- Recent law enforcement takedown activity, including Operation Talent
- Chinese cybercrime activity on our radar, including Chinese Lunar New Year and RedNote scams
- Data showing that LummaC2 has advanced to become the most prevalent infostealer
- A case study showing that criminals may be just as vulnerable to malware infections as the rest of us
- New infostealers we’re tracking in 2025
Recent Cybercrime News and Events
Cl0p Mass Exploits Cleo File Transfer Software
In early December 2024, cybersecurity defenders noticed mass exploitation of a vulnerability (CVE-2024-55956) affecting Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, which allowed for RCE on these devices. On December 15, the ransomware gang Cl0p claimed credit for the attack on their data leak site (DLS) and soon after began posting partial names of compromised organizations, threatening to leak their data if they did not pay a ransom. These initial lists generally contain the first few letters of an organization’s name followed by pound symbols, creating a hangman-like listing of partial victim names.
As of January 28, Cl0p has published files for 53 named organizations and has marked two additional victims as IN PROCESS OF PUBLICATION. They have also published an alphabetized list of 50 additional claimed victim organizations, which includes only organizations whose names begin with the first few letters of the alphabet. Based on these additional details, we estimate that there may be somewhere in the ballpark of 500 victims whose data Cl0p has posted or is still threatening to post in the near future.
This is not the first time that Cl0p has conducted mass exploitation of a zero-day vulnerability to compromise hundreds of organizations, exfiltrate data from vulnerable appliances, and pursue data theft extortion against a large number of victim organizations. In May 2023, Cl0p exploited a previously unknown vulnerability in the MOVEit file transfer software, exfiltrated victim data en masse, and conducted data theft extortion against hundreds of victims using a similar playbook.
FBI Operation Talent

Cracked and Nulled are both criminal hacking forums. Sellix (mysellix[.]io and sellix[.]io) is an e-commerce platform that is extremely popular for buying and selling illicit goods. StarkRDP is an easy-to-use Windows remote desktop hosting provider that was popular for launching cyberattacks.
The global effort by law enforcement agencies has been a positive and hopeful trend that we saw more of in the last 12 months and that should continue into the new year. While cybercriminals will always work to find new ways to engage and sell stolen data, we saw a substantial impact on the ecosystem with Operation Magnus last year, and any market disruption will likely have ripple effects throughout the ecosystem.
US Users Join Chinese RedNote App
In mid-January, a ban on the social media app TikTok was set to go into effect in the United States. During the brief period of downtime of the TikTok app in the US, the Chinese social media app RedNote (Xiaohongshu) rose to the top of the US Apple App Store download charts. RedNote is a social media application similar to Instagram that includes a large number of lifestyle influencers and the ability to shop in the app. This unprecedented influx of American users led to many examples of humorous interactions between Chinese and American users, as well as ‘Urgent’ job posts by the company to recruit English-language content moderators.

When examining the binary, SpyCloud Labs analysts noted that it contained multiple strings containing the word “backdoor.” However, as third-party cybersecurity researcher Matthew Remacle noted in his analysis of the app, these do not appear to be referring to malicious backdoors designed to stealthily gain remote access to a device. Instead, there appears to be a discrepancy in meaning between English and Mandarin developers, and “backdoor” in this context has a closer meaning to “plugin”. For example, ios_live_trtc_backdoor_support looks like it’s for Tencent’s Real Time Communication audio/video SDK.
However, like other major Chinese consumer applications, we can find dark market data brokers selling RedNote data on Telegram. From samples of RedNote data that we have been able to obtain, we have seen user details that appear to be from user shopping activity including product order information, tracking numbers, addresses, names, and phone numbers, as well as data for “Xiaohongshu [RedNote] User ID matching,” which appear to link the RedNote User ID numbers to personal information like names, phone numbers, and locations.


Year of the Snake Scams
Every year in late January and early February, countries within the Sinosphere have a weeklong celebration for Lunar New Year, with most workplaces shutting down for an entire week. This year, the celebration started on January 29, running into the first week of February.
During this time, some Chinese cybercriminals also go on vacation. As shown in the screenshots below, certain data brokers that we track post out-of-office announcements to their channels and pause orders for the week of the Lunar New Year celebration. Others who don’t shut down often post specific announcements confirming that they will still be operating over the holiday break.
We’ve also observed Chinese cybercriminals engaging in fraud and scams centered around the Lunar New Year tradition of gifting money in paper red envelopes (Hongbao). This tradition has been around for centuries, but more recently Chinese tech companies have developed popular digital versions of red envelopes which allow users to send money to their loved ones electronically, as well as earn gifts of free money by playing different online games. Chinese cybercriminals have also developed a myriad of different scams, fraud, malware, and money laundering schemes all centered around digital red envelopes.
For example, some Chinese social apps like WeChat and QQ have a functionality where instead of gifting digital red envelopes directly to a friend, users can send a specified number of red envelopes to a group chat. If the number of envelopes is less than the number of users in the chat, then the members of the group chat have to race to “grab” one of the envelopes before they run out.
Third-party app creators have also created “grabber” applications that are designed to find and open the digital red envelopes on your messaging apps before others can grab them. Some of these grabber applications also contain malware that can steal victim information and even transfer money from their accounts.

TL;DR of new SpyCloud Labs research
SpyCloud Labs researchers Kyla Cardona & Aurora Johnson joined Cyberwire Podcast host Dave Bittner for a Research Saturday episode where they broke down their in-depth research into how insiders working for Chinese police departments, banks, telecommunications providers, and technology companies are making money on the side by selling user data on the dark market. This research has also been highlighted in two SpyCloud Labs blogs:
Current and forthcoming cybercrime research
Skid Ouroboros
On January 24, security researchers at CloudSEK reported an apparent criminal-on-criminal campaign that involved the infection of thousands of low-level criminal actors who believed they were gaining access to a malware builder. Instead of being able to construct their own deployable malware, they were infected with what CloudSEK researchers called “[a] trojanized version of the XWorm RAT builder.”
Using details from the CloudSEK report, SpyCloud Labs identified the Telegram bot that had been used to exfiltrate system and other information from the infected devices and conducted their own analysis of the data that had been exfiltrated from infected hosts.
Initial bot command:
As noted in the original report, each new infection was announced in an initial message that contained basic information about the infected host, such as the username and country, and assigned the host a unique machine ID. The researchers used this ID as a “kill switch” to remove the active infections.

Screenshot from the CloudSEK report showing a new bot connection and the use of the uninstall command.
As of the time of writing, 34,504 of these messages existed. However, almost all were repeated multiple times, and only 3,534 unique messages of this type were found. In all, 2,825 unique infection IDs were assigned.
System information:
6,338 messages were sent by the bot containing information about infected hosts, which contained the version of the operating system (all Windows or “undefined”), the computer and user names, a timestamp that is assumed to correspond to the time of the infection, hardware information, the antivirus program(s) installed on the device, and whether the malware started with administrator permissions.
An analysis of the chronology revealed that the first infections likely occurred at the end of August 2024, with substantially more endpoints beaconing system information at the beginning of October of that year. October 5, 2024, proved to be the single biggest day for the campaign, with the bot reporting 1,729 total new messages containing device-level information from an infected host.
Many of the bot messages appeared to come from the same infected host. There were only 360 unique computer names, and 404 distinct system times. It is not known whether this indicates partial or unsuccessful infections, or if this reflects some kind of decision by the operator(s) of the campaign to request system information only from specific hosts.
Browser data:
Browser data, including downloads, cookies, saved credit cards, and saved passwords, were found for 406 apparently distinct victim devices. However, the malware appears to have only successfully harvested passwords from 184 of those unique devices and credit card details from 11 of those devices, and the majority of the browser data was limited to cookies and downloads.

Example of a “BrowserPasswords” file harvested by the malware from an infected machine. We only see this present for 184 unique infections.
An analysis of browser history files revealed a significant number of visits to sites that host game cheats, file hosting services, and low-level criminal forums. Saved credential data roughly reflected these findings, with a significant number of saved logins for criminal forums including Cracked (23 logins), V3rmillion (13), and Hackforums (7).
In all, 9,570 unique credentials, comprising 1,410 unique emails, were found in the 184 browser folders that contained a saved passwords file. Using SpyCloud’s collection of infostealer data, 541 of the emails were identified as having been previously compromised via malware unassociated with the XWorm RAT campaign.
Controlling for emails that were non-routable (i.e. incomplete or non-existent email domains), approximately 49% of campaign-related infections – where credentials were stolen – were from a device which had been previously infected with a commodity infostealer or other malware. This suggests that a large number of victims attempted to install the malicious builder on their host device, rather than using a virtual machine.
SpyCloud is unable to validate the claimed number of infections within the initial report. Based on the unique infection IDs found in the messages, there is evidence of 2,825 unique infections, of which approximately 404 reported additional system information at least once. However, as SpyCloud began scraping the channel on November 13, 2024, messages sent to the channel prior to that date may have been deleted or otherwise made unavailable. Because of how Telegram stores and serves messages, it is impossible to determine whether there was any deleted data from before we began to collect and save messages from the channel. Our research continues and our team will share a more detailed picture of our findings in the future.
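The message deduplication, infection-ID counting, and prior-compromise rate described in this section, as an added example that is not SpyCloud's own tooling. The bot message format, the sample messages, the credential records, and the "previously seen" set are all constructed for illustration; the page does not give the real format, and the routable-email check here is a simple well-formedness test, not necessarily the one SpyCloud used.

```python
import re

# Constructed bot messages; the real XWorm bot format is not on the page.
SAMPLE_MESSAGES = [
    "New connection | ID: 7f3a | User: alice | Country: US",
    "New connection | ID: 7f3a | User: alice | Country: US",  # repeat
    "New connection | ID: 9c21 | User: bob | Country: DE",
    "New connection | ID: 9c21 | User: bob | Country: DE",    # repeat
    "New connection | ID: 1d0e | User: carol | Country: BR",
]
ID_RE = re.compile(r"\bID:\s*([0-9a-f]+)")


def summarize_connections(messages):
    """Return (total messages, unique messages, unique infection IDs)."""
    unique = set(messages)
    ids = {m.group(1) for msg in unique if (m := ID_RE.search(msg))}
    return len(messages), len(unique), len(ids)


# Constructed saved-credential records: (infection_id, email address).
SAMPLE_CREDS = [
    ("7f3a", "alice@example.com"),
    ("9c21", "bob@localhost"),        # non-routable: no resolvable domain
    ("1d0e", "carol@example.org"),
    ("1d0e", "c.role@example.net"),
]
# Constructed stand-in for a corpus of emails seen in earlier stealer logs.
PREVIOUSLY_SEEN = {"alice@example.com", "bob@localhost"}

# Well-formed local@domain.tld; anything else is treated as non-routable.
ROUTABLE_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def prior_compromise_rate(creds, seen):
    """Share of infections (with at least one routable stolen email)
    whose emails already appeared in the prior-compromise set."""
    by_infection = {}
    for inf_id, email in creds:
        if ROUTABLE_RE.match(email):
            by_infection.setdefault(inf_id, set()).add(email.lower())
    if not by_infection:
        return 0.0
    hits = sum(1 for emails in by_infection.values() if emails & seen)
    return hits / len(by_infection)
```

On the constructed data, the 9c21 host drops out of the rate because its only email is non-routable, which is why the page controls for such addresses before computing the share.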
SpyCloud’s recaptured data collection numbers
January Monthly Total
Total New Recaptured Data Records for January: 1,539,929,415
New Recaptured Third-Party Breach Data this Month
Third-Party Breaches Parsed and Ingested: 376
New Data Records from Third-Party Breaches: 755,320,056
New Recaptured Infostealer Malware Data this Month
Unique Infostealer Infection Logs Parsed: 3,286,823
New Data Records from Infostealer Infections: 116,614,897
New Stolen Cookie Records: 767,994,462
New Infostealer Malware Families
Turalalv – Turalalv is an open source stealer written in Rust. The source code is available on GitHub. It has functionality to steal data from browsers, cryptocurrency wallets, password manager extensions, and other applications like Discord and Steam.
Ox Stealer – Ox Stealer appears to be either a rebranding or new product offering from the creator of the Ailurophile Stealer. It appears to have capabilities to steal victim system information, as well as cookies and credentials from browsers.
Arcane Stealer – This stealer appears to be a resurfacing of an older stealer from 2019 that appears to be back in circulation. This new version of Arcane appears to leave “Arcane Stealer” watermarks on the screenshots it takes of victim machines. Interestingly, many of the recent Arcane Stealer logs that we have observed in the wild appear to be from infections of Russian users.
Typhon Keylogger – Typhon is also a newer version of an older stealer that has been slightly rebranded as “Typhon Reborn V2”. Cisco Talos analyzed this new and improved version, and found that it has a variety of new features including improved anti-analysis and sandbox evasion.