Starlink N Doge
https://obsidian-digitalgarden-blue.vercel.app/3-horse-notes-critical/aegis/starlink-n-doge/
Connected Articles and Stubs
Research Stub DOGE training app base.apk
musk doge new contracts 2025 source
Starlink-ghost-IP-range-129.224.221.0-24-last-seen-USA-1-10-25-announced-AS14593
https://en.wikipedia.org/wiki/Starlink
- Starlink Services, LLC (a wholly-owned subsidiary of SpaceX)
- Active since 2019 (6 years ago); paying customers since Oct 26, 2020 (4 years ago) [2](https://en.wikipedia.org/wiki/Starlink)
DoD, OIG Review of Musk Clearances in Dec 2024
**By Eric Lipton, David A. Fahrenthold (Signal 202-309-5010), Aaron Krolik and Kirsten Grind (Signal (347) 417-1874)**
Published Oct. 20, 2024. Updated Oct. 21, 2024.
Elon Musk and his rocket company, SpaceX, have repeatedly failed to comply with federal reporting protocols aimed at protecting state secrets, including by not providing some details of his meetings with foreign leaders, according to people with knowledge of the company and internal documents.
Concerns about the reporting practices — and particularly about Mr. Musk, who is SpaceX’s chief executive — have triggered at least three federal reviews, eight people with knowledge of the efforts said. The Defense Department’s Office of Inspector General opened a review into the matter this year, and the **Air Force and the Pentagon’s Office of the Under Secretary of Defense for Intelligence and Security (NOTE: SEE RAINDROP FOR USDIS VULNS)** separately initiated reviews last month, the people said.
The Air Force also recently denied Mr. Musk a high-level security access, citing potential security risks associated with the billionaire. Several allied nations, including Israel, have also expressed concerns that he could share sensitive data with others, according to defense officials.
Internally, SpaceX has a team that is expected to ensure compliance with the government’s national security rules. Some of those employees have complained to the Defense Department’s Office of Inspector General and other agencies about the lax reporting, which goes back to at least 2021, four people with knowledge of the company said. SpaceX was awarded at least $10 billion in federal contracts with the Pentagon and NASA from 2019 to 2023, making it a major contractor.
**But since at least 2021, Mr. Musk and SpaceX have not adhered to those reporting requirements,** the people with knowledge of SpaceX said. He and his team have not provided some details of his travel — such as his full itineraries — and some of his meetings with foreign leaders, they said. He has also not reported his use of drugs, which is required even with a prescription, they said.
It is unclear why Mr. Musk did not report some of this information to the government, especially since he sometimes posts on X about matters that he does not relay to the Defense Department. It is also unclear if Mr. Musk instructed SpaceX to not report the information. No federal agency has accused him of disclosing classified material.
Still, “to have someone who has major contracts with the government who would be in a position to pass along — whether deliberately or inadvertently — secrets is concerning,” said Senator Jeanne Shaheen, Democrat of New Hampshire and a member of the Senate Committees on Armed Services and Foreign Relations.
Last month, Ms. Shaheen asked the Air Force and the Defense Department’s Office of Inspector General to investigate whether Mr. Musk was having inappropriate communications with foreign leaders, including President Vladimir V. Putin of Russia.
The Air Force and the Pentagon’s Office of the Under Secretary of Defense for Intelligence and Security initiated their reviews in response to questions from Ms. Shaheen and another lawmaker. On Friday, a day after The New York Times asked the secretary of the Air Force, Frank Kendall, about the matter, he responded to Ms. Shaheen, saying federal privacy laws prohibited him from discussing Mr. Musk’s case.
DoD Contracts
Research in Progress
Musk’s Gov Email
General Research
https://en.wikipedia.org/wiki/Starlink

https://completedns.com/dns-history/

https://whoisfreaks.com/tools/dns/history/lookup/link-spacex.com?type=all
From HackerTarget
Same IP ru.pre.link-spacex.com

| 3.252.209.80 |
|---|
| ec2-3-252-209-80.eu-west-1.compute.amazonaws.com |
| pre.link-spacex.com |
| manage.pre.link-spacex.com |
| ru.pre.link-spacex.com |
| turkiye.pre.link-spacex.com |
| ua.pre.link-spacex.com |

https://dnshistory.org/dns-records/devsecops.opm.gov
CNAME
2024-06-20 → 2025-10-25 opm-ocio-devsecops.github.io
Pivoting from DOGE.gov Records
Chain of thought overview
doge[.]gov ⇒ SPF records pitc.gov ⇒ found an old Biden site with 46eop in domain, so tried searching 47eop on urlscan.io
found Salesforce infra with 47eop--dev47se
https://www.shodan.io/search?query=dev47


Only server in Germany 147.154.135.252, Oracle Public Cloud
https://idcs-ab57fef8b46846a698602fa495b34f38.identity.oraclecloud.com/ui/v1/signin
and

https://idcs-9e08e9fa03664f4fa1f9c50c36b5b6b4.identity.oraclecloud.com/ui/v1/signin

