
Did they send me a 0day? Or what else could it be? Damage control

churk

(L2) cache
User
Registered
15.05.2023
Messages
318
Reactions
61
Deal guarantor
7
Hello

I don't want this to look like one of those posts from noobs who think that every special service is behind their back for opening Tor and so on.

I am a darkweb veteran, more than a decade on different forums and markets, with multiple identities.
And the thing from yesterday really made me worried.



On one email, which was used in high-profile political swatting (and swatting which was in favor of the political opposition in a country which is more and more repressive), they sent me a link (a link that looks like it describes something related to the opposition and riots).
The link is empty.
The HTML file is empty; the site is fully empty.
I checked it on VirusTotal and a few other link-scanning sites, and it appears clean.

The domain is relatively new, and the last changes on the site were a couple of hours old at the time it was sent.
Which makes it super suspicious.

The most suspicious thing is that the email on which I received it was made 30 minutes before they sent this link, and I had just used it for high-profile swatting.
Sending the same mail to multiple receivers (journalists and cops).

An email address to which I did not send anything (but which looks a lot like the email of one journalist I also messaged from there) sent me that empty link.

I opened it on an RDP, with antidetect and SOCKS5.
About that part I am not worried.
I am worried because I also kept it in the clipboard on the host OS, and from there I also sent it to a few people to check what it is.


Need advice
Need someone who can seriously check the link

I need to know whether it contains some sort of drive-by malware. Some loader or whatever.
If it does, for which OS it works.

It is possible that they just take the device and browser fingerprint, and the IP.
In that case I don't care.

Serbia is a country which is violent towards the opposition and has already targeted journalists and the opposition with unique spyware like Predator and Pegasus.

Can give more/all info
 
I also sent it to some friends to check out that link
And one of them opened it

On standard Android

I just opened it on an RDP with SOCKS5

But I had it in the clipboard
Maybe some 0day could be started



I hope it was just to collect the IP and browser fingerprint
 
The link is empty.
The HTML file is empty; the site is fully empty.

I opened it on an RDP, with antidetect and SOCKS5.

Highly likely the script checks the source IP and returns an empty result if the request does not come from some specific country and city these people are interested in.
Search for a SOCKS proxy in your city, add that SOCKS to your RDP's antidetect browser and try to open the link again.

Also the script might check the user agent, and if they do not have a compatible exploit they would return an empty page too.

I hope it was just to collect the IP and browser fingerprint
Yes, it also could be a simple IP logger so the cops would be able to get the user info from the internet provider.
 
To quickly answer: no, storing the link on your host OS is not dangerous and you are fine. No, with almost 99.999% certainty a 0day was not used on you. 0days are considered burnt after use, and they are not used nonchalantly on small fish.

If you could provide the HTML of the page, as well as the email, the email headers, From/Reply-To, content, links, etc., we could provide a definitive answer.

If there was no client-side code when the page loaded, then it probably just collected the IP and user agent, IF it was actually intended for tracking purposes. Police usually only ever attempt to retrieve the IP so they can't make ISP information requests. If you used a non-logging SOCKS5, then you're fine. Also, if it is something intended for tracking, to prevent analysis it could be deactivated from reloading once it has loaded once, which would mean that if anyone you sent it to opened it first, then it became useless. For that, I would also imagine they whitelisted all incoming IPs to a known region they believe you are in, to prevent SOCKS, analysis, sharing, etc.

Did you use the email address anywhere or for anything before receiving this email? Typically when police send something to try to deanonymize, they'll send it in a phishing-styled manner where they will make it appear like a typical email you received, not something that would raise flags.
 
If you could provide the HTML of the page, as well as the email, the email headers, From/Reply-To, content, links, etc., we could provide a definitive answer.
I will explain everything to you
And send you the link; also, if you want, I can even give you access to that email and to that antidetect account.
To check the headers and so on from Gmail.


For swatting, a new email is made for each action.
So literally I made this mail and sent a couple of emails with fake bomb threats to cops and journalists (in total like 20-something different emails)

It was a 30-minute-old mail.
But it directly contacted cops with the fake bomb threat.


Half an hour later, they sent it to me from a Gmail address (which shows the same name as one of the journalists in the receiver list, but is not the same email address).
A link about some article about this specific swatting and riots


This empty link
 
Did you use the email address anywhere or for anything before receiving this email?
Yes
But I also sent it to some friends to check it out.
And one of them actually opened the link on his host OS without a VPN and without anything.


Thankfully he is not in the same jurisdiction as me.




It has every possible red flag it can have
The email, and the link, and the context.
It is high-profile swatting, together with the opposition
 
For that, I would also imagine they whitelisted all incoming IPs to a known region they believe you are in, to prevent SOCKS, analysis, sharing, etc.
And I mean they're suspecting it is being sent by a Serbian person who for sure uses a VPN/SOCKS


So I don't think they would whitelist just some region
 

