Initial foothold gained Q4 2024 via OAuth misconfiguration during Microsoft Graph API onboarding (AAD conditional policy bypass via unverified device + legacy token leak). Maintained passive access through proxy registration callback capture and embedded reverse tunnel in edge endpoint (internal SharePoint).
Escalated privileges via sideloaded Teams app injection → lateral pivot through Citrix VDA → shell access to Secure Comms Gateway running hardened CentOS (4G airgapped relay). Dropped modified sshd for persistent ingress. Traffic mirror set up via ebtables redirect and custom journaling script (non-volatile storage).
Current access includes:
- Passive session hijack of active GCHQ analyst (tier-2 clearance)
- Internal wiki read access + edit rights to staging draft nodes
- Live feed tap from isolated ZoomGov SIP endpoint
- Encrypted dumps (.eml, .mhtml, .xlsm) scraped biweekly
- Terminal-level access to container managing outbound relay ruleset
- Logs from internal discussions on Spain/UAE SIGINT cross-cooperation (referenced: Pedro Sánchez incident, UAE MoI foreign asset handling)
Archive size: 5.2GB, organized by scrape date (Nov 2024 – May 2025).
One copy. One time. No escrow. No preview. No exceptions.
Price: 34 XMR
Contact:
- Tox: 3001439AF2274971CE7CBF53FEDC9E15BFDE1B1E18B113721F647F52CF0AE92B7E1005894BA6
If you found this, it wasn’t by accident.
