{
	"id": "c3eed1fc-b140-497b-922d-0df77bd1ca55",
	"created_at": "2026-04-06T00:14:37.193831Z",
	"updated_at": "2026-04-10T03:20:39.212721Z",
	"deleted_at": null,
	"sha1_hash": "83eedc07f98dd514b681d06d006713cb04f43176",
	"title": "Predator the Thief: New Routes of Delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2487230,
	"plain_text": "Predator the Thief: New Routes of Delivery\r\nPublished: 2019-04-18 · Archived: 2026-04-05 15:56:10 UTC\r\nA FortiGuard Labs Threat Analysis Paper\r\nIntroduction\r\nIn March 2019, FortiGuard Labs discovered a running campaign against Russian-speakers using a new version of\r\n“Predator the Thief” stealer malware. The same actor was using one set of dummy files to deliver the stealer via\r\ndifferent forms of phishing, including Zipped files, fake documents, fake pdfs, and the WinRAR exploit described\r\nin CVE-2018-20250. \r\nIn this article, we observe the way the author sells this malware on hacking and game cheating forums, as well as\r\nhow it is maintained and updated. After that, we look at the malware code and examine the traps it contains.\r\nFinally, we show how a malware customer obfuscates and delivers the malware, along with other samples he\r\nexperimented with.\r\nPredator the Thief\r\nPredator the Thief was first observed by us in July of 2018, and it is one of the various stealer malware variants\r\nsold on hacking forums. The malware contains a C2 control panel and the malware executable builder.\r\nIts functionality is quite normal for a stealer. It can gather information about an infected host, steal passwords\r\nfrom browsers, replace cryptocurrency wallets in the buffer, take photos from the web-camera, and many other\r\nconfigurable options. The interesting thing is that unlike many other stealers written in C#, this malware is fully\r\nwritten in C/C++.\r\nAs the core of the malware has not changed much since the latest posts on this topic, you can check out more\r\ndetails in the analysis report of version 2.3.5 by Fumik0_. \r\nIn that analysis, we learned that the initial malware was written by “Alexuiop1337”. 
Checking the advertisement\r\npublished on one of the hacking and game cheating forums, we can see that the promotion of Predator continues\r\nto be very active, and that the malware author is now calling himself “Kongress_nlt”.\r\nhttps://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html\r\nPage 1 of 14\n\nFigure 1. Advertisement for the malware\r\nFollowing the link on the forum, we observed a Telegram profile of “sett9”, whose chats are still being frequently\r\nupdated. It seems like the chat “@sett9blog” is used less, and “@PredatorSoftwareChannel” is used just as a\r\nprivate blog for reverse engineering and Predator update news.\r\nFigure 2. User sett9 in Telegram and his public chats\r\nWith the information provided in @PredatorSoftwareChannel we can see the malware’s update timeline. The\r\nmalware version v3.0.8 was released on 04.03.2019, and another new version v3.1.0 was released on 21.03.2019.\r\nThe latest release notes from the malware author are available on the Telegram channel. The translated version is\r\nshown in the following figure:\r\nFigure 3. Release notes for Predator v3.0.8 and v3.1.0\r\nAnother Release: v3.2.0\r\nAnd now, the author has just announced another release – v3.2.0. This release also affects the price of the\r\nmalware, raising the price from $35 to $80 USD.\r\nFigure 4. Translated release notes for the 3.2.0 version of malware\r\nThere is also a new, interesting feature mentioned by the malware author – the malware has been fully rewritten to\r\nmake it fileless. This means that the malware will not leave any files or directories in the system, enabling it to run\r\nmuch stealthier on a victim’s machine.\r\n
Unfortunately, as of the date this article was written, we haven’t found\r\nsamples of v3.1.0 or v3.2.0 in the wild. For this research blog, we have analyzed the older version of Predator the\r\nThief, v3.0.8, used in the campaign possibly started by the author himself or one of his customers.\r\nTrap for Analysis\r\nThe Predator version used by those unknown actors has not changed much from its previous version.\r\nOnce we started our analysis, we obtained the version information in a text file after its execution.\r\nFigure 5. Predator version information in information.txt\r\nThe code of the malware is obfuscated to slow down analysis. We found that every string in Predator\r\nis dynamically produced, with some of them hardcoded in the file or in its assembly code and encoded with simple byte\r\noperations like “xor”, “not” or “sub”.\r\nInterestingly, it includes traps in the form of fake character-decoder function pairs. The correct character is fed\r\nbyte-by-byte into the function pair, which then outputs the same character. In Figure 6, the red square shows how\r\nthe string “cmdvrt64.dll” is input into the trap functions.\r\nFigure 6. Confusing string generation and trap function for normal string input\r\nC2 Connection\r\nIn this campaign, all the samples use the following domain as their C2 server.\r\n                hxxp://sonsobakq1.mcdir[.]ru/\r\n“mcdir[.]ru” is a web hosting service in Russia, where anyone can register a subdomain for free.\r\n
