{
	"id": "4fcf8e5c-107d-48cd-960f-8012abb8eecd",
	"created_at": "2026-04-06T00:22:11.847188Z",
	"updated_at": "2026-04-10T03:23:51.69481Z",
	"deleted_at": null,
	"sha1_hash": "9584f894853c32af1a6ccef60a52ef7a16cccdbf",
	"title": "/var/log/notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4620730,
	"plain_text": "/var/log/notes\r\nArchived: 2026-04-05 21:38:54 UTC\r\nBy Jeff White (karttoon)\r\nThreat researchers...Hear me and rejoice!\r\nA dump of the Black Basta ransomware group's chat messages has surfaced, totalling almost 200K entries and\r\nspanning a little over a year from late 2023 to late 2024. These moments are always a great insight into the inner\r\nworkings of these well-established organizations that we so rarely are able to see. They're worth the read even if\r\nyou're just a slight bit curious; it's a treasure trove of information!\r\nThe logs were posted early on February 20th and were mostly in Russian, which meant a lot of us scrambled to\r\nfind ways to quickly translate them so that we could better analyze the conversations. After that was squared away\r\nand, while the translators were roaring, I started conducting typical searches for reliable patterns (IP, domain, URL,\r\nhash, coins, etc.), which is a typical method to zero in on a starting point to begin reading the translated content. I'd\r\nflag messages and add 1 hour to each side of the message so that I could get a little more context. While doing this,\r\none pattern that I kept noticing when looking at the Russian text was strings like \"ftp4\", \"ftp3\", and \"ftp1\".\r\nhttp://ropgadget.com/posts/blackbasta_leaks.html\r\nPage 1 of 26\n\n4) MAIN FTP4 138.201.81.174 root 7hQfaOF5*6q1SOljCbh#eKa@hI pass 2:\r\nXn7Y4zq1uU$!gG#Fjwgl$26exubE\u0026QM\r\nPivoting on those types of labels (\"FTP4\") would lead to messages like the one below, providing a potentially related\r\nonion address and a new IP address.\r\nftp4 6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion 179.60.150.111 this ☝️ is our ftp for the\r\nblog where we upload the data.\r\nThis repeated pattern started to pique my interest since it was a clear naming structure for servers, which might\r\nimply more importance. 
Plus, when you stop to think about it objectively, what would a ransomware group need a\r\nlarge amount of FTP servers and storage for? The loot, of course! This made it feel like a good starting point for\r\nsome analysis and to see what could be derived simply through the chats between threat actors.\r\nThis blog is going to cover that specific avenue of research I went down while reading through this cache of data.\r\nI'll piece together some of their infrastructure based on messages and then take a look at the infrastructure itself.\r\nIt's easy to get lost in the volume of messages within these leaks, so this will help to highlight how you can home in\r\non disparate data to generate some actionable intelligence.\r\nBut before diving in further, I wanted to drop a couple of points and/or lessons learned from going through this\r\nexercise, in case it's helpful for others in the future.\r\nFind and test a way to bulk translate a large amount of messages reliably and quickly -- you never know\r\nwhen you might need to!\r\nAs new translations from different engines came out, the differences were very noticeable. Try not to rely\r\non one translation, as keywords might significantly change the context, e.g. one might say \"Gasket\" while the\r\nother says \"Proxy\".\r\nPatterns are your friend. Give in to grep and regex as your lord and savior. The better you are with them,\r\nthe easier it is to slice and dice large amounts of random data.\r\nOnce the leak occurs, any live services should be considered compromised and tainted. Recent activity you\r\nsee could be another researcher. I know of at least one such instance in this leak where a site was accessed by\r\nnumerous folks on Twitter who stumbled on the same messages within a day of the leak.\r\nStrike while the iron is hot because things go down quickly. Have a solid plan to collect related files or data\r\nbefore they vanish for good. 
