Over 10 active social media scams that use a wide range of tailored lures to deceive victims and trick them into installing malware such as , Atomic macOS Stealer (aka ), and have been linked to a Russian-speaking crime group known as Crazy Evil.
"Specializing in identity fraud, crypto fraud, and information-stealing malware, Crazy Evil employs a well-coordinated system of traffers — social engineering professionals tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis.
The use of a diverse malware arsenal and a crypto scam team is a clear indication that the threat actor is targeting users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem.
Crazy Evil is assessed to have been active since at least 2021, largely as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal organizations. Allegedly run by a threat actor known on Telegram as @AbrahamCrazyEvil, it serves over 4,800 subscribers on the messaging platform (@CrazyEvilCorp) as of writing.
In a detailed report on traffer services published in August 2022, French cybersecurity company Sekoia noted that they "monetize the traffic to these malware operators, who intend to target users either broadly, or specifically, by region or operating system."
"The main challenge facing traffers is therefore to generate high-quality leads without bots, undetected or analyzed by security vendors, and ultimately filtered by visitor type. In other words, traffers' activity is a form of lead generation."
Unlike schemes that revolve around setting up counterfeit shopping sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets, including non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. It is estimated to have compromised tens of thousands of devices around the world and generated more than $5 million in illicit revenue.
It has also gained newfound prominence following the exit scams of two other cybercrime groups, and , both of which Sekoia recently identified as responsible for a ClickFix campaign using fake Google Meet pages in October 2024.
"Crazy Evil directly victimizes the cryptocurrency space with specialized spear-phishing lures," Recorded Future said. "Crazy Evil traffers sometimes take days or weeks of reconnaissance time to scope operations, identify targets, and initiate engagements."
The group's administrators are said to provide training manuals and support for its traffers, supply the malicious payloads, and benefit from an online infrastructure to which operations are outsourced; they also design the attack chains that deliver information stealers and wallet drainers.
The latest cybercrime group to be exposed in recent years, Crazy Evil operates in a hierarchical structure. A threat actor-controlled Telegram bot directs newly recruited affiliates to other private channels:
- Bills, which announces payouts for traffers
- Logbar, which provides an audit trail of information stealer infections, details of the stolen data, and whether the targets are repeat victims
- Info, which periodically posts technical and administrative updates for traffers
- Global Chat, the main communication channel, hosting discussions ranging from work to memes
The cybercrime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which has been linked to a specific scam that involves duping victims into installing the malware from phony websites:
- AVLAND (also known as AVS|RG or AVENGE), which uses job offer and investment scams to spread the AMOS and StealC stealers via a Web3 communication tool called Voxium ("voxiumcalls[.]com")
- TYPED, which uses an artificial intelligence program called TyperDex ("typerdex[.]ai") to propagate the AMOS stealer
- DELAND, which spreads the AMOS stealer via a community development platform called DeMeet (a [.]app domain)
- ZOOMLAND, which leverages generic scams impersonating Zoom and WeChat ("app-whechat[.]com") to propagate the AMOS stealer
- DEFI, which distributes the AMOS stealer through Selenium Finance, a purported digital asset management platform (a [.]fi domain)
- KEVLAND, which promotes the AMOS stealer under the name Gatherum, an AI-enhanced virtual meeting software (a [.]ca domain)
"As Crazy Evil continues to succeed, other cybercriminal entities are likely to adopt its methods," Recorded Future said, urging security teams to remain vigilant against more widespread breaches and the erosion of trust in the cryptocurrency, gaming, and software industries.
The development comes as the cybersecurity company exposed a traffic distribution system (TDS) dubbed TAG-124, which overlaps with activity clusters known as , , , and . Multiple threat groups, including those associated with , , , , and , have been found to use the TDS in their initial infection sequences.
"TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components," it said. The compromised WordPress websites display fake Google Chrome update landing pages that ultimately lead to malware infections if visitors meet a certain set of criteria.
Recorded Future also noted that the shared use of TAG-124 reinforces the link between the , and that recent TAG-124 campaigns have used the ClickFix technique, which tricks users into running a command that the page has copied to their clipboard in order to start the malware infection.
Observed deployments include Remcos RAT and (also known as Broomstick or Oyster), two of the payloads used to deliver the Rhysida and Interlock ransomware.
More than 10,000 compromised WordPress sites have also been discovered acting as a distribution channel for AMOS and SocGholish as part of what has been described as a client-side attack.
"JavaScript loaded in the user's browser generates the fake page in an iframe," c/side researcher Himanshu Anand said. "The attackers use outdated WordPress versions and plugins to make detection more challenging for websites without a client-side monitoring tool in place."
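The two client-side patterns described above, a fake update page injected into a compromised WordPress site via an iframe and a ClickFix lure that places a command on the visitor's clipboard, are both things a site owner can check for in the HTML their pages actually serve. The following is an added illustration, not code from c/side, Recorded Future or any project named here; the regular expressions are constructed heuristics for this example, the `site_host` parameter and the two sample pages (with reserved `.example`/`.invalid` hostnames) are assumptions, and a real monitor would compare against a known-good baseline rather than rely on these patterns alone.

```python
"""Constructed example: flag injected third-party resources and ClickFix-style
clipboard lures in the HTML a site serves. Heuristics and sample pages are
constructed for illustration, not taken from any vendor's detection rules."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page writes something to the clipboard (the mechanism ClickFix lures rely on).
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# The copied text looks like a shell/interpreter invocation rather than, say, a coupon code.
COMMAND_RE = re.compile(
    r"\b(powershell|mshta|cmd(?:\.exe)?\s*/c|curl\s|wget\s|bash\s+-c)", re.I)
# Visible text typical of fake browser-update / human-verification pages.
LURE_RE = re.compile(
    r"update\s+(your\s+)?(browser|chrome)|verify\s+you\s+are\s+human|fix\s+(the\s+)?error", re.I)


class PageInspector(HTMLParser):
    """Collects off-site script/iframe sources, inline JavaScript, and visible text."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external_refs = []   # (tag, host) for resources loaded from other origins
        self.inline_scripts = []  # bodies of inline <script> blocks
        self.visible_text = []    # text outside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe") and attrs.get("src"):
            self._note_ref(tag, attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.inline_scripts if self._in_script else self.visible_text).append(data)

    def _note_ref(self, tag, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host; the site's own host and its subdomains are expected.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.external_refs.append((tag, host))


def inspect_page(html, site_host):
    """Return a list of human-readable findings for one served page (empty if clean)."""
    parser = PageInspector(site_host)
    parser.feed(html)
    findings = [f"external {tag} loaded from {host}" for tag, host in parser.external_refs]
    js = "\n".join(parser.inline_scripts)
    if CLIPBOARD_RE.search(js) and COMMAND_RE.search(js):
        findings.append("clickfix: inline script copies a shell command to the clipboard")
    if LURE_RE.search(" ".join(parser.visible_text)):
        findings.append("lure text: fake update / verification prompt on page")
    return findings


# Constructed sample pages for a hypothetical site at blog.example.
CLEAN_PAGE = """<html><head><script src="/wp-includes/js/jquery.js"></script></head>
<body><h1>Welcome to our blog</h1></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://cdn.attacker-example.invalid/loader.js"></script>
<script>
document.getElementById('fix').onclick = function () {
  navigator.clipboard.writeText("powershell -w hidden -c PLACEHOLDER_STAGE_TWO");
};
</script>
</head><body>
<div id="fix">Update your browser to continue</div>
<iframe src="https://update-lure.invalid/chrome-update.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, inspect_page(page, "blog.example") or ["no findings"])
```

Run against a crawl of your own site's rendered pages, the same check catches the injected loader script and the off-site iframe on the compromised page while reporting nothing for the clean one; the clipboard and lure-text rules only add confidence, since a legitimate "copy to clipboard" button with no shell command in it will not trip them.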
Threat actors have additionally been observed using popular platforms such as GitHub to host malicious installers that lead to the deployment of Lumma Stealer and other payloads like Cobalt Strike Beacon and Vidar Stealer.
The tactics, according to Trend Micro, share significant similarities with those of a threat actor known as , which has a track record of using GitHub repositories for payload distribution. A notable difference, however, is that the infection chain starts with compromised websites that redirect users to bogus GitHub release links.
Security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego said that "the threat actor is now using GitHub repositories to host malware."
"The malware-as-a-service (MaaS) model provides malicious actors with a cost-effective and accessible means to execute complex cyber attacks and achieve their malicious objectives, easing the distribution of threats such as Lumma Stealer."