Post by VMRay
Alert: One Russian-speaking crew, one set of servers: a malware botnet, a hands-on console for breaking into corporate networks, and an AI Telegram troll farm.

Report: https://lnkd.in/e2QF96pW

We track it as Operation STANDOFF. The starting point was a single sample that VMRay UniqueSignal flagged on behavior, not on a signature or a known indicator. Pivoting on the two hardcoded C2 IPs it contacted at runtime revealed the wider operation. One of those IPs also hosted the operators' console, "STANDOFF COORD".

The same Russian-speaking crew runs three revenue-generating operations from one server infrastructure: a commodity malware botnet, hands-on intrusions into corporate networks, and an AI-driven Telegram troll farm (fake accounts and GPT-written personas generating engagement at scale). Much of the C2 blends in by redirecting requests to GitHub; pivoting on that pattern uncovered 44 related Russian servers.

Takeaways:

• Financial and influence operations run side by side. The malware steals credentials and crypto wallets, mines Monero, enrolls victims into a proxy botnet, and supports hands-on corporate intrusions. The Telegram operation uses AI-generated personas for engagement manipulation, disinformation, promotions, scams, and audience building.
• VMRay UniqueSignal flagged the sample based on behavior and exposed two hardcoded C2 IPs (212.193.30[.]45/proxies.txt and 212.193.30[.]29/server.txt) that led to the broader infrastructure.
• The malware C2 also hosted "STANDOFF COORD", a multi-operator console containing stolen NTLM hashes, Kerberos tickets, session cookies, and private keys.
• A single loader deploys Raccoon Stealer, RedLine, Amadey, SmokeLoader, Socelars, Glupteba, and XMRig while disabling Windows Defender and Windows Update.
• Persistence is achieved through a fake csrss.exe dropped into C:\Windows\rss and installed as a startup service using VirtualBox-style names.
• Victims are enrolled into a proxy botnet through 212.193.30[.]45/proxies.txt, creating traffic relays for operator use or resale.
• The influence operation uses AI-generated Telegram accounts connected to a Standoff 2 / PUBG Mobile gaming portal that funnels in a young audience.
• The C2 hides in plain sight: 44 TimeWeb-hosted servers redirect requests to GitHub to blend in with trusted traffic.
• A malformed WinHTTP User-Agent, corrupted to a single 0x02 byte, provides a distinctive network signature.
• Attribution points to a Russian-speaking team through Russian-language tooling, Moscow-time scheduling, and consistent "ggstandoff" / "GG Influence" branding.
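The two network indicators above, the single-0x02-byte User-Agent and the config fetches from the two hardcoded C2 URLs, are easy to turn into a detection over captured HTTP requests. The following is an added example written for this post, not code from VMRay or from the report; the only real values in it are the two C2 URLs and the 0x02 User-Agent quoted above, the sample traffic is constructed, and the exact header framing of the malformed User-Agent is an assumption.

```python
# Added example (not from the VMRay report): flag the Operation STANDOFF
# network indicators quoted in the post over raw HTTP/1.x requests.
# The sample traffic below is constructed; only the C2 URLs and the
# 0x02 User-Agent come from the post.

# C2 host/path pairs from the post (defanging brackets removed for matching).
C2_PATHS = {
    ("212.193.30.45", "/proxies.txt"),
    ("212.193.30.29", "/server.txt"),
}

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line and headers.

    Header values are kept as bytes so a lone 0x02 control byte survives
    instead of being mangled by text decoding."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.decode(), "path": path.decode(), "headers": headers}

def classify(raw: bytes) -> list:
    """Return the STANDOFF indicators matched by one request (empty if none)."""
    req = parse_request(raw)
    hits = []
    ua = req["headers"].get(b"user-agent")
    # Malformed WinHTTP User-Agent reduced to a single 0x02 byte (assumed
    # to appear as the whole header value).
    if ua == b"\x02":
        hits.append("ua_single_0x02_byte")
    host = req["headers"].get(b"host", b"").decode(errors="replace")
    if (host, req["path"]) in C2_PATHS:
        hits.append(f"c2_fetch:{host}{req['path']}")
    return hits

# Constructed samples: one imitating the loader's proxy-list fetch, one
# ordinary browser request that must not match.
SAMPLES = [
    b"GET /proxies.txt HTTP/1.1\r\nHost: 212.193.30.45\r\nUser-Agent: \x02\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

On real traffic, run `classify` over each request reassembled from a capture or proxy log; a hit on either indicator is worth triaging on its own, and both together strongly suggest the loader described above.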