Make sure your collection techniques work reliably over TOR as well.\r\nDon't get tunnel vision looking for \"malware\" or just other indicators. Messages with things like linked\r\nscreenshots or pastes can prove extremely valuable.\r\nContextualize each interesting match with hours of chats before and after. Seeing how it came up in\r\nconversation, what the response was, and where the subsequent messages went can quickly\r\nlead you to many new places.\r\n[gets off soapbox]\r\nPivot Research:\r\nAs I was reading a lot of these conversations, the topic of FTP servers usually came up in two contexts. The first was\r\nfrom a tech support/maintenance perspective, discussing migrating IPs, storage, cost, etc. The second was support\r\naround the usage of them - how to upload files and get data published. This revealed lots of interesting insights\r\ninto how they effectively operate.\r\nTake this translated post below - it's a guide on how to post a new victim to the Black Basta DLS (Data Leak Site)\r\n- this is effectively the beginning of the extortion phase of ransomware attacks.\r\nA guide to publishing a blog. 1. Go to https://passwordsgenerator.net/ and uncheck the first checkbox for special\r\ncharacters. 2. Set the size to 40 and generate a new password. 3. Connect to FTP and create a folder with a new\r\nname. 3.1 Fill the date into this folder 4. In the blog in the Data folder name input enter the generated password. 5.\r\nIn the Public blog name input enter the company name. In the future there will be a public link like:\r\nhttps://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/?id=company. 6. In the Public ftp\r\nlink input enter the domain of the ftp server. 
ftp1:\r\nfmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion ftp2:\r\nr6qkkk55wxvy2ziy47oyhptesucwdqqqaip23uxuxregdgquqq5oxxlpeecad.onion ftp3:\r\nweqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion ftp4:\r\n6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion 7. Fill in the Total data \u0026 Data published\r\nitems. 8. Click the Unhide company button. Now the blog is published and anyone can download the date.\r\nThis message alone provides four labels and four onion addresses which allegedly feed the stnii* onion address\r\n(Black Basta's primary DLS site). Other chats show them discussing listed victims or fixing posts - typical website\r\nissues. You can't effectively extort victims and get paid if the website doesn't work!\r\n[23:56:17] AA: We won't get paid. [AA: if we don't publish. [23:56:22] AA: dat. [23:56:26] AA: Do you realize\r\nthat, brother? [23:56:33] Bio_2: so the gasket died. [Bio_2: when you were on vacation. [23:56:45] Bio_2: and\r\nyou couldn't pour anything in. [23:56:48] Bio_2: whatever I could get. [23:56:58] AA: We'll make a new gasket.\r\n[23:56:59] AA: and fill it up. [23:57:03] Bio_2: ++ [23:57:05] Bio_2:\r\nhttp://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/?id=BION_2 [23:57:07] Bio_2: it\r\nworks.\r\nAs you start reading more of the messages you can start piecing together the information for each server. FTP4\r\nhas had IP addresses \"138.201.81.174\" and \"179.60.150.111\", along with an onion address of\r\n\"6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion\". It hosted victim data for the\r\n\"stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion\" DLS.\r\n[ftp4] type = sftp host = 138.201.81.174 user = ftp_white pass =\r\nHntCeYIUyxC2mPwOrmNiSnEKhBreZaXXyTqtJoVtNE898nwi_qPJuGKbLwZ_zEanSi6f0q5L8dc\r\nBelow is a message, which appears a few times, and seems to list the cost for servers/services. 
More importantly\r\nthough, it exposes a list of collected IP addresses which they control.\r\n95.217.43.112 40tb drives $280. 138.201.196.90 240$ 144.76.223.74 240$ 148.251.236.201 240$ 144.76.235.89\r\n240$ 138.201.81.174 40tb disks $280$ 95.217.225.177 40tb disks 280$ 138.201.31.166 220$ 136.243.93.236\r\n220$ 46.4.78.94 under panel 210$ 5.9.158.84 20tb disks 250$ ...\r\nIn the same message you can see discussion about migrating from one server/IP to another.\r\ngasket ( 178.236.246.148 It's been removed ) REPLACED TO --\u003e 95.216.97.206 148$\r\nAlong with subsequent replies giving further context on multiple servers.\r\n144.76.235.89 240$ \\\\\\\\\\\\\\\\\\\\\\\\\\\\ according to my docs - it's sox bot 2023!!! I think you can delete it!!!!\r\n138.201.81.174 40tb disks 280$ \\\\\\\\\\\\\\\\\\\\\\\\\\\\ old FTP can be deleted, I don't use it for a long time already!!!! it\r\ndoesn't work already! 95.217.225.177 40tb disks 280$ \\\\\\\\\\\\\\\\\\\\\\\\\\\\ it's ftp5 it doesn't even work it doesn't connect\r\nthere! you can delete it! 5.9.158.84 20tb disks 250$ \\\\\\\\\\\\\\\\\\\\\\\\\\\\ it's ftp3 it doesn't even work it doesn't connect! You\r\ncan delete it!\r\nThis process is repeated for every label, every domain, every onion address, and every IP until I have pieced\r\ntogether a decent collection of their infrastructure that I can pivot on. For this research, I focused on looking at the\r\nFTP server ecosystem as it's likely to be highly trafficked, especially given the success of Black Basta over the\r\ntime period in question with numerous victims being uploaded. 
