Maltego Case Study - Hunting An Illicit Service Provider

Flashpoint analysts investigated the illicit service provider "blacktds", operating through the website blacktds[.]com. Using Maltego, PassiveTotal, and Flashpoint's own collections, they were able to: 1) map out entities associated with blacktds[.]com, such as its IP address and additional domains; 2) link that IP address to malware sample hashes and SSL certificates also hosted on the server; 3) pull sources from Flashpoint's finished intelligence reports on "blacktds" into Maltego for further analysis of related actors.

USE CASE

Hunting an Illicit Service Provider
 

 
This Use Case demonstrates how Flashpoint analysts used Maltego, Flashpoint collections,
and PassiveTotal to link the hosting infrastructure of a potentially malicious service provider to
malware sample hashes and SSL certificates. It also shows how Flashpoint finished
intelligence is integrated into Maltego for further analysis.
 
 
INTRO 
A threat actor operating under the alias "blacktds" began advertising various illicit services,
including bulletproof hosting, on a number of Russian-language forums starting in December 2017.
The services were accessible via the website blacktds[.]com.
 

 
Image 1: The actor “blacktds” advertising the services of the site as seen within the Flashpoint platform 
 
 
   
 

INVESTIGATION 
 
Flashpoint analysts used transforms within Maltego to map out the entities associated with the
domain blacktds[.]com.

PassiveTotal queries revealed that the domain resolved to an IP address in the Netherlands. Further
investigation using PassiveTotal revealed associations to 74 additional domains as of the time of the
original report in 2018. Several of the returned domains were confirmed to host exploit kits.
 

 
Image 2: PassiveTotal “Passive DNS” Maltego transform searching blacktds[.]com as of January 2019. This 
search extracts the IPs that have previously been associated with blacktds[.]com. 
 
   
 

Further PassiveTotal searches revealed historical WHOIS information on blacktds[.]com, potentially
revealing an email address for the actor. Historical WHOIS records are worth checking even when the
current record is privacy-protected, because earlier snapshots may predate the use of a privacy service.
 

 
Image 3: A PassiveTotal search reveals historical WHOIS information 
 
Additionally, through the PassiveTotal integration, Flashpoint analysts were able to link the IP
address hosting blacktds[.]com to several malware sample hashes and SSL certificates that were
hosted on the same server as blacktds[.]com, but were unable to confirm whether the specific hashes
and certificates located were part of the services provided by blacktds. Co-hosting on one IP address
shows only that artifacts shared a server; on shared or bulletproof hosting it does not by itself
establish that they belong to the same operator.
 

Image 4: Maltego searches linking the blacktds IP address to co-hosted malware sample hashes and SSL certificates
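The pivot chain described above (seed domain to IPs via passive DNS, IPs to co-hosted domains and artifacts, historical WHOIS to a registrant e-mail and the domains sharing it) can be reproduced outside Maltego. The following Python is an added example, not Flashpoint's, Maltego's or PassiveTotal's code, and it does not call the PassiveTotal API: all passive-DNS, WHOIS and artifact records, and every domain, IP address, hash and e-mail address in it, are constructed placeholders (RFC 2606 names, RFC 5737 addresses). It also records, for each co-hosted domain, whether its resolution window overlapped the seed's, and separates "same server" links from the stronger "same registrant e-mail" links, which is the distinction the analysts above needed when they could not attribute the co-hosted hashes to blacktds.

```python
"""Infrastructure pivot of the kind described above, run over constructed records.

Added example; not code from Flashpoint, Maltego or PassiveTotal. All domains,
IPs, hashes and e-mail addresses are invented placeholders."""
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS resolutions: (domain, ip, first_seen, last_seen), ISO dates.
PASSIVE_DNS: List[Tuple[str, str, str, str]] = [
    ("blacktds.example", "192.0.2.10", "2017-12-01", "2018-03-01"),
    ("blacktds.example", "192.0.2.11", "2018-03-02", "2019-01-15"),
    ("ek-lander.example", "192.0.2.10", "2018-01-10", "2018-02-20"),
    ("old-tenant.example", "192.0.2.10", "2016-01-01", "2017-06-01"),
    ("ek-gate.example", "192.0.2.11", "2018-04-01", "2018-12-01"),
    ("unrelated-blog.example", "192.0.2.11", "2018-05-01", "2019-01-01"),
]
# Constructed historical WHOIS snapshots: (domain, registrant_email, snapshot_date).
WHOIS_HISTORY: List[Tuple[str, str, str]] = [
    ("blacktds.example", "privacy@registrar.example", "2019-01-01"),
    ("blacktds.example", "operator@mail.example", "2017-12-05"),
    ("ek-gate.example", "operator@mail.example", "2018-04-02"),
]
# Constructed artifacts observed on each IP: (ip, kind, value).
IP_ARTIFACTS: List[Tuple[str, str, str]] = [
    ("192.0.2.10", "sha256", "aa" * 32),
    ("192.0.2.11", "ssl_sha1", "bb" * 20),
    ("192.0.2.11", "sha256", "cc" * 32),
]
# Assumed markers of a registrar privacy/proxy address; tune for real data.
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports (blacktds[.]com) back into a usable name."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def defang(indicator: str) -> str:
    """Defang a domain or IP for safe inclusion in a report."""
    return indicator.replace(".", "[.]")


def is_privacy_email(email: str) -> bool:
    """Heuristic: registrant e-mail belongs to a privacy service, so it is not a pivot."""
    local = email.split("@", 1)[0].lower()
    return any(marker in local for marker in PRIVACY_MARKERS)


def windows_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True if two (first_seen, last_seen) ISO-date windows share at least one day."""
    return a[0] <= b[1] and b[0] <= a[1]


def pivot(seed: str) -> Dict[str, object]:
    """Run the four pivots used in the investigation from one seed domain."""
    seed = refang(seed)
    # Hop 1: every IP the seed resolved to, with the window of that resolution.
    seed_windows: Dict[str, Tuple[str, str]] = {
        ip: (fs, ls) for d, ip, fs, ls in PASSIVE_DNS if d == seed
    }
    # Hop 2: other domains on those IPs. A domain that was on the IP only before
    # or after the seed is a much weaker link than one that was live at the same time.
    cohosted: Dict[str, List[Tuple[str, bool]]] = {}
    for d, ip, fs, ls in PASSIVE_DNS:
        if d != seed and ip in seed_windows:
            live_together = windows_overlap(seed_windows[ip], (fs, ls))
            cohosted.setdefault(d, []).append((ip, live_together))
    # Hop 3: registrant e-mails from historical WHOIS, ignoring privacy-proxy
    # addresses, then every other domain registered with the same e-mail.
    emails: Set[str] = {
        e for d, e, _ in WHOIS_HISTORY if d == seed and not is_privacy_email(e)
    }
    email_linked: Set[str] = {d for d, e, _ in WHOIS_HISTORY if d != seed and e in emails}
    # Hop 4: hashes and certificates seen on the same servers. This proves
    # "same server", not "same operator"; keep it separate from the e-mail links.
    artifacts = [(ip, k, v) for ip, k, v in IP_ARTIFACTS if ip in seed_windows]
    return {
        "seed": seed,
        "ips": sorted(seed_windows),
        "cohosted": cohosted,
        "registrant_emails": emails,
        "email_linked_domains": email_linked,
        "cohosted_artifacts": artifacts,
    }


if __name__ == "__main__":
    result = pivot("blacktds[.]example")
    print("seed:", defang(str(result["seed"])))
    for dom, hits in sorted(result["cohosted"].items()):  # type: ignore[union-attr]
        print(" co-hosted:", defang(dom), hits)
    print(" same registrant e-mail:", sorted(result["email_linked_domains"]))  # type: ignore[arg-type]
    print(" artifacts on same IPs:", len(result["cohosted_artifacts"]))  # type: ignore[arg-type]
```

Replacing the three constructed tables with real passive-DNS, WHOIS and artifact exports (or the output of the corresponding Maltego transforms) leaves the pivot logic unchanged; the overlap flag and the privacy-address filter are the two checks that keep a large co-hosting list from being read as attribution.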


 

PIVOTING THROUGH FLASHPOINT DATA 


The Flashpoint transform provides several functions. One of them is that, once Flashpoint completes its
analysis and publishes a finished intelligence report, customers using the Flashpoint transform in
Maltego are able to pull data from the finished reporting into a Maltego chart for further analysis.
 
Below is an example of how an analyst can investigate a finished intelligence report further.
Through the Maltego transform, it is possible to pull out the sources from Flashpoint's
comprehensive collection and expand upon the available data in a convenient graphic format.

To run the search below, the analyst entered the title of the "blacktds" report as an entity,
then ran the transforms "Report to Source," "Thread to Creator," and "User to Posts."
 

 
Image 5: Network relating Forums, Communities, and Users 
 
 

ABOUT FLASHPOINT 
 
Flashpoint delivers Business Risk Intelligence (BRI) to empower business units and functions across 
organizations with a decision advantage over potential threats and adversaries. The company’s sophisticated 
technology and human-powered analysis enable enterprises and public sector organizations globally to bolster 
cybersecurity, confront fraud, detect insider threats, enhance physical security, assess M&A opportunities, and 
address vendor risk and supply chain integrity. 
 
For more information, visit www.flashpoint-intel.com or follow us on Twitter at @FlashpointIntel. 
