A CIPHER CORTEX RESEARCH PROGRAM

Intercept Cell Research

Threat dispatches, scam investigations, adversary infrastructure reporting, and investigator-ready technical readouts.

Intercept Cell Research is a Cipher Cortex research program.

Research Streams

Latest Research

Know Your Adversary: TeamPCP

TeamPCP has carried that handle since late 2025. Three days ago the FBI formally attributed the campaign in FLASH-20260702-01. They poisoned Trivy, KICS, and LiteLLM to steal cloud credentials — then wormed npm and GitHub. Here is the full adversary bio, what the flash adds, and the C2 IP still answering after the domains died.

Read dispatch →

The Blight Still Blooms: 83 Live Miasma Dead Drops — and the Victims You Can Name Without Decrypting

JFrog documented the Red Hat npm hijack. We mapped what they left behind: 83 public GitHub dead drops still live four days later, encrypted exfil you cannot read — and compromised accounts you can identify from repo ownership alone. You do not need the attacker's private key to know who got hit.

Read dispatch →

EarnAndWithdraw.com: Pig Butchering Destination Platform with Fake Activity Feed

We intercepted a pig butchering destination platform promising 10-20% monthly USDT returns. The operator hardcoded a fake activity feed in JavaScript that generates fabricated deposits and withdrawals every 3-7 seconds, creating false social proof for victims directed here after weeks of relationship building via dating apps and "wrong number" texts. Domain registered March 13, 2026. Backend misconfigured with 500 errors on every API endpoint. This is where the slaughter happens.

Read dispatch →

Behind the Firewall: Inside Handala's Origin Server, Hidden Domains, and the Architecture They Built to Outlast Every Ban

Handala's DDoS-Guard protection has a hole in it. The www. subdomain was never routed through the CDN. Hitting the origin server directly — 185.208.156.82, Global-Data System IT Corporation, Zürich — returns a live WordPress installation with its REST API wide open. From there: a complete operational timeline dating to December 18, 2023, a predecessor domain (handala.cx) that predates the known infrastructure by seven months, a dedicated bounty platform (handala-redwanted.to) running Microsoft IIS on Windows Server in Amsterdam, a Telegram persona named Akhira, and a four-month operational blackout in 2025 that ended exactly when their n8n automation server came online. We went through the firewall. Here is what was behind it.

Read dispatch →

The Boy With His Back Turned: Exposing Handala, Its MOIS Handlers, and the Bangkok Footage They Thought Was Tel Aviv

Handala is not a hacktivist group. It is a MOIS operational cluster — Void Manticore — running rotating personas under a refugee cartoon's name. Its parent in the Ministry of Intelligence's Domestic Security Directorate is FBI-wanted, EU-sanctioned, and personally directed an attack against Iranian journalists as revenge for his Treasury designation. The cell's channel admin is a 27-year-old from Tabriz who has used his own birthdate as a password across his accounts. Their flagship wiper will not execute on machines named "HANDALA" — operator safety infrastructure embedded in production malware. And when they tried to intimidate Israel with evidence of airport surveillance access, they accidentally published ceiling photographs from Suvarnabhumi Airport, Bangkok. Here is the full picture: operators, infrastructure, tooling, and every OPSEC failure the open record contains.

Read dispatch →

Forked and Burned: Hunting Live Stealer Operators Through GitHub

Open-source malware is an assembly line. Developers publish fully functional infostealers on GitHub under the fiction of "educational purposes." Script kiddies fork them, paste in their own Discord webhooks and Telegram bot tokens, and deploy. They rarely consider that their exfiltration infrastructure is now permanently indexed in a public repository. We systematically scanned forks of popular stealer projects and found live operators with active Telegram bots and Discord channels still receiving stolen data. One operator — a Dutch-speaking actor operating as "Stonertje420" — committed a compiled Go-based stealer binary, a live Telegram bot, and a Discord webhook to GitHub nine days ago. A second finding: an Enigma Stealer Telegram bot still active with a PHP webhook pointing to a multi-subdomain C2 network on a DGA-style .sbs domain.

Read dispatch →

Work With Cipher Cortex

Intercept Cell Research informs Cipher Cortex investigations, diligence reviews, and external threat intelligence services. If your organization needs help investigating fraud, impersonation, executive exposure, suspicious remote workers, or adversary infrastructure, request a briefing.