Below are a few observations that stood out\r\nregarding them:\r\nThey rotate FTP servers a fair bit and migrate them to different IPv4 addresses, while keeping the\r\nadvertised onion address.\r\nThe FTP servers are set up in Primary/Secondary configurations for redundancy and backups.\r\nA lot of the FTP servers have non-onion domains attached to them. This may make direct backend access\r\neasier for affiliates.\r\nThey have good password hygiene, both in using password generators for sufficiently complex passwords\r\nand in changing them regularly.\r\nThe FTP servers, along with some other servers like proxies and CobaltStrike instances, shared a label of\r\nBraveX (where X was a number), possibly implying a cluster.\r\nThe servers with the Brave labels are referenced frequently with their non-onion FQDN, providing amusing\r\ncontext clues such as \"public blog download\" and \"data blog download\".\r\nBrave3 = downloaddotaviablogadd.io\r\nBrave4 = publicblogdownloaddotaviablog.su\r\nBrave5 = datablogdownloaddotaviablog.su\r\nBrave6 = privatdatecomdote.su\r\nBelow are my notes on the servers I felt most relevant to this discourse, aggregated into a single list. These\r\nwere pieced together from commentary, maintenance messages, troubleshooting conversations, guides, purchase\r\norders, and anything else that provided additional context for grouping. 
Keep in mind these chat logs are a picture\r\nin time and represent only a subset of their overall communication, as we know they used other mediums for\r\nconversations and even in-person meetings or phone calls.\r\nLabels: FTP1 Main IPs: 179.60.150.124 Onions: fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion\r\nLabels: FTP1 Proxy IPs: 23.81.246.105\r\nLabels: FTP2 Main, FTP1 Middle, Brave3, Brave7 IPs: 178.236.246.138 -\u003e 185.224.113.13 Domains: megatron.top, megatron2.top, megatron3.top, publicblogdownloaddotaviablog.com, downloaddotaviablogadd.io Onions: r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion\r\nLabels: FTP2 Middle IPs: 178.236.246.13\r\nLabels: FTP3 Main IPs: 185.190.24.13 Onions: 6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion\r\nLabels: FTP3 Middle, Brave5, Proxy IPs: 178.236.246.147 -\u003e 185.224.133.15 Domains: downloaddotaviablog.su, downloaddotaviablog.com, datablogdownloaddotaviablog.su, stuffsteven.top, stuffstevenpeters.top, stuffstevenpeters2.top\r\nLabels: FTP3 Proxy IPs: 192.52.166.115\r\nLabels: FTP3 IPs: 5.9.158.84 Onions: weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion\r\nLabels: FTP4 Main IPs: 138.201.81.174 -\u003e 179.60.150.111 Onions: 6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion\r\nLabels: FTP4 Middle IPs: 45.182.189.120\r\nLabels: FTP5 Proxy IPs: 142.234.157.12\r\nLabels: FTP5 IPs: 95.217.225.177\r\nLabels: FTP6 Pad IPs: 23.81.246.165 -\u003e 192.52.166.141\r\nLabels: FTP7 Pad IPs: 185.243.112.107\r\nLabels: FTP9 Proxy IPs: 104.243.37.25\r\nLabels: FTP Routing, Proxy, Advert Pad IPs: 45.15.157.234\r\nLabels: Brave2, fastflux IPs: 5.182.86.108 -\u003e 5.42.76.214 Domains: downloaddotaviablog.com, privatdatecomdote.su, databasebb.top, onlylegalstuff.top\r\nLabels: Brave4, Proxy IPs: 95.217.40.220 -\u003e 65.108.98.161 Domains: downloaddotaviablogadd.io, publicblogdownloaddotaviablog.su, greenmotor.top, greenmotors.top, greenmotors2.top\r\nLabels: 
Brave6 IPs: 178.236.246.148 Domains: downloaddotaviablog.io, privatdatecomdote.su, thesiliconroad.top\r\nLabels: Basta Blog IPs: 138.201.199.104\r\nLabels: Basta Blog 2 IPs: 95.216.39.254\r\nLabels: CobaltStriker Server IPs: 104.200.72.124\r\nLabels: CobaltStrike Server IPs: 172.93.101.47\r\nLabels: None IPs: 23.88.64.226 Onions: qlcquql6hx6qle4oib2euefnjoqi4uk7i2iofahu4d44n3d7hfs3oeid.onion\r\nThis provides a solid base to start pivoting on to seek out new information outside of the leaks. Also of note, you\r\ncan observe how some of the onion addresses and domains are hosted on multiple servers over time just by\r\nlooking for the overlaps in hosting. For