Finding a Good Man: Part 2

Read Finding a Good Man (Part 1):

Read the last update on Good Man:

It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was Furthermore, one of the registrant names used during this operation was “good man”.

Goodmandilaltain, possibly written as “good man di laltain” (I’m really not sure), was a fable (mainly from North-West India or East Pakistan) during British rule, known as the “good man’s lantern”. The fable was about a blind man who carried a lantern (“laltain” or “laaltain” in Hindi) as he walked through the forest. “People looked at him bemused as he’d walk by every night, realizing he couldn’t benefit from the light he was carrying. When approached and asked why, the blind man responded: ‘The lantern is for others to see in darkness. It is for those who otherwise, would be lost.’”

The first domain ever to be registered to was This domain was registered back on January 28th, 2014, and it is no longer active. I am not sure what it was used for, but “” almost sounds like some sort of PayPal phishing site. The registrant name of that domain was “jnnnnn man”, not “good man”. I couldn’t locate any cached images for

The second domain registered to was It was registered on January 30th, 2014, two days after they registered It too was registered under the name “jnnnnn man”. Archived pages from were inconclusive.

The third domain registered to was (registered on February 3rd, 2016). It was during this domain registration that one of the actors behind the Good Man campaign used their real information (OPSEC fail). Here is the public Whois information for

Attribute Value
Registrar, LLC (R171-LRMS)
Name Ali Hassan
Street Okara|07714435691
City Okara
State Punjab
Postal 54000
Country Pakistan
Phone 927714435691

We can see from the public Whois information that an “Ali Hassan” from Pakistan is the registrant. We also have a phone number from Pakistan: 92 + 7714435691. was the only domain found to be using that phone number. I couldn’t find any archived pages for this domain either.

The fourth domain registered to was an illegal carding forum called (no longer resolving). Below is the Whois information for

Attribute Value
WHOIS Server
Registrar PDR Ltd. d/b/a
Name good man
Organization non
Street 343 Sharwood Drive,,Naples,FL
City Naples
State FL
Postal 34110
Phone 92923467486896

We can see from this Whois information that the name being used is “good man” and the email is The phone number used for this registration was 92 + 923467486896.

Looking at archived images for this site shows that there was a moderator called “sixer”:

[Image: Archived image of cpro dot pw]

Image taken from on October 24th, 2016, showing Sixer and RajuRockett selling dumps of stolen data, including credit card information.

Below is an image of Sixer actively looking to buy “shells cpanel’s with high traffic”.

[Image: vendor post]

This isn’t just a coincidence. The user Sixer (on is more than likely the owner of and the registrant behind the Good Man domains, including the aptly named It could be Ali Hassan or it could be one of his partners.

Also, the author of Terror EK (AKA Neptune EK and Blaze EK) has informed me that might have been the person who purchased his EK:

[Image: sixer exploit im]

Terror EK was then rebranded by the new owner as Eris EK.

Checking Facebook for any accounts tied to returns an account called “Sixer SA”:


This establishes a clear link between Sixer on, the domain and the email address

Something else to consider… Sixer is the name of a popular cricket team in Sydney, Australia. Maybe “Sixer SA” stands for Sixer Sydney, Australia? I do know that cricket is a very popular sport in Pakistan and India. Also, I have reason to believe that one of his friends on Facebook is from Pakistan and is currently going to college in Australia.

Additionally, one of the Good Man domains is called (registered on 10/10/16). For those of you that don’t know, .CC is the TLD for Cocos (Keeling) Islands, an Australian territory.

Further examination of Sixer SA’s Facebook profile shows that they are Pakistani and friends with an “Ali Hassan Maneka” (remember that “Ali Hassan” is the name used to register some of the Good Man domains):

[Image: Sixer FB Account 1]

Sixer SA’s Facebook profile from May 1st, 2017.

Sixer SA only had one photo on their Facebook account. That photo is of a family member with the last name “Maneka”.

[Image: Ali Hassan Maneka FB]

Ali Hassan Maneka’s Facebook profile from May 1st, 2017. He lives in Lahore, Pakistan, and went to DPS College Okara.

Ali briefly deactivated his Facebook account during the weeks when all the Good Man domains were taken offline. He has since reactivated his Facebook account, which you can find HERE.

Sixer SA’s Facebook profile also shows that he is following a couple of people:

[Image: Sixer following Malik]

Checking other popular social media sites, I was also able to locate his Twitter account at @AliHasanManeka:

[Image: Twitter Ali Hassan]

Ali Hassan Maneka’s Twitter profile from May 1st, 2017.

His Twitter account is using the email address and a phone number ending in “96”:

The phone number registered to many of the Good Man domains also ends with a “96” (92923467486896).

Domains registered to that phone number include:

Domains Email Registered 4/18/2017 4/3/2017 4/3/2017 4/3/2017 4/3/2017 4/3/2017 4/3/2017 3/31/2017 3/29/2017 3/24/2017 2/22/2017 1/20/2017 1/17/2017 12/2/2016 11/12/2016 11/11/2016 11/8/2016 8/15/2016 4/3/2016 3/28/2016 7/1/2015
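The registrant pivot used throughout this post (domains tied together by a shared Whois email or phone number), sketched as an added Python example; it is not the author's tooling. Every domain, email and phone number below is a constructed placeholder, and the privacy-marker strings are assumptions. Records whose Whois is privacy protected drop out of the clustering, which is why such domains need other evidence to be tied in.

```python
from collections import defaultdict

# Constructed WHOIS records: every domain, email and phone is a placeholder.
RECORDS = [
    {"domain": "shop-one.example", "name": "name one",
     "email": "registrant@example.test", "phone": "+92.5550100001"},
    {"domain": "shop-two.example", "name": "name two",
     "email": "Registrant@Example.test", "phone": "92 5550100002"},
    {"domain": "shop-three.example", "name": "name two",
     "email": "other@example.test", "phone": "+92-5550100002"},
    {"domain": "hidden.example", "name": "Redacted for Privacy",
     "email": "abc123@privacy-proxy.example", "phone": ""},
    {"domain": "lone.example", "name": "someone else",
     "email": "unrelated@example.test", "phone": "+1.5550100099"},
]
PRIVACY_MARKERS = ("privacy", "redacted", "proxy")  # assumed marker strings

def pivot_keys(rec):
    """Normalized email/phone pivots; empty set if the record is privacy protected."""
    blob = f"{rec.get('name', '')} {rec.get('email', '')}".lower()
    if any(marker in blob for marker in PRIVACY_MARKERS):
        return set()
    keys = set()
    if rec.get("email"):
        keys.add(("email", rec["email"].strip().lower()))
    digits = "".join(ch for ch in rec.get("phone", "") if ch.isdigit())
    if digits:
        keys.add(("phone", digits))
    return keys

def cluster(records):
    """Union-find over domains and pivots: a shared value links records transitively."""
    parent = {}
    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node
    unlinked = []
    for rec in records:
        keys = pivot_keys(rec)
        if not keys:
            unlinked.append(rec["domain"])  # WHOIS alone cannot place this one
        for key in keys:
            parent[find(("domain", rec["domain"]))] = find(key)
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "domain":
            groups[find(node)].add(node[1])
    return sorted(sorted(g) for g in groups.values()), unlinked

if __name__ == "__main__":
    print(cluster(RECORDS))
```

The registrant name is deliberately not used as a pivot: in the sample, as in the post, the name changes between registrations while the email or phone number stays the same.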

His first tweet was on October 30th, 2016:

[Image: First tweet]

Below are some more images taken from his Twitter account:

Doing some digging into his Twitter acquaintances shows an interesting account called @BanjoDon3.


Looking at @BanjoDon3’s Twitter feed we can see they have posted a total of 19 times, all on November 28th, 2016, and all about anyfucks[.]biz/1:

BanjoDon3 is registered to and the registrant name is “good man”. It was also being used to host their Keitaro TDS server (among other things) and was responsible for redirecting victims to exploit kits. Another important thing to note is that both Ali’s and @BanjoDon3’s Twitter accounts were created in November, 2016.

Further research shows a user “GoodMan DiLaltain” on a very old social network called The group that “GoodMan DiLaltain” belonged to on was called “Scorpion-Dagger”. The group description is as follows:

[Image: Scorpion-Dagger group]

You can see many names given in the group description:

  • “Me” (AKA GoodMan DiLaltain)
  • Shehraam Bhai (AKA Shehraam Nawaz)
  • Mansoor (AKA Mansoor Khagga and Mansoor Sahab)
  • Muneeb Hasan (AKA Waisay Muneeb Bhai and Muneeb Bhai)

This group of friends and classmates called themselves “Pantagon”. They liked to think of themselves as “real gangsters”. Also, looking through the various posts on their forum, I could identify a couple more names:

  • Salahuddin Khagga
  • “Haider”

Searching through the forum shows that the user GoodMan DiLaltain is the person who wrote part of the description for this group:

[Image: Group description discussion]

It looks like they’ve since deleted this group page; however, you can view the archived pages HERE. Names on these forums can be used to further correlate the link between GoodMan DiLaltain and Ali Hassan Maneka.

I want to mention that I don’t believe Ali Hassan Maneka is acting alone. He just happened to be the one with horrible OPSEC. It is likely that there were multiple individuals involved in the Good Man campaign.

Below is a list of verified Good Man domains:

Here are some additional domains that I believe were under the control of the Good Man actors:

Domain First Seen Last Seen 6/7/2017 5:01 6/7/2017 5:01 4/2/2017 0:00 4/9/2017 2:35 4/5/2017 21:30 4/8/2017 9:59

The only difference with these domains is that they protected their Whois information. Something to note, was being used as a CnC server for ZeuSVM:

Also, the domain “” is a direct reference to a blog post written by Kafeine called “RIG evolves, Neutrino waves goodbye, Empire Pack appears”:

That is all I have for now. Thanks for reading!

Documented Good Man cases:
