OP 05 January, 2023 - 03:20 PM
(This post was last modified: 05 January, 2023 - 03:21 PM by BOUJEE. Edited 1 time in total.)
I've been scraping data from 130+ Telegram channels for months. Here's some stuff you might not know:
Some log vendors operate multiple Telegram clouds selling the same logs. They run the channels simultaneously, and they often keep the way they type the same. They post the same messages, and when their cloud gets a bad reputation, they either delete everything related to their identity and make a new one or just start a brand new cloud and sponsor it as if a friend owned it. This allows them to endlessly farm customers' money by shutting down and opening new clouds. So if you want to buy access from a cloud, check when the Telegram channel was created. Don't buy stuff from clouds running for less than six months.
Example: https://files.catbox.moe/s1olr8.png
Cheap lifetime vendors sell shit logs. Lifetime plans are only profitable for the vendor in the short term, especially if they go for cheap. If a cloud sells for $10, it's a huge red flag indicating that they are desperate for money, and you should get the fuck out of that cloud as fast as possible or farm their free logs, which are likely shit anyway.
Example: https://files.catbox.moe/lfihj0.png
You can use file signatures to spot clouds stealing from each other. Some vendors will download a pack of logs, rename it and upload it as their own. Changing the archive name doesn't change the file signature, so you can download some archives in bulk and perform some checks on their signatures. It's not uncommon to find fingerprints from other vendors inside text files.
You can determine the vector of infection through screenshot.png/jpg. Vendors are very generic when talking about how they spread, and this is often because they don't spread themselves. They may be stealing logs from someone else or buying installs (hiring someone operating a botnet to make the victims download and run their malware). This may give you an idea of how the victim got infected, but it isn't 100% accurate because malware can run after a delay and have persistence on the victim's system.
Post other tips if you got any.
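The "file signature" check above, as an added example that is not part of the original post: it reads the author's "signature" as a content hash (an assumption; SHA-256 is used here) and shows the two checks the post describes, grouping bulk-downloaded archives by digest so a renamed re-upload under another vendor folder is flagged, and grepping the text files for another vendor's marker string. The folder layout, the archive bytes and the `VendorA Cloud` marker are all constructed for the example, so it runs offline in a temporary directory; on real data point `group_archives_by_hash` and `find_fingerprints` at the download root instead.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample tree (not real data): three hypothetical vendor folders.
# vendorA and vendorB carry byte-identical archives under different names,
# and vendorB also ships a text file that still carries another vendor's marker.
SAMPLE_TREE = {
    "vendorA/logs_2023-01-03.zip": b"PK\x03\x04" + b"constructed-archive-001",
    "vendorB/fresh_pack_jan.zip": b"PK\x03\x04" + b"constructed-archive-001",
    "vendorC/pack_c.zip": b"PK\x03\x04" + b"constructed-archive-002",
    "vendorB/readme.txt": b"Logs by VendorA Cloud - contact: example\n",
}

# Hypothetical strings that identify a vendor inside text files (assumed, not real).
FINGERPRINTS = ("VendorA Cloud",)

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


def build_sample_tree(root: Path, tree: dict = SAMPLE_TREE) -> None:
    """Write the constructed sample files under root."""
    for rel, data in tree.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB archives are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_archives_by_hash(root: Path) -> dict[str, list[str]]:
    """Map SHA-256 digest -> sorted relative paths of every archive under root."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            groups[sha256_of(path)].append(path.relative_to(root).as_posix())
    return {digest: sorted(paths) for digest, paths in groups.items()}


def cross_vendor_duplicates(groups: dict[str, list[str]]) -> dict[str, list[str]]:
    """Keep only digests that appear under more than one top-level vendor folder.

    The file name is ignored on purpose: a renamed archive hashes the same."""
    result: dict[str, list[str]] = {}
    for digest, paths in groups.items():
        vendors = sorted({p.split("/", 1)[0] for p in paths})
        if len(vendors) > 1:
            result[digest] = vendors
    return result


def find_fingerprints(root: Path, markers=FINGERPRINTS) -> list[tuple[str, str]]:
    """Return (relative path, marker) for every text file containing a marker."""
    hits = []
    for path in sorted(root.rglob("*.txt")):
        text = path.read_text(errors="replace")
        for marker in markers:
            if marker in text:
                hits.append((path.relative_to(root).as_posix(), marker))
    return hits


def run_demo() -> dict:
    """Build the sample tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        groups = group_archives_by_hash(root)
        return {
            "duplicates": cross_vendor_duplicates(groups),
            "fingerprints": find_fingerprints(root),
        }


if __name__ == "__main__":
    report = run_demo()
    for digest, vendors in report["duplicates"].items():
        print(f"{digest[:16]}... shared by {', '.join(vendors)}")
    for rel, marker in report["fingerprints"]:
        print(f"{rel}: contains marker {marker!r}")
```

Hashing the archive as a whole only catches byte-identical re-uploads; a vendor who re-packs the same logs into a new archive changes the outer digest, so for that case hash the extracted files instead and group on those digests.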