example,\r\n\"6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion\" was seen referenced on FTP3 and FTP4,\r\nwhile servers Brave2 and Brave6 both at some point resolved to \"privatdatecomdote.su\" and\r\n\"downloaddotaviablog.com\". Most of these servers are no longer up, so trying to do any kind of door knocking or\r\nmore introspective searches is, unfortunately, not really on the table. Likewise, as this activity is a bit older, things\r\nlike netflow become extremely difficult to source for trying to figure out who may be uploading data to them. But,\r\nsince not all of their infrastructure is hosted in RU, there is a possibility additional logs could be gathered from\r\nhosting companies which may shed further light on access. Either way, there are a good number of domains, so one\r\nof the first orders of business is to review the domain registrations and passive DNS.\r\nWhile going down the list of domains in my aggregate list and pulling up historical registrant information, I kept\r\nnoticing certain values re-appearing across the records. 
As a lot of the domains had some form of domain privacy,\r\nthe historical records sometimes only exposed one or two facets of the registrant but, given the context, we can\r\nrelate them together easily enough:\r\nEvgenii Khokhlov Potatpovskaya Rosha 8 KV 50 +7 916 511 46 15 geraregaettemu@mail.ru\r\nIt's entirely possible it's fraudulent registration information, which is a common occurrence, but the repeated usage\r\nof these values allows us to cluster them all the same. Googling any of these leads you to numerous posts\r\nconcerning site reputation and scams that contained at least one of these pieces of information.\r\nThere is even a tweet from back in 2022, prior to the leak, linking the e-mail to a Ukraine aid scam.\r\nFocusing on the historical registrations associated with the name \"Evgenii Khokhlov\" reveals the following domains:\r\naefieiaehfiaehr.top aeufoeahfouefhg.top databasebb.top greenmotors2.top greenmotors5.top greentrees.top\r\nmarathones.top megatron3.top onlylegalstuff.top sauria.top stuffstevenpeters2.top teams-microsoft.top\r\nthesiliconroad1.top thesiliconroad2.top wdqwhfusad.top yeahweliftbro.cz\r\nThis was a relatively small list of domains, but it had a high overlap with what I had already collected from the\r\nmessages. This also means we can assume further relations based on the naming structure, even if context wasn't\r\nderived from the leaked chat logs. 
For example, \"thesiliconroad1.top\" is mentioned in the below message, along\r\nwith some other obviously related domains.\r\nthesiliconroad1.top greenmotors5.top onlylegalstuff5.top stuffstevenpeters4.top databasebb3.top\r\nSo it's safe to assume \"thesiliconroad2.top\" is either a new iteration or an additional server in this cluster.\r\nSimilarly, we can draw some conclusions about these other domains - \"onlylegalstuff.top\" only contains legal stuff\r\nand \"yeahweliftbro.cz\" is a homage to their ideology of healthy living.\r\nSwitching over to the e-mail, we're provided with a much larger list of domains, albeit with a bit less overlap in the\r\nlogs; however, based on the names they all appear malicious in nature. This could be due to a number of reasons.\r\nFirst, we know from the logs that Black Basta, like most ransomware/cybercrime groups, operates as a business and\r\ndoes business with other entities for services they don't specialize in or want to do in-house. Second, a lot of\r\nthese threat actors don't just have a singular job or hustle going; they diversify and dip their toes into many\r\nventures. Basically, someone running phishing campaigns for Black Basta may also run them for other groups, so\r\nwe have to recognize that while it's badness, it might not be directly related badness.\r\nWhat does that mean for this list? Well, it could be that the individual used the e-mail for most of their\r\nregistrations, Black Basta related or not, but maybe used the Evgenii name when it was. 
