113 points by hn_acker 3 days ago | 7 comments
  • caffeinewriter 3 days ago
    Huh. The researchers seemed to gloss over the Cloudflare Pages URL, but it's actually pretty interesting. I haven't had a chance to look at it in depth yet, but it appears to use the search-ms: URL protocol to show an attacker-controlled WebDAV server to serve the malware.

    The server hosting the malicious files seems to be down now, but this post details a similar attack:

    https://micahbabinski.medium.com/search-ms-webdav-and-chill-...

    It also seems to be part of a phishing kit, or potentially generated with AI, due to the presence of the following comment:

        // Замени на свой URL
    
    Which in English is:

        // Replace with your URL
    
    And various other descriptive comments like

        // Полностью очищаем страницу (Completely clear the page)
        // Создаём новый контейнер с индикатором загрузки (Creating a new container with a loading indicator)
        // Через 3 секунды скрываем Cloudflare и запускаем загрузку (In 3 seconds, we hide Cloudflare and start the download.) [Though this was next to a 900ms timeout, so there's definitely been some tweaking]
    
    They're the kind of comments that don't really make sense if the author is writing them themselves, but would if they're using something off the shelf, or asking some LLM to output code. The descriptive comments of what the code's doing definitely make me lean towards the latter.
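    As an added defensive example (not code from the article, the comment above, or the kit it describes), a small Python scanner that pulls search-ms: URIs out of captured page content and flags those whose location crumb points at a remote UNC path or URL, i.e. a WebDAV share rather than a local folder. The sample HTML, timer and host names are constructed, not indicators from the article.

```python
import re
from urllib.parse import parse_qsl

# A search-ms: URI embedded in HTML or JavaScript; stop at quotes, whitespace or tags.
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)
# A UNC path (\\host\share) or http(s) URL as the location makes Explorer open a remote
# share (WebDAV via the WebClient service) instead of a local folder; group 1 = host.
REMOTE_LOCATION_RE = re.compile(r"^(?:\\\\|https?://)([^\\/]+)", re.IGNORECASE)

def parse_search_ms(uri):
    """Parameters of a search-ms: URI (keys lower-cased, values percent-decoded); 'crumb' is a list."""
    params = {"crumb": []}
    for key, value in parse_qsl(uri.split(":", 1)[1], keep_blank_values=True):
        key = key.lower()
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params

def remote_search_locations(uri):
    """Hosts named by 'location:' crumbs that are remote ([] if none or all local)."""
    hosts = []
    for crumb in parse_search_ms(uri)["crumb"]:
        kind, sep, path = crumb.partition(":")  # e.g. 'location:\\host\share'
        if sep and kind.strip().lower() == "location":
            m = REMOTE_LOCATION_RE.match(path.strip())
            if m:
                hosts.append(m.group(1))
    return hosts

def scan_page(content):
    """(uri, displayname, hosts) for every search-ms: URI in the page that points at a remote share."""
    findings = []
    for m in SEARCH_MS_RE.finditer(content):
        uri = m.group(0)
        hosts = remote_search_locations(uri)
        if hosts:
            findings.append((uri, parse_search_ms(uri).get("displayname", ""), hosts))
    return findings

# Constructed sample page: a short timer redirects to a search-ms: URI whose location is a
# WebDAV share (placeholder host), next to a benign local-folder search that must not be flagged.
SAMPLE_HTML = """
  setTimeout(function () {
    window.location.href = "search-ms:query=document&crumb=location:%5C%5Cwebdav.example.invalid%40SSL%5CDavWWWRoot%5Cfiles&displayname=Downloads";
  }, 900);
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic&displayname=Documents">local</a>
"""
```

    The `@SSL` suffix in the flagged host is the Windows WebClient syntax for a WebDAV share over HTTPS, which is how a Cloudflare Pages landing page can hand Explorer a remote folder that looks like a local search result.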
    • inetknght 3 days ago
      > The descriptive comments of what the code's doing definitely make me lean towards the latter.

      Sadly, it's exactly that kind of descriptive comment that I expect to see in well-documented code. The kind of comments that I would expect from a seasoned engineer.

    • throw-the-towel 2 days ago
      IDK, I think these comments look exactly like the comments in most real-world code.
  • nazgulsenpai 3 days ago
    Posted as a separate submission before reading this one, but the EFF's blog post about it: https://www.eff.org/deeplinks/2025/03/simple-phish-bait-eff-...
  • d0mine 3 days ago
    > Code comments found within and PowerShell scripts suggest the work of a Russian-speaking developer.
    • Y_Y 3 days ago
      I have a git hook to translate all comments into Russian before I push to the victim's machine
  • m000 3 days ago
    Isn't that title kind of clickbaity? TFA only mentions a "Russian-speaking developer". This is largely irrelevant to the malware analysis and no further links are established to some Russian actor.

    I.e., there is no exposé of anyone, but putting "Exposing Russians" in the title gives clicks.

  • sneak 3 days ago
    Not everyone who speaks the Russian language is a Russian.
    • _DeadFred_ 3 days ago
      Maybe you should inform Russia of that. They sure seem to think eastern Ukraine is theirs because of Russian-language speakers.
      • erikerikson 3 days ago
        Ukrainians see their language[0] as distinct from Russian. Not to deny that the Russians have claimed that Russian speakers are domiciled in Ukraine.

        [0] https://en.m.wikipedia.org/wiki/Ukrainian_language

        • lukaslalinsky 2 days ago
          The two most recent Russian invasions actually caused the gain in popularity of the Ukrainian language. Before that, many people considered themselves Ukrainian and spoke only Russian. That's changing since the invasions started.
          • erikerikson 2 days ago
            I'm no expert but the article I linked above says:

            > It is the first (native) language of a large majority of Ukrainians.

            • rat87 2 days ago
              It's pretty complicated, especially since it's been changing significantly since 2022 and even 2014, but most Ukrainians understand and speak Russian, and a large minority have or had it as a primary language. People also spoke both. It's not a straight west-to-east thing. Many of the cities, especially, but not only, in the south and east, were primarily Russian-speaking, while the west and less urban areas were mostly Ukrainian. Not to mention Surzhyk (mixed Ukrainian/Russian speech) or other smaller languages spoken in Ukraine.

              One good example is President Zelenskyy and Kvartal 95 (the comedy troupe/media company he and his friends formed): most of their shows and skits until recently were in Russian. Their use of Russian was not just for export to Russia or other Russian speakers outside of Ukraine/Russia; it was not rare to make media aimed at a primarily Ukrainian audience in Russian. An example: Zelenskyy making fun of Putin's claim that Kyiv is the mother of Russian cities (in Russian) https://youtube.com/watch?v=tnaM-dXxpo8&list=PLfso1c1v9W3MAa...

              • dragonwriter 2 days ago
                > Their use of Russian was not just for export to Russia or other Russian speakers outside of Ukraine/Russia; it was not rare to make media aimed at a primarily Ukrainian audience in Russian.

                I don't know about the other members of the troupe or the degree to which this is a factor, but Zelenskyy is himself a native Russian speaker.

        • _DeadFred_ 2 days ago
          I have an ex-girlfriend from eastern Ukraine. Prior to the war she spoke mainly Russian, her parents spoke mainly Russian, her friends spoke mainly Russian. They all went to Moscow University. Of course now they are trying to switch to Ukrainian, but it is not their first language.
      • dragonwriter 2 days ago
        This is also why North America belongs to, depending on exactly where you are, largely England and/or Spain.
  • rickandmortyy 3 days ago
    since the Kennedy stuff nothing has been as shocking