{
	"id": "1f63800f-97ee-4c7f-a9d7-2d4b73d7fe3a",
	"created_at": "2026-04-06T00:10:16.049574Z",
	"updated_at": "2026-04-10T03:22:06.764578Z",
	"deleted_at": null,
	"sha1_hash": "56dab1ac45cac588200f5c42c02ed696c4166bb1",
	"title": "GCleaner — Garbage Provider Since 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2132493,
	"plain_text": "GCleaner — Garbage Provider Since 2019\r\nBy Benoit ANCEL\r\nPublished: 2021-01-18 · Archived: 2026-04-05 19:49:56 UTC\r\nReselling access to infected machines (aka “loads reselling”) has become a huge part of the cybercrime industry. In this article we investigate an active threat actor who has been in the loads industry for over two years, reselling access to hundreds of thousands of machines every month.\r\nWhen botnet operators want to start their business, they have to face different challenges. They have to buy (or build) a piece of malware and a backend, rent different servers, pay for cryptors, certificates etc. — but in the end, one very important point is how to distribute the malicious software.\r\nThey can distribute the malware themselves (which is a lot of work) or pay a third party, the so-called “load resellers”. Spammers, exploit kit distributors, Pay-Per-Install (PPI) vendors — all of them are just load resellers. You don’t buy a number of spam campaigns from a spammer, you buy a number of infections — no matter how they are obtained.\r\nAs profitable as the loads business might be, it’s also a complex industry facing lots of changes, which requires a strong adaptive capacity in order to survive. Selling loads is not only about how many people you can infect; it’s also about what quality of infections you can provide to your clients.\r\nLoads sellers also have to protect their customers. When they distribute a payload they have to avoid ending up analyzed by sandboxes or talked about on social media. Otherwise the malware IOCs would be burned and their clients would have to buy new domains or certificates in order to stay off blacklists such as Spamhaus.\r\nWhen a cybercrime operation tries to steal money from a bank, the operators need victims who are accessing their online banking accounts. That means you can forget about distributing a fake Roblox crack; instead you need to find a way to infect accounting services and such.\r\nSpam is of course one of the main ways to sell loads: you can craft specific mailing lists targeting only companies or specific sectors in order to obtain good-quality bots, but banking trojan admins are sometimes very picky and will only pay the spammer if an infected bot reaches the webinjects CNC. It’s not an easy job.\r\nWhen you’re good at spamming you can make good money: we observed good spamming actors earning up to 60,000 USD a week when they work well, but as strange as it seems, spamming is becoming more and more complicated and lots of spammers lose their clients to other kinds of loads resellers.\r\nWe observed spammers complaining about different factors, the first one being that, from their estimations, up to 40% of the emails sent to the victims are opened on mobile devices. They cannot easily infect a tablet or a smartphone, and that means that half of the work they do goes directly in the trash. 2020 didn’t help them either: the medical crisis sending everybody home and various companies closing down caused a huge loss in terms of spam ratio.\r\nHaving done this long introduction about the state of the loads-selling business, we are going to introduce you to an actor that is becoming very powerful. It is a load seller that has been working mainly for ransomware and password stealer actors for at least two years, and who is starting to reach huge monthly infection numbers.\r\nGarbage cleaner — Selling garbage since 2019\r\nIn the beginning of 2019 we observed a new actor becoming a client of the fast flux network called Brazzzers. This client was using the fast flux to host a website called G-Cleaner (for Garbage Cleaner), mimicking cleaning tools like CCleaner.\r\nScreenshot: g-cleaner[.]info\r\nBack then the admin was promoting the fake software via emails in order to have his cleaning tool downloaded, which was in fact dropping the Azorult password stealer.\r\nQuickly we observed the website implementing a Traffic Direction System (TDS) using IPLogger in order to distribute different malware samples depending on the location the victim was downloading the fake cleaner from, and the list of these distributed malware samples started to grow.\r\nAzorult, Predator the Thief, and miners started to be distributed, but the infection ratio seemed not to be very good for a load reseller. The problem was that you could download the fake software from the fake website, so any AV company could just automatically retrieve all the payloads and blacklist the IOCs.\r\nThat’s when the load sellers started to change their way of spreading the fake software. No more G-Cleaner direct download around; the distribution is now done by various different crack websites.\r\nScreenshot: example of crack websites\r\nAfter running one of those cracks, many different pieces of malware are deployed on the victim’s computer.\r\nDepending on your country, you receive different malware. In January 2021 we observed:\r\nSTOP/DJVU ransomware\r\nScreenshot: DJVU stats backend\r\nThe infrastructure\r\nAs mentioned earlier, this loads seller seems to try to hide his servers behind the Brazzzers fast flux. We managed to extract the real location of the backend over time:\r\ncleaner-g.online — 91.243.83.187\r\ncleaner-g.site — 91.243.83.187\r\ngcleaner.info — 91.243.83.187\r\ng-cleaner.info — 91.243.83.187\r\ngcleaner.ru — 91.243.83.187\r\nggcleaner.top — 91.243.83.187\r\nggcleaner.xyz — 91.243.83.187\r\nsfccleaner.top — 91.243.83.187\r\nge-cleaner.tech — 5.182.39.210\r\nge-cleaner.xyz — 5.182.39.210\r\nggcleaner.space — 5.182.39.203\r\nggcleaner.tech — 5.182.39.203\r\ngcc-partners.in — 5.182.39.44\r\nAs we can see, despite the frequent renewal of the domains, the backend stayed at the same place for 2 years, showing the efficiency of the Brazzzers fast flux at protecting their servers.\r\nStatistics\r\nWe managed to obtain infection statistics for a month of activity, between December 2020 and January 2021. The G-Cleaner network generated over 150,000 infections worldwide during this timeframe. It’s a huge number considering that December and January are not the best months for the cybercrime industry.\r\nThose infections seem to be split between 4 partners, with each partner targeting a specific region: US, CA, EU and MIX (common word for a bit of every country).\r\nScreenshot: world map of infections\r\nScreenshot: European map showing the clear CIS border\r\nScreenshot: top 25 infected countries for January 2021\r\nWe can see here that the loads seller seems to bet on quantity and not quality of infections. They infect the maximum number of victims they can, regardless of whether it’s an interesting victim or not. That’s why the majority of malware seen related to this threat is password stealers. They distribute lots of password stealers to collect a huge amount of various credentials for services like Netflix, Apple, Google and Spotify in order to fuel the black market and make extra money.\r\nWe unfortunately didn’t find the price list for that particular loads seller, but if we refer to the actual market, Asian and South American bots can be sold for around 0.2 USD per infection, European ones go up to 0.60 USD and US bots can be sold for more than 1 USD. So, even working on quantity and not quality, we can see that loads selling is a very profitable business.\r\nRecent IOCs\r\nRelated work\r\nhttps://www.bleepingcomputer.com/news/security/fake-windows-pc-cleaner-drops-azorult-info-stealing-trojan/\r\nHappy hunting!\r\nSource: https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a"
	],
	"report_names": [
		"gcleaner-garbage-provider-since-2019-2708e7c87a8a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56dab1ac45cac588200f5c42c02ed696c4166bb1.pdf",
		"text": "https://archive.orkl.eu/56dab1ac45cac588200f5c42c02ed696c4166bb1.txt",
		"img": "https://archive.orkl.eu/56dab1ac45cac588200f5c42c02ed696c4166bb1.jpg"
	}
}