3rd one:

https://idcs-b2fc90e89fda44619f53029f2791754a.identity.oraclecloud.com/ui/v1/signin
https://192.29.103.105/
aaand

https://whoisfreaks.com/tools/dns/history/lookup/doge.gov?type=all
Strings: v=spf1 include:spf.mail.dmz.pitc.gov ~all
What's pitc.gov? It's not a reachable domain…
URLscan.io:

Hm, keys and a CRL…? December 4, 2024 eh?
VirusTotal says

WHOIS

AS27064 DoD

Interesting, created Dec 2, 2016, and Keys.pitc.gov was scanned Dec 4, 2024, both incoming Trump admins


URLScan.io search for 47eop found this Sept 11, 2025 icon set that seems to be Cali, and who else?


General

| Field | Value |
|---|---|
| Full URL | https://47eop--dev47se.sandbox.file.force.com/servlet/servlet.ImageServer?id=015SL000002UGe5&oid=00DSL000002Eg1R |
| Protocol | H2 |
| Security | TLS 1.3, , AES_128_GCM |
| Server | 18.252.168.93 Columbus, United States, ASN8987 (AWS-GOVCLOUD Amazon Data Services Ireland Ltd, IE) |
| Reverse DNS | ec2-18-252-168-93.us-gov-east-1.compute.amazonaws.com |
| Software | / |
| Resource Hash | 117529c565d4d8000c904bf118607ed58a67b9b325b51b28783ae0a5317ce80c |


https://crt.sh/?id=20762619642
Observed Sept 3, 2025 for a cert that expires Oct 14, 2025 and was created a year prior

DoD AS8987 Strange Stuff
access.geoaxis.gs.mil
214.28.196.150
Maximus…CSI?
Found this stumbling through on https://urlscan.io/asn/AS8987

https://maximuscsi.my.salesforce-setup.com/
MAXIMUS??? CSI, conf / sensitive info on amazon gov?
https://urlscan.io/result/019a2ce0-1396-720c-ac1a-37ed8cde8a71/#summary
More DOD
surveysdrc.com
16.64.1.211
Submitted URL: https://surveysdrc.com/DEOCS
Effective URL: https://surveysdrc.com/deocs_portal/(S(zo0wituwra0dnupggg3bejro))/EnterEmail.aspx
https://urlscan.io/result/019a271e-9cd3-759e-bf47-8856eb202182

Stylometric Analysis Resources
https://github.com/Casualtek/Ransomchats
https://www.danielsoper.com/sentimentanalysis/default.aspx
Looking at “doge” Shodan Query


Minecraft eh??
So I followed this “DOGE” Chinese Minecraft server via hash on the MongoDB port
https://www.shodan.io/host/218.81.98.54
with a pretty specific git version
"gitVersion": "18b949444cfdaa88e30b0e10243bc18268251c1f"
hash
-657993921 | 2025-10-28T18:54:44.952065
Summary of China DOGE WTF is up China and DOGE and This Server Russia
Followed China DOGE server ⇒ MongoDB with a specific configuration shared by servers in (descending order) China, U.S., Russia, India. Within the U.S., at least one provider (NatCoWeb) is linked with Russia via a Russian-Ukrainian founder (Raindrop? Obsidian?)

DAYUM

Russia
185.255.134.141
2025-10-23T13:31:35.600206
vm3157789.firstbyte.club
FIRST SERVER LIMITED
155.138.205.65
https://www.shodan.io/search?query=hash%3A-1728046779
LittleSadSheep Started Getting Active Oct 2024…Same time as BB
https://github.com/LittleSadSheep?tab=overview&from=2024-06-01&to=2024-06-30
image.png: Fool and shut-in server operations guy, loves eating jvav, makes my blender spin (slacking off
https://x.com/littlesadsheep

https://huggingface.co/LittleSadSheep/activity/likes

http://121.43.149.127/login
from
https://www.shodan.io/search?query=doge+country%3A%22CN%22
DOGE Synology DiskStation Manager started appearing Jan 2025

Spikes in Feb, June, August

https://www.shodan.io/search?query=doge+country%3A%22CN%22
Russia MongoDB pivot from LittleSadSheep
https://www.shodan.io/host/185.255.134.141
More Sus Random Shit

registered last year Israel
remember DOGELON Trevor Nestor
WhoisXML API Subdomain search
https://tools.whoisxmlapi.com/domains-subdomains-discovery
DOGE-subdomains-containing-gov-whoisxmlapi.csv

