Who is Mister Spy? ☠️
Mister Spy’s Origin
Mister Spy started out defacing websites in the late 2010s, and between 2019 and 2022 they claimed an impressive ~19,000 defacements, as seen on their Zone-H profile.
Their associated GitHub profile, MisterSpyX, even boasts their high ranking on Zone-H:
Oftentimes, when such a large number of defacements is attained, it is done through the use of hacking tools that help automate the discovery and exploitation process.
Mister Spy Bot
Mister Spy Bot is a website exploitation attack tool created by Mister Spy and written in Python. Mister-Spy-V7 is the last known version of this attack tool and is available on MisterSpyX’s own GitHub repository.
How It Works
Mister Spy Bot helps malicious users obtain unauthorized access to target websites by automating the exploitation of known CMS (mostly Joomla and WP) theme or plugin vulnerabilities.
The tool locally stores exploits and other code in multiple subdirectories that are called by the main.py script. In total there are over 25 separate Python files that can be run by main.py depending on what function the user selects. These allow for modularity and make it easier for additional functions to be added to the tool.
We can also see functions dedicated to providing data to the Olux marketplace, which sells access to hacked websites, email accounts, and other compromised resources.
A successor to this style of attack tool, FoxAuto by Anonymous Fox, improves upon it by consolidating the code into one Python file and utilizing heavy obfuscation of its Python code.
Mister Spy = Moetaz Brayek
How do we know that Moetaz Brayek is Mister Spy?
Well, surprisingly, Moetaz Brayek does nothing to hide the fact that they are linked to the Mister Spy alias.
We can see it clearly on his personal Facebook page:
And for some reason, he even puts the MisterSpyX GitHub on his resume.
Oftentimes I see malicious hackers that will claim one or more of the following as their job roles:
- full stack developer
- security researcher
- pen tester
- programmer
Moetaz Brayek has all four of these roles mentioned across his personal GitHub and resume 😂😂😂
Additionally, Moetaz Brayek likes to use this specific quote on profile pages:
“I’m currently learning how to earn money by sleeping”
This, of course, makes it easy to find his other GitHub profiles that are using the same quote and are involved with similar Python and PHP malware.
During my writing of this post, Moetaz Brayek seems to have gone into damage control and has taken down his own Facebook page and also scrubbed the social media links from his GitHub profile: