{
	"id": "3b44c70d-4898-4267-87bb-06b406a60f5c",
	"created_at": "2026-04-06T00:08:39.774627Z",
	"updated_at": "2026-04-10T03:35:29.144921Z",
	"deleted_at": null,
	"sha1_hash": "7e0950d2da0c4bba63aa78994a986147d496656a",
	"title": "/var/log/notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3015924,
	"plain_text": "/var/log/notes\r\nArchived: 2026-04-05 20:29:17 UTC\r\nBy Jeff White (karttoon)\r\nAfter I published a blog at $dayjob on how I came to realize that what I thought was a sample of Agent Tesla turned out to actually be a new malware called OriginLogger, a fellow threat researcher, botlabsDev, reached out some months later. They had noticed that the two GitHub repositories I referenced for the profile \"0xFD3\" each had a commit from a different account which exposed some new e-mail addresses to pivot on. Holy shit. I was unaware this was even a thing, so looking into this further showed that each repository received an update from a different account on the same days the respective code was initially committed. This crucial piece of info took me down a fun little rabbit hole that I wanted to share, wherein I was able to identify an individual who may be the developer behind one of the most prominent keylogger malware families - OriginLogger and Agent Tesla.\r\nStarting with the two GitHub repositories, I wanted to show both of the commit logs and the connections that resulted from them.\r\nFor the first one, Chrome-Password-Recovery, we see a commit by \"Omer Demir\" with an e-mail address of \"omer.demir-@hotmail.com\" on March 11th, 2020. 
This was six months before the builder I found in the original blog, which was compiled in 2020 as well and which authenticated against the domain that led me to this GitHub profile originally.\r\nChrome-Password-Recovery $ git log\r\ncommit 5d0c09a9c3e23004a08017dfc916196ac8971983 (HEAD -\u003e master, origin/master, origin/HEAD)\r\nAuthor: Omer Demir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Mar 11 04:23:11 2020 +0300\r\n\r\n    Update README.md\r\n\r\ncommit 305ef43b4b138660bdfd1cdee638cce47e487769\r\nAuthor: Omer Demir \u003comer.demir-@hotmail.com\u003e\r\nDate:   Wed Mar 11 04:14:39 2020 +0300\r\n\r\n    first commit\r\n\r\ncommit ffbe0189c30804844e767dcfc2fa38aef1813b1d\r\nAuthor: Omer Demir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Mar 11 03:50:52 2020 +0300\r\n\r\n    Initial commit\r\nChecking the e-mail against the usual database leak sites revealed that the e-mail has been observed in breaches for \"ledger.com\", \"leet.cc\", and Tumblr. This also provided a bit more information about the account - specifically a middle name, address, and phone number located in Turkey. This is an important piece of information, as will be discussed shortly.\r\nName: Omer Faruk Demir\r\nEmail: omer.demir-@hotmail.com\r\nAddress: Miralay Rafet Sokak 34360 Istanbul Turkey\r\nPhone: 5464200269\r\nFor the other repository, OutlookPasswordRecovery, there is a commit by account \"0Fdemir\" with the e-mail \"ssfenks@windowslive.com\" on the 15th of November, 2017 - three years prior to the above. At this point, seeing the \"0Fdemir\" moniker and recalling the \"0xfd3\" one, I realized the hex code used is representative of \"Omer Faruk Demir\" or \"0xFD\".\r\n
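The pivot the post opens with (a commit whose author e-mail is a real mailbox rather than the account's GitHub noreply address, landing on the same day as the account's own commits) is easy to automate across many repositories. The script below is an added example written for this page, not code from the original post or from the author; it parses the output of git log --format='%H%x09%an%x09%ae%x09%aI' and the sample input is constructed from the two commit logs quoted in the post. The numeric prefix of a GitHub noreply address is the account's user ID, which survives a username change, so it is recorded alongside the login.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample input: what
#   git log --format='%H%x09%an%x09%ae%x09%aI'
# prints for each repository (hash, author name, author e-mail, author date,
# tab separated). Hashes, names, addresses and dates are the ones quoted in
# the post; the layout is this example's own.
SAMPLE_LOGS = {
    'Chrome-Password-Recovery': (
        '5d0c09a9c3e23004a08017dfc916196ac8971983\tOmer Demir\t33671489+0Fdemir@users.noreply.github.com\t2020-03-11T04:23:11+03:00\n'
        '305ef43b4b138660bdfd1cdee638cce47e487769\tOmer Demir\tomer.demir-@hotmail.com\t2020-03-11T04:14:39+03:00\n'
        'ffbe0189c30804844e767dcfc2fa38aef1813b1d\tOmer Demir\t33671489+0Fdemir@users.noreply.github.com\t2020-03-11T03:50:52+03:00\n'
    ),
    'OutlookPasswordRecovery': (
        'c6816ce933dd42d81048e658a58720f9f1f75cb3\t0Fdemir\t33671489+0Fdemir@users.noreply.github.com\t2017-11-15T01:00:06+03:00\n'
        '0f5208d79a3178c1e45ebbcf8afac19298374741\t0Fdemir\t33671489+0Fdemir@users.noreply.github.com\t2017-11-15T00:44:03+03:00\n'
        'b459361e74b28584ef487d4929f5707663055265\t0Fdemir\t33671489+0Fdemir@users.noreply.github.com\t2017-11-15T00:43:39+03:00\n'
        '67b9632d6bf147eb5ccec3e4f7fb8a8a0bee7d3d\t0Fdemir\tssfenks@windowslive.com\t2017-11-15T00:42:38+03:00\n'
        'f431ace4378c2db84e14f59cc3086b6eee4dd09d\t0Fdemir\t33671489+0Fdemir@users.noreply.github.com\t2017-11-15T00:37:19+03:00\n'
    ),
}

# GitHub's privacy address is ID+login@users.noreply.github.com; accounts
# created before mid-2017 may still use the older login@users.noreply.github.com
# form without the numeric ID, so the ID group is optional.
NOREPLY_RE = re.compile(r'^(?:([0-9]+)[+])?([^@]+)@users[.]noreply[.]github[.]com$')


def parse_log(text):
    # One commit per line; the author date is cut to its calendar day.
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, when = line.split('\t')
        commits.append({'sha': sha, 'name': name, 'email': email,
                        'day': date.fromisoformat(when[:10])})
    return commits


def classify_email(email):
    # ('github', user_id, login) for a noreply address, else ('personal', None, None).
    m = NOREPLY_RE.match(email)
    if m:
        return ('github', m.group(1), m.group(2))
    return ('personal', None, None)


def find_pivots(logs):
    # personal: leaked non-noreply address, mapped to the repos it appeared in
    # github:   (user_id, login) behind the noreply commits, mapped to repos
    # same_day: (repo, day, addresses) where two or more identities committed on one day
    personal = defaultdict(set)
    github = defaultdict(set)
    same_day = []
    for repo, text in logs.items():
        per_day = defaultdict(set)
        for c in parse_log(text):
            kind, uid, login = classify_email(c['email'])
            if kind == 'personal':
                personal[c['email']].add(repo)
            else:
                github[(uid, login)].add(repo)
            per_day[c['day']].add(c['email'])
        for day in sorted(per_day):
            if len(per_day[day]) > 1:
                same_day.append((repo, day, sorted(per_day[day])))
    return dict(personal), dict(github), same_day


def report(logs):
    # Human-readable summary, returned as a list of lines so it can be tested.
    personal, github, same_day = find_pivots(logs)
    lines = []
    for (uid, login), repos in github.items():
        lines.append('GitHub account %s (user id %s): %s' % (login, uid, ', '.join(sorted(repos))))
    for email, repos in personal.items():
        lines.append('leaked address %s in %s' % (email, ', '.join(sorted(repos))))
    for repo, day, emails in same_day:
        lines.append('%s: %d identities on %s: %s' % (repo, len(emails), day.isoformat(), ' / '.join(emails)))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOGS)))
```

Run it against the real output of the git command above for every repository a profile owns, and the same-day check surfaces exactly the pattern botlabsDev spotted: the noreply identity and a personal mailbox committing within minutes of each other. Treat a leaked address as a lead to verify, not as attribution on its own, since anyone can set user.email to any string before committing.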
Definitely a cool moniker in my book but, more importantly, it links both accounts.\r\nhttp://ropgadget.com/posts/originlogger.html\r\nPage 1 of 12\r\nOutlookPasswordRecovery $ git log\r\ncommit c6816ce933dd42d81048e658a58720f9f1f75cb3 (HEAD -\u003e master, origin/master, origin/HEAD)\r\nAuthor: 0Fdemir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Nov 15 01:00:06 2017 +0300\r\n\r\n    Update README.md\r\n\r\ncommit 0f5208d79a3178c1e45ebbcf8afac19298374741\r\nAuthor: 0Fdemir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Nov 15 00:44:03 2017 +0300\r\n\r\n    Update README.md\r\n\r\ncommit b459361e74b28584ef487d4929f5707663055265\r\nAuthor: 0Fdemir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Nov 15 00:43:39 2017 +0300\r\n\r\n    Update REEDME.md\r\n\r\ncommit 67b9632d6bf147eb5ccec3e4f7fb8a8a0bee7d3d\r\nAuthor: 0Fdemir \u003cssfenks@windowslive.com\u003e\r\nDate:   Wed Nov 15 00:42:38 2017 +0300\r\n\r\n    nocommit\r\n\r\ncommit f431ace4378c2db84e14f59cc3086b6eee4dd09d\r\nAuthor: 0Fdemir \u003c33671489+0Fdemir@users.noreply.github.com\u003e\r\nDate:   Wed Nov 15 00:37:19 2017 +0300\r\n\r\n    Initial commit\r\nThis e-mail address is likewise observed in database leaks and was seen using the username of \"agenttesla\" in a forum dump.\r\nIn June 2015, two years prior to the aforementioned GitHub commit, I observed a post by user \"sifenks\", which is associated with the e-mail address \"ssfenks@windowslive.com\", on the \"nulled.cr\" forum titled \"[FREE] [FUD] Agent Tesla Keylogger [Beta]\". The post is an advertisement for an early version of the Agent Tesla keylogger that could be downloaded at \"http://www.agenttesla.com/en/download/free/\". In the post, it also stated the following:\r\nP.S.: Agent Tesla that my last project beta version with you! Please leave a message for requests , needs , bugs and errors. Program is tested. Each function working flawlessly. If you like and If you want to continuousness for Agent Tesla, please donate... Enjoy! P.S.2: Please close all AV! 
P.S.3: Please dont use Virustotal, jotti etc...\r\nFocusing in on the wording here, Sifenks stated \"my last project\" and requested that users message their account for \"requests , needs , bugs and errors\". This implies to me that the Sifenks account is a developer.\r\nGoing back a little further, this user was also observed in 2014 posting an earlier version of Agent Tesla on the hackforums.net website, wherein they quickly responded to users and fixed bugs in the code that they found. One consumer of Agent Tesla posted \"Before i talk with my error, i have to say sifenks is the most active person that responds to your problems! All in the other keyloggers, the keylogger creator hasn't spoke once!\".\r\nIn 2018, a few months before Agent Tesla announced they were closing up shop and to instead use OriginLogger, Brian Krebs released an article titled \"Who is Agent Tesla?\" in which he details that the earlier version of Agent Tesla, in 2014, was made available on a Turkish-language WordPress site (\"agenttesla.wordpress.com\") before they eventually migrated to \"agenttesla.com\". Brian reported that the subsequent domain was registered in 2014 by a person named \"Mustafa can Ozaydin\" in Antalya, Turkey, who used the e-mail address \"mcanozaydin@gmail.com\" before they were hidden behind WHOIS privacy services in 2016.\r\nI'll be honest and say that it was a bit of an emotional roller coaster researching this and then finding out Krebs had written an article years ago about the very same topic. D'oh! As I started to read it though, I realized it's an entirely different person...What the hell? Brian's research here was solid, I recreated his steps and it all seemingly lined up, so I was left wondering who the heck this other guy was and how he related to mine. 
It turned from a simple OSINT attribution exercise into a proper mystery.\r\nIn Brian's research he linked the Gmail address that registered the domain to a YouTube account by a Turkish individual with the same name who uploaded tutorials on using the Agent Tesla web panel. Brian went on to state that the administrator of the 24x7 live support channel for Agent Tesla had the same profile picture as a Twitter account \"MCanOZAYDIN\". This information was used to eventually identify Mustafa's LinkedIn profile. This profile listed Mustafa as a \"systems support expert\" for a hospital in Istanbul, Turkey at the time of his writing.\r\nI decided to see if I could find any social media profiles for Omer and started by looking at Mustafa's Twitter account. One of the things I like to do when researching Twitter accounts is to look at the followers and following, which are displayed in the order in which they followed. It was a win in this scenario, and one of the early accounts followed by Mustafa is for an Omer Demir.\r\nPivoting off of this account name \"omerfademir\" led me to a Facebook profile with the same profile picture (uncropped) and name.\r\nA couple of interesting points to note, even if the profile is otherwise light on information. He listed self-employment in 2014, the year that Agent Tesla came out, and he studied at Anadolu University. Mustafa's LinkedIn also showed that he attended Anadolu University and both men started the same year, in 2013. Taking it a step further with that connection, in one of the previously mentioned forum posts by the \"sifenks\" account, which was advertising an early version of Agent Tesla in 2015, a user reported a bug that stated they were receiving the following message - \"The remote name could not be resloved: '48982689868.home.anadolu.edu.tr\". 
It's unknown if they knew each other before college, but it stands to reason they knew each other while at university.\r\nThe profile also provides a clearer picture of the individual with additional photos and stated they were from Samsun, narrowing down the geography.\r\nThis led me back to LinkedIn to see if I could find a profile there with all of this new information. Filtering by \"Omer Faruk Demir\" resulted in 182 hits, adding location brought it down to 51 hits, and then restricting to alumni of Anadolu University to 18 hits. With the remaining hits, visual inspection and relative age comparison, I was able to find his account. It provides a bit more background information, such as skills and knowledge, but further solidified the link to the Facebook profile and closed the loop.\r\nSpecifically: the timing they both attended Anadolu University, hailing from Samsun, studying in the languages used by Agent Tesla and OriginLogger, and finally the way the career experience is listed on both sites.\r\nComparing the LinkedIn for each individual, I'd say Mustafa's work experience shows him in more of a support role and less focused on development or coding, whereas Omer's shows he has the skills and knowledge necessary to write the code for Agent Tesla and OriginLogger.\r\nBased on this, I would surmise that Mustafa may have acted more in a support capacity for Agent Tesla, maybe keeping the business side running smoothly while Ömer worked on developing the malware itself. Once the Brian Krebs article came out and Agent Tesla suddenly closed down a few months later, it would appear Omer used the code to continue development under a new brand - OriginLogger.\r\nNot too long after my blog came out, OriginLogger added a new exfiltration method for Discord...and then...silence. 
Updates stopped, the marketplaces to purchase it vanished, good and bad guys alike were asking \"does anyone know where to find this??\", and then the builder got pirated.\r\nFast-forward to late September 2023: it re-emerges on my radar at a new marketplace site - http://originpro.nl.\r\nNote the giant \"Join Telegram\" button they've added to the new marketplace site? Of course fam.\r\nEveryone will be shocked to see the admin is none other than the one and only 0xFD aka Omer Faruk Demir. :surprised_pikachu: But, if nothing else, at least they are done hiding now, which helps connect all of the other research together.\r\nI spent a few days reading through the chat history and found a couple of nuggets I'll share. The first one is that 0xFD states there have been no updates to OriginLogger because it's feature complete.\r\nSo what's 0xFD been up to if not working on OriginLogger then? Apparently a new product called \"OriginLoader\" which is touted as an HTTP-based botnet that comes complete with keylogging and all the usual bells and whistles.\r\n0xFD doesn't like when people don't understand the difference between these two products and has to break it down repeatedly for potential customers. They are also very fond of crowdsourcing ideas for new features to add to either product. 
At this point, it's a hallmark of their character - always placing the customer first.\r\nOriginLoader will be one to keep an eye on and see if it continues to evolve and be as successful as the other products.\r\nFinally, in one post they share a video on installing the panel for OriginLoader and within the video, every instance where they open the file explorer is blurred out...except the very first frame of the video :facepalm:. It shows the file names for OriginLoader and further strengthens the idea that the developer is someone of Turkish origin due to the language pack.\r\nAnnnnnd that's a wrap! It was a fun OSINT rabbit hole to go down...*gets on soapbox* now please stop calling OriginLogger Agent Tesla.\r\nSource: http://ropgadget.com/posts/originlogger.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://ropgadget.com/posts/originlogger.html"
	],
	"report_names": [
		"originlogger.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e0950d2da0c4bba63aa78994a986147d496656a.pdf",
		"text": "https://archive.orkl.eu/7e0950d2da0c4bba63aa78994a986147d496656a.txt",
		"img": "https://archive.orkl.eu/7e0950d2da0c4bba63aa78994a986147d496656a.jpg"
	}
}