Unpack Racoon 🦝

28 posts

Unpack Racoon 🦝 banner
Unpack Racoon 🦝

Unpack Racoon 🦝

@UNP4CK

👿 Malware & botnet hunter 🕵️ | CTI & IOC digging 🎯 | 📓 Self-taught & curious | 🔎 Hunting threats, one byte at a time 🎈

🌍 Katılım Ekim 2010
56 Takip Edilen608 Takipçiler
Sabitlenmiş Tweet
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
🌐 How we destroyed a turkish card operation, a thread: 🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"... 🔎Out of curiosity, I grabbed the file and sent it through triage (tria.ge/250429-s17btat… | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm. 📞I pinged my guy @Swezy_1337 — time to have some fun. ➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2) 💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63). 💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀 💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3): 1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github) 2️⃣and of course, XWorm V5.6, cracked... 📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440). 👍 We wiped everything (and have a bit of fun with it). (📸Screen 4) ➡All the stolen victim data? Gone (womp womp). ➡RAT C2? Deleted. ➡Logs? Burned. ➡We even left a nice little note (you will see in screenshot below ahah). ➡And of course, we completely nuked the server — RIP the boot sector 😿 ⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle... 💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far: - 🏨Black Lotus Hotel İzmir - 🏨Luxus Grand Hotel 💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe. ➡You play dirty, you get reversed, pwned, and humiliated.😭 🔥It was fun.😀 👋cc/@abuse_ch @banthisguy9349 @redrabytes @swezy_1337
Unpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet media
English
15
97
504
46.9K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
@hexicans We know this, and we've already identified the infrastructure behind it, but the fact remains that you were hosting and hiding them. So if you can stop crying, would be appreciated ^^.
English
0
0
0
17
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK The man a re open the website (not on our infrastructure but unable to find the infrastructure) and not changed the legal mention…
English
1
0
0
27
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
To do a small update on this case: @Dyjix / @hexicans Was in cooperation with Lighttt, the guy that made the searcher, @Dyjix was in active cooperation trying to hide the website & secure it. when the ultimate proof was issues, the website was taken down (since Dyjix cant deny the proof), website is now taken down like this screen show (sorry it's in fr*nch), now we just need to wait untils @namesilo do something about the domains AstralSearcher.com.
Unpack Racoon 🦝 tweet media
Unpack Racoon 🦝@UNP4CK

🔷An investigations on @Dyjix, the shadiest french host: ➡️On the surface, it’s just another “serious” hosting provider. Clean branding, professional image, standard corporate talk. But once you start connecting the dots, the picture changes fast. 🔎For context, Axel Hauguel, the person behind @Dyjix, is not new to this space. He previously operated infrastructure like AS Constant Moulin (AS203168) that @banthisguy9349 reported for month. This AS was repeatedly associated with abusive hosting (malware, botnets, DDoS tooling, etc). That alone already raises questions. But the current situation goes further. 📊Over the past months, France has been hit by a wave of cyberattacks, leading to massive leaks of personal data from various services (telecoms, administrative platforms, etc). From this ecosystem, a new type of tool emerged: “searchers”. 💻A searcher is basically a database aggregation system built on stolen data dumps. You input something as simple as: – full name – phone number – email address And it returns highly sensitive personal information: – home addresses – identity-related data – linked accounts – sometimes family or behavioral traces depending on the leaks 🎯In practice, it’s industrialized doxxing. And it’s not theoretical use. ➡️These tools are widely used to target real people: teachers, journalists, public figures, streamers, and sometimes completely unrelated private individuals. Harassment, intimidation, and privacy violations are a direct consequence, In some cases, these types of tools lead to burglaries like with the @tir_ff databreach. ⚠One of the most known examples is AstralSearcher. After losing its original domain due to takedown actions by the @Interieur_Gouv / @CNIL, it didn’t disappear. It moved. ➡️And according to multiple infrastructure traces and historical data (including @censysio observations), parts of its operation appear to have resurfaced under infrastructure linked to @Dyjix. *To be honest, ive kinda wasted time with this investigations since the owner leak it on the /legal/ page* 🔁At that point, the “we don’t know what’s hosted on our servers” narrative becomes hard to defend. Especially when the same ecosystem keeps appearing around malware infrastructure, abusive tooling, and now services built directly on stolen personal data. 🧩This is where the pattern becomes hard to ignore. Same names. Same infrastructure circles. Same type of services. At some point, it stops looking like coincidence and starts looking like a business model. 🧠Dyjix may present itself as a neutral hosting provider. But the reality, based on repeated associations, looks a lot closer to a facade enabling high-abuse infrastructure. 📌In that tweet, I mentioned only 25% of what I know about this host, and believe me, that's just the tip of the iceberg. If there were a police investigation, I would be happy to share what I've been able to gather. 💬If @Dyjix, @Hexicans, or @Landry__J want to respond, please do so :) 👋cc/@abuse_ch @banthisguy9349 @redrabytes @swezy_1337 @CNIL

