Mar 03 2024

Tor Tools

Category: Dark Web,Security Tools,Web Securitydisc7 @ 8:37 am

🧅Tor Tools

🔹Nipe – Script to redirect all traffic from the machine to the Tor network.

🔹OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.

🔹Tails – Live operating system aiming to preserve your privacy and anonymity.

🔹Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.

🔹dos-over-tor – Proof of concept denial of service over Tor stress test tool.

🔹kalitorify – Transparent proxy through Tor for Kali Linux OS.

Tor: From the Dark Web to the Future of Privacy


Tor: From the Dark Web to the Future of Privacy

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Tor Project

Nov 14 2023

Hackers Selling Exploits For Critical Vulnerabilities On The Dark Web

Category: Dark Web,Information Securitydisc7 @ 1:31 pm

Dark forums and Telegram channels have become great places for threat actors to sell critical vulnerabilities and exploits.

These vulnerabilities and exploits were associated with the Elevation of Privilege, Authentication Bypass, SQL Injection, and Remote Code Execution in products like Windows, JetBrains software, Microsoft Streaming Service Proxy, and Ubuntu kernels.

Recent discoveries state that these vulnerabilities were sold in underground forums even before the Vendor officially assigned them.

One such example was the Microsoft Streaming Server vulnerability (CVE-2023-36802) that was on sale in February, though the CVE was officially assigned in September 2023.

Key Vulnerabilities

According to the reports shared with Cyber Security News, several critical and high-severity vulnerabilities were sold in the underground forums, which certain ransomware groups used to gain initial access and lateral movement inside the victim network.

Critical Vulnerabilities

CVE-2023-34362: MOVEit RCE Vulnerability (Exploited By Cl0p Ransomware Group)

This vulnerability was published in NVD on June 02, 2023. However, it was observed to be exploited by threat actors since May 2023. This vulnerability had a severity of 9.8 (Critical) and was patched by Progress. 

This vulnerability arises due to insufficient sanitization of user-provided data, which enables unauthenticated remote attackers to access the MOVEit application. With this vulnerability, the Cl0p ransomware group targeted more than 3000 organizations in the US and 8000 organizations worldwide.

CVE-2023-3519: Citrix ADC And Gateway Vulnerability (Exploited By Unknown Threat Actor)

NVD published this vulnerability on June 19, 2023, and Citrix patched it in July 2023. However, threat actors were seen to be exploiting this vulnerability in June 2023, which affected Netscaler ADC and Gateway versions.

A threat actor can use this vulnerability to execute remote code on affected Citrix ADC and Gateway systems to steal sensitive information without any authentication. The severity of this vulnerability was given as 9.8 (Critical).

Exploits Vulnerabilities Dark Web

CVE-2023-42793: JetBrains Unauthenticated RCE (Exploited By North Korean Threat Actors)

This vulnerability could allow an unauthenticated threat actor to access the TeamCity server and execute remote code,, which could compromise the source code and add to a supply chain attack.

This vulnerability was published in NVD in September 2023 and was found to be sold in the underground forums in October 2023. This authentication bypass leading to RCE vulnerability was given a severity of 9.8 (Critical).

Exploits Vulnerabilities Dark Web

According to Microsoft, this vulnerability was potentially used by North Korean nation-state threat actors like Diamond Sleet and Onyx Sleet to install malware and backdoors on their targets.

complete report about the vulnerabilities sold on the underground market, their associated threat groups, and other information has been published.

Users of these products are recommended to patch the affected versions accordingly and take precautionary measures to prevent them from getting exploited by threat actors.

The Darkest Web: Drugs, Death and Destroyed Lives . . . the Inside Story of the Internet’s Evil Twin

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hackers Selling Exploits, The Darkest Web

Jan 21 2023

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Category: Dark Web,Web SecurityDISC @ 9:41 am

is this website safe ? In this digital world, Check website safety is most important concern since there are countless malicious websites available everywhere over the Internet, it is very difficult to find a trustworthy websiteWe need tobrowse smart and need to make sure the site is not dangerous by using Multiple approaches.

In general, it is good to type the website URL instead of copy-paste or clicking an URL. Also, check to see the website working with HTTP OR HTTPS.

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Investigating: is this website safe

In order to find, is this website safe , we need to figure it out if the URL received from an unknown source and we would recommend cross-checking the URL before clicking on it. Copy the URL to analyzers that available over the Internet and ensure it’s Integrity. 

If it is a shortened URL you can unshorten itwith the siteand then analyze the actual URL.

Methods to analyze Websites

To check website safety, the first and the most recommended method is to check online page scanners, which uses the latest fingerprinting technology to show web applications are up to date or infected by malware.

Like this number of scanners available

Website reputation check needs to be done to find the trustworthiness of website with WOT .


Ensure SSL is there before making a purchase

In order to check website safety, Ensure the website availability with https before entering the payment card details. We can audit the HTTPS availability with the SSL analyzer URL’s available over the internet.

Also, there is a range of certificates available over the Internet from low assured (domain validation) to the Most trusted Extended validation certificates, you can refer the URL for more details. 

Moreover, we can verify their prompt installation with various popular checkers available

Google Safe Browsing: is this website safe

According to Google, in order to check, is this website Safe, Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.

In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.

We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.

Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.

Check the Browsing Website have Any unsafe Content or not –   Google Safe Browsing

To Report Malicious websites

Please report the dangerous URL to the services mentioned below. They are arranged in categories which should make it relatively easy to decide which services you should report the site to.

Services which blacklist Dangerous sites

Check the Blacklist IP Address 

There are some awesome tools to Check the website IP Address has been listed in the Global Blacklist Database.

Multirblis a free multiple DNSBL (DNS BlackList aka RBL) lookup and FCrDNS (Forward Confirmed reverse DNS aka iprev) check tool to confirm,  is this website Safe.

Check the Website Safety & Reputation

analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This service helps you identify websites involved in malware incidents, fraudulent activities, and phishing websites.

Important tools for Check the Website Reputation and confirm is this website Safe


Cyber criminals are using various sophisticated techniques to fool online users to drop malware and other cyber threats to cause unbearable damages. so beware of the malicious website, don’t blindly open the website and check the website safety before open it.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Checkout our previous posts on Web Security

InfoSec books | InfoSec tools | InfoSec services

Tags: Website Safety

Jan 02 2023

Cyber Crime: The Dark Web Uncovered

Category: Cybercrime,Dark Web,Information SecurityDISC @ 2:54 pm

Cyber Crime: The Dark Web Uncovered

11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.

Directors Jeff Roldan Starring 11 Top Cyber Security Experts

Genres Documentary SubtitlesEnglish [CC] Audio languagesEnglish

Tags: cyber crime, dark web

Nov 27 2022

Nearly 500 million WhatsApp User Records Sold Online

Category: Dark Web,Hacking,Social networkDISC @ 10:06 am

The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers.

In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile phone numbers on a popular hacking community forum which surfaced as an alternative to popular and now-sized Raidforums.

The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers (45 million), Italy with 35 million, and the US with 32 million. 

The complete list of countries is included in the original report by Cybernews which also contains the exact amount of numbers up for sale. According to the threat actor, they are willing to sell the US dataset for $7000, the UK one for $2500, and the German one for $2000. 

Nearly 500 million WhatsApp User Records Sold Online

Upon being requested, the threat actor also shared a sample of data with researchers who then confirmed that the numbers included in the sample were in fact WhatsApp users. The exact sample contained 1097 UK and 817 US mobile numbers. 

The seller did not reveal their process for obtaining the database and simply said they “used their strategy” to collect the data. Whatever the method used, the damage that can be caused by this leakage should not be taken lightly.

Such data is readily bought by attackers to use for smishing and vishing attacks. It is advised that you cautiously interact with unknown calls, unsolicited calls, and messages. Impersonation and fraud are also common worries associated with mobile number leakage. 

Meta has refused to comment on this for now, while in their report, Cybernews speculates that this information could have been obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service. 

However, can confirm that, at the time of writing, the listing was deleted from the hacker forum. Another listing was published in which another threat actor is claiming to sell details of WhatsApp users.

Unfriended: Dark Web

Nearly 500 million WhatsApp User Records Sold Online

Tags: dark web, WhatsApp User

Oct 10 2022

Dark web carding site BidenCash gives 1.2M payment cards for free

Category: Dark WebDISC @ 10:36 pm

BidenCash, a popular dark web carding site, released a dump of more than 1.2 million credit cards to promote its service.

