INTERCEPT CELL RESEARCH

Dispatches

Short-form intelligence reporting on adversary infrastructure, scam activity, threat actors, and external digital risk — published at TLP:CLEAR with defanged indicators where applicable.

TLP:CLEAR · 2026-07-05

Know Your Adversary: TeamPCP

TeamPCP has carried that handle since late 2025. Three days ago the FBI formally attributed the campaign in FLASH-20260702-01. They poisoned Trivy, KICS, and LiteLLM to steal cloud credentials — then wormed npm and GitHub. Here is the full adversary bio, what the flash adds, and the C2 IP still answering after the domains died.

Read dispatch →

TLP:CLEAR · 2026-04-10

EarnAndWithdraw.com: Pig Butchering Destination Platform with Fake Activity Feed

We intercepted a pig butchering destination platform promising 10-20% monthly USDT returns. The operator hardcoded a fake activity feed in JavaScript that generates fabricated deposits and withdrawals every 3-7 seconds, creating false social proof for victims directed here after weeks of relationship building via dating apps and "wrong number" texts. Domain registered March 13, 2026. Backend misconfigured with 500 errors on every API endpoint. This is where the slaughter happens.

Read dispatch →

TLP:CLEAR · 2026-03-12

Behind the Firewall: Inside Handala's Origin Server, Hidden Domains, and the Architecture They Built to Outlast Every Ban

Handala's DDoS-Guard protection has a hole in it. The www. subdomain was never routed through the CDN. Hitting the origin server directly — 185.208.156.82, Global-Data System IT Corporation, Zürich — returns a live WordPress installation with its REST API wide open. From there: a complete operational timeline dating to December 18, 2023, a predecessor domain (handala.cx) that predates the known infrastructure by seven months, a dedicated bounty platform (handala-redwanted.to) running Microsoft IIS on Windows Server in Amsterdam, a Telegram persona named Akhira, and a four-month operational blackout in 2025 that ended exactly when their n8n automation server came online. We went through the firewall. Here is what was behind it.

Read dispatch →

TLP:CLEAR · 2026-03-11

The Boy With His Back Turned: Exposing Handala, Its MOIS Handlers, and the Bangkok Footage They Thought Was Tel Aviv

Handala is not a hacktivist group. It is a MOIS operational cluster — Void Manticore — running rotating personas under a refugee cartoon's name. Its parent in the Ministry of Intelligence's Domestic Security Directorate is FBI-wanted, EU-sanctioned, and personally directed an attack against Iranian journalists as revenge for his Treasury designation. The cell's channel admin is a 27-year-old from Tabriz who has used his own birthdate as a password across his accounts. Their flagship wiper will not execute on machines named "HANDALA" — operator safety infrastructure embedded in production malware. And when they tried to intimidate Israel with evidence of airport surveillance access, they accidentally published ceiling photographs from Suvarnabhumi Airport, Bangkok. Here is the full picture: operators, infrastructure, tooling, and every OPSEC failure the open record contains.

Read dispatch →

TLP:CLEAR · 2026-03-06

Forked and Burned: Hunting Live Stealer Operators Through GitHub

Open-source malware is an assembly line. Developers publish fully functional infostealers on GitHub under the fiction of "educational purposes." Script kiddies fork them, paste in their own Discord webhooks and Telegram bot tokens, and deploy. They rarely consider that their exfiltration infrastructure is now permanently indexed in a public repository. We systematically scanned forks of popular stealer projects and found live operators with active Telegram bots and Discord channels still receiving stolen data. One operator — a Dutch-speaking actor operating as "Stonertje420" — committed a compiled Go-based stealer binary, a live Telegram bot, and a Discord webhook to GitHub nine days ago. A second finding: an Enigma Stealer Telegram bot still active with a PHP webhook pointing to a multi-subdomain C2 network on a DGA-style .sbs domain.

