being used in live operations, including in a campaign targeting the Pakistan government.  Government victim data included personal email addresses and instant messaging activity, browsing for new jobs in the Pakistan Navy, reading/printing ISPR news, and other personally sensitive online activity.

The Hack-For-Hire Business - Although hack-for-hire organizations in India and elsewhere have evolved markedly over the years as both the technology available to them and the ecosystem in which they operate have changed, a clear snapshot of Appin’s activity starting from around the early 2000s provides invaluable insight into the inner workings of such businesses.  Ignoring Appin’s many business offerings related to network penetration testing, website security auditing, training, and more, we can focus on the part most interesting to cyber defenders and threat intelligence analysts: the hack-for-hire offerings.  Below is a proposed offering of Appin’s ‘Special Services Division’ to India’s Chhattisgarh Police Cyber Investigation Cell.

12306215886?profile=RESIZE_584xAppin Special Services Division Offering (original text)

While a full review of the business structure is outside the scope of this report, a few relevant cybersecurity observations are useful to list:  Offensive security services provided to customers well over a decade ago included data theft across many forms of technology, often internally referred to as “interception” services.  These included keylogging, account credential phishing, website defacement, and SEO manipulation/disinformation.  They would also accommodate other technical requests from a customer on-demand, such as cracking passwords from stolen documents.

Operations Security (OPSEC) is taken seriously in theory but was inadequately executed in practice.  Operators, developers, and leadership were disciplined not to discuss project specifics (targets, customers, tools, etc.) through weak communication channels. However, it appears that leadership repeatedly initiated the failure to abide by those standards.  Examples include analysts refusing to write down confidential technical information related to sensitive operations while leadership openly discussed and documented the exact details.

The roles of individual operators are often built uniquely around their skill sets rather than formal responsibilities based on a structured role.  This includes operators and developers mixing tasks depending on the individual’s interests and career tenacity.  There is a strong, financially incentivized push from leadership to all individual operators and developers for innovative ideas that can better achieve success on behalf of their customers. This includes finding new tools and techniques to accomplish the desires of the customer.  Some OPSEC gaps originate from the resulting unchecked innovation.

A Day in the Life - While the operator and developer roles proved fluid over time, we can glimpse the leadership’s priorities based on weekly task lists handed down to the early ‘development’ group.  Tasks were assigned to individuals, including the following objectives:

  • Individual A:

Build fully functional & undetectable malicious documents using exploits.

Resolve issues of malware not collecting specific messaging software logs.

Coordinate with exploit developers (internal) for other ongoing campaigns.

  • Individual B:

Build and finish the new network lateral movement solution.

Rebuild “FTP Backup trojan” to make it fully undetectable.

  • Individual C:

Build a new process with exploit developers (internal) for weekly use of new fully-undetectable attack tools.

Troubleshoot phishing website problems, such as specific language characters not recording correctly.

Educate operators on other internal tools - It’s ultimately unsurprising to learn of tasks and the individuals assigned to them; however, it is useful when contextualizing the overlapping technical links and improvements between campaigns, such as version updates of the FTP Backup trojan.

Moving Forward - Our examination of the Indian hack-for-hire group Appin underscores the enduring and substantial threat posed by such entities to businesses, governments, and individuals over an extended period exceeding a decade.  The research findings underscore the group’s remarkable tenacity and proven track record of successfully executing attacks on behalf of a diverse clientele.  Our study's technical insights and infrastructure offer a valuable resource for mapping associated malicious activities and reevaluating past incidents with a renewed perspective.

The resilience of these groups, coupled with their capacity to attract new clients despite heightened public scrutiny, emphasizes the urgent need for enhanced international cooperation and the establishment of robust legal frameworks to address this escalating challenge effectively.  In light of advancing technologies and the growing demand for digital espionage and cybercrime services, it is imperative for governments, businesses, and high-risk individuals to proactively implement measures to protect themselves against these formidable, adaptable, and thriving hack-for-hire threat actors.

Historical Indicators of Compromise - Note some of the following indicators have since been used for legitimate reasons or sinkholed. Therefore, we advise caution if considering these as active indicators in their current state.

IPs 64.186.132[.]165 65.75.243[.]251 65.75.250[.]66 69.197.147[.]146 75.127.111[.]165 75.127.78[.]100 75.127.91[.]16 84.243.201[.]254 212.72.189[.]74

