{
	"id": "d77873ec-6430-469d-b7da-f672a9762303",
	"created_at": "2026-04-06T00:08:58.0143Z",
	"updated_at": "2026-04-10T03:30:33.392451Z",
	"deleted_at": null,
	"sha1_hash": "919509db6b4ee1e84bbf91f87475faef94825fac",
	"title": "Traffers: a deep dive into the information stealer ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5347642,
	"plain_text": "Traffers: a deep dive into the information stealer ecosystem\r\nBy Quentin Bourgue, Livia Tibirna and Sekoia TDR\r\nPublished: 2022-08-29 · Archived: 2026-04-05 21:42:07 UTC\r\nTraffers are threat actors playing a key role in the augmentation of the threat surface, and more generally in\r\nnon-legitimate traffic generation. SEKOIA observed hundreds of advertisements aiming at recruiting traffers to\r\ndistribute information stealers. Further investigation led us to identify a structure and a common modus operandi\r\nto most traffers teams distributing stealers.\r\nBackground\r\nThe cybercrime ecosystem is filled with a multitude of threat actors that share the same financial motivation\r\nthrough malicious activities. Although not well described by the global cybersecurity industry, the actors in charge\r\nof generating non-legitimate traffic play a key role in the distribution of threats, as well as in the underground\r\neconomy.\r\nCommonly referred to as traffers (from the Russian word “Траффер”, also referred to as “worker” in the\r\nunderground community), these actors are responsible for redirecting users’ traffic to malicious content (malware,\r\nfraud, phishing, scam, etc.) operated by others. They monetise the traffic by selling it to botnet operators who intend to\r\ncompromise users either widely, or specifically within a region or on an operating system. The main challenge facing\r\ntraffers is therefore to generate high-quality traffic without bots, neither detected nor analysed by security vendors, and\r\npossibly filtered by traffic type. In other words, traffers’ activity is a form of lead generation.\r\nTo generate traffic, traffers lure users from legitimate or compromised websites to redirect them to a server, a\r\nwebsite, or malicious content operated by the botnet owner. Some sophisticated traffers make use of a Traffic\r\nDistribution System (TDS) to operate and redirect traffic. 
This tool allows traffers to filter traffic based on its\r\ncharacteristics, such as location, operating system, and HTTP headers, enabling them to sell high-quality traffic to\r\nthreat actors with specific targets. Other traffers focus on generating traffic from a very large audience over a short\r\nperiod of time while avoiding detection.\r\nAs part of a growing trend, numerous traffers join a team to distribute information-stealing malware on\r\nbehalf of the team administrator(s). In these teams, traffers can be both highly skilled threat actors and newcomers\r\nto the threat landscape, as they usually get training sessions when hired by a team. These groups are therefore a\r\ngateway into the cybercrime ecosystem for newcomers. Administrator(s) of the traffers team gather the users’ logs\r\n(stolen information including cookies, passwords, crypto wallets, documents, etc.) to exploit or sell them.\r\nIntroduction\r\nIn the first half of 2022, SEKOIA identified an increase in the use of information-stealing malware as the\r\npreferred commodity malware for cybercriminals. We observed this trend through our Darkweb monitoring\r\nroutine, our trackers of information stealer-related indicators of compromise, and our insights into the threat\r\nlandscape. These observations led us to analyse the main methods of distribution of this threat, as well as the\r\norganisation of traffers delivering stealers.\r\nhttps://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem\r\nPage 1 of 20\n\nTraffers teams dealing with stealers are mostly found on Russian-speaking cybercrime forums, especially for\r\nrecruitment purposes. Sekoia.io observed hundreds of advertisements aiming at recruiting traffers to distribute\r\ninformation stealers. Further investigation led us to identify a structure and a common modus operandi to most\r\ntraffers teams distributing stealers. 
We also share information on the main infection chain used by traffers\r\ndealing with information stealers and their arsenal.\r\nThis report is based on data collected from the Lolz Guru and BHF cybercrime forums between January and mid-August 2022. We focused our analysis on traffers’ activity related to information stealer distribution.\r\nTraffers distributing stealers: an immersion in the world of highly proliferating\r\ncybercriminals\r\nTraffers teams as part of the cybercrime ecosystem\r\nSimilarly to other threat actors in the continuously professionalising cybercrime landscape, traffers either\r\noperate on their own or join a team, called a “traffers team”.\r\nTraffers teams operating on cybercrime forums display different focuses, some scamming NFT (Non-Fungible\r\nToken) or cryptocurrency owners, others targeting online casino users. Several of them deliver malware, such as\r\nRAT (Remote Access Trojan), miner or information-stealing malware. SEKOIA observed that more than 90% of\r\ntraffers teams operate information stealers, either commercial ones or ones developed within the team. Some even\r\noperate two or three stealers.\r\nMost of the traffers teams SEKOIA monitored operate on Russian-speaking cybercrime forums, e.g. the Lolz Guru\r\nand BHF forums, commonly referred to as “social engineering forums” in the underground community. These\r\nforums are used to advertise products and services, to announce the emergence of new teams, and to collect\r\nreviews to gain visibility. In parallel, the Telegram instant messaging service is leveraged to organise teams’\r\nactivities. The majority of investigated traffers are native Russian speakers.\r\nFrom our observations, a team can grow to hundreds, even thousands of members (e.g. 
TigerTeams had over 200\r\nmembers and 340 bot subscriptions in April 2022 and BandanaTeam declared more than 5000 team members in\r\nJuly 2022).\r\nTo better understand the evolution of the traffers-related threat, we have monitored the emerging traffers teams on the\r\nLolz Guru underground forum since early 2022.\r\nWe registered 125 traffers teams created since January 2022 on the Lolz Guru forum’s “Traffers” section. At least\r\nhalf of them were still active during the last month.\r\nFigure 1. Number of newly launched traffers teams by month in 2022 (Source: Lolz Guru forum, Traffers section)\r\nThe longevity of a traffers team is complex to assess. As the resources involved remain fairly accessible, teams\r\ndemonstrated flexibility in reorganising themselves, by merging with other teams or simply restarting from\r\nscratch. According to a declaration of the Dead Team’s administrator in June 2022, it cost him $3,000 to build a\r\nteam of 600 traffers before selling it. As another example, the entire infrastructure of TigersTeam (between 200 and\r\n340 traffers) was put on sale for $300 in April 2022, and the Moon Team (1000 traffers) was priced at $2,300 in\r\nMay 2022. Based on several publications collected on the Lolz Guru forum, this represents an “investment” that\r\ncan break even in less than a month.\r\nA spotlight on a typical traffers team organisation\r\nA traffers team is an organised, centrally managed structure headed by one or several team administrators. Here is\r\nan overview of a typical traffers team and its interactions within the cybercrime ecosystem:\r\nFigure 2. 
Overview of a typical traffers team structure and its interactions\r\nTeam administrators’ role\r\nTeam administrators hire traffers in charge of generating traffic to distribute stealer builds.\r\nA team administrator is responsible for the management of all tasks complementary to traffic generation. This\r\nnotably includes getting a stealer licence and sharing builds ready for distribution to the team members, checking\r\nthe received logs for validity, and exploiting them quickly.\r\nTherefore, team administrators provide their team members with a kit containing the following resources:\r\nBuilds automatically generated and pushed to traffers by a Telegram bot;\r\nA crypter service to encrypt or obfuscate malware builds to evade detection solutions;\r\nA “traffer’s manual” which includes guidelines for team members and full technical support. Team\r\nadministrators can draft a handbook by themselves or they can use the services of an independent third\r\nparty writing a traffer’s manual as-a-service;\r\nSEO (Search Engine Optimization) services to improve the visibility of videos uploaded on YouTube using\r\nthe 911 scheme (the 911 scheme is detailed later in the report and Annex 3 illustrates the infection\r\nchain);\r\nYouTube uploader software or a YouTube uploading service (by hiring a dedicated team member\r\nresponsible for uploading on YouTube on behalf of traffers);\r\nA Telegram channel for communication and support within the team;\r\nA Telegram bot for automating tasks, such as sharing new malware builds, statistics, and money earned by the\r\ntraffer;\r\nA dedicated service for parsing, processing, exploiting and selling logs. 
