vxdb.sh Journalist | Cybercrime News |
It is human nature to be competitive, to try your best when competing against others. It is no different when it comes to video games. Major E-Sports tournament prize pools regularly reach the multi millions. Last year the CS2 PGL Major hosted in Copenhagen had a prize pool of $1.25M.
Outside of the Esports realm cheating is still very prevalent, from games like Fortnite, Apex Legends, CS2, even non competitive games like Minecraft or Roblox have cheating issues. Most if not all the top tier cheats aren't free. Instead they rely on a subscription-based monetization model, where users pay for access to private builds or regular updates designed to evade detection from the games AntiCheat. Cheat developers also utilize what are called resellers who advertise, and sell the cheat on behalf of the developers in exchange for a cut of the profits.
Most players don't want to or can't pay for premium/paid cheats so they hunt for free alternatives or cracked versions of paid cheats on sketchy forums, Youtube, or even Github. While some free cheats do exist, they usually don't have many features, are slower to update, and quickly detected by the AntiCheat, meaning they’ll get you banned fast, sometimes instantly. A significant portion of these “free” alternatives present security risks. In many cases, the download contains typically info stealers, Discord token grabbers, or RATs. In other instances, the advertised download is a working cheat but has malware executed in the background without the user knowing.
How threat actors spread their malware
Cybercriminals weaponize YouTube by posting videos that advertise free cheats, executors, or “cracked” cheats and then use the video description or pinned comments to funnel viewers to a download link. Many videos use the service Linkvertise which makes users go through a handful of ads and suspicious downloads to reach the final download link where the file is hosted on a site like MediaFire or Meganz. These videos are being posted on stolen or fake youtube accounts created and advertised by what are called Traffer Teams.
What are Traffers Teams?
"Traffer teams manage the entire operation, recruiting affiliates (traffers), handling monetization, and managing/crypting stealer builds. Traffer gangs recruit affiliates who spread the malware, often driving app downloads from YouTube, TikTok, and other platforms. Traffers are commonly paid a percentage of these stolen logs or receive a direct payment for installs. Traffer gangs will typically monetize these stolen logs by selling them directly to buyers or cashing out themselves." As per Benjamin Brundage CEO of Synthient.
In a recent upload by researcher Eric Parker, a YouTube channel was discovered repeatedly uploading videos advertising so-called “Valorant Skins Changer,” “Roblox Executor,” and similar “free hacks" all with oddly similar thumbnails. Each video’s description contained a download link that redirected users to a Google Sites page at "sites[.]google[.]com/view/lyteam".
This site is operated by a Traffer Team known as LyTeam, which promotes and distributes info-stealing malware under the guise of free game cheats.
Later in the same video, Eric Parker downloaded and analyzed a .dll file hosted on the LyTeam site. When uploaded to VirusTotal, the sample was identified to be a strain of the Lumma Stealer Malware, a well-known info-stealing malware family known for harvesting browser credentials and crypto wallets.
How to stay safe
Don't click random links and run files you find out on the internet, if needed use and AntiVirus software to scan files on your computer. Run sketchy files you find either in a virtual machine or sandbox, better yet use VirusTotal.
Staying safe doesn't mean you need to be paranoid 24/7, it's about awareness.
Thank you for reading,
vxdb :)
404media.co - Infostealer data can include passwords, email and billing addresses, and the embarrassing websites you use. Farnsworth Intelligence is selling to divorce lawyers and other industries.
When your laptop is infected with infostealing malware, it’s not just hackers that might get your passwords, billing and email addresses, and a list of sites or services you’ve created accounts on, potentially including some embarrassing ones. A private intelligence company run by a young founder is now taking that hacked data from what it says are more than 50 million computers, and reselling it for profit to a wide range of different industries, including debt collectors; couples in divorce proceedings; and even companies looking to poach their rivals’ customers. Essentially, the company is presenting itself as a legitimate, legal business, but is selling the same sort of data that was previously typically sold by anonymous criminals on shady forums or underground channels.
Multiple experts 404 Media spoke to called the practice deeply unethical, and in some cases the use of that data probably illegal. The company is also selling access to a subset of the data to anyone for as little as $50, and 404 Media used it to uncover unsuspecting victims’ addresses.
The activities of the company, called Farnsworth Intelligence, show a dramatic shift in the bevvy of companies that collect and sell access to so-called open source intelligence, or OSINT. Historically, OSINT has included things like public social media profiles or flight data. Now, companies increasingly see data extracted from peoples’ personal or corporate machines and then posted online as fair game not just to use in their own investigations, but to repackage and sell too.
“To put it plainly this company is profiting off of selling stolen data, re-victimizing people who have already had their personal devices compromised and their data stolen,” Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF), told 404 Media. “This data will likely be used to further harm people by police using it for surveillance without a warrant, stalkers using it to gather information on their targets, high level scams, and other damaging motives.”
Infostealers are pieces of malware, often stealthily bundled in a piece of pirated software, that steal a victim’s cookies, login credentials, and often more information stored in their browser too. On its website, Farnsworth lays out several potential uses for that stolen data. This includes “skip tacing,” presumably a typo of skip tracing, which is where a private individual or company tracks someone down who owes a debt. The website says users can “find debtors up-to-date addresses.” Another use case is to “Find high impact evidence that can make/break the case of million dollar lawsuits, high value divorce cases, etc.” A third is to “generate lead lists of customers/users from competitors [sic] companies,” because the data could show which competing products they have login credentials for, and, presumably, use.
Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools.
Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.
Just days after reporting on the Samsung Tickets data breach, another massive leak has surfaced, this time targeting Royal Mail Group, a British institution with over 500 years of history.
On April 2, 2025, a threat actor known as “GHNA” posted on BreachForums, announcing the release of 144GB of data stolen from Royal Mail Group. The breach, once again facilitated through Spectos, a third-party service provider, exposes personally identifiable information (PII) of customers, confidential documents, internal Zoom meeting video recordings, delivery location datasets, a WordPress SQL database for mailagents.uk, Mailchimp mailing lists, and more.
Inexpensive information-stealing malware surged in 2024, infecting 23 million hosts, according to Flashpoint.
Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers.
Some of these campaigns are still active and target various organizations worldwide.
These campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA.
Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos).
IoCs can be found on our dedicated GitHub page here.
Note: The analysis cut-off date for this report was August 07, 2024.
Learn about the latest threats to macOS as Infostealers continue to rapidly adapt to evade static signatures.
Plus furtive et discrète que les cyberattaques avec rançongiciel, la menace des maliciels dérobeurs se maintient à un niveau élevé. Panorama de la menace en collaboration avec Sekoia.io.
