More than 10 active social media scams that use a wide range of targeted lures to mislead victims and trick them into installing malware such as , Atomic macOS Stealer (aka ), and have been linked to a Russian-speaking cybercrime gang known as Crazy Evil.
“Specializing in identity fraud, crypto fraud, and information-stealing malware, Crazy Evil employs a well-coordinated system of traffers — social engineering professionals tasked with redirecting legitimate traffic to malicious phishing pages,” Recorded Future’s Insikt Group said in an analysis.
The use of a diverse malware arsenal by a cryptoscam group shows that the threat actor is attempting to harm the decentralized finance ecosystem by targeting users of both Windows and macOS systems.
Crazy Evil is assessed to have been active since at least 2021, largely as a traffer team tasked with directing legitimate traffic to malicious landing pages run by other criminal organizations. Allegedly run by a threat actor known on Telegram as @AbrahamCrazyEvil, it serves over 4,800 subscribers on the messaging platform (@CrazyEvilCorp) as of writing.
In a deep-dive report about traffer services published in August 2022, French cybersecurity firm Sekoia noted that “they monetise the visitors to these botnet operators who intend to deal users either widely, or specifically to a place, or an operating system.”
“Thus, the traffer’s primary challenge is to produce high-quality traffic without bots, untold or analyzed by security vendors, and ultimately filtered by traffic type. In other words, traffers’ engagement is a form of direct generation.”
Unlike operations that revolve around setting up counterfeit shopping sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets involving non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. It is estimated to have generated more than $5 million in illicit revenue and compromised tens of thousands of devices worldwide.
It has also gained new notoriety in the wake of exit scams involving two other criminal organizations, and , both of which Sekoia had previously identified in October 2024 as being behind a campaign using fake Google Meet pages.
“Crazy Evil directly victimizes the cryptocurrency space with specialized spear-phishing lures,” Recorded Future said. “Crazy Evil traffers sometimes take days or weeks of reconnaissance time to reach activities, identify priorities, and initiate commitments.”
The group’s administrators claim to provide instruction manuals and guidance for its traffers and for the malicious payloads, and they boast of an affiliate structure used to delegate operations. They also claim to orchestrate attack chains that deliver information stealers and wallet drainers.
The second cybercrime organization to be exposed in recent years, Crazy Evil operates in a Telegram-based environment. A threat actor-controlled Telegram bot directs newly hired affiliates to other private channels:
- Payments, which announces earnings for traffers
- Logbar, which provides an audit trail of information stealer attacks, details about stolen data, and if the targets are repeat victims
- Info, which periodically updates traffers’ technical and administrative information
- Global Chat, the group’s main communication channel, a forum for discussions ranging from work to memes
The cybercrime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which has been attributed to a specific scam that involves duping victims into installing the malware from phony websites:
- AVLAND (also known as AVS | RG or AVENGE), which uses job offer and investment scams to spread the StealC and AMOS stealers under the guise of a Web3 communication tool (“voxiumcalls[.]com”)
- TYPED, which promotes the AMOS stealer under the guise of TyperDex, a purported artificial intelligence program
- DELAND, which spreads the AMOS stealer via DeMeet, a purported community development platform
- ZOOMLAND, which leverages generic scams impersonating Zoom and WeChat (“app-whechat[.]com”) to propagate the AMOS stealer
- DEFI, which distributes the AMOS stealer through Selenium Finance, a purported digital asset management platform
- KEVLAND, which promotes the AMOS stealer under the name Gatherum, purported AI-enhanced virtual meeting software
“As Crazy Evil continues to succeed, other cybercriminal organizations are likely to use its methods,” Recorded Future said, calling on security teams to be constantly on the lookout for more widespread breaches and the erosion of trust in the cryptocurrency, gaming, and software industries.
The development comes as the cybersecurity company exposed a traffic distribution system (TDS) dubbed TAG-124, which overlaps with activity clusters known as , , , and . Multiple threat groups, including those associated with , , , , and , have been found to use the TDS in their initial infection sequences.
“TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components,” it said. The compromised WordPress websites display fake Google Chrome update landing pages, which ultimately lead to malware infections if visitors meet certain criteria.
Recorded Future also noted that the shared use of TAG-124 reinforces the link between and that recent TAG-124 campaigns have employed the ClickFix method, which tricks users into running content placed on their clipboard to start the malware infection.
Remcos RAT and (also known as Broomstick or Oyster), two of the payloads deployed as part of the attacks, serve as a conduit for Rhysida and Interlock ransomware.
Separately, more than 10,000 compromised WordPress sites have been found serving as a distribution channel for AMOS and SocGholish in what has been described as a client-side attack.
“JavaScript loaded in the user’s browser generates the fake page in an iframe,” c/side researcher Himanshu Anand said. “The attackers use outdated WordPress versions and plugins to make website detection more challenging for websites without a client-side monitoring tool in place.”
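As an added, defender-side illustration that is not part of the original article, Recorded Future’s report or c/side’s tooling: a small Python scanner that looks for the two page-level indicators described above, an injected iframe whose source is off-site or hidden, and inline script that writes to the clipboard (the ClickFix pattern). The HTML samples and hostnames below are constructed for illustration and are not real indicators from any campaign.

```python
"""Scan page HTML for injected iframes and clipboard-writing scripts.

This is an illustrative client-side check, not a product. It flags:
  * an <iframe> whose src host differs from the site's own host,
  * an <iframe> hidden via inline CSS,
  * a <script> served from a third-party host,
  * inline script that writes to the clipboard (ClickFix-style lure).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Clipboard-write calls commonly used by copy-and-paste lures.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I
)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects (indicator, detail) tuples while parsing a page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = attrs.get("src", "")
            if self._offsite(src):
                self.findings.append(("offsite_iframe", src))
            if HIDDEN_RE.search(attrs.get("style", "")):
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            src = attrs.get("src")
            if src and self._offsite(src):
                self.findings.append(("offsite_script", src))
            # HTMLParser hands <script> bodies to handle_data as raw text.
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if CLIPBOARD_RE.search(body):
                self.findings.append(("clipboard_write", body.strip()[:60]))
            self._in_script = False


def scan_html(html, site_host):
    """Return the list of (indicator, detail) findings for one page."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a page whose only script is served from the site itself.
CLEAN_PAGE = """<html><body><h1>Blog</h1>
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
</body></html>"""

# Constructed sample of an injected page. The iframe host is a placeholder
# (.invalid TLD) and the script body references an undefined variable on purpose.
INJECTED_PAGE = """<html><body><h1>Blog</h1>
<iframe src="https://update-lure.invalid/chrome.html" style="display:none;width:0"></iframe>
<script>document.getElementById('fix').onclick=function(){navigator.clipboard.writeText(cmd);};</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "blog.example"))
```

Running a check like this against a fresh fetch of each page and diffing the findings over time is the kind of client-side monitoring the researcher refers to; the host comparison is deliberately strict (subdomains of the site count as off-site) so that an allow-list, not a guess, decides what is legitimate.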
Threat actors have also abused the trust placed in well-known platforms like GitHub to host malicious installers that lead to the deployment of Lumma Stealer and other payloads such as SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.
Trend Micro said the activity has significant overlaps with tactics employed by a threat actor known as , who has a history of using GitHub repositories for payload distribution. The infection chain, however, starts with compromised websites that redirect to malicious GitHub release links.
Security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego said that the distribution method for Lumma Stealer is evolving, with the threat actor currently using GitHub repositories to host malware.
“The malware-as-a-service (MaaS) model provides malicious actors with a cost-effective and accessible means to execute complex cyberattacks and achieve their malicious objectives, easing the distribution of threats such as Lumma Stealer,” the researchers said.