Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

By Viral Trending Content

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer.

“Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages,” Recorded Future’s Insikt Group said in an analysis.

The cryptoscam group's use of a diverse malware arsenal is a sign that the threat actor targets users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem.

Crazy Evil has been assessed to be active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal crews. Allegedly run by a threat actor known on Telegram as @AbrahamCrazyEvil, it serves over 4,800 subscribers on the messaging platform (@CrazyEvilCorp) as of writing.

“They monetise the traffic to these botnet operators who intend to compromise users either widely, or specifically to a region, or an operating system,” French cybersecurity company Sekoia said in a deep-dive report about traffer services in August 2022.

“The main challenge facing traffers is therefore to generate high-quality traffic without bots, undetected or analysed by security vendors, and eventually filtered by traffic type. In other words, traffers’ activity is a form of lead generation.”


Unlike other scams that revolve around setting up counterfeit shopping sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets involving non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. It is estimated to have generated over $5 million in illicit revenue and compromised tens of thousands of devices globally.

It has also gained newfound prominence in the wake of exit scams involving two other cybercrime groups, Markopolo and CryptoLove, both of which were previously identified by Sekoia as responsible for a ClickFix campaign using fake Google Meet pages in October 2024.

“Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spear-phishing lures,” Recorded Future said. “Crazy Evil traffers sometimes take days or weeks of reconnaissance time to scope operations, identify targets, and initiate engagements.”

Besides orchestrating attack chains that deliver information stealers and wallet drainers, the group’s administrators claim to offer instruction manuals and guidance for its traffers and crypter services for malicious payloads, and boast of an affiliate structure to delegate the operations.


Crazy Evil is the second cybercrime group in recent years, after Telekopye, to be exposed as centering its operations around Telegram. Newly recruited affiliates are directed by a threat actor-controlled Telegram bot to other private channels –

  • Payments, which announces earnings for traffers
  • Logbar, which provides an audit trail of information stealer attacks, details about stolen data, and if the targets are repeat victims
  • Info, which provides regular administrative and technical updates for traffers
  • Global Chat, which serves as a main communication space for discussions ranging from work to memes

The cybercrime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which has been attributed to a specific scam that involves duping victims into installing a purported software tool from phony websites –

  • AVLAND (aka AVS | RG or AVENGE), which leverages job offer and investment scams to propagate StealC and AMOS stealers under the guise of a Web3 communication tool named Voxium (“voxiumcalls[.]com”)
  • TYPED, which propagates the AMOS stealer under the guise of an artificial intelligence software named TyperDex (“typerdex[.]ai”)
  • DELAND, which propagates the AMOS stealer under the guise of a community development platform named DeMeet (“demeet[.]app”)
  • ZOOMLAND, which leverages generic scams impersonating Zoom and WeChat (“app-whechat[.]com”) to propagate the AMOS stealer
  • DEFI, which propagates the AMOS stealer under the guise of a digital asset management platform named Selenium Finance (“selenium[.]fi”)
  • KEVLAND, which propagates the AMOS stealer under the guise of an AI-enhanced virtual meeting software named Gatherum (“gatherum[.]ca”)
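The six lure domains above are published defanged (“[.]” in place of the dot) so they cannot be clicked by accident. The following is an added example, not code from the report or from Recorded Future, of how a defender would refang those indicators and sweep a web-proxy log for contacts with them. The log lines are constructed for the example, and the subdomain-aware match deliberately avoids false positives on look-alike hosts such as selenium.dev or notselenium.fi.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Defanged indicators exactly as listed in the article.
DEFANGED_IOCS = [
    "voxiumcalls[.]com",
    "typerdex[.]ai",
    "demeet[.]app",
    "app-whechat[.]com",
    "selenium[.]fi",
    "gatherum[.]ca",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL back into a matchable, lower-case form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://")
                     .strip().lower())


def matches_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that host equals or is a subdomain of, else None.

    The "." prefix on the suffix test is what keeps notselenium.fi from
    matching selenium.fi.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample proxy log (not from the report): "timestamp client url".
SAMPLE_PROXY_LOG = """\
2025-02-03T10:01:12Z 10.0.0.14 https://www.example.com/index.html
2025-02-03T10:02:45Z 10.0.0.21 https://download.voxiumcalls.com/Voxium-Setup.dmg
2025-02-03T10:03:07Z 10.0.0.21 https://typerdex.ai/download
2025-02-03T10:04:50Z 10.0.0.33 https://selenium.dev/documentation
2025-02-03T10:05:02Z 10.0.0.33 https://notselenium.fi/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(log_text: str, defanged: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose URL host matches an IoC."""
    iocs = {refang(d) for d in defanged}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, url = m.groups()
        host = urlparse(url).hostname or ""
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append({"time": ts, "client": client, "host": host, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"{hit['time']} {hit['client']} contacted {hit['host']} (IoC: {hit['ioc']})")
```

On the constructed log this reports two hits, both from client 10.0.0.21 (the download subdomain of voxiumcalls.com and typerdex.ai), and nothing for the look-alike hosts; a real sweep would feed the same function with DNS or proxy exports and pivot on the client address to find the host that fetched the installer.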

“As Crazy Evil continues to achieve success, other cybercriminal entities are likely to emulate its methods, compelling security teams to remain perpetually vigilant to prevent widespread breaches and erosion of trust within the cryptocurrency, gaming, and software sectors,” Recorded Future said.


The development comes as the cybersecurity company exposed a traffic distribution system (TDS) dubbed TAG-124, which overlaps with activity clusters known as LandUpdate808, 404 TDS, Kongtuke, and Chaya_002. Multiple threat groups, including those associated with Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@ck Loader, and TA582 have been found to use the TDS in their initial infection sequences.

“TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components,” it said. “If visitors fulfill specific criteria, the compromised WordPress websites display fake Google Chrome update landing pages, which ultimately lead to malware infections.”


Recorded Future also noted that the shared use of TAG-124 reinforces the connection between Rhysida and Interlock ransomware strains, and that recent variations of TAG-124 campaigns have utilized the ClickFix technique of instructing visitors to execute a command pre-copied to their clipboard to initiate the malware infection.

Some of the payloads deployed as part of the attack include Remcos RAT and CleanUpLoader (aka Broomstick or Oyster), the latter of which serves as a conduit for Rhysida and Interlock ransomware.

Compromised WordPress sites, totaling more than 10,000, have also been discovered acting as a distribution channel for AMOS and SocGholish as part of what has been described as a client-side attack.

“JavaScript loaded in the browser of the user generates the fake page in an iframe,” c/side researcher Himanshu Anand said. “The attackers use outdated WordPress versions and plugins to make detection more difficult for websites without a client-side monitoring tool in place.”
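The c/side finding above is that the fake page is built in the browser by injected JavaScript that opens an iframe, so it is invisible to anyone inspecting only the server-side WordPress files. The following is an added example, not code from c/side or from the researchers quoted, of the kind of check a client-side monitoring tool performs: parse the HTML a site actually serves, list every iframe and script it embeds, and flag off-site sources, full-viewport overlays, and inline scripts that build an iframe at runtime. The sample page, the site host www.example.com, the allowlisted CDN host, and the landing-page host chrome-update.invalid are all constructed for the example.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urlparse


class EmbedCollector(HTMLParser):
    """Collect iframe/script sources and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.embeds: List[Dict[str, str]] = []
        self._in_script = False
        self._script_buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.embeds.append({"kind": "iframe", "src": a.get("src") or "",
                                "style": a.get("style") or "", "body": ""})
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            if a.get("src"):
                self.embeds.append({"kind": "script", "src": a["src"],
                                    "style": "", "body": ""})

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            if body.strip():
                self.embeds.append({"kind": "inline-script", "src": "",
                                    "style": "", "body": body})


# Style fragments typical of an iframe meant to cover the whole viewport.
FULLSCREEN_HINTS = ("position:fixed", "100vw", "100vh", "z-index")


def audit_page(html: str, site_host: str, allowed_hosts: Iterable[str]) -> List[str]:
    """Return human-readable findings for embeds a site owner did not expect."""
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = EmbedCollector()
    collector.feed(html)
    findings: List[str] = []
    for e in collector.embeds:
        if e["kind"] in ("iframe", "script"):
            # Relative sources have no hostname and count as the site itself.
            host = (urlparse(e["src"]).hostname or site_host).lower()
            if host not in allowed:
                findings.append(f"off-site {e['kind']} from {host}")
            style = e["style"].replace(" ", "").lower()
            if e["kind"] == "iframe" and any(h in style for h in FULLSCREEN_HINTS):
                findings.append(f"full-viewport iframe overlay from {host}")
        else:
            body = e["body"].lower()
            if "iframe" in body and ("createelement" in body or "document.write" in body):
                findings.append("inline script builds an iframe at runtime")
    return findings


# Constructed sample: a legitimate analytics script plus an injected overlay.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-analytics.net/a.js"></script>
</head><body>
<h1>Welcome</h1>
<script>
var f = document.createElement('iframe');
f.src = 'https://chrome-update.invalid/landing';
f.style.cssText = 'position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:99999';
document.body.appendChild(f);
</script>
<iframe src="https://chrome-update.invalid/landing" style="position: fixed; width: 100vw; height: 100vh"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "www.example.com", ["cdn.example-analytics.net"]):
        print("FINDING:", finding)
```

Run against the served HTML on a schedule (not against the files on disk) and diff the findings between runs: a new off-site host or a new runtime-built iframe on a page that was clean yesterday is exactly the change the quoted researchers say goes unnoticed without client-side monitoring.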

Furthermore, threat actors have leveraged the trust associated with popular platforms like GitHub to host malicious installers that lead to the deployment of Lumma Stealer and other payloads like SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

The activity observed by Trend Micro exhibits significant overlaps with tactics attributed to a threat actor referred to as Stargazer Goblin, which has a track record of using GitHub repositories for payload distribution. However, a crucial difference is that the infection chain begins with infected websites that redirect to malicious GitHub release links.

“The distribution method of Lumma Stealer continues to evolve, with the threat actor now using GitHub repositories to host malware,” security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego said.

“The malware-as-a-service (MaaS) model provides malicious actors with a cost-effective and accessible means to execute complex cyberattacks and achieve their malicious objectives, easing the distribution of threats such as Lumma Stealer.”
