Is Aquila (Dmitry) from WASM Forum Community the Author of the Carberp Banking Malware?
<p>The post <a href="https://ddanchev.blogspot.com/2026/04/is-aquila-dmitry-from-wasm-forum.html">Is Aquila (Dmitry) from WASM Forum Community the Author of the Carberp Banking Malware?</a> appeared first on <a href="https://ddanchev.blogspot.com/">Dancho Danchev's Blog – Mind Streams of Information Security Knowledge</a>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1NYNTzFHo0Kk82JdPugfZYP_8MblIKV2vfKYZkcAf7SnCh2dM0L1v7mzW2fDR2WqKHKU37IbjN8QgOX7yyCDp2A5bUb4HlKuEVvi9aCuWimFcgPWVfQ1qAYxAkP28Xlnr4z0tNvbmmD-NixNWyqGys9TGU77zAkVL93RbUO7g6n-jY3CRSFq/s520/Carberp_02.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img decoding="async" border="0" data-original-height="520" data-original-width="235" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1NYNTzFHo0Kk82JdPugfZYP_8MblIKV2vfKYZkcAf7SnCh2dM0L1v7mzW2fDR2WqKHKU37IbjN8QgOX7yyCDp2A5bUb4HlKuEVvi9aCuWimFcgPWVfQ1qAYxAkP28Xlnr4z0tNvbmmD-NixNWyqGys9TGU77zAkVL93RbUO7g6n-jY3CRSFq/s320/Carberp_02.png" width="145"></a></div><p>Dear blog readers,</p><p>I recently did something very interesting and I decided to share my results and findings.</p><p>What I did was the following. 
While doing a technical collection round for malicious software I came across Carberp’s source, where I decided to take a peek and found some pretty interesting and personally attributable IoCs (Indicators of Compromise). These led me to pursue an OSINT enrichment process, which led me to believe and conclude that there is a high probability that Aquila (Dmitry) from the WASM forum community could be one of the main authors of the Carberp banking trojan.</p><p>The most interesting part of this technical collection round, which turned into IoC extraction and then OSINT enrichment based on the hardcoded IoCs found in Carberp’s publicly accessible and leaked source code, is that I think I have managed to establish a direct connection between the hardcoded C&amp;Cs and Aquila (Dmitry) from the WASM forum community.</p><p><b>Here’s the interesting part and the actual hardcoded C&amp;C IoCs I found in Carberp’s publicly accessible source code:</b></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDN4WAQbo6sjHTb2GNvCRGkTk9RYCJ5Jnb3NDJchj1ygSxEKovWxz4jC39INslkbnuClVSy2IS1DoLGGGnfPTtszgq_lHqpOqXFjvpxa-3r87sp82fgjDPrss6995AySldvSUDCtzZ6lfv8d4bF37PXy0mj5UIKLg5OqC2-Y5vmM1o0iA1eBCv/s469/Carberp_05.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img decoding="async" border="0" data-original-height="65" data-original-width="469" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDN4WAQbo6sjHTb2GNvCRGkTk9RYCJ5Jnb3NDJchj1ygSxEKovWxz4jC39INslkbnuClVSy2IS1DoLGGGnfPTtszgq_lHqpOqXFjvpxa-3r87sp82fgjDPrss6995AySldvSUDCtzZ6lfv8d4bF37PXy0mj5UIKLg5OqC2-Y5vmM1o0iA1eBCv/s320/Carberp_05.png" width="320"></a></div><p>hxxp://178.63.11.137 (Primary test C2)<br>hxxp://94.240.148.127 (Alt configuration node parsing <code>/cfg/passw.plug</code>)</p><p><b>Payload Drop Zones &amp; Telemetry:</b><br>hxxp://apartman-adriana.com (hxxp://…/temp/DrClient.dll) – Email: milan.zuzak@zd.t-com.hr<br>hxxp://56tgvr.info</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_2U_2obpJW0o7Fqr_wA6ToRO02I1Wx2U26x9AFsphifA9WbfnnX0YASjxNFb7PvTn2VKYxHdR9sqTA65uUYmxo97997EwjZRRuWvrckgvZPUTLOhBiDHGhop2zNulqcw-dQP01IM3IOtZuq-KJOffdZpYqmYJpJR6zrKbanVHe02UE-lFEYnN/s387/Carberp_03.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="387" data-original-width="231" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_2U_2obpJW0o7Fqr_wA6ToRO02I1Wx2U26x9AFsphifA9WbfnnX0YASjxNFb7PvTn2VKYxHdR9sqTA65uUYmxo97997EwjZRRuWvrckgvZPUTLOhBiDHGhop2zNulqcw-dQP01IM3IOtZuq-KJOffdZpYqmYJpJR6zrKbanVHe02UE-lFEYnN/s320/Carberp_03.png" width="191"></a></div><p>We then have an interesting connection for one of the IoCs (hxxp://178.63.11.137), which appears to have been known to be responding to the email server for the WASM forum community, which, based on additional analysis, appears to have been managed, operated and actually owned by Aquila, also known as Dmitry (Email: di@dimon.ru; aquila@wasm.ru; hxxp://dimon.ru).</p><p><b>Related domain registrations for Aquila:</b></p><p>hxxp://symbolographia.com<br>hxxp://wasm.site<br>hxxp://posthumanism.info</p><div class="separator" style="clear: both; text-align: center;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZC3ylbmAPBb9ZPRP8gAx5GdP23g2kopwsajVrR3peNlXOgUP_MpUR1ryeeL4EwWDGeRaP23LA8O_X-k_4SEsAmeJpi9eHfJ2YSe_3bIJ0Yato3u2JihMCJ6-iJt0NMp5yuhLzA2LmIX91wAY1-bWymYF1g1Lpb0gpcyMEmDSiKrWpwZF46-6/s354/Carberp_04.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img loading="lazy" decoding="async" border="0" data-original-height="354" data-original-width="234" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZC3ylbmAPBb9ZPRP8gAx5GdP23g2kopwsajVrR3peNlXOgUP_MpUR1ryeeL4EwWDGeRaP23LA8O_X-k_4SEsAmeJpi9eHfJ2YSe_3bIJ0Yato3u2JihMCJ6-iJt0NMp5yuhLzA2LmIX91wAY1-bWymYF1g1Lpb0gpcyMEmDSiKrWpwZF46-6/s320/Carberp_04.png" width="212"></a></b></div><p><b>Related screenshot:</b></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://ddanchev.blogspot.com/">Dancho Danchev's Blog - Mind Streams of Information Security Knowledge</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dancho Danchev">Dancho Danchev</a>. Read the original post at: <a href="https://ddanchev.blogspot.com/2026/04/is-aquila-dmitry-from-wasm-forum.html">https://ddanchev.blogspot.com/2026/04/is-aquila-dmitry-from-wasm-forum.html</a> </p>
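<p>The first step the post describes, pulling hardcoded C2 indicators out of a leaked source tree before any OSINT pivoting, is easy to get wrong with a bare grep: dotted version strings look like IPv4 addresses and loopback or RFC 1918 test addresses are not worth a WHOIS query. The script below is an added example written for this page; it is not the author's tooling and not Carberp code. It scans a constructed stand-in file (the file name <code>config.h</code>, the decoy strings and every function name are assumptions made for illustration; the indicator strings are the ones listed in the post) with octet-bounded IPv4 and scheme-anchored URL patterns, drops non-routable hosts, keeps the URL path beside its host so <code>/cfg/passw.plug</code> stays attached to its node, and converts between the <code>hxxp://</code> defanged form used in the post and the live form a passive DNS or WHOIS lookup needs. It goes slightly beyond the post by handling the two false-positive classes above.</p>

```python
"""Pull hardcoded network indicators out of a leaked or recovered source tree.

Added example for this post, not the post's own tooling and not Carberp code.
File names, decoy strings and function names are illustrative assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Octet-bounded IPv4 so a version string such as "10.0.19041.1" cannot match.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(r"(?<![\w.])" + r"\.".join([_OCTET] * 4) + r"(?![\w.])")
# Scheme-prefixed URLs; the class stops at quotes and whitespace so the
# surrounding C string literal is not swallowed.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample, not real Carberp source: a made-up config header that
# carries the indicators listed in the post plus two decoys a naive grep for
# dotted quads or "http" would report.
SAMPLE_SOURCES = {
    "config.h": """
#define C2_PRIMARY   "http://178.63.11.137"
#define C2_ALT       "http://94.240.148.127/cfg/passw.plug"
#define DROP_URL     "http://apartman-adriana.com/temp/DrClient.dll"
#define TELEMETRY    "http://56tgvr.info"
static const char *LOCAL_DBG = "http://127.0.0.1:8080/dbg";  /* decoy: loopback */
static const char *BUILD_VER = "10.0.19041.1";               /* decoy: version */
""",
}


def classify_host(host):
    """Return (kind, normalised value); kind is None for hosts not worth a pivot."""
    if not host:
        return None, ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain", host.lower().rstrip(".")
    # Loopback, RFC 1918, link-local and reserved space are test/debug noise.
    return ("ipv4" if ip.version == 4 and ip.is_global else None), str(ip)


def _record(found, kind, value, origin, lineno, path=None):
    """Merge one sighting into the per-indicator record (dedup across files)."""
    rec = found.setdefault(value, {"kind": kind, "value": value,
                                   "paths": set(), "seen": []})
    if path:
        rec["paths"].add(path)
    rec["seen"].append((origin, lineno))


def scan_text(text, origin, found):
    """Extract URLs first, then bare IPv4s that were not already inside a URL."""
    for lineno, line in enumerate(text.splitlines(), 1):
        consumed = []
        for m in URL_RE.finditer(line):
            consumed.append(m.span())
            parts = urlsplit(m.group(0).rstrip(".,;"))
            kind, value = classify_host(parts.hostname or "")
            if kind is None:
                continue
            path = parts.path if parts.path not in ("", "/") else None
            _record(found, kind, value, origin, lineno, path)
        for m in IPV4_RE.finditer(line):
            if any(a <= m.start() < b for a, b in consumed):
                continue
            kind, value = classify_host(m.group(0))
            if kind is not None:
                _record(found, kind, value, origin, lineno)


def scan_sources(sources):
    """Scan a {path: text} mapping and return deduplicated indicator records."""
    found = {}
    for origin, text in sources.items():
        scan_text(text, origin, found)
    return list(found.values())


def defang(value):
    """Render an indicator in the hxxp:// and [.] convention used in reports."""
    return re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE).replace(".", "[.]")


def refang(value):
    """Undo defang() so the indicator can be fed to WHOIS / passive DNS lookups."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")


def report(sources):
    """One defanged line per indicator with its paths and first sighting."""
    lines = []
    for rec in sorted(scan_sources(sources), key=lambda r: (r["kind"], r["value"])):
        origin, lineno = rec["seen"][0]
        paths = ", ".join(sorted(rec["paths"])) or "-"
        lines.append(f"{rec['kind']:6} {defang(rec['value']):28} "
                     f"paths={paths} first={origin}:{lineno}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCES)))
```

<p>Running it on the sample yields four records (two public IPv4s, two domains) and nothing for the loopback URL or the version string; the <code>seen</code> list keeps file and line so each indicator can be traced back to the exact source line when the attribution is written up. Point <code>scan_sources</code> at a real tree by reading each file into the mapping.</p>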