The team administrators coordinate\r\nthe process of log qualification and analysis, extraction of logs of interest, and exploitation.\r\nTeam administrators prompt recruited members to distribute the builds widely, to generate a large volume of logs\r\nvia stealer infections, and reward them based on a formula in which both quantity and quality of the collected\r\ninformation are taken into account.\r\nTeam administrators regularly organise competitions in which traffers are challenged to collect a maximum of\r\nlogs, i.e. distribute a maximum number of builds. Winners are awarded cash prizes, and upgraded to a Pro\r\nversion of the membership. The Pro version unlocks access to a second stealer, traffers are invited to a private\r\nTelegram channel, and they get better services (such as SEO) and bonuses.\r\nA traffers team’s primary interest lies in crypto wallet logs. The revenue generated through exploitation is shared\r\nwith the traffer who submitted the logs (who gets from 60% to 90% of the revenue). A team might also extract and\r\nresell video game, e-commerce and social network accounts. The remaining logs are transferred back to the\r\ntraffers to be reused.\r\nThe selling price of logs within the underground community varies widely depending on their validity and the\r\ninformation they contain. Generally, the more recent a log is, the higher the probability that it contains active\r\ncookies, and the more sought-after it is.\r\nTraffers’ role within a team\r\nOnce a traffer has joined a team, they can request builds from a Telegram bot to receive a malware sample.\r\nA traffer can make multiple requests to this bot, but the number of builds they can generate is limited to a daily\r\nquota, as defined by the team administrator(s). 
\r\nWhen joining teams, traffers often have to abide by a number of requirements, under threat of being expelled.\r\nRequirements include:\r\nThey cannot use their own malware or bundle another malware with the one delivered by the team; distributing\r\nransomware is also forbidden;\r\nThey cannot share the received build with third parties;\r\nThey cannot check the build on online services such as VirusTotal;\r\nThey cannot be inactive for more than two weeks in a row.\r\nSEKOIA assesses that this serves to frame the traffers’ activity and avoid abusive behaviour that could lead to burning\r\nthe C2 server. This is also a way to avoid an improper mass distribution of builds on channels easily detectable by\r\nsecurity vendors.\r\nOnce a traffer gets a build, they are responsible for spreading the malware using the team’s delivery methods, or their\r\nown infection chain.\r\nTraffers can also distribute their own information stealer, and monetize the collected logs by themselves by selling\r\nthem on underground marketplaces. They can also steal cryptocurrency from crypto wallets without joining\r\nan organised team. 
Nevertheless, from our observations, joining a team is largely preferred by traffers, as it comes\r\nalong with a number of advantages, to name a few:\r\nExperience is not mandatory – newcomers are welcomed and trained;\r\nNecessary tools are accessible and ready to use – traffers have no extra costs related to the stealer, crypter\r\nand other software;\r\nTraffers capitalise on the different services provided by their team administrator(s);\r\nTechnical support is guaranteed;\r\nTraffers team operators monetize collected logs immediately, as fresh and bulk logs are more valuable.\r\nAt the same time, the interest of traffers teams representatives in hiring a large number of traffers lies in having\r\naccess to large volumes of fresh data when cumulating all the submissions.\r\nModus Operandi observed in traffers teams dealing with stealers\r\nTraffers working with information-stealing malware are free to generate traffic and distribute the provided builds\r\nusing their own methods, as long as they comply with the team requirements. Each traffer therefore sets up and\r\noperates their own delivery chain.\r\nHowever, the majority of traffers teams SEKOIA observed provide tools and services to assist their members in\r\ngenerating traffic from YouTube videos. Most of them therefore use the tools made available to set up their\r\ndelivery chain. This infection chain, which consists of luring users from the legitimate YouTube website to redirect\r\nthem to the malicious content, is called 911 in the cybercrime ecosystem.\r\nIn the next part, we share more details on the common spreading methods used by traffers, as well as the malware\r\narsenal observed in most teams.\r\n911 infection chain\r\nKnown on the Russian-speaking cybercrime forums as “911”, this infection chain consists of delivering the final\r\npayload using stolen YouTube accounts to distribute a download link. 
For this purpose, the traffer or a dedicated\r\nmember of the traffers team uploads a video on YouTube enticing the user to download an archive, disable\r\nWindows Defender and execute its content. In most observed cases, the uploaded video is a tutorial for installing\r\ncracked software, a product licence key generator or even cheat software for video games. The traffer abuses\r\nlegitimate file transfer services, such as Mega, Mediafire, OneDrive, Discord or GitHub, to store the payload. The\r\ndownloaded file is often a password-protected archive, whose encryption prevents scanners from inspecting its contents, containing an executable file which\r\nturns out to be the information-stealing malware.\r\nFigure 3. Typical 911 Infection chain\r\nUploading this content on YouTube requires bypassing YouTube’s anti-fraud system. For that purpose, the “911”\r\nmethod makes use of proxies to mask the attacker’s IP address and make the traffic leave with an IP address from\r\na location close to that of the YouTube channel owner. Given the amount of stolen data passing through the logs,\r\nSEKOIA assesses that traffers teams likely use valid YouTube credentials and the associated IP address in follow-up\r\nactivities.\r\nWhile we observed that this delivery method is widely leveraged by traffers, it is used to target individuals rather than\r\ncompanies. Some traffers teams (e.g. Bebra Team) don’t use the “911” method.\r\nSeveral hypotheses can be made about the choice not to use the 911 infection chain:\r\nSelling logs from stealers distributed via YouTube traffic may not be as profitable as distribution via\r\nother legitimate services or websites, or company emails. Lured users on YouTube are more likely to be\r\nyoung people owning small accounts. 
Related credentials and wallets (crypto, Paypal, or others) linked to\r\nthese accounts are likely of lesser value, so they are less likely to attract traffers teams’ primary interest.\r\nOn the other hand, YouTube offers a wide audience and a high volume of traffic. It is almost certain that\r\nthe 911 infection chain is a choice oriented towards the quantity of traffic, rather than its quality.\r\nSpreading payloads over an open channel, like YouTube, is likely to reduce the lifespan of the malware\r\nbuild, or the C2 server. Every step of the 911 is publicly available. The malware builds and the information-stealer\r\nC2 servers are therefore quickly burned.\r\nDistributing stealers using the 911 infection chain possibly results in a low infection rate. Convincing users\r\nto download and install cracked software from an unofficial site after disabling their antivirus would only\r\nbe effective on less security-aware targets.\r\nOther common infection chains\r\nOther common delivery methods include websites masquerading as blogs or software installation pages to deliver\r\npassword-protected archives. Some traffers teams display good knowledge of Google Ads, Facebook Ads, Reddit\r\nAds, or other advertising platforms to promote their websites and reach a larger audience through indexing on\r\nsearch engines. Such campaigns are often put in the spotlight as they affect many victims.\r\nLastly, phishing emails remain one of the most common intrusion vectors used by the traffers. 
As done earlier by\r\nInitial Access Brokers to improve malware delivery performance, traffers adapted their infection chain, moving\r\nfrom Office VBA macros, which are now deactivated by default, to the use of LNK files.\r\nMalware arsenal of traffers teams\r\nBased on data collected from the traffer section (Трафферы) on Lolz Guru, SEKOIA established the list of the\r\ninformation-stealing malware most used by traffers teams. For that purpose, we collected the publications of new\r\ntraffers teams entering into the information stealer business between January and mid-August 2022. The results\r\nare as follows (stealer – number of teams):\r\nRedline – 54\r\nMeta – 8\r\nRaccoon – 6\r\nVidar – 5\r\nPrivate Stealer – 4\r\nHere is a timeline of the newly created traffers teams since early 2022:\r\nFigure 4. Newly created traffers teams and their associated information stealer, by month in 2022 (Source: Lolz\r\nGuru forum, “Traffers” section)\r\nRedline\r\nThe majority of traffers teams SEKOIA observed on forums distribute the Redline information stealer, including\r\nBandana Team, Tigers Team, Cosmo Team, Sky Team, White Logs, Hydra Family, Heartless Team. Considered by\r\nexperienced threat actors as the best stealer on the market, Redline offers wide download and execution\r\ncapabilities, as well as stealing capabilities targeting web browsers, cryptocurrency wallets, data from the local\r\nsystem, and several applications (VPN, video games, messengers and others).\r\nIts logs (stolen data) are sold on multiple marketplaces, and custom tools to extract information of interest are also\r\ndeveloped and sold on underground forums. 
Redline’s reputation is even used as an asset by the team to recruit\r\nnew traffers.\r\nFrom an operational perspective, the Redline builder, which is the software used to compile a new sample of the\r\nmalware, easily allows traffers team operators to associate a Redline build with a traffer, making it easier to track\r\nstolen data by each of the members. This association is possible because a unique botnet name is included in the\r\nsample distributed by a traffer. This feature enables SEKOIA to track traffers whose Telegram profile is used for\r\nthe botnet name, and associate malware builds with Telegram profiles.\r\nMeta\r\nCompared to other stealers mentioned above, Meta Stealer is a newcomer in the Stealer-as-a-Service world.\r\nLaunched in March 2022, Meta is advertised as an updated version of Redline, with the same main capabilities. It\r\nis now the preferred stealer of a few traffers teams, including EverMoon Team, Gezzie Team, Lucky Team,\r\nTraffProject Team.\r\nRaccoon\r\nRaccoon Stealer 2.0 returns after a few months’ break. As shared in our analysis of this threat, Raccoon targets\r\nweb browsers, desktop applications and extensions for cryptocurrency wallets and data from local systems. It also\r\nallows the attacker to download and execute another payload.\r\nVidar\r\nAlthough not widely used in traffers teams monitored by Sekoia.io, Vidar Stealer is used by Bebra Team, the team\r\nwith the most active community observed on the Lolz Guru forum. Similarly to the previous three, Vidar collects\r\nsensitive information from web browsers, cryptocurrency applications and extensions, as well as files from local\r\nsystems whose extension matches those listed in the configuration. The malware also behaves as a loader by\r\ndownloading and executing payloads.\r\nAlthough the 911 infection chain is not highly advanced, traffers using it target a substantial audience using the\r\nYouTube platform, ranked in the top 5 most visited websites worldwide. 
Traffic generated via this method\r\ntherefore leads to numerous compromises by the Redline, Meta, Raccoon and Vidar stealers. Victims may be\r\nimpacted by theft of money, sensitive data, corporate and private accounts, identity theft, or other\r\ncascading consequences.\r\nLater in the report, SEKOIA shares general guidelines to prevent being infected by an information stealer, or to\r\nmitigate the threat.\r\nConclusion\r\nTraffers are threat actors playing a key role in the augmentation of the threat surface, and more generally in\r\nnon-legitimate traffic generation. While the concept of traffers is not new, it is likely their leveraging of\r\ninformation-stealing malware will continue in the short term. Additionally, as this model offers low entry\r\nbarriers and quick investment return, more traffers teams will highly likely emerge in the near future. \r\nTraffers teams dealing with stealers are organised and centrally managed structures in which resources and\r\nservices are made available to members by the team administrators. 
This allows traffers to focus on distributing the\r\nteam’s malware builds, using in most cases the 911 infection chain, and thus earn money directly from the logs\r\ngenerated from successful compromises.\r\nSEKOIA analysts will continue to monitor the traffers’ threat and share the latest trends with our customers.\r\nAdditionally, we monitor emerging or well-established stealers to produce actionable intelligence for our\r\ncustomers, including indicators of compromise for multiple families of information-stealing malware.\r\nHow to mitigate the threat?\r\nUnderstanding how information stealers are distributed and how they work is the first step towards protecting a\r\ncompany’s or an individual’s information system from this threat.\r\nHere are some general guidelines to prevent being infected by an information stealer:\r\nLimit software execution to trusted repositories: traffers abuse fake cracked software to spread information\r\nstealers. Apply a strict software execution policy to prevent users from downloading malware disguised as\r\nfake software installers.\r\nUse endpoint protection software to automatically quarantine malicious executable files.\r\nTrain users to be aware of phishing threats and to avoid clicking on attached files or links in case of any\r\ndoubt.\r\nBlock outbound traffic on non-standard ports.\r\nHunt for or block stealer-related indicators of compromise (IoCs).\r\nIf prevention was not sufficient, a successful compromise often leads to the collection and exfiltration of sensitive\r\ninformation from the infected host. 
In this case, our mitigation recommendations are:\r\nIsolate the infected machine and remove the threat.\r\nPerform an anti-malware scan on the infected host to ensure that no persistence mechanism was\r\nestablished on the infected machine and that no other payload was dropped.\r\nReset passwords and session cookies, block credit cards. If passwords are stored in web browsers, they\r\nmust be renewed, and the same goes for session cookies. If credit card data is saved in the web\r\nbrowsers, contact the bank to block the affected credit cards.\r\nTake appropriate measures to limit the consequences of a leak of sensitive documents located on the\r\ninfected host.\r\nAnnex\r\nAnnex 1 – Basic concepts used by traffers dealing with stealers\r\nList of some basic concepts routinely used by traffers in their daily activities:\r\nBuild (“билд” in Russian) – a stealer sample linked to the traffer’s Telegram account, so that all\r\ncollected logs are gathered on its Telegram bot;\r\nCrypter (“крипт” in Russian) – software used to encrypt a malicious file for antivirus evasion;\r\nInstalls (“инсталлы” in Russian) – a method to get logs by inciting the user to download a malicious file.\r\nInstalls are usually developed within a traffers team and shared amongst the team members;\r\nLogs parsing (from the Russian “чек логов”) – the process of verifying logs to identify and sort logs of\r\ninterest based on a given query. This can be done manually or automatically, with open source, paid or\r\ncustom-made software;\r\nLogs processing (from the Russian “отработка логов”) – the process of analysing logs, also used to refer\r\nto log exploitation;\r\nKnock time (from the Russian “отстук”) – a term used by traffers and team administrators to describe how\r\nquickly a log is received by a traffer after a build is distributed. 
