What’s Dead May Never Die: AZORult Infostealer Decommissioned Again

Leon Kurolapnik, Threat Intelligence Analyst and Raveed Laeb, Product Manager

Since mid-February, discussions throughout multiple cybercrime communities have been noting that the main password stealing features of the AZORult infostealer – one of the most prevalent stealers currently in use, and the main culprit behind the ongoing campaign – have been disabled by a recent Google Chrome update. Since AZORult isn’t actively maintained, many actors are now regarding the stealer as fully decommissioned.

Exploring the Genesis Supply Chain for Fun and Profit

Research: Part 1 – Misadventures in GUIDology by Raveed Laeb, Product Manager

This is the first post in a series of posts reviewing the supply chain of the Genesis Store market – a likely-Russian threat actor operating a successful, borderline innovative, pay-per-bot store since 2018. The following post features a quick-and-easy methodology breaking down over 335,000 unique Genesis infections into four malware groups, allowing us to attribute over 300,000 AZORult infections to the Genesis actors currently involved in campaigns resulting is tens of thousands of new AZORult infections per month. Furthermore, it seems Genesis isn’t necessarily leading these campaigns, but rather working with various Malware-as-a-Service (MaaS) providers and cybercrime services.

This discovery, linking Genesis with widely known commodity malware, highlights the ongoing threat to organizations and the proliferation of illegal data obtained from infections. It also sheds light on the supply chain relationships between actors operating within the cybercrime financial ecosystem (read: Dark Net); we’ll explore this theme, including specific actors and trends, in the next posts.

Uncovering the Anonymity Cloak

KELA's Research Team

Due to its anonymity, the Darknet is flooded with threat actors working together to share information, services, and knowledge required to carry out successful cyber-attacks, particularly within the cybercrime financial ecosystem.

We’ve uncovered the real identity of a threat actor dubbed SaNX – a handle that has become an infamous one among many security departments of numerous leading corporations worldwide. Here, we’ll also reveal his activities, other handles in the Darknet, and affiliations to other hacking groups.