It's also clear there are\r\nsome clusters of activity where the name gives the activity away - some of these activities might overlap with\r\nknown TTPs for Black Basta, such as using stolen credentials to gain access to victims, and are yet another link worth\r\nexploring if you have case-related data to correlate against.\r\nI'm going to break up some of the domains into related clusters to highlight some interesting patterns, but if you\r\nwant to see the full list, it can be found here:\r\nConsider this cluster for Scotiabank. Multiple auth-related landing pages and secure login sites. Typical for\r\ncredential phishing against users of their service.\r\nauth-scotiabank.com auth-scotiabankcanada-online.com auth-scotiabankcanada-secure.com auth-scotiabankcanada.com auth-scotiacanada.com auth-scotiaonline-scotiabank-secure.com\r\nauthmobileapplscotiaonline.com scotiabankcanada-auth.com scotiabankcanada-secure.com scotiaonlurl.com\r\nsecure-scotiabankcanada.com securelogin-scotiabank.com securescotiabankmobile.com\r\nThis can be observed for other Canadian-based banks as well, such as Royal Bank of Canada:\r\n1omniroyalbanksignin.com auth-rbcroyalbank-online.com auth-rbcsecure.com auth-royalbank-secure.com auth-royalbankrbc-online.com auth-securerbc.com https-rbc.com inforbcroyalbank-secure.com infosecure-rbcroyalbank.com login-rbcroyalbank.com login-royalbank.com login-royalbankrbc-secure.com login-secure-royalbankrbc.com rbc-accountreset.com rbcnotif.com rbcroyalbank-canada.com rbcroyalbank-infosecure.com\r\nrbcroyalbank-secureinfo.com rbcroyalbanksecure.com reactivatemycardstatus.com royalbank-secure-online.com\r\nroyalbankofcanada-rbc.com royalbankrbc-auth.com royalbankrbc-login.com royalblogin.com royalmenupage.com\r\nroyalusermanager.com secure-inforbcroyalbank.com secure-rbc-auth.com secure-rbcroyalbankinfo.com\r\nsecureinfo-rbcroyalbank.com\r\nThis pattern continues to repeat itself for a number 
of other banks and institutions, likely aligned to spam\r\ncampaigns targeting their respective user bases.\r\nbankofcyrpus.com banquenationale-nationalbank.com bmobankofmontreal-secure.com bmoverifyclientcard.com\r\nbnc-connexionsecure.com bnc-reset.com bncclientconnexion.com bncmessage.com bncsecure-banquenationale.com canadarevenueagency-deposit.com canadarevenueagency-securedeposit.com lloydsbank-livechat.com metrobank-livechat.com metroonlinesupport.com royalmail-redirect.com royalmail-slot.com\r\nThe list even contains some of the usual remote access service masquerading used to trick users into entering their\r\ncredentials.\r\nWhile the previously mentioned bank domains are likely targeting the banks' customers, remote access services are\r\nusually for targeting employees of companies. These are the types of credentials which lead to compromise and\r\nsubsequent ransomware deployment.\r\nannydeskk.com annydessk.com any-deesk.com any-dessk.com teams-microsoft.top teams-microsotf.net teams-microstf.com\r\nIn addition to the potential credential theft, there are domains which indicate DDoS services that this threat actor\r\nmight provide or was paid to register.\r\nanonstress.su ddosforhire.su ipstresser.su str3ssed.su\r\nWith all the domains collected, we can check them against historical resolutions and see if there are any further\r\ninfrastructure overlaps that might stand out. Using the initial seed list of domains from the leak and subsequent\r\ndomains identified via registrant information, the next step is to pull passive DNS data for every domain. 
