Devin Nunes, his Website, and a Trojan Horse — Part II


The story of how Devin Nunes and other GOP candidates may have been compromised.

Part II

As we looked more closely at the domains assigned to the server still hosting the malicious code we found on Devin Nunes’s campaign website, a pattern emerged. It became clear that all the websites on this computer were associated with the Nebraska company Northstar Campaign Services. It also became clear that the malicious code we found was not an accident.

The Devin Nunes Server and Tracking the IP

We checked the IP address of the server and found that it hosts at least one other website, But, like, that website has disappeared. Specifically, we get a “404” error when we try to navigate to it with a web browser. This means that the files that display the website have been removed from the server.

This IP address — — belongs to a server provided by Microsoft’s Azure hosting service. VirusTotal shows us that there is another domain associated with this IP address,

What did we find when we browsed to It directed us to another URL. An apparent login form for a site called

The Domains

The most recent Registrant for both of these domains is Andrew Northwall.

This is bizarre indeed. Why would a domain called redirect to the log-in page for a political site? We continued our investigation.

We next had a closer look at the domain Surprisingly, five different IP addresses have hosted in the past two years. That means that the same IT team likely controls all these IP addresses and servers associated with them.

Surprise, it’s a virus

Looking at the IP addresses that had hosted this domain, one stood out — the server associated with the address This IP address is associated with hosting service Cosentry. Cosentry is an entirely different hosting provider from the IP address.

Cosentry hosted previously along with a number of political-looking domains. But what else did Cosentry host? Well, according to VirusTotal, a very nasty virus file “calls home” to this server. So, code running on other computers was programmed to communicate specifically with this server.

Let’s look at the viruses associated with this file.

What is this Trojan file and what is it capable of doing? McAfee describes this as a “trojan threat designed to steal data from victim’s system.”

To summarize:

One of the computers that recently hosted is serving malicious code disguised to look like a JPEG image file. Meanwhile, another computer that recently hosted is receiving communications from computers infected with an information-stealing Trojan Horse.

Two different computers, two different hosting providers. And both computers are associated with North Star Campaigns as well as some very nasty spyware.

This raises many questions. What is the company North Star Campaigns? How is North Star Campaigns associated with Devin Nunes? How is North Star Campaigns associated with EZPolitix? Who is behind all this?

Read Part I here.

Written by Unhackthevote

