Mister Spy’s Origin
Mister Spy started out defacing websites in the late 2010s, and between 2019 and 2022 they claimed an impressive ~19,000 defacements, as seen on their Zone-H profile.
Their associated GitHub profile, MisterSpyX, even boasts their high ranking on Zone-H:
Oftentimes, when such a large number of defacements is attained, it is done through the use of hacking tools that help automate the discovery and exploitation process.
Mister Spy Bot
Mister Spy Bot is a website exploitation attack tool created by Mister Spy and written in Python.
Mister-Spy-V7 is the last known version of this attack tool and is available on MisterSpyX’s own GitHub repository.
How It Works
Mister Spy Bot helps malicious users obtain unauthorized access to target websites by automating the exploitation of known CMS (mostly Joomla and WP) theme or plugin vulnerabilities.
The tool locally stores exploits and other code in multiple subdirectories that are called by the main.py script. In total there are over 25 separate Python files that can be run by main.py depending on what function the user selects. These allow for modularity and make it easier for additional functions to be added to the tool.
We can also see functions dedicated to providing data to the Olux marketplace, which sells access to hacked websites, email accounts, and other compromised resources.
A successor to this style of attack tool, FoxAuto by Anonymous Fox, improves upon it by consolidating the code into one Python file and utilizes heavy obfuscation of its Python code.
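For defenders, automated probing of CMS theme and plugin paths like that described above can be looked for in web server access logs. The following is an added example, not code from Mister Spy Bot or the original post; it assumes the requests hit the standard WordPress and Joomla extension paths, and the log lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "GET /wp-content/themes/theme-b/style.css HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2023:10:00:02 +0000] "GET /components/com_example/index.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2023:10:00:02 +0000] "GET /index.php?option=com_sample HTTP/1.1" 200 5120
192.0.2.55 - - [10/Mar/2023:10:05:10 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 153
192.0.2.55 - - [10/Mar/2023:10:05:10 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 153
192.0.2.55 - - [10/Mar/2023:10:05:11 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 403 153
198.51.100.20 - - [10/Mar/2023:10:07:00 +0000] "GET /wp-content/themes/site-theme/style.css HTTP/1.1" 200 9000
198.51.100.20 - - [10/Mar/2023:10:07:01 +0000] "GET /wp-content/plugins/forms/form.js HTTP/1.1" 200 700
'''.splitlines()

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Standard extension locations for the two CMS families the post names.
TARGETS = [
    ("wordpress", re.compile(r"/wp-content/(?:plugins|themes)/([^/?]+)")),
    ("joomla", re.compile(r"/components/(com_[^/?]+)")),
    ("joomla", re.compile(r"[?&]option=(com_\w+)")),
]

def find_cms_probers(lines, min_components=3, min_miss_ratio=0.5):
    """Return {ip: report} for clients that enumerate many CMS extensions."""
    seen = defaultdict(lambda: {"components": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, url, status = m.group(1), m.group(2), int(m.group(3))
        for family, pattern in TARGETS:
            t = pattern.search(url)
            if t:
                seen[ip]["components"].add((family, t.group(1).lower()))
                seen[ip]["hits"] += 1
                seen[ip]["misses"] += status in (403, 404)
                break
    flagged = {}
    for ip, rec in seen.items():
        families = {family for family, _ in rec["components"]}
        ratio = rec["misses"] / rec["hits"]
        # A site runs one CMS, so touching both families means blind enumeration.
        broad = len(rec["components"]) >= min_components and ratio >= min_miss_ratio
        if len(families) > 1 or broad:
            flagged[ip] = {"components": len(rec["components"]),
                           "families": sorted(families), "miss_ratio": round(ratio, 2)}
    return flagged
```

On the constructed sample, the two probing clients are flagged and the ordinary visitor, whose extension requests all succeed, is not.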
Mister Spy = Moetaz Brayek
How do we know that Moetaz Brayek is
Moetaz Brayek does nothing to hide the fact that they are linked to the Mister Spy alias.
We can see it clearly on his personal Facebook page:
Oftentimes I see malicious hackers that will claim one, or more, of the following as their job roles:
- full stack developer
- security researcher
- pen tester
Moetaz Brayek likes to use this specific quote on profile pages:
“I’m currently learning how to earn money by sleeping”
This, of course, makes it easy to find his other GitHub profiles that are using the same quote and are involved with similar Python and PHP malware.
During my writing of this post, Moetaz Brayek seems to have gone into damage control and has taken down his own Facebook page and also scrubbed the social media links from his GitHub profile: