{
	"id": "5a18282f-5ea3-418f-8b1c-e72d04fbe1ab",
	"created_at": "2026-04-06T00:11:50.526265Z",
	"updated_at": "2026-04-10T03:21:02.050376Z",
	"deleted_at": null,
	"sha1_hash": "1b7aedfeaa443992ec0d1eab109b0ca60aa56370",
	"title": "Crystal Finance Millennium used to spread malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262741,
	"plain_text": "Crystal Finance Millennium used to spread malware\r\nArchived: 2026-04-05 16:19:49 UTC\r\nEarlier today, Costin from Kaspersky tweeded the following intriguing tweet:\r\nAfter some hunting, it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three\r\ndifferent flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed,\r\nand provide minimal background.\r\nIntroduction\r\nCrystal Finance Millennium' website is currently taken offline by the hosting provider, but archives of the website\r\nexist online.\r\nFigure 1 - \"At this moment the site is blocked by the hosting administrator\"\r\nFrom the archived webpage, it becomes apparent they provide accounting software, peronalisation of medical\r\nrecords, blood service and \"full automation of the doctor's office\" - contrary to what their company name suggests,\r\nit appears they are (mostly) focused on medical software.\r\nhttps://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html\r\nPage 1 of 5\n\nFigure 2 - archived webpage of CFM's services\r\nMoving on to the malware present on their website:\r\nSmoke Loader\r\nSmoke Loader, also known as Dofoil, Sharik or just 'Smoke', is a botnet with the main purpose of downloading\r\nother malware - a downloader. 
\r\nSmoke Loader was originally downloaded from:\r\nhXXp://cfm.com[.]ua/awstats/load.exe\r\nAdditionally, it was also mirrored at:\r\nhXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe\r\nSmoke Loader drops itself into a randomly named directory inside the user's %appdata% folder, for example:\r\n\\AppData\\Roaming\\Microsoft\\sfujsddu\\\r\nAdditionally, it performs HTTP POST requests to the following domains:\r\ncontsernmayakinternacional[.]ru\r\nsoyuzinformaciiimexanikiops[.]com\r\nkantslerinborisinafrolova[.]ru\r\nSmoke Loader carries a PDB debug path which is likely fake, or automatically generated:\r\nc:\\backward\\inch\\enumeration\\Atmel\\neces.pdb\r\nWe won't go any further into Smoke Loader here, but there's an excellent blog post by @hasherazade over at Malwarebytes here:\r\nSmoke Loader – downloader with a smokescreen still alive\r\nChthonic\r\nChthonic is a banking trojan and a derivative of Zeus, the well-known banking malware. Zeus, also known as Zbot, was leaked several years ago and has since spawned multiple new, and often improved, banking trojans.\r\nChthonic uses a custom encryptor and, as a result, the hash of its payload differs from sample to sample.\r\nIt was observed being dropped from the following websites:\r\nhXXp://nolovenolivethiiswarinworld[.]com/ico/load.exe\r\nhXXp://crystalmind[.]ru/versionmaster/nova/load.exe\r\nAdditionally, it drops its payload into the user's %appdata% folder; for example:\r\n\\AppData\\Roaming\\Microsoft\\MicrosoftStart.exe\r\nWhile Smoke Loader employs totally random filenames, Chthonic tries to hide by looking like a legitimate program.\r\nIt performs HTTP POST requests to the following domain:\r\nnolovenolivethiiswarinworld[.]com\r\nInterestingly enough, Chthonic was spotted in June targeting a government institution in Ukraine:\r\nChthonic Trojan is back in nation-state cyberattack against Ukraine\r\nWhoever's 
behind this Chthonic campaign, however, has a sense of humour, sporting the following debug path: C:\\postmaster\\merge\\Peasants\\Billy.pdb\r\nChthonic also creates a simple batch file that runs in a loop and deletes the dropper, and then the batch file itself, once the payload has been installed.\r\nPSCrypt\r\nPSCrypt, which is based on GlobeImposter, another ransomware family, has hit Ukraine before:\r\nhttps://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/\r\nInterestingly enough, the same PSCrypt campaign was spotted earlier this month by @malwarehunterteam:\r\nThis tweet suggests the attacks started as early as the 14th of August.\r\nPSCrypt was originally downloaded from:\r\nhXXp://cfm.com[.]ua/awstats/wload.exe\r\nPSCrypt encrypts files, appends the extension .pscrypt and demands 3500 Hryvnia (~ EUR 115) to restore them:\r\nFigure 3 - PSCrypt ransom message\r\nPSCrypt provides a fully detailed ransom message on how to send bitcoins to the cybercriminal, as well as a personal ID (\"Ваш личный идентификатор\", Russian for \"your personal identifier\"). The ransom note contains several spelling mistakes and may not have been written by a native speaker.\r\nAdditionally, PSCrypt removes RDP-related files and registry keys, likely to prevent an administrator from cleaning an infected machine remotely. It also clears all event logs using wevtutil:\r\nFigure 4 - Batch file which goes through commands in sequential order\r\nWhoever's behind this PSCrypt campaign also shows a sense of humour, indicating an address in the US pointing to a company called \"Unlock files LLC\". No such company exists:\r\nFigure 5 - Unlock files LLC address\r\nFigure 6 - Companies at the same address\r\nUnfortunately, the Bitcoin address shows a history of ransoms already paid, dating back to the 15th of August: 1Gb4Pk85VKYngfDPy3X2tjYfzvU62oL\r\nAt the time of writing, a total of 0.0924071 BTC has been received, which is around EUR 328.\r\nSince the first payment was on the 15th of August, this supports the theory that CFM's website was compromised on or before the 15th, quite possibly the 14th.\r\nThe general recommendation is to NOT pay, but rather to restore files from a backup.\r\nConclusion\r\nWhile Crystal Finance Millennium's website was hacked, it's possible its software was not affected. In the meantime, I'd advise not upgrading or updating any software belonging to the company, but rather waiting for an official statement from their side.\r\nThe hacking of a company or personal website can always happen, and as such it is important to act fast once it has happened - the (hosting) company did the right thing by taking the website offline while things are being fixed in the background.\r\nThe bigger question here is whether this may be a targeted attack - recently, Ukraine has been targeted heavily not only by EternalPetya (also known as NotPetya), but also by Xdata and PSCrypt. Additionally, seemingly targeted attacks had Chthonic as payload, and, as reported in this blog post, another software company in Ukraine has been compromised.\r\nAs usual, it is best to wait until further data is available before making any judgments.\r\nPrevention advice for ransomware can be found on my dedicated page about ransomware prevention:\r\nhttps://bartblaze.blogspot.co.uk/p/ransomware-prevention.html\r\nAnd, as always, indicators of compromise (IOCs) can be found below, as well as additional resources.\r\nIOCs\r\nResources\r\nNew Cyberattack wave is launched using official web site of the accounting software developer «Crystal Finance Millennium» (PDF)\r\n“Crystal Attack” analysis – behavior analysis of the “load.exe” sample (PDF)\r\nSource: https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html"
	],
	"report_names": [
		"crystal-finance-millennium-used-to.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b7aedfeaa443992ec0d1eab109b0ca60aa56370.pdf",
		"text": "https://archive.orkl.eu/1b7aedfeaa443992ec0d1eab109b0ca60aa56370.txt",
		"img": "https://archive.orkl.eu/1b7aedfeaa443992ec0d1eab109b0ca60aa56370.jpg"
	}
}