Saw @censys' awesome blog about Colombian C2 servers (https://censys.com/blog/unmasking-the-infrastructure-of-a-spearphishing-campaign) and thought I'd do a quick OSINT walkthrough.

Thread below !

(0/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel


One of the best indicators Censys found for attribution is the email address accidentally left in a git commit:

% git log
commit fa480e80bc5b9e154fad138ef47191032e7ba4dd (HEAD -> main, origin/main, origin/HEAD)
Author: Shadow GRT <[email protected]>
Date: Wed May 7 15:51:15 2025 +0000

Given this is a Gmail address, the first tool we should immediately use is GHunt (https://github.com/mxrch/GHunt)

(1/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

The GHunt output provides us with a few good leads. First, it confirms that it's a valid Gmail account. Second, it provides links to the TA's Google Maps reviews.

grey@thruntmachine:~$ ghunt email [email protected]

By: mxrch (🐦 @mxrchreborn)
Support my work on GitHub Sponsors ! 💖

> GHunt 2.3.3 (🕷 Spider Edition) <

🎉 You are up to date !

[+] Stored session loaded !
[+] Authenticated !

🙋 Google Account data

[+] Custom profile picture !
=> https://lh3.googleusercontent.com/a-/ALV-UjVyN5P4R9BhUF4W6b8P-zSsuy32A0AsMRd2P9G3VeMGM3JE4HAj

[-] Default cover picture

Last profile edit : 2025/05/05 09:34:18 (UTC)

Email : [email protected]
Gaia ID : 112604768676644210605

User types :
- GOOGLE_USER (The user is a Google user.)

📞 Google Chat Extended Data

Entity Type : PERSON
Customer ID : Not found.

๐ŸŒ Google Plus Extended Data

Entreprise User : False

🎮 Play Games data

[+] New token for playgames has been generated

[-] No player profile found.

🗺 Maps data

Profile page : https://www.google.com/maps/contrib/112604768676644210605/reviews

[Statistics]
Ratings : 6

[-] Reviews are private.

🗓 Calendar data

[-] No public Google Calendar.

(2/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

Taking a look at their Maps data (https://www.google.com/maps/contrib/112604768676644210605/reviews), we can confirm they spent time in Colombia within the past 3-6 years. We also see the username mentioned in the Censys report, "Shadow GRT".

Let's pivot off of ShadowGRT and find those other accounts mentioned by Censys.

(3/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

Pivoting to YouTube first, we find https://www.youtube.com/c/ShadowGRT. This fits Censys's reporting of Minecraft videos.

I always immediately check the other profile links to find other accounts:

https://twitter.com/GermanRaul10

https://plus.google.com/112604768676644210605?hl=es

https://instagram.com/german_t01

https://twitch.tv/shadowgrt

(4/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

Pivoting to the Twitter account (archived here: https://archive.is/50Q3U#selection-735.0-735.13), we see more location details: Putumayo, Colombia. This is within a short distance of the Google Maps reviews in Meta, Colombia, helping us correlate the geolocation of this person.

We also get a hint at what may be their real name or pseudonym: "German Raul".

(5/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

Looking back at the YouTube account (archived here: https://archive.is/n9xEA#selection-3587.416-3611.0), we see additional social account details in the description of a recent video:

My socials:
Twitter: https://twitter.com/GermanRaul10

Instagram: https://www.instagram.com/german_t01/

Email: [email protected]
Skype: ShaDow Grt
Discord: ShaDowGRT #4582

This also confirms that the Gmail account originally seen in the git commit is indeed related to this person.

(6/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel

GitHub - sherlock-project/sherlock: Hunt down social media accounts by username across social networks


Finally had some more free time. Ran the data we have so far through leaked databases and the results confirm our previous OSINT.

-GameSprite
Email: [email protected]
Password: 14389e232e2da8a35e45a34dae245407
Registration: 2017-05-29 19:09:11
Salt: 78d2c0
IP: 191.102.75.226
Nick: ShadowGRT

-SoarGames
Email: [email protected]
Password: a00080f376b0e18de43185e4a66259d2
Registration: 2018-05-19 19:49:16
Salt: c97dcf
IP: 152.231.29.35
Nick: Shadowgrt

-Canva
Email: [email protected]
Registration: 2017-11-27 20:13:29
Language: es-CO
Nick: shadowgamer5628

-Wattpad
Email: [email protected]
Registration: 2017-10-23 02:52:20
Full name: Shadow GRT
Nick: ShadowGRT
Country: CO

(8/???)

#OSINT #OPSECFAIL #CTI #ThreatIntel