Brutkey

BrianKrebs
@briankrebs@infosec.exchange
A web-based control panel, allegedly for the Badbox 2.0 botnet, at the IP address 45.134.212.95. This users panel lists seven authorized users, all but one of which have email addresses ending in the Chinese email service qq.com. Two of the users on this list map directly to domains tied to the Badbox 2.0 botnet.

An illustration showing the head of a robot with arrows pointing down to two computer screens below. The robot's head has antennae sticking out diagonally from the top of its square head, almost resembling a TV box.

Hilariously, a user by the name "Richard Remington" briefly appeared in the group's Telegram server to post a crude "Happy New Year" sketch that claims Dort and Snow are now in control of 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington's Telegram account has since been deleted, but it previously stated its owner operates a website that caters to DDoS-for-hire or "stresser" services seeking to test their firepower. The sketch is done in blue pen ink on a white composition notebook held sideways, so that the lines are vertical. It includes several childish stick figure drawings depicting people allegedly tied to Aisuru and Kimwolf, and in the center are two hands clasped, with one hand labeled "Snow" and the other "Dort."

A screenshot of various e-commerce sites selling unofficial Android TV boxes that all ship with proxy malware built in and with no discernible security built in.

A screenshot of the Hellcat ransomware website, showing the member roster. The site has a black background with red and white lettering, and includes 9 profiles with each person's nickname. Rey is the first one listed in the upper left corner of the list.

A screenshot of the Walmart website shows 397 results for Superbox devices. They look like small wireless routers, include a remote, and come in bright metallic blue or black.

A screenshot of the Mozilla Monitor tool showing the "10 sites are selling your information" screen, listing BeenVerified, Instant Checkmate, PeopleSmart and others.

An organization chart published by the news publication correctiv.org shows photos of the Neculiti brothers and their connections to MIRhosting in the Netherlands.

A phishing message tied to the newly registered phishing domain npmjs[.]help, which is a TLD away from NPM's real login page, npmjs.com.

npm <support@npmjs.help> 08:47 (55 minutes ago)
to marsup

Hi, marsup!

As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update.

To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.

Update 2FA Now

If you have any questions or require assistance, our support team is available to help. You may contact us through this link.

Preferences - Terms - Privacy - Sign in to npm
A graphic shared by Estonian email intelligence firm Koli-Lõks OU shows the difference in mass email campaigns sent by ActBlue and WinRed. The graphic shows ActBlue's blue line relatively flat and very low relative to the volume of WinRed messages hitting their spamtraps, particularly in the final week of July 2025, when WinRed started massively hitting spamtraps in a fourfold increase.