Red Sky Alliance

Wapack Labs has operated Red Sky Alliance for over seven years. We are a trusted group of organizations, large and small, sharing information about targeted, advanced, and emerging cyber threats in a private secure portal. 
Red Sky Alliance offers TLP White and Green reporting that can satisfy most any situational awareness need, with reports, forums and people to ask questions of --  Sign up Now for FREE Membership and Access to all Content.

Get Advice, Intelligence, & Help.

Did you just connect with Jeff on LinkedIn? You are in the right place, the portal offers cybersecurity reporting that can satisfy your situational awareness needs. Sign up Now for FREE Membership and Access to all Content.


Burlington Cytherian

Between December 6 – December 7, 2018, an IP address, belonging to Cytherian, Burlington, NC, hosted in Peak10, was identified connecting to Wapack Labs owned command and control sinkholes. For questions or comments regarding this…
Read more…

Finished Analysis

BlackBullet Credential Stuffing

Summary Wapack Labs has identified a new credential stuffing tool named BlackBullet for sale through third-party hacking sites. BlackBullet started selling on hacking sites in early 2018 and will be available in open source in March 2019. This report provides background information on the BlackBullet tool, outlines capabilities, and identifies companies targeted for credential stuffing.
Read more…

The Network Systems Department (NSD) of the People’s Liberation Army (PLA) Strategic Support Force, created in December 2015, appears to be the entity where military cyber operations are now based.  It is a challenging collection target and many aspects of this PLA organization are still unknown.

The NSD is very rarely mentioned in open sources by its actual name.  Instead, new data confirms that it uses the cover designator “32069 Unit.”  Using this as a search term,…

Read more…


New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

If your company uses Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then technicians should immediately install the latest firmware update released by the Cisco last week.  

Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities, after a security researcher released their proof-of-concept exploit code on the Internet last weekend.…

Read more…

King Servers

Summary King Servers is a Russian hosting firm whose servers have been involved in numerous Russian criminal and Russian APT activities over the last few years. These activities include the compromise of the Arizona and Illinois SBOE (State Board of Elections) websites in 2016, and the use of King Server IP’s as C2’s for the newest Trickbot module. Wapack Labs also found that in February 2018, King Servers hosted the Emotet malicious email campaign involving denniscrawford2014[.]com. This…
Read more…

Wapack Labs in the News

On - Demand, Red Sky Alliance Threat Brief Broadcast.

Please join us every week for an, on demand, rebroadcast of our Weekly Red Sky Alliance Threat Brief, a succinct summary of current threat activities designed to inform your decision-making. Listen in on what our Wapack Labs analysts have been working on.

Register Here, Watch Now
See you online!

Cyber Security Blog

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance


  • Oil and Gas - keep an eye on Venezuela and Nigeria. See Oil and Gas section.
  • A number of hackers and scammers were arrested in Nigeria. The timing is interesting: general elections will be held in Nigeria on 16 February 2019 to elect the President, Vice President and the National Assembly.
    Two groups were recently arrested in Port Harcourt, where many hackers' previously profiled by Wapack Labs live.
    It is possible that those arrests aimed at improving Nigerian image.
    It is also established by Wapack Labs that many hackers in Nigeria sympathize secessionist movement. So it is possible that some of the cyber-related arrests represent political infightings.

    Arrest by Nigerian region from recent to older:
    I. Port Harcourt Zonal Office
    1) Emenike Ulu, Uchenna Samuel Nwogu, Kelvin Ogbonna, Richard Uduma and Collins George Isilabo. They were all arrested at No.22 Alcon Estate, Liberty Street, Woji, Port Harcourt, Rivers State.
    2) Six suspected internet fraudsters (four men and two women; Oghenekewe Akinnawo, Kemka Amadi, Revelation Macaulay, Damilola Oyinloye, Mary Ndubuisi and Jennifer Vandi. ) arrested at their hotel hideout in Rumuigbo, Port Harcourt, Rivers. Alleged fraudulent activities ranging from love scam on numerous dating sites, obtaining money by false pretenses and other fraud still being investigated.
    II. Enugu Zonal Office
    3) 13 suspects arrested for allegedly engaging in cyber crime and internet fraud.
    “Three of the suspects were arrested at Awka, Anambra State, following intelligence reports and surveillance carried out on them.
    “Six were arrested at Ngwo in Enugu State, while four were arrested at an estate in Abakpa area of Enugu State.

    Local source for the arrest details: www.dailyadvent[.]com/index.php/2019/02/13/busted-five-yahoo-boys-arrested-laptops-and-car-recovered-in-port-harcourt-photos/
  • A new Credential Stuffing tool named BlackBullet started being disseminated through cracking / hacking sites during the second half of 2018. This tool is set to be released in Open Source in March of this year. Check out our report that provides details on this newest credential stuffing tool.
  • See 02 12 2019 Vessel Impersonation report and weekly Maritime Watchlist in the Transportation Section.
  • The Chinese Maritime Silk Road expands a bit more.....see Transportation Section.
  • Oil and Gas phishing against three companies. The report is in the Oil and Gas Section.
  • University Spearphishing: see Banking & Finance section
  • Oil & Gas Brief for 02 08 2019 posted.
  • I just submitted a CFP for HackMiami7 titled "RDPwned: An in depth examination of adversarial RDP TTPs". Hoping this talk gets accepted because it will go really well with the 3-4 report series I am writing on RDP. Does anyone here have interest in defending against RDP attacks?
  • Merchant Vessel (M/V) VICTORIA being impersonated and spreading malware - see Transportation section.
This reply was deleted.