Operators behind the popular dark web carding market ‘BidenCash’ have released a dump of 1,221,551 credit cards to promote their underground payment card shop. Multiple security firms, noticed the promotional activity, but the news was first reported by threat intelligence firm Cyble and the Italian firm D3Lab.

It is a great gift to fraudsters that can download for free the dump and use it for fraudulent activities.

The announcement of the availability of the dataset consisting of over 1.2 million credit and debit cards information on a notorious cybercrime forum mainly hosting Russian and English-speaking Threat Actors.


Tags: Dark web carding site

Aug 29 2022

NATO Investigates Dark Web Leak of Data Stolen from Missile Vendor

Category: Cyber Threats,Cyber War,Dark Web,Digital cold warDISC @ 1:23 pm

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

blue hacker hands over keyboard
Source: Andrey Khokhlov via Alamy Stock Photo

NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.

The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.

Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.

Contradicting the cyberattackers’ claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company’s internal networks.

NATO, meanwhile, is “assessing claims relating to data allegedly stolen from MBDA,” a NATO official told Dark Reading on Monday.

“We have no indication that any NATO network has been compromised,” the official said.

Double Extortion

MBDA acknowledged in early August that it was “the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company’s information networks,” in a post on its website.

The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.

Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.

NATO is investigating one of the firm’s suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.

The company is working with authorities in Italy, where the breach occurred.

MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.

Classified Info & Ukraine

Hackers claimed in their ad for the leaked data to have “classified information about employees of companies that took part in the development of closed military projects,” as well as “design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies,” according to the BBC.

Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.

This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.

After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.

The sample data viewed by the BBC also included documents labelled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information,” according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.

The criminals also sent by email documents to the BBC including two marked “NATO SECRET,” according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.

Nonetheless, MBDA insists that the verification processes that the company has executed so far “indicate that the data made available online are neither classified data nor sensitive.”



Cyber War

Tags: cyber threats, cyberwarfare, dark web

Jul 18 2022

Tor Browser 11.5 is optimized to automatically bypass censorship

Category: Dark Web,Web SecurityDISC @ 8:40 am

The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship.

The Tor Project team has announced the release of Tor Browser 11.5, the new version of the popular privacy-oriented browser implements new features to fight censorship.

With previous versions of the browser, circumventing censorship of the Tor Network itself was a manual process that required users to dive into Tor Network settings and chose a bridge to unblock Tor. 

Experts pointed out that censorship of Tor isn’t uniform, this means that a certain pluggable transport or bridge configuration may work in one country could not work elsewhere.

The Tor Browser version 11.5 implements a new feature called “Connection Assist”, which was developed to assign automatically the bridge configuration that could allow users in a specific location to bypass censorship.

“In collaboration with the Anti-Censorship team at the Tor Project, we’ve sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you.” reads the announcement published by the Tor Project. “Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from”

Tor browser

Connection Assist downloading up-to-date list options that optimize the connection from the user’s country. To do this, the browser requests user consent.

Maintainers at the Tor Project pointed out that this is only version 1.0 of the Connection Assist, for this reason, they invite users to submit their feedback to help them improve the user experience in future releases.

“Users from countries where the Tor Network may be blocked (such as Belarus, China, Russia and Turkmenistan) can test the most recent iteration of this feature by volunteering as an alpha tester, and reporting your findings on the Tor forum.” continues the annoucement.

Another feature implemented in version 11.5 is making ‘HTTPS-Only Mode’ which is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.

The above features are all for desktop, the announcement provides updates for Androidrs because the Tor Browser for Android is quite behind desktop in terms of feature parity. 

Since the beginning of the year our priorities for Android have been three-fold:

  1. Start releasing regular updates for Android again
  2. Fix the crashes that many Android users have experienced
  3. Begin catching up with Fenix (Firefox for Android) releases

The latest version of the Tor Browser is available on the official download portal

Tor Browser Handbook: Quick Start Guide On How To Access The Deep Web, Hide Your IP Address and Ensure Internet Privacy (Includes a Tor Installation Guide for Linux & Windows + Over 50 Helpful Links)

DISC InfoSec

#InfoSecTools and #InfoSectraining



Ask DISC an InfoSec & compliance related question

Tags: Tor Browser

May 24 2022

Microsoft warns of new highly evasive web skimming campaigns

Category: Dark Web,Web SecurityDISC @ 8:03 am

Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection.

Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.

The threat actors obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded in an image file, using this trick the code is executed when a website’s index page is loaded.

The experts also observed compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts also included anti-debugging mechanisms.

The term web skimming refers to the criminal practice to harvest payment information of visitors of a website during checkout. Crooks use to exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the page of the e-store. In some cases, attackers can exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.

web skimming attack-overview.png

“During our research, we came across two instances of malicious image files being uploaded to a Magento-hosted server. Both images contained a PHP script with a Base64-encoded JavaScript, and while they had identical JavaScript code, they slightly differed in their PHP implementation.” reads the analysis published by Microsoft. “The first image, disguised as a favicon (also known as a shortcut or URL icon), was available on VirusTotal, while the other one was a typical web image file discovered by our team.”

Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.

The attackers place a Base64-encoded string inside a spoofed Google Tag Manager code. This string decoded to 


web skimming attack-overview 2

Encoded skimming script in a spoofed Google Analytics code (Source Microsoft)

Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) using HTTPS.

“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.

Web Scraping with Python: Collecting More Data from the Modern Web

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Web Scraping, web skimming

May 14 2022

He sold cracked passwords for a living – now he’s serving 4 years in prison

Category: Dark Web,Hacking,Password SecurityDISC @ 12:07 pm

In this article, it turns out to be the first name (in Latin script, anyway) of a convicted cybercriminal called Glib Oleksandr Ivanov-Tolpintsev.

Originally from Ukraine, Tolpintsev, who is now 28, was arrested in Poland late in 2020.

He was extradited to the US the following year, first appearing in a Florida court on 07 September 2021, charged with “trafficking in unauthorized access devices, and trafficking in computer passwords.”

In plain English, Tolpintsev was accused of operating what’s known as a botnet (short for robot network), which refers to a collection of other people’s computers that a cybercriminal can control remotely at will.

A botnet acts as a network of zombie computers ready to download instructions and carry them out without the permission, or even the knowledge, of their legitimate owners.

Tolpintsev was also accused of using that botnet to crack passwords that he then sold on the dark web.

What to do?

Tolpintsev’s ill-gotten gains, at just over $80,000, may sound modest compared to the multi-million dollar ransoms demanded by some ransomware criminals.

But the figure of $82,648 is just what the DOJ was able to show he’d earned from his online password sales, and ransomware criminals were probably amongst his customers anyway.

So, don’t forget the following:

  • Pick proper passwords. For accounts that require a conventional username and password, choose wisely, or get a password manager to do it for you. Most password crackers use password lists that put the most likely and the easiest-to-type passwords at the top. These list generators use a variety of password construction rules in an effort to generate human-like “random” choices such as jemima-1985 (name and year of birth) ahead of passwords that a computer might have selected, such as dexndb-8793. Stolen password hashes that were stored with a slow-to-test algorithm such as PBKDF2 or bcrypt can slow an attacker down to trying just a few passwords a second, even with a large botnet of cracking computers. But if your password is one of the first few that gets tried, you’ll be one of the first few to get compromised.
  • Use 2FA if you can. 2FA, short for two-factor authentication, usually requires you to provide a one-time code when you login, as well as your password. The code is typically generated by an app on your phone, or sent in a text message, and is different every time. Other forms of 2FA include biometric, for example requiring you to scan a fingerprint, or cryptographic, such as requiring you to sign a random message with a private cryptographic key (a key that might be securely stored in a USB device or a smartcard, itself protected by a PIN). 2FA doen’t eliminate the risk of crooks breaking into your network, but it makes individual cracked or stolen passwords much less useful on their own.
  • Never re-use passwords. A good password manager will not only generated wacky, random passwords for you, it will prevent you from using the same password twice. Remember that the crooks don’t have to crack your Windows password or your FileVault password if it’s the same as (or similar to) the password you used on your local sports club website that just got hacked-and-cracked.
  • Never ignore malware, even on computers you don’t care about yourself. This story is a clear reminder that, when it comes to malware, an injury to one really is an injury to all. As Glib Oleksandr Ivanov-Tolpintsev showed, not all cybercriminals will use zombie malware on your computer directly against you – instead, they use your infected computer to help them attack other people.

The Darkest Web

The Darkest Web (Allison Barton Book 2) by [Kristin Wright]

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: cracked passwords, dark web, The Darkest Web

Apr 15 2022

How vx-underground is building a hacker’s dream library

Category: Cyber Attack,Cyber crime,Dark Web,Information SecurityDISC @ 12:59 pm
How vx-underground is building a hacker’s dream library

Editor’s Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. “I had no success really,” said its founder, who goes by the online moniker smelly_vx.

But over the last couple of years, the site’s popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as “the largest collection of malware source code, samples, and papers on the internet,” with about 35 million samples overall.

vx-undergound operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.

Dmitry Smilyanets: I would like to start from the very beginning — please introduce yourself.

smelly_vx: Hi. I am “smelly__vx“. I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-underground’s website and the vx-underground Twitter account.

I am in my early 30s. I have a wife. I have a dog. I don’t think I can say anything else which is interesting or important.

DSTell me about the site’s background — how did it start, how did you build it into what it is today?

VX: About vx-underground — it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.

I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work.

I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.

Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.

Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.

Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.

All of this happened very quickly, this ‘story’ encapsulates what happened between August 2019 and December 2019.

DSWhat are your mission and goals?

VX: I don’t know. vx-underground is a library, our goal is basically to… collect malware samples, papers, and code? It exists and that is it. The closest thing to a ‘goal’ we have is simple: “more papers, more samples, more code.” It is as simple as that.

DS: Are you financially motivated? How do you monetize your work? Is it lucrative?

VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the ‘game.’ In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.

More on this article “vx-underground” – building a hacker’s dream library

DS: One may say you are a threat actor group. Are you?

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Hacker library

Nov 24 2021

There’s More to Threat Intelligence Than Dark Web Monitoring

Category: Dark Web,Web SecurityDISC @ 10:06 am

Dark web monitoring seems to be a hot buzzword in discussions about cyberthreat intelligence (CTI) and how it helps cybersecurity strategy and operations. Indeed, dark web monitoring enables a better understanding of an attacker’s perspective and following their activities on dark web forums can have a great impact on cybersecurity readiness and

Accurate and timely knowledge of attackers’ locations, tools and plans helps analysts anticipate and mitigate targeted threats, reduce risk and enhance security resilience. So why isn’t dark web monitoring enough? The answer lies in both coverage and context.

When we talk about visibility beyond the organization, one needs to make sure the different layers of the web are covered. Adversaries are everywhere, and vital information can be discovered in any layer of the web. In addition, dark web monitoring alone provides threat intelligence that is siloed and out of context. In order to make informed and accurate
decisions, a CTI plan has to be both targeted, based on an organization’s needs and comprehensive, with extensive source coverage to support diverse use cases.

Be Wherever Adversaries Are

The internet as we know it is actually the open web, or the surface web. This is the top, exposed, public layer where organizations rarely look for CTI. The other layers are the deep web and the dark web, on which some sites are accessed through the Tor browser. Monitoring the deep/dark web is the most common source of CTI. However, to ensure complete visibility beyond the organization and optimal coverage for gathering CTI, all layers of the web should be monitored. Monitoring the dark web alone leaves an organization pretty much, well, in the dark.

The Shadow Brokers is a great example of why it is important to monitor more than just the dark web. In 2016, the Shadow Brokers published several hacking tools, including many zero-day exploits, from the “Equation Group,” which is considered to be tied to the U.S. National Security Agency (NSA). The exploits and vulnerabilities mostly targeted enterprise firewalls, antivirus software and Microsoft products. The initial publication of the leak was through the group’s Twitter account on August 13, 2016, and the references and instructions for obtaining and decrypting the tools and exploits were published on GitHub and Pastebin, both publicly accessible.

The WannaCry ransomware attack in May 2017 was also first revealed on Twitter, as were different reports on the attack.
Coverage of all layers of the web is necessary, yet even with expanded monitoring of additional layers of the web, an organization’s external threat intelligence picture remains incomplete and one-dimensional. There are additional threat intelligence sources to cover in order to get a complete threat intelligence view that is optimized for the needs of an
organization. These include:

Online Data Sources

Dark Web: Cicada 3301

Dark Web: Cicada 3301

Tags: dark web, Dark Web: Cicada 3301, deep web