We also found\r\nthe following connection patterns with this C2 server.\r\n                hxxp://sonsobakq1.mcdir[.]ru/api/conf.get\r\n                hxxp://sonsobakq1.mcdir[.]ru/api/info.get\r\n                hxxp://sonsobakq1.mcdir[.]ru/api/gate.get?p1=[x]\u0026p2=[x]\u0026p3=[x]\u0026p4=[x]\u0026p5=[x]\u0026p6=[x]\u0026p7=[x]\r\n                hxxp://sonsobakq1.mcdir[.]ru/api/download.get\r\nOnly “conf.get” was not mentioned in the previous analysis report by Fumik0_, as it was probably added in the\r\nnewer versions of the malware. So we dig into it here to provide more information.\r\nThere are seven items in the response data. However, only five of those items are processed by the configuration\r\nprocessing function. We find that those items are simply used as flags in the main routine of Predator the Thief to\r\nenable/disable specific functionalities.\r\nFigure 7. Data in configuration response\r\nThe meanings of the different items are shown below.\r\n                p1: Web camera video capture\r\n                p2: Anti-debug/Anti-sandbox\r\n                p3: Firefox password stealer configuration flag for collecting logins.json and signons.sqlite\r\n                p4: Steam data stealer\r\n                p5: Screenshot capture\r\nThe flags “p7” and “p8” are not used in the current version. There is a setting for the grabber to change target file\r\nextensions.\r\n
However, that setting is not enabled either.\r\nFigure 7 above shows the configuration with the screenshot capturer and the Firefox configuration flag enabled (0 is\r\nenabled for the Firefox configuration).\r\nDelivery Tricks Used in this Predator Campaign\r\nWe found Predator samples packed with AutoIt in this campaign, and all of them use a fabric materials price list or\r\npictures of the same cloth to lure victims into executing the AutoIt-packed malware.\r\nPhishing with Archive and Fake Document\r\nOne of the samples observed in this campaign is placed in a zip file, disguised as a document among a set of\r\npictures.\r\nFigure 8 shows the old trick: an executable file with a document-like icon, posing as a document.\r\nThe name of the zip file in English is the name of a company that specializes in the design and sale of\r\npersonal protective equipment and uniforms. The fake document name translates to mean “Tailoring Order for”,\r\nand it then names one of the territorial divisions of a federal city in Russia, which is a very targeted name for a\r\ndocument.\r\nWhen the executable runs, a dummy document is shown (Figure 9) to look legitimate. However, the\r\nmalware is also executed at the same time in the background.\r\nFigure 8. Phishing zip with fake document and dummy image\r\nFigure 9. Dummy document used by the malware\r\nPhishing with WinRAR Exploit\r\nAnother sample exploits a vulnerability in the UNACEV2.dll library of WinRAR software previously identified in\r\nCVE-2018-20250.\r\nTwo figures illustrate how this exploit is triggered.\r\nFigure 10 shows how this exploit is used. When the victim decompresses the malicious “.rar” file, three dummy\r\n“.png” images are shown.\r\n
However, in the background, the exploit is triggered and a malicious file called “hi.exe”\r\nis placed in the Windows Startup folder.\r\nFigure 11 shows the hidden decompression path for triggering the exploit and placing the malware in the Windows\r\nStartup folder, so that the next time the user logs into the system the decompressed file will be executed.\r\nFigure 10. Malware dropped to Startup folder via WinRAR exploit CVE-2018-20250\r\nFigure 11. Hidden decompression path for exploiting CVE-2018-20250\r\nBesides the zip archive and WinRAR exploits, the actor uses additional “containers” for the malware. Those\r\ninclude:\r\nA fake PDF file with the same document name as the one dropped from the zip;\r\nAnother fake document dropping Predator malware that uses the same C2 server.\r\nAnalysis of Decompiled AutoIt Script\r\nAll the samples we investigated were packed with the “CypherIT Crypter”, which utilizes the AutoIt scripting language\r\nfor hiding the payload.\r\nThe fake document contained in the phishing zip, for example, is packed by AutoIt twice. The actor packed the\r\nPredator malware with CypherIT, and then packed the output again in order to add a dummy document to the\r\nexecutable. The following figure shows the first-stage AutoIt script.\r\nFigure 12. First-stage AutoIt script for installing malware and dummy document\r\nWe found that the script is more obfuscated in the malicious payload that was placed in the Startup folder via the\r\nWinRAR exploit. In Figure 13, the main part of the script is shown. It is used for calling the function to decode\r\nand execute the Predator the Thief stealer.\r\nFigure 13. De-obfuscated AutoIt script\r\nAs the de-obfuscated script shows, it reads and decodes the resource, then it loads the shellcode for injecting the\r\ndecoded payload — which is the Predator the Thief malware.\r\nFigure 14. Decoded executable from resource section in original executable file\r\nCommon Shellcode for Hollow Process Injection\r\nWhen the AutoIt script calls the shellcode, it creates a suspended process for “dllhost.exe”, and then uses this hollow\r\nprocess to inject the Predator payload.