English
2
0
0
554
NameSilo
NameSilo@namesilo·
@UNP4CK Our Abuse team investigated and wasn't able to find evidence of abuse. Can you please share on here and we'll share it with them to investigate again?
English
1
0
0
113
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
probably bgp.he.net magic i guess, because everything is magic on your ASN: Censys & Shodan detect thing that doesnt exist for you, bgp.he.net can traceroute but not you, everything magical, pretty weird for someone who did network study but who i am to judge
English
0
0
2
126
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK I don't know how do you can do it from HE because IP is null routed from the router. And I cannot trace route from local network.
Hexicans ツ tweet media
English
1
0
0
135
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
🔷An investigations on @Dyjix, the shadiest french host: ➡️On the surface, it’s just another “serious” hosting provider. Clean branding, professional image, standard corporate talk. But once you start connecting the dots, the picture changes fast. 🔎For context, Axel Hauguel, the person behind @Dyjix, is not new to this space. He previously operated infrastructure like AS Constant Moulin (AS203168) that @banthisguy9349 reported for month. This AS was repeatedly associated with abusive hosting (malware, botnets, DDoS tooling, etc). That alone already raises questions. But the current situation goes further. 📊Over the past months, France has been hit by a wave of cyberattacks, leading to massive leaks of personal data from various services (telecoms, administrative platforms, etc). From this ecosystem, a new type of tool emerged: “searchers”. 💻A searcher is basically a database aggregation system built on stolen data dumps. You input something as simple as: – full name – phone number – email address And it returns highly sensitive personal information: – home addresses – identity-related data – linked accounts – sometimes family or behavioral traces depending on the leaks 🎯In practice, it’s industrialized doxxing. And it’s not theoretical use. ➡️These tools are widely used to target real people: teachers, journalists, public figures, streamers, and sometimes completely unrelated private individuals. Harassment, intimidation, and privacy violations are a direct consequence, In some cases, these types of tools lead to burglaries like with the @tir_ff databreach. ⚠One of the most known examples is AstralSearcher. After losing its original domain due to takedown actions by the @Interieur_Gouv / @CNIL, it didn’t disappear. It moved. ➡️And according to multiple infrastructure traces and historical data (including @censysio observations), parts of its operation appear to have resurfaced under infrastructure linked to @Dyjix. *To be honest, ive kinda wasted time with this investigations since the owner leak it on the /legal/ page* 🔁At that point, the “we don’t know what’s hosted on our servers” narrative becomes hard to defend. Especially when the same ecosystem keeps appearing around malware infrastructure, abusive tooling, and now services built directly on stolen personal data. 🧩This is where the pattern becomes hard to ignore. Same names. Same infrastructure circles. Same type of services. At some point, it stops looking like coincidence and starts looking like a business model. 🧠Dyjix may present itself as a neutral hosting provider. But the reality, based on repeated associations, looks a lot closer to a facade enabling high-abuse infrastructure. 📌In that tweet, I mentioned only 25% of what I know about this host, and believe me, that's just the tip of the iceberg. If there were a police investigation, I would be happy to share what I've been able to gather. 💬If @Dyjix, @Hexicans, or @Landry__J want to respond, please do so :) 👋cc/@abuse_ch @banthisguy9349 @redrabytes @swezy_1337 @CNIL
English
1
3
13
2.8K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
@hexicans "not like this time", A full Censys report + website screenshot is not enough for you ? you are pathetic
English
1
0
0
114
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK Always available to cooperate (when we have abuse e-mail and enough information, not like this time ... :))
English
2
0
0
120
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
Ohhhhh, Interesting coincidence. The site was working perfectly fine 3 hours ago, and suddenly, right after being publicly exposed, the IPv4 get blackholed and everything goes offline. What timing. As usual, you’ll probably never admit your role in all this. But at least this garbage is finally down, so I’ll give credit where it’s due. Thanks for the minimal cooperation Axel, it's kinda sad that we Always need to go public whenever you do a thing but eh, at lease Astral is now taken down. Next time you try to hide a service like this, do it correctly !
English
1
0
0
142
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK Your diagnosis is false. The IPV4 is unreachable and blackholed in the DFZ. We have also blackholed IPv6 some hour ago and the website is now offline. Happy to help. But prefer to respond to abuse e-mail. :) Bye
Hexicans ツ tweet media
English
1
0
0
175
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
Here’s an interesting technical observation regarding @Dyjix and @Hexicans’ claims about AstralSearcher. From a standard IP, you can’t traceroute or reach the server anymore. At first glance, it looks offline or gone. But here’s the funny part. When the same checks are performed through a Cloudflare Worker — meaning from infrastructure inside Cloudflare’s AS — the IP suddenly responds. Yes, it pings. Don’t believe me? Check for yourself: check-host.net/check-report/4… The only probes getting a response are the ones originating from Cloudflare. That strongly suggests the server was not actually taken down, but rather hidden behind routing restrictions allowing access only through Cloudflare-linked infrastructure. In other words: Publicly invisible. Still reachable. Still serving traffic. This raises serious questions about whether the service was truly removed, or simply concealed. I’m sure authorities like @CNIL and @Interieur_Gouv may find these infrastructure observations worth looking into. This is a direct proof that, you, @hexicans, helped cybercriminal, like always.
Unpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet media
English
1
0
0
267
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
"Not routed publicly" and "suspended" are not the same thing. A suspended IP means: → Prefix withdrawn from BGP ✅ → 0/872 peers ✅ → ROA removed or invalidated ✅ What we actually see on AS212815 right now → Prefix still announced ❌ → 12/872 peers still propagating it ❌ → ROA Signed and Invalid (meaning you signn) ❌ Try again.
English
1
0
2
276
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK Doing traceroute and you see the IP is not routed.
English
1
0
0
232
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
😂 You're asking me for the details? You linked bgp.he.net/AS212815 yourself. Open it. Look at your own prefix table. 45.13.119.185/32 — AS212815 — Dyjix SAS That's your ASN. That's your IP. It's been sitting in your own BGP announcements the whole time. An ISP that doesn't know what IPs are in its own Autonomous System is either incompetent or performing. You went from "we already suspended it 48h ago" to "can you tell us what to suspend?" in a single reply, stop playing dumb Axel. Which one is it? The IP is 45.13.119.185. The prefix is /32. The ASN is 212815. It's your infrastructure. It's been public since day one. bgp.tools, bgp.he.net, RIPE, Censys, pick one. I'm not your abuse team. You are, now stop playing the dumb man. You host "Searcher" website targetting teacher and help for burglaries and now you play the dumb. You are pathetic.
English
1
0
2
324
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK Can you give the details to help me to find the server to suspend ? You speak, but you not give any information.
English
1
0
0
298
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
Funny how it’s *never* you, right? According to your response, the IP was supposedly dropped. But the data suggests something else: not removed, deliberately hidden. How do I know? I’ve been working on this investigation for over 2 weeks. Initially, I was planning to expose another hosting provider, but sadly, unlike Dyjix, they actually took action. Because this investigation took time, multiple tools were involved: infrastructure monitoring, website snapshots, route analysis, and more. And here’s the interesting part: no downtime was ever detected after the migration to @Dyjix. None. Which is funny, because if the IP had actually been dropped and Lighttt had to migrate elsewhere, we should have observed downtime during the transition. But we didn’t. So your 99.99% uptime marketing is incredibly accurate… and the service never actually left your infrastructure. The IP no longer appears in the global routing table, yet the service remains reachable through infrastructure consistent with Dyjix, routed exclusively behind Cloudflare. The site is still online. Traffic still flows. Nothing appears suspended. And the cherry on top? AstralSearcher’s /legal page still references Dyjix. Nice advertisement. So to summarize: Dyjix is still being referenced. The service never appears to have gone down. Yet somehow, it’s always “someone else.” Interesting.
Unpack Racoon 🦝 tweet media
English
1
0
4
349
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK We have not receive any abuse, and we have already suspend the malicious IP 48h ago : #_prefixes" target="_blank" rel="nofollow noopener">bgp.he.net/AS212815#_pref… .
English
2
1
1
522
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
The evidence is already public. Moving this to email just feels like an attempt to bury the discussion and save your public branding. If you need a proper abuse report to suspend the service, I’ll gladly write one, send the email and i will send a screenshot here, so the CNIL can have a follow-up too ^^ But let’s not pretend I don’t recognize the strategy here. It’s the exact same playbook we saw with Constant Moulin: stall, redirect to private channels, and hope the heat dies down.
Unpack Racoon 🦝 tweet media
English
1
1
4
610
Hexicans ツ
Hexicans ツ@hexicans·
@UNP4CK Hi ! Can you contact us over e-mail to get more information ? I am not aware about you what do you tell. Thanks !
English
1
0
0
745
Unpack Racoon 🦝 retweetledi
.
.@7N7·
hi. does your cybersecurity company need someone extremely well educated on infostealer related threat detection at the bleeding edge? im looking for a job. if youre interested, reach out to admin@\keysco\.re (or my signal @\vamp.01). preferably pl/eu/remote. my previous work speaks for itself, so id say that the max time from hire to deployment (if everything goes well) is around 1-2 weeks :-).
English
3
9
60
8.8K
Unpack Racoon 🦝 retweetledi
Swezy
Swezy@Swezy_1337·
Unpack Racoon 🦝@UNP4CK

🌐 How we destroyed a turkish card operation, a thread: 🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"... 🔎Out of curiosity, I grabbed the file and sent it through triage (tria.ge/250429-s17btat… | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm. 📞I pinged my guy @Swezy_1337 — time to have some fun. ➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2) 💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63). 💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀 💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3): 1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github) 2️⃣and of course, XWorm V5.6, cracked... 📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440). 👍 We wiped everything (and have a bit of fun with it). (📸Screen 4) ➡All the stolen victim data? Gone (womp womp). ➡RAT C2? Deleted. ➡Logs? Burned. ➡We even left a nice little note (you will see in screenshot below ahah). ➡And of course, we completely nuked the server — RIP the boot sector 😿 ⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle... 💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far: - 🏨Black Lotus Hotel İzmir - 🏨Luxus Grand Hotel 💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe. ➡You play dirty, you get reversed, pwned, and humiliated.😭 🔥It was fun.😀 👋cc/@abuse_ch @banthisguy9349 @redrabytes @swezy_1337

English
0
4
6
1.4K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
Explaining the method would serve no purpose other than causing harm and creating security risks. If we reveal our method, we expose it to potential cybercriminals, which could make things more dangerous than helpful. Our method is therefore private. You're free to think the tweet is "useless"... :)
English
0
1
14
1.2K
ʝœ
ʝœ@_Gendy_·
@UNP4CK if you’re not going to explain the method for the RDP, this post is useless..
English
1
0
2
1.2K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
🌐 How we destroyed a turkish card operation, a thread: 🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"... 🔎Out of curiosity, I grabbed the file and sent it through triage (tria.ge/250429-s17btat… | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm. 📞I pinged my guy @Swezy_1337 — time to have some fun. ➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2) 💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63). 💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀 💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3): 1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github) 2️⃣and of course, XWorm V5.6, cracked... 📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440). 👍 We wiped everything (and have a bit of fun with it). (📸Screen 4) ➡All the stolen victim data? Gone (womp womp). ➡RAT C2? Deleted. ➡Logs? Burned. ➡We even left a nice little note (you will see in screenshot below ahah). ➡And of course, we completely nuked the server — RIP the boot sector 😿 ⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle... 💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far: - 🏨Black Lotus Hotel İzmir - 🏨Luxus Grand Hotel 💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe. ➡You play dirty, you get reversed, pwned, and humiliated.😭 🔥It was fun.😀 👋cc/@abuse_ch @banthisguy9349 @redrabytes @swezy_1337
Unpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet media
English
15
97
504
46.9K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
So, to begin with, we believe the stealer was empty because it was only meant for "testing" purposes. The VDS we infiltrated appeared to be relatively "new" within their infrastructure (which, according to the cybercriminal, contains 22 Windows VDS, 📸 Screen 1). This server was hosting a RAT through XWorm, but that’s not their primary attack method. Their typical procedure involves sending a malicious PDF, which is used to infiltrate hotel networks. It’s quite hard to measure the actual impact of our attack, but we know the "hacker" was seriously pissed off — haha. To summarize: Nullpoint isn’t their main stealer, which explains the low number of logs (and the fact that they’re quite old). However, XWorm was rather active on the server.
Unpack Racoon 🦝 tweet media
English
0
2
5
1.8K
Unpack Racoon 🦝
Unpack Racoon 🦝@UNP4CK·
🔎#Malware: DDOS:Linux/#xorddos 🦠Spreader: 23[.]160[.]56[.]113 (🇺🇸 AS26042 FiberState) 📥Downloader: http://172[.]82[.]91[.]106/p.txt (🇬🇧 AS212396 FyfeWeb) 🕸 C2: dd.vvbb321[.]com / 107.149.213.20:1430 (🇺🇸 AS54600 PEG TECH INC) 🗓 First seen: 2024-08-11 Big thanks to @redrabytes for this HoneyPot !❤️
Unpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet mediaUnpack Racoon 🦝 tweet media
English
1
0
7
2.6K