Is Aquila (Dmitry) from WASM Forum Community the Author of the Carberp Banking Malware?

The post Is Aquila (Dmitry) from WASM Forum Community the Author of the Carberp Banking Malware? appeared first on Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge.

Dear blog readers,

I recently did something very interesting and I decided to share my results and findings.

What I did was the following. While doing a technical collection round for malicious software I came across to Carberp’s source where I decided to take a peek and found out some pretty interesting and relevant personally attributable IoCs (Indicators of Compromise) which led me to further pursue an OSINT enrichment process which led me to believe and conclude that there’s a high probability that Aquilla (Dmitry) from the WASM forum community could be one of the main authors of the Carberp banking trojan.

The most interesting part of this technical collection round which then turned into IoCs extraction and then OSINT enrichment based on the successfully found hardcoded IoCs in Carberp’s publicly accessible and leaked source code is that I think I have managed to establish a direct connection between the hardcoded C&Cs and Is Aquila (Dmitry) from the WASM forum community.

Here’s the interesting part and the actual hardcoded C&C IoCs I found in Carberp’s publicly accessible source code:

hxxp://178.63.11.137 (Primary test C2)
hxxp://94.240.148.127 (Alt configuration node parsing `/cfg/passw.plug`)

Payload Drop Zones & Telemetry:
hxxp://apartman-adriana.com (http://…/temp/DrClient.dll) – Email: [email protected]
hxxp://56tgvr.info

We then have an interesting connection for one of the IoCs (hxxp://178.63.11.137) which appears to have been known to be responding to the email server for the WASM forum community which based on additional analysis appear to have been managed and operated and actually owned by Aquila also known as Dmitry (Email: [email protected]; [email protected]; hxxp://dimon.ru).

Related domain registrations for Aquila:

hxxp://symbolographia.com
hxxp://wasm.site
hxxp://posthumanism.info

Related screenshot:

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2026/04/is-aquila-dmitry-from-wasm-forum.html

Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic

Case For An Atmanirbhar Cyber Suraksha Mission

Entry-Level Cyber Workers Are Losing Out to AI

The Next Cyber Threat Isn’t Coming. It’s Waiting

Weekly Intelligence Report – 17 April 2026

‘Anyone with $10 could have walked straight through’: Report warns this legit-looking software is actually antivirus-killing adware

Dangerous Fake Microsoft Windows Update Confirmed—Do Not Download