\r\nFigure 15. Shellcode for injecting Predator payload into hollow process\r\nUnused Functions in the Malicious AutoIt Script\r\n1. Removable device file replacement\r\nIt creates files with a “*.pif” extension, copies the names from the original files, and then removes the original\r\nfiles. It replaces all the files on removable devices with the malware and tries to deceive its victims into executing\r\nthe malware.\r\n2. UAC bypass\r\nIt uses two methods to implement a fileless UAC bypass. One uses Event Viewer through registry hijacking, and the\r\nother one uses “fodhelper.exe”.\r\n3. Downloader for executing the next stage of the malware\r\nLooking for the Artifacts\r\nIf we recheck the AutoIt script created by the actor, we find something interesting in its path. The script author has\r\nleft behind install paths from his system.\r\nFigure 16. Install paths in first stage AutoIt script\r\nWe found interesting strings within these paths. “Рабочий стол”, found in one string, stands for “Desktop” in the\r\nRussian version of Windows. In addition, the C2 server — hxxp://sonsobakq1.mcdir[.]ru — can also be\r\ninterpreted from Russian as “Son of a dog”, or “Dream of a dog”.\r\n
Combined with a document name written in\r\nRussian, we can be fairly certain that the actor behind this campaign is a Russian-speaker.\r\nFurthermore, we decided to look for any other information linked to the “nrjat” username written in a malicious\r\nscript file. The username itself looks like a mistype of the “njRAT” malware widely used by different actors. So\r\nwhen we searched for the “C:\\Users\\nrjat\\” string used in malware, we found samples possibly related to this\r\nactor. First, we found an AutoIt script sample which is almost the same as the one we analyzed in the previous\r\nsection:\r\nFigure 17. AutoIt script sample related to nrjat\r\nIn addition, the actor has a habit of compiling malware in the debug mode of Visual Studio. The following figure\r\nshows the list of the samples developed or compiled by “nrjat”.\r\nFigure 18. Samples developed or compiled by the actor\r\nThese artifacts left in the malware samples make it easier for us to observe his activities. In June\r\n2018, he compiled an XMR miner. Since October 2018, he has been compiling and using the “Arkei stealer”\r\nmalware. After researching his previous activity, we found several samples to be buggy – their decryption\r\ncomponent was broken and the malware was not able to properly unpack itself. We also discovered that he tried to\r\nobfuscate the Arkei stealer with a “self-morphing-csharp-binary” packer, the source of which we were able to find\r\non GitHub.\r\nIn general, all of the samples we examined contain debug information of “nrjat”, and we also observed the\r\nconsistent use of specific obfuscation tools like the CypherIT Crypter used in the current campaign.\r\nConclusion\r\nFortiGuard Labs tracked the Predator the Thief campaign targeting Russian speakers.\r\nWe found out that the campaign actor has been active since June 2018.\r\n
The actor possibly collected his\r\nmalware from one of the hacking forums or chats and prepared at least one template for his phishing campaign.\r\nHe also uses simple but effective phishing techniques to make victims execute the malware.\r\nPredator the Stealer in this campaign has not changed much from previous versions, but we have found several\r\nnew tricks the actor uses for spreading this malware. He uses fake zips and documents, sometimes very\r\nspecifically targeted to a victim, and even uses the WinRAR exploit to spread the malware. The payload was\r\npacked using a third-party packing tool that utilizes the AutoIt scripting language. Checking the path hardcoded\r\nin the script revealed that this “nrjat” actor is experimenting with different malware and stealers.\r\nFortiGuard Labs will continue to monitor this malware author’s activity along with any Predator the Thief\r\nmalware campaigns.\r\n-= FortiGuard Lion Team =-\r\nSolution\r\nFortinet users are protected from the mentioned malicious threats with the following solutions:\r\nFiles are detected by FortiGuard Antivirus\r\nMalicious URLs are blocked by our FortiGuard Web Filtering Service\r\nIOCs\r\nSHA-256 file hashes and FortiGuard detection names for the following sample categories are listed in the original report: WinRAR exploit sample, phishing zip sample, AutoIt-packed Predator, unpacked Predator, AutoIt script from CypherIT, coinminer, self-morphing-csharp-binary, and Arkei Stealer.\r\nC2 URLs:\r\nhxxp://sonsobakq1.mcdir[.]ru/ - Malicious\r\nhxxp://sonsobakq1.mcdir[.]ru/api/conf.get - Malicious\r\nhxxp://sonsobakq1.mcdir[.]ru/api/info.get - Malicious\r\nhxxp://sonsobakq1.mcdir[.]ru/api/gate.get - Malicious\r\nhxxp://sonsobakq1.mcdir[.]ru/api/download.get - Malicious\r\nSource: https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html"
	],
	"report_names": [
		"predator-the-thief-new-routes-delivery.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83eedc07f98dd514b681d06d006713cb04f43176.pdf",
		"text": "https://archive.orkl.eu/83eedc07f98dd514b681d06d006713cb04f43176.txt",
		"img": "https://archive.orkl.eu/83eedc07f98dd514b681d06d006713cb04f43176.jpg"
	}
}