Read dispatch →

TLP:CLEAR · 2026-03-05

The Workers Who Aren't There: Mapping DPRK IT Fraud Infrastructure

North Korea has deployed thousands of IT workers into Western companies under stolen identities. They pass interviews with AI-spoofed faces, ship laptops to facilitator-run farms in Nashville and elsewhere, then VPN in from Pyongyang. The DOJ indicted 14 operatives in December 2024 for generating $88 million through this scheme alone. We mapped their front company network — five seized domains all sharing InterServer and Asia Web Services infrastructure, registered through NameCheap, each cloning a legitimate software firm's website pixel-for-pixel. The same operatives run a parallel campaign called Contagious Interview: fake recruiters on LinkedIn lure developers into running trojanized video-call apps that deploy BeaverTail and InvisibleFerret malware targeting 13 cryptocurrency wallet browser extensions. We are tracking every persona, selector, and front company in our DPRK IT Worker Database.

Read dispatch →

TLP:CLEAR · 2026-03-02

Diplomatic Mail and Open Databases: Iranian Government Infrastructure Exposed

Passive reconnaissance of Iranian government internet-facing infrastructure reveals systemic security failures across civilian, diplomatic, and IT organizations. The Ministry of Foreign Affairs' mail server — handling diplomatic communications between Tehran and its embassies — runs Exim 4.98 with three high-severity CVEs including remote SQL injection and a heap buffer overflow. A government IT network block at 185.37.55.0/24 contains a host vulnerable to SMBGhost (CVE-2020-0796, CVSS 10.0) with SMB exposed to the internet, a 10-year-old unpatched MS15-034 RCE on IIS, an internet-facing MariaDB seven years past end-of-life, and a VMware ESXi 6.0 hypervisor. The Presidential office, Foreign Ministry, National Iranian Oil Company, and state news agency IRNA all share the same commercial hosting with cPanel management ports exposed. Iran's own CERT website sits on the same shared infrastructure. Meanwhile, every military and intelligence domain — IRGC, Army, Basij, Atomic Energy, Police — is completely unreachable from outside Iran, hidden behind the national firewall.

Read dispatch →

TLP:CLEAR · 2026-02-28

The Panels Left Open: Mapping Nine Exposed Malware Operations in a Single Sweep

A single Shodan hunting session turned up nine distinct malware operations with their control panels exposed to the internet: a PoisonX stealer on Swiss bulletproof hosting leaking PHP paths, a custom RAT called Whack with its full binary protocol recoverable from exposed JavaScript, a Turkish RAT with an open FastAPI Swagger endpoint, twin stealer servers on a phishing-linked ISP, a Brazilian Portuguese Steam account stealer on Google Cloud, a Korean payment card operation with OTP authentication and business hours, and more. Several had no authentication at all.

Read dispatch →

TLP:CLEAR · 2026-02-27

The Server That Attacked Itself: Tracing a Live Ransomware Operation Through Luxury Hotel and Airline Infrastructure

Starting from a single exposed open directory on a UK server, we mapped a network of six compromised Kaleidovision KL4 music scheduling systems, background music infrastructure for Schroders, Cathay Pacific, and The Beaumont Hotel, all implanted with the same custom Go reverse SOCKS5 proxy. The servers double as staging platforms, malware depots, and proxy nodes. One exposed MySQL general query log captured a complete database ransom operation. Another MySQL instance remains wide open with root access, PE executables stored in tables, and artifacts from multiple unrelated threat actors. The implant was updated across all nodes within hours of publication.

Read dispatch →

TLP:CLEAR · 2026-02-27

You Changed the Password. You Forgot Everything Else: 200 GoPhish Panels Exposed

We found 200 GoPhish phishing platforms indexed on Shodan and probed all of them. None were running default credentials. But the operators left everything else exposed: active credential-harvesting pages, co-hosted business infrastructure, open databases, Docker admin panels, RDP endpoints, and full mail servers sitting alongside their phishing tools. You changed the password. You forgot everything else.

Read dispatch →

TLP:CLEAR · 2026-02-27

140 Beacons: Mapping Exposed Cobalt Strike Infrastructure Across the Open Internet

We scanned the public internet for exposed Cobalt Strike beacon configurations using Shodan and extracted complete malleable C2 profiles from 140 live servers. We clustered operators by watermark and public key, identified a Chinese-speaking threat actor impersonating Google across two US-hosted servers, found an Azure-hosted server silently deploying MSI payloads through post-exploitation, and mapped domain fronting through Baidu CDN and Cloudflare nameservers. Every server ran a cracked license.

Read dispatch →