The 969 connection

During our research we also looked into the connections between the Blink Hacker Group and the Islamophobic 969 movement in Myanmar. A revealing exchange of messages took place during the last weekend of January 2016.
The website that hosts the official material released by Wirathu, a Burmese Buddhist monk and the spiritual leader of the anti-Muslim movement in Myanmar, was defaced on Friday evening.

Thet Wai Phyo (Gtone) once again acts as spokesman and coordinator of Blink Hacker Group and sends a message to what he believes is the hosting provider:

The son of bitch kalar, Aung Nat has hacked Ven Wirathu website.
When Blink Hacker Group has tried to fix it, they found the site is hosted in a lousy "Planet Creator" hosting. Although you have been in the IT field for long now, you have not improved your skills.

The attacker pretends to be like a "white hacker" or "pentester", you know this when you see the site status. 

Soon all the sites that share the same hosting will be gone [N.T. he includes a Bing link to discover those sites]

Before you get shamed, Planet Creator are you going to fix this yourself or BHG will do it?
Fucking Server!!!

Here are the details of the backdoor shell installed

Gtone trying to get the Wirathu website fixed with the help of BHG and the hoster.


Thet Wai Phyo refers to the attacker as “Aung Nat”, a derogatory reference to “Aung Lat”, the member of the Myanmar Muslim Cyber Force (MMCF) behind the attacks.

What is interesting about the message exchange is that Thet Wai Phyo seems to have unique details of the defacement, since he includes at the end of the message what seems to be part of the code of the Dhanush Shell backdoor.

Min Aung, who is responsible for the Planet Creator hosting provider (now Word Wide Myanmar WWM Co. Ltd), answers the message, shifting responsibility to another hosting provider, Shwe Hosting (Netscriper Co. Ltd).

On the 2nd of February 2016, the website was back online.