All right. Our next speaker is not a newcomer to DEF CON. It sounds like this is his third time here. Give him a hand up. And we were talking. It sounds like we're going to hear some fun stories about OPSEC. We all love that, huh? All right. So big round of applause again for Tomer Bar.

Hi, everybody. Who came here to have some fun? Yeah. So I'm going to give up this one, okay, for the one that will shout the loudest during the presentation. I will give you the sign when to shout. I will give you a sign. Okay. So let's begin. Okay. My name is Tomer Bar. I am currently leading SafeBreach Labs as director of security research. And my main focus is on vulnerability research and nation-state APT research. This is my third time in a row at DEF CON. So I'm so excited to be here. Thank you.

Okay. So I will start by describing the research assumptions and approach. And then I will describe the operational security of our first APT threat actor and continue with several examples of large-scale cybercrime threat actors. And then we'll turn to different state-sponsored threat actors. So stay tuned. The research state of mind is focused on understanding the adversary, both the nation state and the cybercriminal that launch attacks on the Western world. If we can win this mind game, we can understand their plans, motives, tactics, and techniques. So every research starts with assumptions, right? So let's describe them. The first assumption is that an advanced threat actor is not necessarily the same as strong operational security. And you will see unbelievable mistakes later on. The second assumption is that some threat actors are lazy and feel comfortable, even after a research report was published about their specific activities. So they continue as usual. And last, it will be a very good idea to study them in their backyards, in order to understand their plans, their targets, to do damage control, and so on. And I developed this OPSEC meter. You can see it.
It's for comparing different threat actors' operational security mistakes. And the grade is from zero bad points, which is the best, to 100 bad points. There are 10 categories. Each category can give 10 maximum points. And the categories measure how much data we can gather on victims, attribute the attacker's identity, and how much we can influence their campaign to do a takedown, a temporary takedown, or a disinformation attack, and so on. So in the next hour, I will present those APTs. So whenever you see this symbol of the OPSEC meter, just shout your grade from zero to 100. And at the end, you can get a flag.

Okay. So our first threat actor is located in the Gaza Strip. It has been active since 2012. So they have a decade of malicious activity, attacking both Windows and Android targets. In 2017, it was first discovered. The threat actor has a self-developed web panel with two-factor authentication login. The problem was that navigating directly to the inner pages resulted in full access to the system with no authentication required. So yeah, it's funny. On the right, you can see the exfiltrated keylogs of the victims. It's blurred for privacy, right? Quantum leap to 2022: the threat actor is still active and masquerading as a Google Play app. And the malware was uploaded from Gaza by one of the victims or by the attackers themselves for testing purposes. And the certificate was also signed in Gaza. The malware has plenty of collection capabilities like SMS, call logs, contacts, record audio, and much more. And the exfiltration is done via HTTP POST request. And the malware exfiltrated data to this URL via POST. So the Laravel code, the backend code of the C2 server, expects a POST request. But when sending a GET request instead, an error is invoked and exposes the MySQL DB credentials. So it's unbelievable, right? It's crazy. You should have seen me when I saw that. It was crazy. And all C2 servers are vulnerable. Here are the credentials of the Windows-based victim database.
The former one was the Android victim database. So in 2017, the first-stage malware code downloaded the second-stage malware. And the name was DDD.zip, from the C2 server palforU.net. And the name of the folder was five times the letter Z. In 2022, a sub-domain of the same domain was used: up.palforU.net. And this time, the CCC directory holds all the victims' exfiltrated data. So I will show a demo in a few moments of how to download all the victims' data. I was able to map almost 8,000 victims. Most of them in the Gaza Strip, but others in other Middle Eastern countries. So the amount of exfiltrated data is huge. Almost 500 compressed megabytes is the average exfiltrated data for a day. And our estimation is that the total size of the exfiltrated data is at least between 2 terabytes and 3 terabytes. Another mistake, which we will see is very common among threat actors, is open directories on C2 servers. So as we can see, the C2 server was updated in February 2022. Let's check if this is a one-time mistake. And of course not. The C2 server is an open directory and includes a 12-megabyte file, with the domain name of the C2 server, called Tawaji or something like this, a .zip file which includes the full backend logic. Because if you try to download the backend code just by surfing, you cannot do it, because it's a PHP or ASPX or something like this. It's not downloadable. But when they leave a compressed folder of all of the stuff, all of the content in the website, I can download it. So I get the source code of the C2 server. Thank you, thank you. So the upload file logic is done well, using a unique ID to randomize the uploaded file name and make it difficult for hackers to find a potential web shell they uploaded, because you cannot predict the file name. And the upload itself is limited to a specific file type by a whitelist, which is good. But on the other end, the Node.js revealed the upload path of where the files will be uploaded to, which is bad practice eventually.
Okay, so let's see a little demo. So we will surf to the CCC directory. You can see all of the files arranged by date, so it's very convenient. We will download one of them, the smallest one. It's like 150 megabytes. And then there is a password. I brute-forced it. And it will extract all of the files. I will sort it and I will show you the file types that are included. It's like screen captures and images from the phone, from the Android phone. And also a lot of voice recordings using the microphone of the Android device. So you see a lot of files in just one day. I have like one year of that stuff. And I will just open one of them and show you that it's working. Just a second. Is it moving on? Sorry. Never mind. Believe me, it's working. It's a demo. Even if it's pre-recorded, it's not working. Okay, so that's your time to shout. What do you think the score should be? I give it 47. I see you, I see you. You are leading. You are leading. Okay, for now, for now. Okay, so as you can see, they failed, because I was able to build a victim heat map, understand the attack vector, access the C2 backend code, and so on. Okay, so different threat actors will make different mistakes. So we can compare them using the OPSEC meter.

Okay, moving on to a different threat actor. This time, I will focus on a threat actor, a cybercrime activity, in Iran. And I will describe the five steps that are required for the infection chain, one by one, and the OPSEC mistakes they have made. But generally speaking, they are up to stealing credit cards. It's large-scale cybercrime. And let's describe it. So on the left is a partial list of the C2 servers that were alive at the time of the check. It was the middle of January this year. And one of them stored the entire code in the pay.zip file at the C2 server. So the same mistake as we saw earlier. So I downloaded the zip file. And the victims are found in different second-hand online market sites. One of the sites is called divar.ir.
And the left script extracts phone numbers from published ads on divar. So if you want to sell something, I don't know, your car or something like this, you just publish an ad with your phone number, and they have an API to extract all of the phone numbers of victims in Iran. The script on the right will send them a threat phishing text message via Telegram. Okay, this is funny. The full victim list is textual and downloadable. Phone numbers are available in the users.lst file, which is downloadable. But even more funny, the C2 server internal files are exposed. Even the bash history command output is available to download. So I don't believe it. I found plenty of smishing lures. Threat of arrest in 72 hours, and in Iran it's scary. COVID-19 payments, and even a dating site. When the victim tries to chat, he will be threatened to pay or his details will be sent to the government. And he is redirected to a payment site. And the sites are all open directories. So the payment allegedly can only be done via an Android app. You can see it on the bottom left. It's done automatically. And it's a dual attack. So they spy on the SMS to get the two-factor authentication codes and also redirect the payment to the attacker's fake site to phish the victim's credit card. So the malware, the Android malware, just exfiltrates all the SMS messages. And decompiling the Android malware, we can see that the resource files hold the phishing URL back there. And here is the PHP page that uploads the victim's SMS. This is the backend code on the server, using a hardcoded text file name. This is not a bad practice. And exfiltrated SMS are also textual, predictable, and downloadable. So it's very convenient. And the file name here is Lydia team.txt. Please remember the Lydia, we'll come to it later. And we can also see, it's hard to see, I know, the incoming SMS messages. And in this case, they tried 16 different phishing lure messages in order to infect this specific victim. So it's crazy.
And this is a fake payment site masquerading as a legit government pay site. So at the top, you can see the IP address; they don't even have a domain name for the C2 server. But below that, it's the URL of a real payment site in Iran. So the victim is allegedly redirected to a legit government site. But it's a fake page, and the credit card is stolen. This is the backend code for stealing the credit card. The details are collected and sent to the attacker's Telegram group. And the subject of each exfiltration is "new card received". I don't know if you can see it, but there is a typo there. And it will help us later. User credentials are exfiltrated as well. And querying the Telegram group, this is where it becomes interesting, using the Telegram Bot API includes a valid invite. So you can see it marked in blue. And I just copy-pasted it, and I'm a new member of their private groups. Yeah. It was very interesting. In this case, thank you. In this case, the victim SMS data and credit cards are split into three groups. And they have all the data there. The data Telegram group is misconfigured to display all group members, and hackers, without even joining the group. Thank you. The SMS and data groups are not private. All members are administrators. Everybody is welcome to join. But without access to the messages themselves, so it's a problem. I joined with my real name, Tomer Bar, all the groups and stayed there for a while. But there was no access to the messages by new members. You can see my name here at the top. I used my real name, my real Telegram account. And all of the others are Iranian hackers, right? So I didn't have access to the messages. But the card group is not private. And all data is accessible using the Telegram Bot API call getUpdates. I will use it a lot during this research. And then I found the group they called So Good. And it is like the main group. And pay attention to the user Baba Zoro. The username is one of the threat actors. We will focus on it later on.
And So Good allows access to all messages without being required to join. So I was able to join, but I didn't need to. Hundreds of credit card details are listed. And on the left, we can see that one of the sites was detected by Chrome as a malicious site. And they exchanged messages between themselves: let's do that, let's do that. And on the right, we can see shared malware files. And even attackers' voice messages between themselves. I don't know the language, but it's interesting. And a deeper analysis, you can see it's amazing, revealed massive activity. Hundreds of malware samples and hundreds and thousands of C2 server infrastructure. So it's kind of a big infrastructure, so I was curious. And believe me, this is just the tip of the iceberg. Let's continue. A simple Google search reveals that Lydia team, the name of the file that we mentioned before, is a user who is active in the Professor Phishing Telegram group. So he has an academic degree. And which includes 15,000 members. Searching for "new card received" in Google with the intentional typo seen before returned a second group, Zalem Phishing. And the result includes stolen credit cards. So in Google, you can get the stolen credit cards, yeah? And Baba Zoro, our own So Good team member, is the owner of the Zalem Phishing Telegram group with 30,000 members. So it's a big shot there. And I found many Iranian phishing groups. Some of them have a few members. And those were the most interesting groups. But up to 80,000 members for just one group. And the large groups are usually used for exchanging or selling phishing kits or stolen goods. And I was able to join all of these groups. And much more. Like 20 groups. And I had like 100%. But there was just one group called The Must Leak, which requires approval by admin. So I sent him a join request with my real name, Israeli, and got an approval. So I have 100%. Okay, so let's go technical. Decompiling the malware. Focus on the Lydia TXT class.
It's the Android malware with the name Lydia. And the exfiltrated SMS data, messages, sorry, were uploaded to the C2 server. And the randomization of the name was done on the malware side. So no victim-unique data was used. So if the malware uploads the file name victim.txt, it will be victim.txt on the C2 server. And the file name was a number with five digits. So very hard to guess. And I developed a brute-force tool to download all the exfiltrated files. The Android C2 server is based on a Firebase API and also a Telegram-based API developed in Python. And one of the attackers is, let's do attribution. We know it's Iranian. But who is it? One of them is called Amir Ranjabar. And he tested the malware on his own machine. So never do it. Never do it. And one of the SMS is from a hosting provider confirming his newly registered domain, which is the C2 server. And it's called sanayran.xyz. So now we know it's darker, right? Maybe he's in charge of the C2 server's infrastructure or maintenance, I don't know. But we have his name. But that's not it. I have his SMS messages because he ran it on his Android device. So I have his account number, International Bank of Iran. And his phone number. I have two phones. One ends with 85, if you can see it. And his full home address, if you want to visit him. And the attacker also offers hacking services in a, I don't know, like professional hackers, using the same phone number. So we have a cross-check that it's a real phone number. It appears that the Lydia team is selling and promoting their phishing and Android malware services with three possible plans. So you can choose from a basic plan to a full phishing-as-a-service plan. And they offer dozens of phishing kits for customers. Let's say customers. For example, Instagram account phishing, but you can see a list of all the sites that they duplicate and are used as phishing lures. And they use a pyramid structure.
The bot is given for use in return for 20% of the collected credit cards. So I Google-translated it, and this is the translation to English. And the SMS spy, I gave it a 65. What do you think? Save it. This one, this one. Yeah. Second. Okay. Okay, let's continue.

So I asked myself if this Telegram Bot API is commonly used by other threat actors. And the answer is totally positive, right? So a simple pivot on api.telegram.org, the official site, using VirusTotal Graph provided me with a positive answer. We have found actually two types. Executables with hardcoded Telegram bot API tokens and chat IDs. And also C2 backend code kits that were uploaded to VirusTotal by, I don't know who, but it's there. So it's easy to find it. And the second type I found more interesting, and I developed an automated script to download all chats and check if they are still active, because it can be like uploaded six months ago or something like this. And I got a lot of active groups, and I have their tokens, so I can control some of their activity. And the first interesting case, this is a new threat actor. They call themselves Ukraine Logs. So think about the former attack; this group used malware to steal cryptocurrency from victims' machines. And it's a very large-scale operation. We'll see it in a minute. And they used dozens of malware and loaders. But one of the interesting ones was a loader that downloads and executes Mars Stealer, which is a fork of the Vidar stealer, if you know it. And Mars Stealer actually steals two-factor authentication and cryptocurrency. And the code is packed with an unknown packer. And the main function was actually so complex that it was even too big to be displayed in the IDA graph. So it was a very sophisticated packer. But I just tried it on, and locating the correct address at which to place the breakpoint was quite easy. It's like old school. And after that I have the unpacked version.
So I started to analyze it and found that this info stealer is interesting because of three checks that it is doing, anti-detection checks. First, it uses anti-emulation against Windows Defender. I didn't know that at that time. But Windows Defender, and they knew, Windows Defender is using a fixed computer name used by the emulator. So if they just check what the computer name is, if it's equal to HAL9TH, they know that they are in an emulator. So that's a good practice. But the second one is it exits if it's being run from Russia and nearby countries. So we have a little bit of attribution here. But trust me, we'll get much more info later. And so they just check the language and decide if it's Russian or not. And the third one was an expiration check. So it was limited to one month from compile time. And if you try to run it as a researcher after this month, it won't do it. And it's packed. So it can be difficult for some. And the attack is still ongoing. This is a tool to deobfuscate strings that I wrote. And the sample is not public. And the C2 server was not known until now, but I will publish all the details today. I also found the Telegram group API key used by this group to exfiltrate screen captures. The loader also downloads and executes the final GoLang info stealer from a legit site. And the GoLang malware is a cookie stealer. It's very complex. It steals OAuth tokens. In fact, a lot of victims at large scale, mostly via YouTube links. So I will give some examples. But let's first discuss the GoLang malware. So I don't know how many of you tried to reverse engineer GoLang malware, but it's a nightmare. And there are some tools. And JAGS at REcon presented one that is better than what I used here, because it was before. But we can see that I used an IDA script. When running it, I had 8,300 unrecognized functions. And after running the rename function button, the script was able to detect 2,000 of them. So it was very helpful, but still complex.
And as I said, the infection vector is through publishing YouTube links to an encrypted executable. And as we can see, there were 20,000 results on the right, only for the 0909 password-encrypted malware instance. So there were different instances. And only for that instance, there are 20,000 different YouTube links. And this threat actor also is smart. And it's publishing the link on crypto app-related sites. So it's logical, because they want to steal cryptocurrency and wallets. So people that are interested in crypto movies, so probably they will have a better chance to have wallets on their computers. And also on video sharing platforms. So if you are using it, be careful. And back to the info stealer loader code. This is very interesting, I think. I used the Telegram API, a different one, getChat, and got an invite link. I was able to join the attacker's Telegram group and become the 10th member for months. And I was able to download all past messages, even from before I joined, and get in real time all messages from then on. So I'm like in between. And on the left, you can see the configuration of the malware. We can see that it was configured to collect, it's hard to see, but it was configured to collect screen captures and victims' environmental data such as OS, IP, and hardware ID. In the middle and on the right, you can see the exfiltrated victim screenshot and exfiltrated environmental data from the attacker's Telegram group. So we have a match. And using a simple tool to download all victim screen captures, I have 35,000 screen captures of different victims. So it's like open for almost everyone. We can see some examples of the stolen data, which include both cryptocurrency, and you can see also NFT theft; they like NFTs a lot. And hundreds of wallets were exfiltrated, and top balances can reach thousands of US dollars. And the attacker also exfiltrated the 12-word passphrase of wallets like MetaMask and the password.
So from that point, the attacker can control the victim's wallet. 27% of the victims are located in the US. The exfiltrated cookies are for a wide range of services, beginning with PayPal, Amazon, games, banks, cryptocurrency wallets, Google Pay, and stake.com, which runs a crypto betting platform. So let's speak about the attribution. The first indication of the attacker's origin is that all C2 servers were located in Russia. So it's not surprising, right? In addition, the spoken language of the attackers is Russian, and they tried to hide it by replacing it with English after a while, but I have all the messages, so I know they are Russian. And I was able to discover the attacker's IP located in Russia, the exact IP. And the first 8,000 of the exfiltrated data messages originated from the same IP in Russia, which was used by the attackers for testing purposes. Again, don't do it. And later as a C2 server. On the bottom, we can see that this is a RedLine info stealer that connects to the same IP address of the 8,000 messages. And it's also using the RedLine stealer bot ID Onyx 0.1. So I used another Telegram Bot API function. It's called getChatAdministrators. And we found that the group has six administrators. So nine hackers, and myself, but six of them are administrators. And one of them is Onyx 0.1. And the second is called P2 memory. And then I found that Onyx is a creator of threads for selling stolen tokens. And the second admin is P2 memory. And they are chatting with each other. And I don't know their real identity, but they are real people. So let's speak a little bit about takedown. The bot is an administrator. And I could create, edit, or revoke the invite link so nobody can join. And I can also temporarily take it down by blocking all members. Or I can even set a webhook to automatically transfer all messages to safebreach.com, which you can see was done successfully. So all of the victim messages, I didn't try to catch them.
Just stop them from reaching the real C2. And they temporarily lost all victims. But probably they could easily recover from this attack. So I gave them the same score. You know, you don't need to shout anymore. We have different mistakes.

Okay. This one is very, very interesting, because I'm monitoring them for almost a year now. It's still going on. And those are Turkish threat actors. They call themselves Ekmek Teknesi or something like this. In English it means the bread boat. And they're referring to all the stolen cryptocurrency as bread. Bring me bread, and so on. So the bread boat. And they steal cryptocurrency with a different approach from Ukraine Logs. Ukraine Logs try to infect machines and steal the cryptocurrency wallets. They are using zero-infection techniques. So let's describe them. So the PHP code redirects the exfiltrated data from the C2 web server to a Telegram group. In addition, the PHP code saves it to a local C2 server file named test.txt. And the victim clicks on the connect wallet button, as you can see on the top left, and enters the MetaMask passphrase this time. And this is a phishing page which writes the passphrase to the test.txt local file. Okay. The attackers are working very hard to promote their phishing lures. So they are paying Google for advertising their phishing sites. And the C2 server is the third result in my Google search above. So they are doing good work. And they also target victims using Telegram and other social networks, via Twitter ads for example. As we can see on the right, the ads include a link to their MetaMask phishing site. So by now, you know the drill. I joined via the invite link and downloaded all messages. But after a short while, they sent me a message in Turkish, which I don't understand. And I was immediately kicked out. So I thought, is this the end? And then I figured out that they kicked out Tomer Bar, my user, but they don't kick out their bot.
So I just wrote a script to automatically download updates using the getUpdates API and was able to monitor all the messages in the group until now, for almost a year. And the script also translated the messages, the script that I wrote translated the messages from Turkish to English, so it will be easier for me. And the bot API is probably revealing here the attacker's own wallet address and passphrase. So I can control the wallet. And on the bottom, they are sharing additional wallet addresses. The main C2 server includes 1,400 phishing domain names, from October 2021, and it's still active every day. Every day there are new domains. And the second phishing server, which is still active also, implements crypto scams with different techniques. The dumbest method is like promising to provide profit if you just send them your crypto. So don't do it. And the other C2 servers exfiltrate the passphrase to local files or to Google Forms. I understand their attack in detail. And the attacker's plans, the entire attack in detail. They stole $30,000 in just two hours. And then the boss set a target of $100,000 for this day. And on the bottom we can see that they share the admin credentials to manage all their different C2 servers. But it's not legal to use it. And it's not required, because they made a lot of mistakes. And all the threat actor's C2 servers reveal the stolen user passphrases. So this is just an example. But believe me. And this is another example of a misconfigured Laravel backend like we saw earlier, exposing the DB credentials and app key when the expected parameter is not provided. So they expected a special parameter. I didn't provide them that. And they just print the password. The same exposed data is accessible by a second method, by browsing to the .env file, which is textual and includes the same credentials.
The threat actors invested a lot of effort in phishing NFTs, and the attacker is bragging in Telegram that he has stolen 25 Ethereum, and at that time it was worth $75,000, using phishing lures on the famous NFT sites. As we can see, the C2 server is an open directory, and the main JavaScript includes the threat actor's wallet addresses. They're using stolen credit cards in order to pay for the C2 server. And they also purchase stolen RedLine stealer credentials. They're also using different services in order to turn the stolen cryptocurrency into cash, including virtual credit cards and laundering sites. We can see the address here. We can see the attacker's wallet address and withdrawal operation. So I'm monitoring all of their activities. And they steal money directly from victims' bank accounts in order to pay for Google ads to promote their phishing web like we saw earlier. Here is another example of their active phishing activity, which is done a bit differently, using additional Telegram groups. They also build a pyramid scheme to recruit members. Each member is allegedly participating in mining cryptocurrency based on the Tron protocol, but actually NFTs and cryptocurrency are stolen. As we can see, the print screen here demonstrates how the threat actor used public tools like sqlmap to take over websites, legit websites. And they also upload web shells to different vulnerable sites. It was like a huge campaign. And the attacker shared the entire C2 server code using the Telegram group that I am in. And I got all the databases. So the info table stores the victims' private keys. And we can see that a simple Google search for the admin hash reveals that it's the password 1, 2, 3, 4, 5, 6. Amazing. The login leads to a Chester Finish admin panel which queries the locally collected victim wallets DB. The above cloud drive includes 300 gigabytes of victim exfiltrated data. It's not live anymore, but I have all of it.
I will give it to the proper relevant agencies to look at it a little bit and report back to the victims. Let's speak about attribution. Believe me, it will be funny. The entire conversation in Telegram is Turkish, so we know for sure they are Turkish. We can see that the attackers are not using VPNs to manage their C2 server, and because they exchanged all of the C2 server code, so I have it. So the C2, the cPanel last login file, includes the IP address from Turkey, so that's the real address. But on the 25th of June, after more than eight months of monitoring, one of them published a competition at R10.net. It's a public forum site, for the logo for the new site player.com, which is just a phishing site, and the username in the R10 forum is called Morat. Morat can attack. This led me to a bingo, because I found a Twitter account with his photos, and he tagged it as a blockchain account, and a few days later he also got a message from his garage to collect his car with his real name and license plate number, and so you can see that it's a real name. And on the right, when you surf on Chrome, you can sign in with your account and you have the picture of your account, right? So if you can see on the right, it's the picture of the other attacker. I have it from the print screen that they share between themselves. So these two members joined the Telegram group for a short while, and they are four members. One of them is a member of two hacking forums and also registers domains, and sometimes you get to know your adversaries more than you ever expected. So that's it, that's it. So this is his Telegram account, and I will skip, and I will speak a little bit about a Tunisian threat actor which got the worst grade, 78 bad points. I will skip it because we have only five minutes. I have more interesting stuff later.
So they make the same mistake, open directory, compressed files, but what was very terrible is that I got all of his victims, victim data, they have 12,000 victims, but he registered the Telegram group with his real name. So I have his real name, not a nickname, and I was able to find his LinkedIn account; he is working as a security consultant by day in a legit company, and by night he's doing attacks against victims. And I also found his Google certificates, both sent on the Telegram attackers' group, and it's the same certificate on his public LinkedIn account. So on the bottom you can see the tab with the real name of his Facebook account. So I have a lot of cross-referencing, and it's verified data. So I will skip two different Iranian nation-state threat actors. They did an Apple bypass, a two-factor authentication bypass for iCloud. It's a new technique. I got all of the source code because of their operational security mistake, and I will share all the slides and all the details on the site and also other platforms, but I don't have enough time to speak about it.

I want to speak four minutes about this threat actor. This actually is a good, I don't know if it's good, but it's the best operational security threat actor that I've ever seen, and it's an Iranian nation-state threat actor, the most persistent one that I know of. It's been active since 2007, so 15 years of operation. That's a lot, and I am monitoring, I first discovered it in 2015 and wrote a lot of reports on it and also did a takedown in 2015, and they lost all of their very targeted victims. They were opponents of the Islamic regime, and they were very targeted for seven years, and they lost, the Iranians lost all of the access to all of their victims, and returned in 2017 having learned from the mistakes, and they came with a very secure OPSEC infrastructure. So they used two mechanisms. One is very common, the DGA, which is a domain generation algorithm.
Each week 100 different domain names were used as a C2 server, so sinkholing is much more difficult than the 2015 version, where there were just like three hardcoded domain names. But most interestingly is the second mechanism, which is they use C2 signature verification in order to verify that they are speaking with the real C2 server. Because I reverse engineered the DGA code, understood what the next domain name will be, purchased those domain names before them, and all the victims connected to my site. But I have only their IPs, because when they download the signature files, which are encrypted with the private key which I don't have, only the attackers have, they can verify that this is not a legit site and just move on to the next server, which will be verified. So this means that it's very hard to take them down, and from 2017 until 2022 you can see that there were some reports about this group, but no one was able to do anything to harm their operation. And I worked on it for about three years; it was like a life mission. And recently I found the weakest link in the infection chain: the transmission of files from the C2 server in Europe to the attackers in Iran. So to make things short, I developed a script; I connect to the C2 server and download all of the victims' data. And I also found that they encrypted it with an asymmetric key, so I cannot open it because I don't have the right key, but some of it was not encrypted, and I have some metadata that I was able to deobfuscate, and I have the username, the host name of the victim, the path to the store on the C2 server, the Tonnerre version. Tonnerre is the second-step tool; it's a very sophisticated tool which allows them to monitor and surveil all of the victims' data. And Tonnerre in French is thunder, and the first tool is called lightning. So just one minute. So the lightning, the thunder comes after the lightning. So I'll just finish with a demo, it's 20 seconds, and I'll release you.
Okay, so you can see that I'm downloading, I get a list of all the files on the C2 server in real time with their sizes and the URL to download them, and then I will run the same script with the all parameter, and it will start downloading. It's a little bit small, but believe me, it will download all of the files. I will skip because it will be short. So I have a directory which is sorted by all the victims' IPs, and we can see all the exfiltration data. Okay, I'm finished. So sorry for this blast, and thank you.
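The backend exposures the talk keeps returning to (open directory listings, a backup zip of the whole backend left in the web root, a readable .env file, and a Laravel debug page that prints the DB credentials when a request arrives without the expected parameter) are misconfigurations any operator can check for on their own deployment. The script below is an added example written for this transcript, not the speaker's tooling; the listing, debug page and .env samples are constructed, and the `/api/upload` POST-only endpoint name is an assumption you replace with your own.

```python
"""Self-audit for the backend exposures discussed in the talk: open
directory listings, backup archives in the web root, a readable .env
file, and a Laravel-style debug page that prints DB credentials when a
request arrives without the expected parameter. Added example, not the
speaker's tooling; run it only against hosts you administer."""
import re
import sys
import urllib.error
import urllib.request

# Keys whose values must never appear in any HTTP response body.
SENSITIVE_KEYS = ("APP_KEY", "DB_HOST", "DB_USERNAME", "DB_PASSWORD")
ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".rar", ".7z", ".sql", ".bak")

# Constructed samples (not captured from any real server) so the checks
# can be exercised offline.
SAMPLE_LISTING = (
    '<html><head><title>Index of /ccc</title></head><body>'
    '<a href="2022-02-01.zip">2022-02-01.zip</a> '
    '<a href="backend_full.zip">backend_full.zip</a> '
    '<a href="index.php">index.php</a></body></html>'
)
SAMPLE_DEBUG_PAGE = (
    '<html><title>ErrorException</title><table>'
    '<tr><td>DB_HOST</td><td>127.0.0.1</td></tr>'
    '<tr><td>DB_USERNAME</td><td>panel</td></tr>'
    '<tr><td>DB_PASSWORD</td><td>s3cret-example</td></tr>'
    '<tr><td>APP_KEY</td><td>base64:AAAA</td></tr></table></html>'
)
SAMPLE_ENV = "APP_DEBUG=true\nDB_USERNAME=panel\nDB_PASSWORD=\nAPP_KEY=base64:BBBB\n"


def is_directory_listing(html: str) -> bool:
    """Heuristic for Apache/nginx autoindex pages ('Index of /...')."""
    head = html[:2000].lower()
    return "<title>index of" in head or "index of /" in head


def archives_in_listing(html: str) -> list:
    """Hrefs in a listing that point at archives or backups (e.g. pay.zip)."""
    hrefs = re.findall(r'href="([^"]+)"', html, flags=re.I)
    return [h for h in hrefs if h.lower().endswith(ARCHIVE_EXT)]


def leaked_secrets(body: str) -> dict:
    """Map sensitive keys to the values visible in a .env file or debug page.

    Tags are replaced by spaces so <td>KEY</td><td>VALUE</td> and KEY=VALUE
    are matched by one pattern: the value is the next token after the key.
    Empty values (a DB_PASSWORD= line with nothing after it) are not reported."""
    text = body
    if "<" in text:
        text = re.sub(r"<[^>]+>", " ", text)
        text = re.sub(r"\s+", " ", text)
    pattern = r"\b(%s)\b[ \t]*[=:]?[ \t]*(\S*)" % "|".join(SENSITIVE_KEYS)
    found = {}
    for key, value in re.findall(pattern, text):
        value = value.strip("\"',;")
        if value and value not in SENSITIVE_KEYS:
            found[key] = value
    return found


def fetch(url: str, method: str = "GET", timeout: int = 10) -> tuple:
    """Return (status, body). HTTP error pages are returned rather than
    raised, because a 500 from a debug-mode app is the interesting case."""
    req = urllib.request.Request(url, method=method,
                                 headers={"User-Agent": "self-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return 0, str(exc)


def audit(base_url: str, post_only_path: str = "/api/upload") -> list:
    """Run the checks against one deployment and return findings as strings.
    post_only_path (assumed name) is an endpoint that expects POST; a GET to
    it should yield a clean 4xx/405, not a stack trace with env variables."""
    findings = []
    _, root = fetch(base_url + "/")
    if is_directory_listing(root):
        findings.append("directory listing enabled at /")
        findings += ["archive exposed in web root: " + name
                     for name in archives_in_listing(root)]
    status, env = fetch(base_url + "/.env")
    if status == 200 and leaked_secrets(env):
        findings.append(".env readable over HTTP, keys: %s"
                        % sorted(leaked_secrets(env)))
    status, err = fetch(base_url + post_only_path, method="GET")
    if leaked_secrets(err):
        findings.append("debug page leaks %s on GET %s (HTTP %d)"
                        % (sorted(leaked_secrets(err)), post_only_path, status))
    return findings


if __name__ == "__main__":  # usage: audit.py https://host-you-administer [post-only-path]
    for finding in audit(sys.argv[1].rstrip("/"), *sys.argv[2:3]):
        print("[!] " + finding)
```

An empty result from `audit` only means these four checks passed; the fix for a positive finding is to disable autoindex, move archives and `.env` out of the web root, and set `APP_DEBUG=false` in production.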