Domains abdupdates[.]com alr3ady[.]net antivirusreviewratings[.]com authorisedsecurehost[.]com bksrv3r001[.]com bluecreams[.]com bookshopmarket[.]com brandsons[.]net braninfall[.]net c00lh0sting[.]com c0ttenc0unty[.]com cr3ator01[.]net crowcatcher[.]com crvhostia[.]net currentnewsstore[.]com customauthentication[.]com devinmartin[.]net directsupp0rt[.]com divinepower[.]info draganheart[.]com easyhost-ing[.]com easyslidesharing[.]net f00dlover[.]info filetrusty[.]net follow-ship[.]com forest-fire[.]net foxypredators[.]com freensecurehost[.]com freesecurehostings[.]com freewebdomainhost[.]com freewebuserhost[.]com gauzpie[.]com gmail-loginchk[.]freehostia[.]com h3helnsupp0ort[.]com hatemewhy[.]com hostingserveronline[.]net hotmasalanewssite[.]com islam-jindabad[.]blogspot[.]com jasminjorden[.]]com jasminjorden[.]com karzontheway[.]com kungfu-panda[.]info matrixnotloaded[.]com msfileshare[.]net msoftweb[.]com myt3mple[.]com newamazingfacts[.]com nitr0rac3[.]com pc-technsupport[.]com piegauz[.]net r3gistration[.]net reliablensecurehost[.]net s0pp0rtdesk[.]com s3rv1c3s[.]net secuina[.]net securenhost[.]com server003[.]com server006[.]com serverrr[.]com serviceaccountloginservicemail[.]info servicesaccount[.]com sliderocket[.]com speedaccelator[.]com spidercom[.]info t3rmin3[.]com taraanasongs[.]com thedailynewsheadline[.]com tow3r[.]info updatemypc[.]net updatesl1nk[.]com vall3y[.]com wearwellgarments[.]eu webjavaupdate[.]com webmicrosoftupdate[.]net


Files SHA1 02e6ddbc715dfd7ce1838c4b4b0520c8 03636f6d4f0041859f009893eac67690 055ce289ee5d2c74e3a4de967f0ff82c 0936b73c4a0acae8fe9517e26536c058 0948c7444ff919ec7218ad04c29c8189 0a8435a4abe99c22b8e1a1673098821a 0aa0116bcfcf1da87af0ec393e2b8061 0c68acbe505877eee81aaaefd6be5d57 0cd662b540c642ac9a6972226a2ee8ae 0f65c1202881f5c0e3d512aa64162716 0f6e7efe4630bf314fd5d895f55bcd08 1782314da3da2f4fdcbda269ddfa7830 17d0705bcc65eb16f6c8aee6cc0c384f 182b4f223a20d10fa39a8577a7b285f8 186f71e7db3188347f3c7e3608e40a76 1a708fb0d40f0f66e75afe26f0754f3c 1ad6ac5126fbf79d92e211e7459a04fd 1c038adb34bd12940fc91d956eda0f85 1e33463abb80297907d2de0ddad75a94 20aa596a83117d12faebda225f4dcf25 21609c45130fbba1a8c07b6fe864bbc4 21b11f60bfd420475d81726587310204 22d559800aa213a7150fa8b2e54b2b21 2546f1229ddf1a45ab944a8a0da642ca 25472d552f3439d610a0ea0feea59b18 283b06e0931d58b320fb5222bd9e2327 28f7de0a63dd9f069e9892a7b9c1393e 2cf626da0f86b4ca0ce5ff12bbdd50b4 2fdb2e334bc32856898c4c5a9b7038bf 3625f274b26050e913d21280689580aa 3fa8a69d0e9f0163382d4733e7546061 40dc57f0e7eab28eac628cd7d58670f2 46110a31e7c579285ff9c2339c8e9dbf 463922075362745a02969f0cc34adb48 482840e161a8c5fb14fe57d13c7e58b1 48d0bca6196781e4030d2427e0cebb7c 4a4392583dd001c3729f8705e62f06d0 4ac3a570f006a1b0e016257d3be5018c 4d4c8e85691295de8552aab888979026 4ebe9891f10e93cbd18266b36f1b6e6e 51c984dac039092447879d40164fc949 572fb7ba509d5b2a57142149d6fb0dd7 596d1f7a84729cfb608b29f687ce318b 5b0172d4f6b3970cc460cbe0556b6466 5dddb3f57c9066b6d3d076f590d40d0a 5deabcd480ff2df5de3a93c081b76dda 5f04cf580b375ac90caf75930fd866e7 62cddd629043f07a7f2ec3bdbc825ff9 6588efd38e17d44e3ff1ab91afd0f2b2 672bb005aeaf5805c6d06c581a8d1b10 67caeeca9dc86cbc0f494d89c43aab4e 6b683fccfb118eb96af0cb8cfcc3b2f7 6cc8f81c50b8e86feea0dd800f3e8901 6cd6aa3065d51f3c14784b2abb87b2a4 6e6eb5af7488e5c9e1ada0efd624235f 6fc6214a9cc6bb1ed442beda98fe47e6 72a0da9442e1669e832c128936774c92 74e571f9accf9fe1b4ea6ee0e02a5180 75b61ceaf2dc1acce6de9c55103f7f05 77373d579ac6479adf7140340abeb667 77e88fa11cb0cf44c4691c04742d1b13 7835c1a2a0cb7249c82c9d283526188d 79b914e089fe7b1029dd38bb08d7dcd4 7a8c0735b6e631651a6618a789b86315 7baad0dba7909e810c55f4678c301d7e 8046761d8e617dc2dbbc3bc93fc91ed3 81c33d5c2d1d71d2639283be169ad235 82262bf6215659485d31df672562060d 849fda2210df92da8d6d45f692a583b0 862f6fe18ff2f493a8b3b927d51e82b3 8658145bdc3f0cae5357d4115b05543b 87f05d07b1c60b317d3fb60335745428 87f9beffa5b6198e5906efd971475dea 8a65479b077295d8420430e9f114b6a2 8ca0082df24a060c0edcd3a4875a63ab 903b160fc4e720ea884e4222b5dc3f7e 91c21e837620a005c8d5e1cb73e9bfb8 91f2bb5f6c2f3452724f831373474865 9225fc6926516f04bf87e44b3e9201e1 92bfb44848a886b388576c60745aa605 963fbcdaec66a5fcd5664e932fa06f4d 9a9dc1bebfb0f6a713c5119f8c1b89a0 9b98e06c25c1ae3e8d0625b15a31fc75 9bf5982f68023900b678cfe08b76498e a053b31eaa11e2eedc0182a8e0051bf3 a1d78a37d6f278e99e0a904471cd448c a33175880547ab5296c302681290c922 a3ecdcf43f89074e4042d01987255a5f a5d3738287ec9d74ca9bcdd5fa2d9018 a6a9abbc67cbe071d6ed639fec3e1b84 a810399062152e79c0f1d5e6b0f8c1ea aa026aaa783f691c6da7c286af5439c7 aa8039e7b0c08c369820f450f2a12ef8 ad6cc39b31878c270bf1f4e106c1f773 ae03020fc96296a210d26e9efa0948c6 af41aaa36b787c95c0132551555dc8e1 af7ed912b633fcad5d4e9b52df9de72a b35702471ac848a23b33b4b3aaaddf04 b3ec88a92a5881e10f6dd46a2e43f419 b5724f5b127e118babbbd4f31f93da7b b5a53dfa9a2b5bdae9f5bd99b114cf75 b5d248e62a6c593d19104411b411146f b6a371b2dc3143e3c5df0abc2c0604a3 b7b6dd5bcb3dcd87b74d1485b356a560 b7d18dbe6cad4b54b588ec5eed3a8141 b86fd1cfe2de2ea841f8f522dee6370c b8baedf06d212a1769c17741a22dbabb bba2d1e279101d9df3ee135a997457c7 bba7accf299c87080a7c12f3913b851a bc04127266eab3c142fd9ab8bf16cae2 be4fcca6b05fcd65ca2d8e42c1f7f685 c14f235e08f6d855f5e73661fa758ff2 c4130bcfbec35b377b512ceb64221293 c43f52ec6902b9ee2be435072a9d3b2a c44e2798f7a6a18b7a61d811bd884981 c48e5210cf6fb3286f8bc66106456686 c5a9f8a833d8eafa50d81f04fed7d42a c7cb3ec000ac99da19d46e008fd2cb73 c8717112454bb0bee2d8afcba4c55c31 c95be0d57d7688861d685966069c18a2 cb3a7c4433e35ff3dfede853731c5004 cd6e61b12e08cab7f5a6201c6db5d6bd cdc425240cb1e38c8432501062ff704a ce157212cd908bc0d3b16949822dec6f d0e966b61e15490ad958b8db3a4a624b d2a1dc1cde78900927bd6a0ffc3a87a2 d6821dcf113e28e2c852febf5d0f2725 d8dcf2a53505a61b5915f7a1d7440a2e daf3f0ed5e86cb7c0f6553911051c39e ddef9714a67219b45eb0e6f66a447c11 de50630da67f860a402d5bd298f5224f e3ed385d2ce873eabe647c1c6de144eb e6b37e2113471b4b7acc833c99fc9c0f e7c72900ede1a3fcebc40e72163642d3 e952bba9789b7e2983d2441ba52d9a19 ecac2ce6e52c78718c0d0f7a99829136 ed67f4e36aabf56d8fb830463cbc5487 eddd399d3a1e3a55b97665104c83143b ef3b0ae4d6870291f6812ed77e23b558 f0dba8a8349552e5e632d395cd1be8ea f2036ae83a79f62c749913576ba63ba6 f211694aaf443b12b2eca9f5e7f25407 f2a46ad687356eb9099bc7269411f76a f4949579248c94ee81ed1a6a8c246126 f61db022aa5dfb59dbd53938c5a72a2c f6f131beb246d0c7f916c5c995ad91cd f8df4e8457d1c6f4f395701b0f9e839b f8ecfee30bda0ad37f69f407f9a4c781 f9cdf5bebdee5486d26cd0e1a6c3d336 fad0db73af342501a0568730b4a24d79 fb72b395080807571cd784be89415612 fdfcb23f537d4265bab7f28ec9b9e036


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



Submitted by radio on