Results of a 1 year espionage operation in the Top-tier Russian underground communities

Top 10 Key Takeaways

  1. Analyzed traffic data comes from exclusively private Russian underground communities where various accounts with different backgrounds persuaded Threat Actors to click on specific links;
  2. During about 1 year of undercover operation, data from 550 unique hosts was collected;
  3. In total, connections from 68 different countries were collected;
  4. US is in first place while Russia is only in 4th place in the ranking of raw collected IP geo-locations;
  5. 57% use known VPN services, hosting providers, proxies or onion routing (of which only 13% use TOR);
  6. 43% use good IPs (no VPN or anonymization services).

How to engage Threat Actors during undercover operations in the cyber-crime battleground


Monitoring cyber-crime forums is certainly very important, but by the time information reaches a forum it is often already too late: some Threat Actor has usually already exploited it, or exchanged or sold it privately with his most trusted contacts or buyers.

To obtain this privileged information in advance, fully understand fraud life-cycles, and discover new vulnerabilities and malware that can be used against your organization, HUMINT activities carried out during undercover operations are a fundamental part of Cyber Intelligence.

This topic is poorly documented online and help on how to do it right…

Top 30 questions to understand the maturity of your Cyber Intelligence program

  1. Adversaries — What adversaries are likely to target financial services organizations?
  2. Financial (Motivation) — What are the financial motivations for targeting banks or financial services organizations?
  3. Nation State (Motivation) — What nation-state agendas may result in the targeting of financial services organizations?
  4. Ideological (Motivation) — What are the political, social, economic and ideological motivations for targeting financial services organizations?
  5. Malware & Tools — What malware or tools are likely to be used to target financial services organizations?
  6. Tactics, Techniques, and Procedures (TTPs) — What TTPs are likely to…

Magecart JS Web Skimmer is present on the same C2 related to Cerberus Banking Trojan.

Magecart Web Skimmer:

My analysis started from a Web skimmer that is impersonating hosted on hxxps://

JS content

The script is still there:

Batch script to automate collection, credential dumping, discovery and exfiltration techniques


Each time during a red team or a PT we always find ourselves performing manual reconnaissance actions before deciding how to move laterally or perform more aggressive post exploitation actions.

This article will give you a vision of how to automate the initial reconnaissance actions without user interaction by presenting “actionable” results. Let’s see how …


Automatically collected information:

A walkthrough to discover the best tool to run powershell scripts and commands without using powershell.exe

During the last months, observing how attackers and, consequently, antivirus products are moving, I decided to write this article for all the pen testers and red teamers who are looking for the best technique to run their PowerShell scripts or command lines during the post-exploitation phase without launching PowerShell.exe, thus avoiding detection by Next-Gen Antivirus, EDR, the Blue Team or the Threat Hunting team.

On the web I spent some time trying and analyzing the different tools suitable for this…

Different methods to run a command line via Excel file in order to spawn a Meterpreter reverse shell.


Here we are again talking about reverse shells and evasive methods for not being detected. Since my last article (Undetectable C# & C++ Reverse Shells) many things have changed: some of the methods used are now monitored and detected by different AVs. So I had to find a new way to keep my reverse shells hidden and undetectable. Let's see how…

…old and simple methods could be the best…

Open a Meterpreter Reverse Shell via SMB_Deliver Exploit

The Metasploit SMB delivery module serves .dll payloads via an SMB server and provides commands to retrieve and execute the generated payloads. This method is very simple and many articles have…

Technical overview of different ways to spawn a reverse shell on a victim machine


In December 2017 I wrote an article about some possible insider attacks using in-memory PowerShell scripts which, at the time, were not detected by the major AV solutions. During the following months, after I warned all the vendors, they started to detect these attacks. Among the various attacks in my article there was the opening of a reverse shell through the PowerSploit script executed directly in memory, which is currently detected by most AV vendors, but…

…what would happen if that same behavior was done by…

Threat Intelligence via Twitter monitoring

TweetDeck Platform Overview

TweetDeck is a social media dashboard application for managing Twitter accounts. You can use this platform to monitor specific keywords and hashtags related to your interests.

TweetDeck gives you a dashboard that displays separate columns of activity from your Twitter accounts. For example, you might see separate columns for your home feed, your notifications, your direct messages and your activity — all in one place on the screen. You can also reorder these columns, delete them and add new ones from other Twitter accounts or for specific things like hashtags, trending topics, scheduled tweets and more.


In this article I will explain how you can easily create and configure the Inoreader platform in order to follow all the cyber news, blogs, articles and keywords suited to your interests. In this way you will have a global, centralized overview of the main threats in the cyber security world.

Platform interface:

Why are Security and Threat Intelligence so important?

  • The perimeter to be monitored is getting bigger and bigger
  • Hacker groups are increasingly organized
  • Open sources and social are increasingly used
  • Steady increase of unknown threats
  • Constant evolution of the attackers' methods
  • Public sources are difficult to manage

What is Inoreader?

Inoreader is a web-based content and RSS feed reader…

Bank Security
