THREAD
1/ Mueller indictment included three references to domain linuxkrnl[.net, a domain not previously mentioned in any intel assessment, attribution or pundit commentary. Can we learn anything by drilling into its details?
1/ Mueller indictment included three references to domain linuxkrnl[.net, a domain not previously mentioned in any intel assessment, attribution or pundit commentary. Can we learn anything by drilling into its details?
2/ para 61 stated that domain linuxkrnl[.net was "encoded in certain X-Agent malware" on DNC network and that domain renewed "in 2015" using bitcoins. For now, look away from (interesting) bitcoins and note both early date (2015) and hard coding of domain in malware. 
3/ para 32 said that the domain linuxkrnl[.net was "GRU-registered" and that X-Agent communications from DNC to this domain continued until October despite Crowdstrike's efforts "by in or around June 2016".
4/ repeating earlier tweet, Crowdstrike installed their superduper software on May 6, 2016, long before exfiltration of DNC hack emails between May 19 and May 25. Mueller indictment concealed this embarrassing ineffectiveness of Crowdstrike. Executive Shawn Henry is Mueller's pal
5/ new: Mueller said that linuxkrnl[.net domain was hardcoded into X-Agent. But this domain NOT reported in contemporary analysis of X-Agent malware archived by Crowdstrike. VT: virustotal.com/en/file/fd39d2… Invincea (now gone): cynomix.invincea.com/sample/0b3852a…
6/ what is basis of new information? Was it discovered by re-analysis of archived malware i.e. overlooked by prior specialists? Or did it come from analysis of computer withheld from FBI by DNC in June 2016? Why wasn't domain listed in Intel Assessment of Jan 6, 2017?
7/ one more reference in indictment. para 64a stated that bitcoin pool used for linukkrnl[.net domain renewal was also used for purchase of "servers and domains" used in spearphishing operation, mentioning commonplace spoofs: accounts-qooqle[.com and account-gooogle[.com
8/ combining this information, we obtain useful chronological information that renewal of linuxkrnl[.net was in 2015 - from a pre-existing bitcoin pool already in use for spearphishing. These very early dates speak loudly against Trump collusion narrative.
9/ I've parsed information on IP addresses to which linuxkrnl[.net resolved. From ~June 2014 to 2015-03-03, it was in Netherlands under sketchy setup (nameserver carbon2u.com, registrant PDR LTD. D/B/A PUBLICDOMAINREGISTRY[.COM, Nobby Beach)
10/ from 2015-03-04 to 2016-11-21, the period relevant to Mueller, it resolved to 192.151.156[.205, Datashack in Missouri. (Mueller mentioned "GRU-leased" servers in Illinois and Arizona, but mot Missouri.) Obama admin was apparently unperturbed by GRU leasing servers in US.
11/ in 2017, domain seems to have lapsed into hands of domain-name farmers (but this is surmise and outside my knowledge.)
12/ tying back to indictment, the renewal of domain linuxkrnl[.net sometime in 2015, using bitcoin pool later used to register DCLeaks (in Apr 2016), occurred while domain resolved to Datashack in Missouri - prob late 2015.
13/ this dates back long before Carter Page, George Papadopoulus or other fabricated colluders (as do other elements described in Mueller indictment.) These early dates really undermine the already implausible collusion narrative.
14/ it also begs the question: was Obama administration counterintel unaware of GRU leasing servers in US? Or did they merely do nothing about such leases?
