Tuesday, Jun 10, 2025 // (IG): BB // GITHUB // SN R&D
Spyware Maker Cuts Ties with Italy After Government Refused Audit into Hack of Journalist's Phone
Bottom Line Up Front (BLUF): Israeli spyware manufacturer Paragon has terminated its contracts with Italy after the government refused an independent audit to verify whether its Graphite surveillance tool was used against journalist Francesco Cancellato. This marks the first time a spyware company has publicly acknowledged ending a government contract due to abuse concerns, following a parliamentary investigation that found Italian intelligence services used the technology against civil society activists.
Analyst Comments: This unprecedented public termination of a government spyware contract signals a potential shift in the commercial surveillance industry's accountability and reputation management approach. Paragon's decision to prioritize transparency over revenue suggests growing pressure on spyware vendors to distance themselves from controversial uses of their technology. The Italian government's rejection of an independent audit raises questions about the thoroughness of COPASIR's investigation and whether authorities are genuinely committed to oversight. The targeting of migration rescue activists demonstrates how surveillance tools ostensibly designed for national security are being deployed against civil society organizations engaged in humanitarian work. This case may establish a precedent for other spyware vendors facing similar controversies with government clients.
FROM THE MEDIA: Paragon offered the Italian government and parliament a way to determine whether its Graphite system had been used against journalist Francesco Cancellato, but because Italian authorities chose not to proceed with this solution, the company terminated its contracts in Italy. The Parliamentary Committee for the Security of the Republic found no evidence that the surveillance technology was used against Cancellato, but it acknowledged that Italian intelligence services used Paragon's spyware to target phones belonging to civil society activists, including two men who work for a nonprofit that rescues migrants attempting to enter Italy by sea. Italy's Department of Information for Security rejected Paragon's offer to check system logs, calling them "invasive practices, unverifiable in scope, results, and method, and, therefore, not compliant with national security requirements."
READ THE STORY: The Record
Blocking Stolen Phones from the Cloud Can Be Done, Should Be Done, Won't Be Done
Bottom Line Up Front (BLUF): UK authorities want Apple and Google to extend IMEI blacklisting to cloud services to render stolen phones useless, but both companies are refusing despite the technical feasibility. While current network-based IMEI blocking has gaps allowing stolen phones to be resold internationally, cloud-based blocking would eliminate the resale value and theft incentive by cutting off access to essential services.
Analyst Comments: This resistance reveals the uncomfortable economic reality underlying big tech's approach to crime prevention—stolen phones represent a significant revenue stream through cloud service connections, particularly in developing markets where legitimate devices are unaffordable. Apple's security concerns about IMEI blackmail appear pretextual, while Google's "special bond" argument lacks substance. The real motivation likely mirrors Microsoft's historical tolerance of Windows piracy in emerging markets—ecosystem dominance trumps immediate revenue concerns. The companies also fear that effective blocking could spur the development of alternative cloud services in regions already suspicious of American tech hegemony. This case exemplifies how corporate interests consistently override public safety when cooperation would require sacrificing revenue or market position.
FROM THE MEDIA: All mobile phones have an IMEI that can be blacklisted on cell networks, but enough exceptions exist to provide healthy export markets for stolen devices, while cutting off access to Apple and Google cloud services from stolen devices would make them virtually useless anywhere. Apple says it's OK with the idea in theory but, citing security reasons, claims IMEI blocking would encourage blackmail, while Google argues that "IMEIs are a special bond between carriers and subscribers, and that's the way it has to be." The real reasons include that every device connected to a cloud service means revenue, and the existence of an effective afterlife for stolen phones is equivalent to seeding modern smartphones into places that couldn't afford them otherwise, similar to Microsoft's studied ambivalence towards pirated copies of Windows in poorer markets.
READ THE STORY: The Register
DarkGaboon: Group Uses LockBit Ransomware Variant to Target Russian Companies
Bottom Line Up Front (BLUF): Since 2023, a cybercrime group dubbed DarkGaboon has been systematically targeting Russian organizations across banking, retail, tourism, and public services sectors using leaked LockBit 3.0 ransomware. Operating independently rather than as typical ransomware-as-a-service affiliates, the group conducts Russian-language phishing campaigns and leaves ransom notes in Russian, suggesting domestic or Russian-speaking perpetrators.
Analyst Comments: DarkGaboon's focus on Russian targets represents an unusual pattern in the ransomware landscape, where most groups typically avoid domestic operations or targets within their home countries. The group's use of publicly leaked LockBit 3.0 code, combined with open-source tools like Revenge RAT and XWorm, demonstrates how commoditized ransomware components enable new threat actors to launch sophisticated campaigns while complicating attribution efforts. The consistent targeting of financial sector employees through Russian-language phishing suggests intimate knowledge of local business practices and language nuances, reinforcing the likelihood of domestic actors or those with deep cultural familiarity.
FROM THE MEDIA: A financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian companies in ransomware attacks, first identified by Russian cybersecurity firm Positive Technologies in January, but researchers have traced its operations back to 2023. The group deploys LockBit 3.0 ransomware against victims through phishing emails written in Russian that appear urgent and are usually directed at employees in financial departments, containing malicious attachments disguised as legitimate financial documents. Unlike typical LockBit affiliates operating under the ransomware-as-a-service model, DarkGaboon appears to function independently, leaving behind ransom notes written in Russian with contact email addresses previously linked to attacks on Russian financial institutions between March and April 2023.
READ THE STORY: The Record
Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
Bottom Line Up Front (BLUF): China-nexus threat actors conducted a sophisticated cyber espionage campaign between July 2024 and March 2025, targeting over 70 organizations across the manufacturing, government, finance, telecommunications, and research sectors. The operation, tracked as PurpleHaze and overlapping with APT15 and UNC5174, exploited zero-day vulnerabilities days before public disclosure and involved reconnaissance against cybersecurity firm SentinelOne as part of a broader intelligence collection effort.
Analyst Comments: This campaign demonstrates the sophisticated operational security and strategic patience characteristic of Chinese state-sponsored groups, with coordinated attacks spanning nine months across diverse sectors and geographies. Exploiting CVE-2024-8963 and CVE-2024-8190 before public disclosure indicates advanced threat intelligence capabilities and possible insider knowledge or independent vulnerability research. The use of legitimate tools from The Hacker's Choice represents a concerning evolution in living-off-the-land tactics by state actors. Most significant is the suspected handoff of initial access to other threat actors, suggesting a compartmentalized operation model where specialized teams handle different phases of the attack lifecycle. The targeting of an IT logistics company managing SentinelOne hardware logistics reveals sophisticated supply chain reconnaissance aimed at high-value cybersecurity targets.
FROM THE MEDIA: The attacks have been attributed with high confidence to China-nexus threat actors tied to PurpleHaze, which overlaps with Chinese cyber espionage groups APT15 and UNC5174, targeting manufacturing, government, finance, telecommunications, and research sectors. The threat actor leveraged operational relay box network infrastructure operated from China and exploited CVE-2024-8963 and CVE-2024-8190 vulnerabilities a few days before they were publicly disclosed. Six different activity clusters date back to June 2024 with the compromise of a South Asian government entity, including deployment of ShadowPad malware and Go-based reverse shell tools, with UNC5174 suspected of transferring access to other threat actors after establishing initial footholds.
READ THE STORY: THN
Floppy Disks and Paper Strips Lurk Behind US Air Traffic Control
Bottom Line Up Front (BLUF): The Federal Aviation Administration confirmed during congressional budget hearings that US air traffic control systems still rely on floppy disks and paper strips for critical operations, with modernization plans taking years to implement. A Government Accountability Office report found that 105 of 138 air traffic control systems are problematic, with 40 systems over 30 years old and six systems deployed over 60 years ago.
Analyst Comments: The FAA's admission that modernization will require years while operating parallel old and new systems highlights the complexity of replacing entrenched technology in safety-critical environments. The recent Newark airport outage, caused by a simple copper cable failure, demonstrates how these aging systems create single points of failure with cascading effects across the national airspace. The challenge extends beyond technical replacement, including finding personnel with expertise in maintaining decades-old systems and the enormous costs of running dual systems during transition periods. This situation mirrors broader government IT challenges where the "if it ain't broke, don't fix it" mentality makes technical debt exponentially more expensive to resolve.
FROM THE MEDIA: FAA Administrator Chris Rocheleau confirmed during budget hearings that the agency plans to transition "from a paper-based process to an electronic-based process" and eliminate "floppy disks or paper strips" from air traffic control operations. A GAO report found that 105 of 138 air traffic control systems are either "unsustainable" or "potentially unsustainable," with 40 systems deployed more than 30 years ago and six systems over 60 years old, facing challenges including difficulty finding spare parts and limited technical staff with expertise in repairing aging systems. The modernization plan involves switching from copper wire telephone lines to fiber optic cables and upgrading radar and facility systems, but Rocheleau admitted the transition would take considerable time, with the agency only recently issuing requests for information from companies about potential solutions.
READ THE STORY: The Register
Skitnet Malware Actively Adopted by Ransomware Gangs to Enhance Operational Efficiency
Bottom Line Up Front (BLUF): Skitnet malware, also known as Bossnet, has become a critical tool for ransomware gangs in 2025, with notable groups like Black Basta and Cactus leveraging its stealth capabilities and modular design. The malware's surge in adoption followed law enforcement disruptions in 2024 that dismantled major botnets, creating a void that Skitnet filled with its affordability and advanced evasion techniques.
Analyst Comments: Its technical sophistication—featuring Rust-based loaders, ChaCha20 encryption, DNS-based command-and-control, and "living-off-the-land" tactics—demonstrates how modern malware is explicitly designed to evade detection by traditional security tools. The timing of its popularity surge correlates directly with Operation Endgame's success in disrupting established botnets, highlighting how law enforcement victories can inadvertently create market opportunities for new threats. The malware's extensive use of legitimate tools like PowerShell and AnyDesk reflects the broader trend of ransomware groups blending into regular network traffic to avoid detection.
FROM THE MEDIA: The malware emerged following the May 2024 Operation Endgame that dismantled major botnets like QakBot and IcedID. First advertised on underground forums in April 2024, it uses sophisticated evasion techniques, including in-memory execution and DNS-based communication, to avoid detection. Organizations must adopt advanced defenses, including DNS traffic monitoring and behavior-based EDR solutions, to combat this evolving threat.
READ THE STORY: GBhackers
Brett Leatherman to Follow Bryan Vorndran as Head of FBI Cyber Division
Bottom Line Up Front (BLUF): FBI Director Kash Patel has selected Brett Leatherman, a career FBI official with over two decades of cybersecurity experience, to head the bureau's Cyber Division following Bryan Vorndran's retirement. The transition maintains continuity in the FBI's aggressive approach to disrupting cybercrime operations while Vorndran moves to Microsoft as deputy CISO for global supply chain cybersecurity.
Analyst Comments: Leatherman's appointment signals continuity in the FBI's evolved cyber strategy that moved beyond traditional indictment-focused approaches to encompass infrastructure disruption, victim outreach, and ecosystem erosion tactics. His background managing sophisticated criminal and state-sponsored cyber groups and his leadership of the National Cyber Investigative Joint Task Force positions him well to maintain the division's "partnership-focused and victim-centric" philosophy. The timing coincides with escalating nation-state threats, particularly from China, making his prior experience with state-affiliated cyberthreats crucial. Vorndran's move to Microsoft demonstrates the growing private-public sector talent exchange in cybersecurity leadership.
FROM THE MEDIA: As deputy assistant director for cyber operations, Leatherman managed teams handling sophisticated criminal and state-sponsored cyber groups while also serving as director of the National Cyber Investigative Joint Task Force. Vorndran, credited with making the FBI more aggressive in disrupting malicious hackers and cybercrime gangs, expanded the bureau's anti-cybercrime tactics beyond the indictment-and-arrest approach to include incident response, infrastructure dismantling, and ransomware payment recovery.
READ THE STORY: The Record
OpenAI Bans ChatGPT Accounts Used by Russian, Iranian, and Chinese Hacker Groups
Bottom Line Up Front (BLUF): OpenAI has banned ChatGPT accounts operated by Russian, Chinese, and Iranian threat actors who used the AI platform to develop malware, automate social media campaigns, and research sensitive technologies. The activities included a Russian group creating Go-based malware called ScopeCreep, Chinese APT5 and APT15 groups developing exploitation tools and brute-force scripts, and multiple influence operations generating polarized content across social platforms.
Analyst Comments: The Russian ScopeCreep campaign demonstrates AI's effectiveness in malware development and debugging, while Chinese groups leveraged ChatGPT for both technical development and large-scale influence operations. The diversity of malicious uses—from credential harvesting malware to social media manipulation—highlights AI's dual-use nature as both a defensive and offensive cyber tool. The operational security evolution is most concerning, with threat actors adapting their tradecraft to incorporate AI while maintaining anonymity through temporary accounts and careful usage patterns.
FROM THE MEDIA: Chinese groups APT5 and APT15 used ChatGPT to work on brute-force scripts for FTP servers, research large-language model automation for penetration testing, and develop code to manage Android device fleets for social media manipulation. Multiple influence operations generated bulk social media content, including Operation Uncle Spam creating polarized U.S. political content, Operation Helgoland Bite producing Russian-language content about German elections, and Storm-2035 generating pro-Iranian content across multiple platforms.
READ THE STORY: THN
Bitter Malware Employs Custom-Built Tools to Evade Detection in Advanced Attacks
Bottom Line Up Front (BLUF): The Bitter group (TA397), believed to be a state-backed actor aligned with Indian government interests, has evolved its malware arsenal over eight years from basic downloaders to sophisticated Remote Access Trojans and backdoors. Recent analysis reveals their latest tools, including MiyaRAT v5.0 discovered in May 2025, employ advanced encryption methods and obfuscation techniques that render traditional signature-based detection ineffective.
Analyst Comments: The group's eight-year evolution demonstrates systematic operational security and technical sophistication advancements, moving from simple character-based encoding to AES-256-CBC encryption and complex obfuscation strategies. Their consistent development patterns across malware families suggest a unified, well-resourced development team with institutional knowledge retention. The strategic focus on payload delivery efficiency over complex anti-analysis techniques indicates operational maturity and understanding of defensive countermeasures. Most concerning is their ability to iteratively update tools like MiyaRAT to evade detection rules, highlighting the challenges defenders face against persistent, state-backed threat actors who can invest in long-term capability development.
FROM THE MEDIA: Active since 2016, Bitter has transformed operations from deploying rudimentary downloaders to orchestrating sophisticated Remote Access Trojans and backdoors, with their infection chain prioritizing payload delivery during hands-on activities over complex anti-analysis techniques. Their malware demonstrates progression from basic encoding methods like character addition in early tools to advanced XOR and AES-256-CBC encryption in later families, with MiyaRAT's latest v5.0 variant introducing modified string decryption and C2 communication encryption that renders signature-based detection increasingly challenging. The group's standardized reconnaissance pattern, collecting computer name, username, and OS details across almost all payloads, underscores a methodical approach to victim profiling.
READ THE STORY: GBhackers
CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog
Bottom Line Up Front (BLUF): CISA has added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation: a maximum-severity flaw in Erlang/OTP SSH (CVE-2025-32433) enabling unauthenticated remote code execution, and a cross-site scripting vulnerability in Roundcube Webmail (CVE-2024-42009) allowing email theft. Federal agencies must patch these vulnerabilities by June 30, 2025, while a separate unpatched WordPress plugin vulnerability affects over 5,000 sites.
Analyst Comments: Including these vulnerabilities in CISA's KEV catalog signals confirmed active exploitation in the wild, making them high-priority targets for threat actors. The Erlang SSH vulnerability's maximum CVSS score of 10.0 reflects its severity, allowing complete system compromise without authentication. The connection between Roundcube XSS exploitation and previous APT28 campaigns targeting Eastern European entities suggests that nation-state actors continue leveraging webmail vulnerabilities for intelligence gathering. The rapid release of proof-of-concept exploits for the Erlang flaw increases the risk of widespread exploitation. The WordPress PayU plugin vulnerability demonstrates how e-commerce platforms remain attractive targets, with hard-coded credentials creating easily exploitable attack vectors.
FROM THE MEDIA: CVE-2025-32433 is a missing authentication vulnerability in the Erlang/OTP SSH server with a CVSS score of 10.0 that could allow an attacker to execute arbitrary commands without valid credentials, while CVE-2024-42009 is a cross-site scripting vulnerability in RoundCube Webmail with a CVSS score of 9.3 that could allow a remote attacker to steal and send emails via a crafted email message. According to Censys data, there are 340 exposed Erlang servers, and the release of several proof-of-concept exploits has quickly followed the public disclosure. An unpatched account takeover vulnerability in the PayU CommercePro WordPress plugin affects versions 3.8.5 and before, with over 5,000 active installations.
READ THE STORY: THN
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
Bottom Line Up Front (BLUF): A coordinated supply chain attack compromised over a dozen GlueStack packages on npm with nearly 1 million weekly downloads, deploying malware capable of remote code execution, file theft, and system control. Separate malicious packages on both npm and PyPI have been discovered with destructive wiper capabilities and credential harvesting functions, indicating an escalation in supply chain threats beyond traditional cryptocurrency mining to include system sabotage.
Analyst Comments: This multi-vector campaign demonstrates the maturation of supply chain attacks, with threat actors now deploying diverse payloads ranging from remote access trojans to destructive wipers and credential harvesters. The similarity between the GlueStack compromise and previous npm attacks suggests organized threat actors systematically target popular package ecosystems. The emergence of wiper malware represents a concerning shift from financially motivated attacks to potential sabotage operations. At the same time, the credential harvesting tools indicate a continued focus on social media platforms as attack vectors.
FROM THE MEDIA: The malware was introduced via a change to "lib/commonjs/index.js," allowing attackers to run shell commands, take screenshots, and upload files to infected machines, with these packages collectively accounting for nearly 1 million weekly downloads. Socket discovered two rogue npm packages that masquerade as legitimate utilities but implant wipers capable of deleting entire application directories using commands like "rm -rf *" for Linux and "rd /s /q ." for Windows. A Python-based credential harvester on PyPI claims to be an Instagram growth tool, but it prompts users for credentials and broadcasts them to ten different third-party bot services while implementing a remote kill switch through a Netlify-hosted control file.
READ THE STORY: The Record
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
Bottom Line Up Front (BLUF): Two different Mirai botnet variants actively exploit CVE-2025-24016, a critical remote code execution vulnerability in Wazuh servers, within weeks of public disclosure in February 2025. The attacks demonstrate increasingly shrinking time-to-exploit timelines, with one botnet deploying LZRD Mirai variants and another spreading Resbot malware targeting Italian-speaking users through infrastructure with Italian nomenclature.
Analyst Comments: The involvement of two distinct threat groups targeting the same vulnerability indicates widespread adoption of the exploit across the cybercriminal ecosystem. The use of established Mirai variants like LZRD and Resbot demonstrates how mature botnet families continue evolving through modular reuse of existing code bases. The geographic targeting patterns, particularly the Italian-focused Resbot campaign, suggest botnet operators are increasingly tailoring their infrastructure and naming conventions for specific regions. The vulnerability's root cause in unsafe JSON deserialization highlights ongoing challenges with secure API development practices.
FROM THE MEDIA: CVE-2025-24016 is an unsafe deserialization vulnerability with a CVSS score of 9.9 that affects all versions of Wazuh server software from 4.4.0 and above, allowing threat actors to weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely. The first botnet serves as a downloader for LZRD Mirai variants from external servers, while the second botnet employs a similar strategy to deliver Resbot malware using domains with Italian nomenclature, potentially targeting Italian-speaking users. The two attacks were registered in early March and May 2025, demonstrating the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs.
READ THE STORY: THN
Google Vulnerability Allowed Hackers to Access User Phone Numbers
Bottom Line Up Front (BLUF): A critical vulnerability in Google's account recovery system enabled attackers to brute-force and obtain phone numbers of any Google user by exploiting a legacy form that functioned without JavaScript. The attack achieved approximately 40,000 verification attempts per second using IPv6 rotation. It required only 20 minutes to crack U.S. phone numbers, prompting Google to award $5,000 and fully deprecate the vulnerable endpoint by June 2025.
Analyst Comments: The researcher's ability to circumvent rate limiting through IPv6 address rotation highlights the challenge defenders face when dealing with the vast IPv6 address space. The attack's effectiveness varied dramatically by country due to phone number formatting differences, creating unequal risk exposure for users globally. Most concerning is the attack's undetectable nature and lack of prerequisites beyond obtaining a user's display name, which could be leaked through seemingly unrelated services like Google Looker Studio. The vulnerability underscores the importance of comprehensive security reviews when maintaining backward compatibility features.
FROM THE MEDIA: The vulnerability exploited Google's username recovery form that continued to function without JavaScript, bypassing modern security protections and enabling systematic phone number enumeration attacks using IPv6 address rotation to exploit the vast address space provided by /64 IP ranges. The attack required obtaining the target's Google account display name through Google's Looker Studio and using masked phone number hints from the forgot password flow, then systematically brute-forcing phone numbers with a custom tool, achieving approximately 40,000 verification attempts per second. Google initially awarded the researcher $1,337 but increased the reward to $5,000 after an appeal, implementing immediate mitigations and completely deprecating the No-JavaScript username recovery form by June 2025.
READ THE STORY: GBhackers
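A defensive sketch of the rate-limiting gap in the Google story above, added here as an example and not code from Google, the researcher, or the cited article: a limiter keyed on the exact source address is defeated by rotating addresses inside one /64, while a limiter keyed on the /64 prefix is not. The limit, window, and the 2001:db8:: documentation addresses are constructed assumptions.

```python
"""Rate limiting keyed on network prefix rather than exact source address."""
import ipaddress
from collections import defaultdict, deque

V6_PREFIX = 64  # assumption: a single client commonly controls an entire /64


def bucket_key(addr: str, v6_prefix: int = V6_PREFIX) -> str:
    """Map a source address to the bucket its requests are counted against."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is counted as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # Collapse every address in the same IPv6 prefix into one bucket.
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class SlidingWindowLimiter:
    """Allow at most `limit` requests per bucket within `window_s` seconds."""

    def __init__(self, limit: int, window_s: float, key_fn):
        self.limit = limit
        self.window_s = window_s
        self.key_fn = key_fn
        self.hits = defaultdict(deque)

    def allow(self, addr: str, now: float) -> bool:
        q = self.hits[self.key_fn(addr)]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rotating_sources(n: int, prefix: str = "2001:db8:aa:1::/64") -> list:
    """Constructed sample: n distinct addresses drawn from a single /64."""
    base = int(ipaddress.ip_network(prefix).network_address)
    return [str(ipaddress.IPv6Address(base + i + 1)) for i in range(n)]


def count_allowed(limiter: SlidingWindowLimiter, sources: list) -> int:
    """Replay one request per source, 1 ms apart, and count how many pass."""
    return sum(limiter.allow(src, now=i / 1000) for i, src in enumerate(sources))


def run_demo() -> dict:
    sources = rotating_sources(1000)
    per_address = SlidingWindowLimiter(5, 60, key_fn=lambda a: a)
    per_prefix = SlidingWindowLimiter(5, 60, key_fn=bucket_key)
    result = {
        "per_address_allowed": count_allowed(per_address, sources),
        "per_prefix_allowed": count_allowed(per_prefix, sources),
    }
    # An unrelated client in a different /64 is not affected by the block.
    result["other_client_allowed"] = per_prefix.allow("2001:db8:bb:2::10", now=1.0)
    # The rotating prefix is admitted again once the window has elapsed.
    result["after_window_allowed"] = per_prefix.allow(sources[0], now=61.0)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Passing a shorter `v6_prefix` such as 56 or 48 to `bucket_key` aggregates clients that hold a larger allocation, at the cost of more shared-fate blocking.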
Items of interest
Major Food Wholesaler Says Cyberattack Impacting Distribution Systems
Bottom Line Up Front (BLUF): United Natural Foods, the largest health and specialty food distributor in North America and leading supplier for Whole Foods, suffered a cyberattack on June 5 that has disrupted operations and customer order fulfillment. The company took systems offline after discovering unauthorized activity, implementing workarounds where possible while working with law enforcement and cybersecurity firms to restore operations.
Analyst Comments: The timing and operational impact suggest this could be a ransomware attack, though the company has not disclosed specific details about the threat actors or methods used. United Natural Foods' role as Whole Foods' primary supplier and its $8.2 billion quarterly revenue make this a strategically significant target that could affect grocery availability across numerous retail chains. The company's quick decision to take systems offline demonstrates improved incident response practices learned from previous food sector attacks. However, the ongoing operational disruptions highlight the vulnerability of just-in-time food distribution networks to cyber threats.
FROM THE MEDIA: United Natural Foods identified unauthorized activity on its systems on June 5, prompting officials to take systems offline, temporarily impacting the company's ability to fulfill and distribute customer orders. The Rhode Island-based company is the leading supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada, reporting $8.2 billion in net sales last quarter. The incident follows multiple high-profile disruptions in the food sector in the previous four years, including recent attacks on large suppliers and supermarket chains in the U.K., and a massive cyberattack on Dutch conglomerate Ahold Delhaize USA that affected hundreds of U.S. stores ahead of Thanksgiving last year.
READ THE STORY: The Record
UNFI Cyberattack Disrupts Food Supply Chains Amid Stock Plunge (Video)
FROM THE MEDIA: A major cyberattack has crippled United Natural Foods (UNFI), North America’s largest wholesale food distributor, disrupting operations across 30,000 locations and causing an 8.6% stock plunge. With 53 distribution centers, 28,000 employees, and key partnerships like Amazon’s Whole Foods, UNFI’s paralysis ripples through the retail and grocery sectors. Employees and customers report canceled shifts, product shortages, and delayed deliveries. The incident raises serious concerns about ransomware threats to supply chains under President Trump’s economic agenda. As UNFI scrambles to recover, this breach spotlights growing digital vulnerabilities in critical infrastructure.
Whole Foods Distributor Hit by Apparent Cyberattack | Supply Chain Disruption Alert (Video)
FROM THE MEDIA: A major distributor for Whole Foods Market has reportedly suffered a cyberattack, raising concerns over potential disruptions in the grocery supply chain. This incident highlights the growing threat of cybercrime targeting food distributors and critical infrastructure.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.