The “olux” and/or “oxo” or whatever guys

Their Telegram account: hxxps://t.me/oluxshopsite/ (2 336 subscribers): Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store

hxxps://t.me/oluxshopsite/729: Tutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$

you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page

Any Problem with the order: Submit report to seller. Seller didn't fix problem within 5 hours. We will refund Buyer. Buyer didn't reply within 24 hours after seller. We will Close report. Note: avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43

cdn4.cdn-telegram.org/file/cff2fa7546.mp4 —> not able to catch that one.

IP-address 162.55.238.94

I first stumbled across a cryptofraud site on that IP, but I also found sites on the same IP with hidden content: one or more lines with the following content, on one or more pages of the same domain. First example, from view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this; some kind of “SEO” maybe? Other domains with the same code or variations of it:

bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top

citricosartaca.com is apparently a blank page, but contains almost 40 lines of the code, with additional domains and keywords. It contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates Christmas). “Buy Leads” and “SMTP” have sneaked into some places in the “services” they seem to provide.

educurrency.top (redirected from chuksblog.top)
globalbestcutbutchers.com (in total 190 lines of code)
digitechcompany.cloud/en/public/ (redirects from minecoins.online)
titantrustb.com (site copied from cnl.com, which was registered in 1995 and seems “legit”)
tocpharmaceuticals.com (on a buttload of links on this domain)

ultrafxoption.com * Interestingly, according to urlscan.io the code did not exist on ultrafxoption.com on November 30th 2022, but it shows up in a scan in December 2023. Did all sites get this code injected in this timeframe? I can only speculate, or spend a lot of time trying to find out.

westagefinance.com * According to urlscan this domain contained the code also on December 4th 2023
ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023
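One way to check a page's source for the injected link lines described above, as an added example (not the author's tooling): it parses anchors and flags those that point at the oxo.* hosts named in this post or carry its sales phrases, recording the source line so hits can be counted per page. The phrase list, the sample HTML and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts/phrases are from the article. SAMPLE is constructed and defanged (hxxps).
SPAM_HOSTS = {"oxo.si", "oxo.vc", "oxo.is"}
SPAM_PHRASES = ("buy spamming tools", "web shell", "buy leads")
SAMPLE = """<body><a href="/about">About us</a>
<a href='hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel</a>
<a href="hxxps://example.org/">Buy Leads
</body>"""

class InjectedLinkFinder(HTMLParser):
    """Collect <a> elements whose target host or text matches the lists above."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []   # (line, href, text, reasons)
        self._a = None   # anchor currently being read

    def _flush(self):
        a, self._a = self._a, None
        if a is None:
            return
        text = " ".join("".join(a["text"]).split())
        host = (urlsplit(a["href"]).hostname or "").lower().removeprefix("www.")
        reasons = [name for name, hit in (
            ("host", host in SPAM_HOSTS),
            ("phrase", any(p in text.lower() for p in SPAM_PHRASES))) if hit]
        if reasons:
            self.hits.append((a["line"], a["href"], text, reasons))

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._flush()  # an unclosed earlier anchor still gets checked
            self._a = {"line": self.getpos()[0],
                       "href": dict(attrs).get("href") or "", "text": []}

    def handle_data(self, data):
        if self._a is not None:
            self._a["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._flush()

def find_injected_links(html):
    finder = InjectedLinkFinder()
    finder.feed(html)
    finder.close()
    finder._flush()  # anchor still open at end of input
    return finder.hits
```

Calling `find_injected_links(SAMPLE)` returns one tuple per flagged anchor; the length of that list is the per-page count the notes above give as "rows with the code".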


Various search engines give hits for other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/

Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to

Domains, variations of oluxshop.[tld]: oluxshop.to (127.0.0.1)

Domains, variations of olux.[tld]: olux.to

ICQ: hxxps://icq.im/oluxshop

A now apparently dead Facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somewhat related.