This is VERY IMPORTANT, someone please post this as a new thread; as I'm a new user, reddit doesn't allow me to make a new post. It can save many vendors' lives.

I looked into the loctime xlsx file. It's basically a zip file containing many plain-text xml files; you can change the file name from .xlsx to .zip and open it with your zip viewer. I looked into the xml files one by one, and guess what I found: the IP address of the hansa server.
In folder xl/drawing/_rels:

    <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://217.182.159.33:9998/img/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/logo/logo.png" TargetMode="External"/>
    <Relationship Id="rId6" Target="/xl/media/image2.png" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" />

The "xxxxx" is a long generated unique code; I guess each vendor has a unique one. This way, when you open the xlsx file, Excel sends a request to the IPv4 address for the image and they know your IP address without Tor protection. That's why they said they were able to get IP addresses of users.
When you try to open the IP address, it shows exactly the same image as hansa's onion domain.
If you ever opened the file without IP address protection, you are fucked: your real IP address is leaked! Clear your house ASAP.
One more thing to say: although there's this beacon image, there's no hidden malware or macro VB code in the file. Macro code cannot be saved into an xlsx file, it can only be saved into an xls, xlsm or xlsb file, so you don't need to worry about malware.
Why is all the tinfoil hat bullshit being discussed but no-one is even taking a second look at this? Seems like dank-nation was talking about it yesterday..
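A way to check a spreadsheet for the kind of external image reference described in the post without opening it in Excel, as an added example that is not part of the original post. The function names, the sample package and its 192.0.2.10 documentation address are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by OPC relationship parts (the *.rels files in the archive).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_external_targets(xlsx_bytes):
    """List (part, rel_id, rel_type, target) for relationships that point
    outside the package. Only the archive is read: the file is never opened
    in a spreadsheet program and no network request is made."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                # Relationship parts have no need for a DTD; do not parse one.
                hits.append((name, None, "dtd-present", None))
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                # Also catch a URL target whose TargetMode was left out.
                if external or "://" in target:
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel.get("Id"), rel_type, target))
    return hits

def build_sample():
    """Constructed package: one external and one embedded image relationship.
    192.0.2.10 is a documentation address, not a value from the post."""
    img = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{img}" TargetMode="External" '
        'Target="http://192.0.2.10:9998/img/CONSTRUCTED-TOKEN/logo/logo.png"/>'
        f'<Relationship Id="rId6" Type="{img}" Target="/xl/media/image2.png"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_external_targets(build_sample()):
        print(hit)
```

Hits of type `hyperlink` are ordinary clickable links; a hit of type `image` with an http target is the pattern the post describes.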