{
	"id": "93196916-28ca-40ca-836b-99e8e52c02ea",
	"created_at": "2026-04-06T01:29:22.703368Z",
	"updated_at": "2026-04-10T03:21:26.59675Z",
	"deleted_at": null,
	"sha1_hash": "329ebd8fc4a208509413c50b266a072fc894fe71",
	"title": "Exposing the Deception: Russian EFF Impersonators Behind Stealc \u0026 Pyramid C2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 17013456,
	"plain_text": "Exposing the Deception: Russian EFF Impersonators Behind\r\nStealc \u0026 Pyramid C2\r\nPublished: 2025-03-04 · Archived: 2026-04-06 00:54:17 UTC\r\nOpen directories often expose more than just files--they provide a window into how malicious campaigns operate.\r\nIn this case, we identified a threat actor impersonating the Electronic Frontier Foundation (EFF) to target\r\nthe online gaming community. The exposed directory contained decoy documents alongside the malware used in\r\nthis operation: Steal and Pyramid C2.\r\nFurther analysis linked 11 additional servers to the campaign through shared SSH keys, indicating a broad\r\nnetwork footprint. Code comments found within malicious Python and PowerShell scripts suggest the work of a\r\nRussian-speaking developer. The tactics and malware observed align with financially motivated cybercrime\r\nactivity. Hunt had already identified both C2 servers weeks earlier as part of routine scanning, but the open\r\ndirectory provided the link between the malware and this operation.\r\nThis post examines the role of the decoy documents and phishing attempts in the activity and explores how code\r\nanalysis revealed additional infrastructure.\r\nCampaign Overview\r\nA threat group impersonating the Electronic Frontier Foundation (EFF) is targeting Albion Online players through\r\ndecoy documents designed to lend credibility while malware executes in the background.\r\nAlbion Online is a multiplayer online role-playing game (MMORPG) with a player-driven economy. 
While real-money transactions are against the game's terms of service and can result in permanent bans, third-party markets\r\nexist where in-game assets are exchanged for money, making player accounts a lucrative target.\r\nPlayers on the game's forum have reported receiving messages from other members directing them to phishing\r\nwebsites, with the EFF's name used as a pretext to discuss the security of in-game goods tied to their accounts.\r\nTechnical Details\r\nOpen Directory\r\nOn February 27th, Hunt's AttackCapture™ identified an open directory at http[:]//83.217.208[.]90/documents.\r\nAttackCapture™ scans and archives files from exposed servers and categorizes malicious samples based on\r\nsandbox analysis, enabling quick reference during threat hunting. This particular server carried detections for\r\nPowerShell usage and Stealc, which immediately grabbed our attention.\r\nhttps://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2\r\nPage 1 of 15\n\nFigure 1: Screenshot of the directory contents hosted at 83.217.208[.]90 in Hunt.\r\nThe server hosted a mix of PDFs, ZIP archives, PowerShell scripts, and filenames with double extensions, a\r\ncommon indicator of malware staging. While this section provides a brief overview of notable files, a detailed\r\nanalysis follows in the next section.\r\nInfrastructure \u0026 SSH Key Overlaps\r\nLet's first look at the IP address hosting the malware. Clicking on 'Hunt IP Search' in the Host section brings us to\r\nthe overview page, which quickly shows two areas of interest.\r\nFigure 2: Hunt overview for the suspicious IP.\r\nFirst, the 'Associations' tab displayed a pivot point revealing additional infrastructure. 
This IP address shares SSH\r\nkeys (fingerprint b48b0e3657560b80ce5e8309e422aa1655e4df2642d4a955b83945bac096b3fb) with 11 other IPs, all\r\nhosted on the Partner Hosting LTD network.\r\nWhile no significant indicators were found linking these servers to other known operations, all remained active\r\nfrom early to mid-January 2025 before ceasing activity around February 21.\r\nMore interestingly, the icon next to the magnifying glass for port 80 identifies that Hunt has already detected this\r\nIP as hosting a Stealc C2. We currently track 23 unique command-and-control servers associated with the stealer,\r\nwith detailed information fully accessible to users.\r\nDecoy Documents and Phishing Strategy\r\nWithin the /albion/files folder is a document titled 'Albion.pdf.' Upon opening the file, readers are\r\npresented with what appears to be a report from the Electronic Frontier Foundation titled:\r\n\"Electronic Report on Investigation of Virtual Asset Theft in Albion Online.\"\r\nHunt researchers have not been able to verify the document's authenticity as of this article's publication.\r\n*The EFF is a nonprofit that advocates for digital privacy, free expression, and cybersecurity protections while\r\nchallenging government surveillance and online censorship.\r\nFigure 3: Suspicious PDF targeting users of the Albion Online game.\r\nThe document is three pages long and informs the reader that the EFF received a request from the administrators\r\nof the online game to analyze transactions on the individual's account.\r\nAfter listing seemingly random item IDs linked to the potential victim's account, the report leads directly into the\r\ninvestigation results, informing the reader that unauthorized login attempts were detected and that stolen items\r\nwere transferred to their account.\r\nThe report concludes with recommended steps to further secure the user's account and leaves only the URL for the\r\nEFF contact webpage for questions.\r\nDocument Analysis\r\nExtracting metadata from the PDF using pdfinfo revealed several notable details:\r\nCreation Date: Feb 18, 2025\r\nPDF Library: Skia/PDF m132\r\nTitle: localhost:36223/webpageToPdf_67b3548070585_14546073906135025492.html\r\nCreator: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nHeadlessChrome/132.0.0.0 Safari/537.36\r\nThe above suggests the PDF was generated programmatically rather than manually created. The Title field\r\nindicates it was converted from an HTML page served on localhost, and the Creator field names headless Chrome,\r\nreinforcing our belief that this was an automated process to mass-generate lures for phishing campaigns.\r\nFigure 4: Results of running pdfinfo on Albion.pdf.\r\nWe won't discuss in detail the other PDF on the server, '1710407310845,' as we could not find proof of its use in\r\nthe wild. The document appears to target individuals in India with DMCA takedown notices.\r\nOf note, this document contained the below details, which were a departure from Albion.pdf:\r\nTitle: New Applications_April 2023.xlsx\r\nAuthor: shitesh\r\nCreator: Acrobat PDFMaker 22 для Word (\"для\" translates to \"for\" in English)\r\nPhishing Attempts Against Forum Users\r\nOn 28 February, a user on the Albion Online forum (forum[.]albiononline[.]com) created a thread detailing\r\nphishing messages they had received. The messages, impersonating the EFF, attempted to lure players into\r\nengagement under the pretense of an investigation. 
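The pdfinfo fields in the Document Analysis section above can be checked programmatically. The following is an added example written for this page, not code from the hunt.io post: it reads the Info dictionary out of a PDF and flags the three fields that marked Albion.pdf as an automated HTML-to-PDF conversion. The PDF bytes are constructed for the example (only the metadata objects matter, and the timestamp is made up); real files should go through pdfinfo or pypdf, which handle cross-reference tables, object streams and compressed metadata that this minimal reader does not.

```python
# Added example: parse the /Info dictionary of a PDF and score the fields that
# identified Albion.pdf as an automated HTML-to-PDF conversion.
# SAMPLE_PDF is constructed for this example; it is not the real Albion.pdf.

SAMPLE_PDF = (
    b'%PDF-1.4 '
    b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj '
    b'3 0 obj << '
    b'/Title (localhost:36223/webpageToPdf_example.html) '
    b'/Creator (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
    b'(KHTML, like Gecko) HeadlessChrome/132.0.0.0 Safari/537.36) '
    b'/Producer (Skia/PDF m132) '
    b'/CreationDate (D:20250218000000Z) '  # date from the post, time made up
    b'>> endobj '
    b'trailer << /Info 3 0 R /Root 1 0 R >> '
    b'%%EOF'
)

FIELDS = ('Title', 'Creator', 'Producer', 'CreationDate')
ESCAPE = 92  # ord of the PDF string escape character


def read_literal(data, start):
    '''Read the PDF literal string whose opening parenthesis is at data[start]
    and return (text, index just past the closing parenthesis).
    Balanced nested parentheses are part of the string: the real Creator
    value contains (X11; Linux x86_64) and (KHTML, like Gecko), so a naive
    scan to the first closing parenthesis would truncate it. Escaped
    parentheses and escape characters are handled; letter and octal escapes
    are left untranslated, which is enough for metadata triage.'''
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == ESCAPE and i + 1 < len(data):
            out.append(data[i + 1])  # keep the escaped byte, drop the escape
            i += 2
            continue
        if c == ord('('):
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == ord(')'):
            depth -= 1
            if depth == 0:
                return out.decode('latin-1'), i + 1
            out.append(c)
        else:
            out.append(c)
        i += 1
    raise ValueError('unterminated literal string')


def info_dict(pdf):
    '''Return {field: value} for the Info entries stored as literal strings.'''
    found = {}
    for name in FIELDS:
        key = b'/' + name.encode('ascii') + b' ('
        pos = pdf.find(key)
        if pos != -1:
            found[name], _ = read_literal(pdf, pos + len(key) - 1)
    return found


def lure_indicators(meta):
    '''Apply the three observations from the post to a metadata dict.'''
    hits = []
    if 'HeadlessChrome' in meta.get('Creator', ''):
        hits.append('Creator is headless Chrome: scripted rendering')
    if meta.get('Title', '').startswith('localhost:'):
        hits.append('Title is a localhost URL: converted from a local HTML page')
    if meta.get('Producer', '').startswith('Skia/PDF'):
        hits.append('Producer is Skia/PDF: Chromium print-to-PDF')
    return hits


if __name__ == '__main__':
    meta = info_dict(SAMPLE_PDF)
    for k, v in meta.items():
        print('%-13s %s' % (k + ':', v))
    for hit in lure_indicators(meta):
        print('[!]', hit)
```

None of the three indicators is malicious on its own (plenty of legitimate tooling prints to PDF through headless Chrome), but a report that claims to come from a nonprofit and carries a localhost title is worth a second look; the Acrobat PDFMaker creator on the other PDF shows how differently a hand-made document looks.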
Notably, the user ended their post by expressing frustration at\r\nthe increasing volume of these messages, suggesting the campaign is widespread.\r\nFigure 5: Screenshot of forum posts describing the phishing attempts against users.\r\nThe moderator acknowledged the attempts and provided general security recommendations as the discussion\r\ncontinued. An additional user reported receiving the same message and attached a screenshot showing the sender\r\nand contents.\r\nThe image revealed another piece of attacker-controlled infrastructure hosting a PDF at: act-7wbq8j3peso0qc1.pages[.]dev/819768.pdf\r\nFigure 6: User-provided screenshot of the phishing message they received.\r\nWe were unable to retrieve the document, as requests to the page resulted in a perpetual loading page. The sender\r\nof these messages, \"reraveca1977,\" created their forum account the same day, February 28, before likely wiping\r\ntheir activity. There have been no further posts or activity from this account as of this writing.\r\nThe forum discussions confirm that phishing messages were actively circulating, aligning with findings from the\r\nopen directory and leading to additional attacker-controlled infrastructure hosting decoy documents.\r\nMalware Analysis\r\nLooking into the /albion directory revealed a Windows shortcut (LNK) file designed to execute a PowerShell\r\nscript, which facilitates malware delivery. The directory contains:\r\nReport-Albion-Online.lnk\r\n/files/Python.zip\r\n/files/Albion.pdf\r\nFigure 7: Screenshot of the files contained within the /albion directory.\r\nThe LNK file launches PowerShell with the -ExecutionPolicy Bypass flag and runs albion.ps1, a script located in\r\n/documents/pwsh/ on the same server. 
Once executed, the code retrieves Albion.pdf and Python.zip from the\r\ndirectory depicted in Figure 7.\r\nThe PowerShell code contains multiple comments in Russian, further supporting earlier indicators that Russian-speaking developers were involved in this operation. The script performs the following actions:\r\n1. Opens Albion.pdf to distract the user while the malware executes in the background.\r\n2. Extracts Python.zip and sleeps for 30 seconds.\r\n3. Searches for pythonw.lnk, a secondary shortcut file.\r\n4. If found, executes pythonw.lnk and moves it to the Windows Startup folder, ensuring persistence on\r\nreboot.\r\n5. Drops albion.exe and 12.py from the zip archive into the TEMP folder.\r\nalbion.exe is a renamed legitimate Python 3.10.8 executable, used to run the accompanying script.\r\n12.py is discussed below.\r\nReviewing the contents of 12.py in a text editor, we found that the developer commented (in Russian) on every\r\nline of its roughly 130 lines of code.\r\nThe script includes logging and error checking and, more importantly, defines two strings, encoded_script_1 and\r\nencoded_script_2, obfuscated with zlib compression and base64 encoding. 
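The zlib-plus-base64 wrapping is cheap to undo outside CyberChef as well. Below is an added example, not code from the post or from 12.py: it scans a script for long base64 literals, keeps only those that inflate cleanly through zlib, and pulls IPv4 addresses and ports out of whatever they decode to. The stand-in script and the two config blobs are constructed here from a minimal config shape (the variable names in it are assumptions, not Pyramid's verified source); only the two C2 endpoints come from the post.

```python
import base64
import re
import zlib


def pack(text):
    '''Wrap text the way 12.py does: zlib-compress, then base64-encode.'''
    return base64.b64encode(zlib.compress(text.encode('utf-8'))).decode('ascii')


# Constructed config blobs. The shape is an assumption; endpoints are from the post.
CONF_1 = '''server = '104.245.240.19'
port = '443'
user = 'operator'
'''
CONF_2 = CONF_1.replace('104.245.240.19', '212.87.222.84')

# Something long and base64-like that is NOT zlib data, to show it is skipped.
DECOY = base64.b64encode(b'plain text, not compressed ' * 4).decode('ascii')

# Constructed stand-in for the relevant lines of 12.py.
SAMPLE_12_PY = '''import base64, subprocess, time, zlib
encoded_script_1 = '%s'
encoded_script_2 = '%s'
banner = '%s'
''' % (pack(CONF_1), pack(CONF_2), DECOY)

B64_LITERAL = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
IPV4 = re.compile(r'(?<![0-9.])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9.])')
PORT = re.compile(r'port[^0-9]{0,4}([0-9]{2,5})', re.IGNORECASE)


def unpack_candidates(script_text):
    '''Yield (literal, decoded_text) for each base64 run that inflates cleanly.
    Bad padding raises binascii.Error (a ValueError subclass); non-zlib bytes
    raise zlib.error. Both are expected for ordinary strings and are skipped.'''
    for m in B64_LITERAL.finditer(script_text):
        literal = m.group(0)
        try:
            raw = base64.b64decode(literal, validate=True)
            yield literal, zlib.decompress(raw).decode('utf-8', 'replace')
        except (ValueError, zlib.error):
            continue


def extract_c2(script_text):
    '''Return sorted unique ip:port strings found in the decoded blobs.'''
    found = set()
    for _, text in unpack_candidates(script_text):
        ports = PORT.findall(text)
        for ip in IPV4.findall(text):
            found.add('%s:%s' % (ip, ports[0] if ports else 'unknown'))
    return sorted(found)


if __name__ == '__main__':
    for literal, text in unpack_candidates(SAMPLE_12_PY):
        print('blob %s... decodes to:' % literal[:16])
        print(text)
    print('C2 endpoints:', extract_c2(SAMPLE_12_PY))
```

Running the same scan over a real sample is worth doing even when CyberChef has already given the answer: a script can carry more than the two strings its variable names advertise, and the decoder above will surface any of them that use the same wrapping.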
Upon decoding, both scripts are\r\nexecuted in the background while the main program sleeps for 30 minutes and then terminates the two processes.\r\nFigure 8: Snippet of 12.py.\r\nDecoding the strings in CyberChef reveals configuration files for Pyramid C2, an open-source framework we\r\npreviously wrote about, including tips on hunting for these servers in the wild.\r\nExtracted C2 Infrastructure\r\nencoded_script_1 contains the C2: 104.245.240[.]19:443\r\nFigure 9: CyberChef decoding results for encoded_script_1.\r\nC2 for encoded_script_2: 212.87.222[.]84:443\r\nFigure 10: CyberChef decoding results for encoded_script_2.\r\nChecking these IPs in Hunt, we were surprised to find that our scanners had detected the second C2 as Pyramid C2\r\ninfrastructure roughly two weeks earlier.\r\nFigure 11: IP overview of 212.87.222[.]84, showing it as a Pyramid C2 in Hunt.\r\nPyramid C2 Behavior\r\nPyramid C2 is designed to deliver files encrypted, a technique that may allow it to bypass endpoint detection and\r\nresponse (EDR) solutions. Prior research identified its use of Basic Authentication and a distinct JSON response\r\nformat, both of which appeared again in this case. 
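The two check-in shapes in this campaign, Pyramid's Basic-Auth GET to /login/<token> and Stealc's POSTs to a .php gate on port 80 (both walked through in the sandbox capture below), are easy to pick out of proxy logs. The following is an added example written for this page, not code from the post: it classifies constructed log lines by those two shapes and reports the C2 host:port per family. The log format is made up for the example; the Stealc gate pattern (sixteen hex characters plus .php) is generalised from the single URL the post shows, and the rule requiring Basic auth on the login path keeps a plain /login/ page from matching.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy/sandbox log lines in a simple whitespace format:
#   <timestamp> <method> <url> key=value ...
# The two C2 URLs mirror the ones in the post; the other lines are decoys.
SAMPLE_LOG = '''
2025-03-01T10:00:01Z GET http://104.245.240.19:443/login/3keXipGb5Rr+gpGO9CjsSfdz+of5 authorization=basic status=200 content-type=application/json
2025-03-01T10:00:03Z POST http://104.245.240.18/d7f85cd3e24a4757.php status=200 content-type=text/plain
2025-03-01T10:00:04Z POST http://104.245.240.18/d7f85cd3e24a4757.php status=200 content-type=text/plain
2025-03-01T10:00:09Z GET https://portal.example.test/login/ status=302 content-type=text/html
2025-03-01T10:00:12Z POST http://cdn.example.test/index.php status=200 content-type=text/html
2025-03-01T10:00:15Z GET http://104.245.240.19:443/login/3keXipGb5Rr+gpGO9CjsSfdz+of5 status=401
'''

# Pyramid: Basic-Auth GET to /login/<opaque token>. Stealc: POST to a
# sixteen-hex-character .php gate (generalised from the single URL in the post).
PYRAMID_LOGIN = re.compile(r'^/login/[A-Za-z0-9+/=]{16,}$')
STEALC_GATE = re.compile(r'^/[0-9a-f]{16}[.]php$')


def classify(line):
    '''Return (family or None, reason) for one log line.'''
    fields = line.split()
    if len(fields) < 3:
        return None, 'malformed line'
    method, url = fields[1], fields[2]
    attrs = dict(f.split('=', 1) for f in fields[3:] if '=' in f)
    u = urlsplit(url)
    if method == 'GET' and PYRAMID_LOGIN.match(u.path):
        if attrs.get('authorization') != 'basic':
            return None, 'login path without Basic auth (Pyramid shape, weak)'
        note = 'Basic-Auth GET /login/<token>'
        if u.scheme == 'http' and u.port == 443:
            note += ', plaintext HTTP on 443'
        if attrs.get('content-type') == 'application/json':
            note += ', JSON reply'
        return 'pyramid', note
    if method == 'POST' and STEALC_GATE.match(u.path) and u.port in (None, 80):
        return 'stealc', 'POST to sixteen-hex .php gate on port 80'
    return None, 'no match'


def triage(log_text):
    '''Group matching lines by family as sorted unique host:port strings.'''
    hits = {'pyramid': set(), 'stealc': set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        family, _ = classify(line)
        if family is None:
            continue
        u = urlsplit(line.split()[2])
        port = u.port or (443 if u.scheme == 'https' else 80)
        hits[family].add('%s:%d' % (u.hostname, port))
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == '__main__':
    for line in SAMPLE_LOG.strip().splitlines():
        print(classify(line), '<-', line.split()[2])
    print(triage(SAMPLE_LOG))
```

The plaintext-HTTP-on-443 note is deliberately advisory rather than required: it is a strong oddity in this capture, but a Pyramid operator can just as easily serve TLS, so the Basic-auth login path does the real work.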
Reviewing the network communications from a malware sandbox\r\nanalysis displayed an HTTP GET request to\r\nhttp[:]//104.245.240[.]19:443/login/3keXipGb5Rr+gpGO9CjsSfdz+of5\r\nNote that this is plain HTTP to port 443, which is itself a useful hunting signal. The response is consistent with previously observed Pyramid C2 research, reinforcing its role in this campaign.\r\nFigure 12: JSON response from the Pyramid C2 server.\r\nStealc Communications\r\nFollowing the Pyramid C2 check-in, the malware initiates multiple POST requests to\r\nhttp[:]//104.245.240[.]18/d7f85cd3e24a4757.php.\r\nThese requests, made over port 80, align with the Stealc stealer's standard check-in process. The malware proceeds to\r\ninteract with the Firefox and Chrome browsers, extracting stored credentials before sending them back to the C2\r\nserver.\r\nFigure 13: Snippet of the C2 communications as found by Triage.\r\nThe remaining PowerShell script, osnova.ps1, functions identically to the previously analyzed code and\r\nintroduces no new tactics.\r\nConclusion\r\nThe recent campaign targeting the Albion Online gaming community underscores the evolving tactics of cyber\r\nadversaries. 
By impersonating reputable organizations like the Electronic Frontier Foundation (EFF), attackers\r\ndisseminated phishing messages that directed users to malicious infrastructure hosting both decoy documents and\r\nmalware.\r\nThis strategy not only exploits the trust users place in well-known entities but also leverages the immersive nature\r\nof gaming environments to increase the likelihood of successful compromises.\r\nOur investigation revealed that the threat actors, mistakenly or intentionally, left the directories where their\r\nmalicious payloads were stored and distributed exposed, a misstep that can easily go unnoticed without proactive\r\nmonitoring. By analyzing these open directories, we identified the deployment of tools such as the Stealc stealer\r\nand Pyramid C2, highlighting the sophistication and resourcefulness of the adversaries.\r\nMitigation Strategies\r\nTo stay safe against such phishing campaigns, users are advised to:\r\nExercise caution with unsolicited communications: Be wary of unexpected messages, especially those\r\nrequesting personal information or urging immediate action.\r\nVerify the authenticity of sources: Cross-check the legitimacy of emails or messages purportedly from\r\nreputable organizations by contacting them through official channels.\r\nUtilize security tools for link and attachment analysis: Before interacting with links or downloading\r\nattachments, employ analysis services like urlscan.io or VirusTotal to assess potential threats. 
*Ensure\r\nyou aren't uploading sensitive information first.\r\nInfrastructure Observables and IOCs\r\nSSH Fingerprint: b48b0e3657560b80ce5e8309e422aa1655e4df2642d4a955b83945bac096b3fb\r\nNetwork Observables and IOCs\r\nIP Address | ASN | Notes\r\n83.217.208[.]90 | Partner Hosting LTD | Opendir/Stealc C2 -- Port 80\r\n104.245.240[.]19 | Railnet LLC | Pyramid C2\r\n212.87.222[.]84 | GLOBAL CONNECTIVITY SOLUTIONS LLP | Pyramid C2 -- Port 443\r\n185.102.115[.]18 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]16 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]20 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]22 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n83.217.208[.]108 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90; Domain: immediate-zenar[.]net\r\n185.102.115[.]17 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]11 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]14 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]19 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]21 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\n185.102.115[.]15 | Partner Hosting LTD | Shared SSH keys w/ 83.217.208[.]90\r\nN/A | CloudFlare, Inc. | act-7wbq8j3peso0qc1.pages[.]dev\r\nHost Observables and IOCs\r\nFilename | SHA-256\r\nalbion.ps1 | a524d1acb0692fc90e20548d4bea29b4996c4113420942e43addd8c5609e29a4\r\nosnova.ps1 | 4dcca5d3269eb44f3cf7af62c0da3b6acab67eb758c9fb2f5cc5b1d13a7286f7\r\nReport-Albion-Online.lnk | cf8065df8674c2a09b3cb94f308c48f04a8664b066dd5107b117e99062f5621e\r\nterms-of-service.pdf.lnk | cf8065df8674c2a09b3cb94f308c48f04a8664b066dd5107b117e99062f5621e (same hash as Report-Albion-Online.lnk)\r\n1710407310845.pdf | a7e617783d7f1b0079c605126fba074ee7ee431077cd97d391e41f364a0afe1b\r\nAlbion.pdf | b7612517337a7a3678e7f138dab36cd8a42e843f0536c0ccb74a2b0aa2224505\r\nPython.zip (/albion/files/) | f60c212190a69149480586c9c9e340605dfa4b16a571f34b2ce31db4d0f7659a\r\n12.py | aa89169a746709de1fd18510fc6e8850a863ebcc419ba0ca21fa479e59730c6e\r\nalbion.exe | 56f1a4d528fdee439b5b747c00d0b4a61b2c0bd8783e0abdb87c6d969a8f1e91\r\nPython.zip (/files/zip/) | 3d3559a29f94bb349b928518dcf0c3757813e32195d16880e94169ca9affdede\r\nSource: https://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2"
	],
	"report_names": [
		"russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2"
	],
	"threat_actors": [],
	"ts_created_at": 1775438962,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/329ebd8fc4a208509413c50b266a072fc894fe71.pdf",
		"text": "https://archive.orkl.eu/329ebd8fc4a208509413c50b266a072fc894fe71.txt",
		"img": "https://archive.orkl.eu/329ebd8fc4a208509413c50b266a072fc894fe71.jpg"
	}
}