It's a\r\nsizable list of domains and the graph becomes a little intimidating when it first generates.\r\nWhen you start to zoom in on the outer edges, clusters start to emerge.\r\nThe question is how do we make sense of this or derive further value? If we presume that these registrations are\r\npossibly from an offered service and that those same services might be sold to other (non-Black Basta related)\r\nindividuals, then seeing IP overlaps will help to identify the clusters which may be of import. Take for example\r\nthis cluster of fake Microsoft Teams related pages.\r\nThey all resolved at one point to the same singular IP. Now looking at the domains this one IP resolved to, we can\r\nspot an outlier.\r\nThis domain appears to be for the INC Ransomware group's DLS site.\r\nWe can also identify unknown infrastructure that may be related to campaigns. In the below case, a new IP address\r\nto investigate related to the probable Canadian banking phish scams.\r\nFocusing back on our leaked domains, we can see that 3 of the known ones resolved to \"15.197.240.20\" and\r\nreasonably assume \"aefieiaehfiaehr.top\" and \"aeufoeahfouefhg.top\" are related, even if not discussed in any\r\nmessages.\r\nFollowing this process for the core set of domains reveals that most of the infrastructure was flagged already,\r\nexcept for that IP.\r\nA quick check on VirusTotal relationships shows over 200 URLs and 50K communicating files. Randomly\r\npicking a few samples, they all exhibited the same behavior and matched Simda Stealer YARA rules. 
Looking at\r\nthe strings output for a few does indeed imply a stealer.\r\n{BotVer: {Process: {Username: PROCESSOR_IDENTIFIER {Processor: {Language: %dx%d@%d {Screen:\r\ndd:MMM:yyyy {Date: HH:mm:ss {Local time: %c%d:%02d ... /login.php ... keygrab %02u.bmp\r\n*************************** [/pst] GetClipboardData ... keylog.txt passwords.txt %s%u.zip --------------------\r\n--------- Content-Disposition: form-data name=\"pcname\" name=\"file\" filename=\"report\"\r\nWhether it's related to Black Basta, or even the domain registrant, is unknown, but it's yet another rabbit hole you\r\ncan go down.\r\nUsing these leaks and pulling on even a single thread in the sea of logs is a great way to unravel malicious\r\ninfrastructure and gain additional knowledge about how threat actors operate. With that, I'll conclude the pivoting\r\nfrom the infrastructure side of things, but I would highly recommend continuing this path if the topic is of interest\r\nto you.\r\nBonus Content:\r\nWhile I don't plan to write any more on this subject, I figured I would share a handful of screenshots from some of\r\nthe live infrastructure still out there. 
Not necessarily related to any of the above infrastructure, but for other\r\nservices they leveraged in their operations.\r\nThe first I stumbled on while trying to identify tutorials they kept referring to in chat messages - this led to an\r\nEvilProxy panel site which, along with hosting many guides for affiliates, acted as a central site to manage their\r\nphishing infrastructure.\r\nContinued...\r\nThe tutorials are relatively straightforward and sometimes contain hilariously corporate-looking slides.\r\nWith active proxy hosts.\r\nThis next one was for Google docs shared in the chats which were still up, associated with an account, and used for\r\ntracking cold calls for verification of individuals.\r\nThanks Nur.\r\nA service for purchasing and managing proxies (using the onion address for \"nsocks.net\").\r\nFinally, I'll close out with some screenshots from GoblinCrypt, a service they use to generate\r\nCobaltStrike/Sliver/MSF/BR4 payloads in an attempt to avoid AV.\r\nPayloads:\r\nHappy hunting folks!\r\nSource: http://ropgadget.com/posts/blackbasta_leaks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://ropgadget.com/posts/blackbasta_leaks.html"
	],
	"report_names": [
		"blackbasta_leaks.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9584f894853c32af1a6ccef60a52ef7a16cccdbf.pdf",
		"text": "https://archive.orkl.eu/9584f894853c32af1a6ccef60a52ef7a16cccdbf.txt",
		"img": "https://archive.orkl.eu/9584f894853c32af1a6ccef60a52ef7a16cccdbf.jpg"
	}
}