Doge-related Azure Gov Cloud
sbzqxvoaonjdoge.usgovvirginia.cluster.atlas.usgovcloudapi.net
sbzdogeeg7th9mc.usgovvirginia.cluster.atlas.usgovcloudapi.net
Doge-related .gov Subdomains
saltydogede-photos.federalregister.gov
imfurrybrowndoges.federalregister.gov
dogesend.com.mcas-gov.us
phidogency-logos.federalregister.gov
imawatchdoges.federalregister.gov
newonlinevdogency-logos.federalregister.gov
corndogublic-inscorndogection.federalregister.gov
spasec-usgva-devsecops-dev-rg-mysql-server-5170.mysql.database.usgovcloudapi.net
Foreign
doge.gov.taipei
english.doge.taipei.gov.tw
aidoge.southpunjab.gov.pk
www.doge21.ohio.govt.hu

public-ipuppydogection.federalregister.gov
Hybrid Analysis and VirusTotal DOGE Related Malware
When you see an email address pattern in a submission name, it typically indicates:
- Email attachment origin: The file was extracted from an email attachment, and the analyst included the recipient/sender address for context
- User tracking: The submitter tagged it with an identifier for their own organizational tracking
- Phishing campaign indicator: Analysts often include the targeted email address when submitting samples from phishing campaigns

3f538a9fead2596a1a766e3d381645c55f2160f357d740ecee8d6c5b88725bed


Why this is not the “misattributed” Big Balls ransomware campaign:
These files were submitted back in Feb 2025, far before any indicators of the ransomware.


https://www.virustotal.com/gui/file/e4ec24e16f455464732a549185b832c48c95c8b1449d5e24fc326c5e8b2fbd3f
https://www.virustotal.com/gui/domain/files.doge.gov/relations
https://www.virustotal.com/graph/files.doge.gov
PDF that Seems to Be a Guide to Media and DOGE Targets Seen Feb 17, 2025
base.apk Contacted egov.uscis.gov
Just Sketchy, Can Monitor Vitals and Write Reproductive Data??
https://www.virustotal.com/gui/file/02bb3c1be5b343437bd0fd5a13ee6a21695d5d93631a9b1959317ca7a33a0934/details
Mobile Passport Control
Alright start summarizing
- A suspicious server located in Taiwan (China) with DOGE in the server name.
- Minecraft on one port, a very specific MongoDB config on another high-number port
- When pivoting on Shodan via MongoDB, about 400 hosts around the world have been observed with the same build, version, git build, etc.
- FIRST OBSERVATION BY SHODAN (TRENDS) - Jan 2025. China, USA, Russia within same month.
Very Sketchy Constellation of Contacted Gov Sites from Cloudflare 172.65.90.27
https://www.virustotal.com/gui/ip-address/172.65.90.27/relations
suckmychocolatesaltyballs.doge.gov
On October 4, 2025, the Hybrid Analysis malware detection tool received a malware sample “test.exe”
https://hybrid-analysis.com/sample/3feb7babc4040fa802fd2c8d3ce7c6fe5d64d14f8a004ee5faebbabb35bf7b18

and dropped a series of files called

test.exe contacts one domain which I thought was a joke but look at reg date


https://magrathea.endchan.net/qrbunker/thread/161567.html
2025-09-27 06:58:52
CISA Leak Found on Intelx.io, 2/28/25


Starlink and Russia Article
- Starlink - Why do we care about Starlink? Andy Jenkinson ⇒ Ukrainian deaths in 2022. Used a Russian talking point Zaporizhzhia to justify shutting down Starlink (WWIII!),
- then got the Verizon contract in July 2025, first day shut down Starlink leading to deaths in Ukraine, at a time where Ukraine was making advances.
- September 2025 - biggest attack by Russia of entire war. Another Starlink outage shutting down comms on Ukraine’s entire frontline.
Examples of Russian intel leaking?
- What is suspicious that we still don’t understand?
  - link-spacex.com registered last March or May in China, ostensibly linked to Ugandan cell phone company, subdomains for Turkey, India, China, Russia, Ukraine.
  - Starlink Crimea https://bgp.he.net/AS204791#_prefixes
- How much $$$ DoD in contracts, a lineup of timeline
2022
2024
Feb 2024 - Musk Denies Selling Starlink to Russia
The Guardian, Feb 11, 2024
Newsweek, Feb 12, 2024 (response):
“There have been recorded cases of the use of these devices by the Russian occupiers,” Andriy Yusov, a spokesperson for Kyiv’s GUR, told Ukrainian outlet RBC in an article published on Saturday. “This is starting to take on a systemic nature,” Yusov told the outlet.
Troops with Moscow’s 83rd Assault Brigade are using Starlink to access the internet in hotspots in the eastern Donetsk region, including near the village of Klishchiivka and the town of Andriivka, the GUR said in a separate statement. Russia controls part of the Donetsk region.
SpaceX has repeatedly said it does “not do business of any kind with the Russian government or its military.”
“Starlink is not active in Russia, meaning service will not work in that country,” the company said in a statement. “SpaceX has never sold or marketed Starlink in Russia, nor has it shipped equipment to locations in Russia. If Russian stores are claiming to sell Starlink for service in that country, they are scamming their customers.”
https://www.newsweek.com/elon-musk-false-reports-starlink-russia-ukraine-spacex-1869007