This term is used to stress a\r\nmalware’s successful execution rate;\r\n911 – a term used to designate an infection chain consisting of taking over a YouTube channel.\r\nAnnex 2 – Presentation of the Reimann Team’s organisation and evolution\r\nThis case illustrates the evolution of the highly active traffers team Reimann Team and its internal organisation.\r\nReimann Team has been advertised on the Lolz Guru forum since May 2022. Its representative on the forum stated\r\nthat the group had been active since at least early 2021, and it is almost certain it still is.\r\nFigure 5. Advertisement aiming at recruiting traffers in Reimann Team (Source: Lolz Guru forum)\r\nReimann Team is currently recruiting new traffers and offers its team members the following kit of resources:\r\nTelegram bot for log collection\r\nTelegram bot for log parsing\r\nA dozen Telegram chats and groups for technical support\r\nYouTube Uploader\r\nSEO services\r\nAutomated crypts and builds\r\nA traffer’s manual\r\nFigure 6. Example of a user interaction with the Reimann Team’s Telegram bot. The number of logs collected by\r\neach of the traffers and by the entire traffers team is displayed, as well as the revenue generated by every team\r\nmember at a given time. (Source: Lolz Guru forum)\r\nReimann Team has two different approaches to paying its members:\r\nTraffers can submit all the collected logs to their team administrator and then be paid by number of logs;\r\nTraffers can choose to keep a part of the collected logs to exploit them themselves;\r\nTraffers can get 70% of the revenue after the team has exploited its logs.\r\nTo encourage a high level of activity, its administrator organises quests and challenges and allocates bonuses.\r\nFigure 7. 
A Reimann Team traffer’s review on the Lolz Guru forum: “I have been working for a few months now, and\r\nduring this time I have already received about 100,000 roubles” (the equivalent of 1,350 euros at the date of\r\npublication) (Source: Lolz Guru forum)\r\nTo monetize received logs, the team representatives sell them via a marketplace called “Reimann Logs”: they\r\ngather the logs obtained by traffers and sell them within 7 days. Logs from Steam, Minecraft and Roblox are\r\nparticularly mentioned.\r\nAnnex 3 – 911 infection chain example\r\nTo illustrate the 911 infection chain described in the report, here is a campaign distributing the Redline\r\ninformation stealer using this method, as observed on 18 August 2022.\r\nStep 1\r\nThe user searches for a tutorial to download Photoshop for free on YouTube. To reproduce this, we entered\r\n“photoshop free download” in the search bar.\r\nFigure 8. Results for the search “photoshop free download” on YouTube as of August 18, 2022\r\nhxxps://www.youtube[.]com/results?search_query=photoshop+free+download\r\nThe first results are very recent, as the videos were published a few hours or days earlier. They were all uploaded on\r\nstolen YouTube accounts and they all contain a download link and a password in the description.\r\nStep 2\r\nThe content of the first video describes how to install the allegedly free Photoshop version through the following\r\nsteps:\r\nDownloading the archive;\r\nDisabling “Real-time protection” in Microsoft Defender Antivirus on Windows;\r\nExtracting files from the password-protected archive using the password “5105”;\r\nRunning the executable file as administrator.\r\nFigure 9. 
Tutorial to install the allegedly free Photoshop version\r\nhxxps://www.youtube[.]com/watch?v=7A-yeYc63NY\r\nThe description of the YouTube video contains a link to a telegra[.]ph webpage and a password.\r\nStep 3\r\nThe video was uploaded to the stolen YouTube account “DJ STYLE Tv”, which has more than 400,000 subscribers. The\r\nlegitimate owner of the account was still using this account two weeks earlier to share music mixes.\r\nFigure 10. 400k YouTube account on which the tutorial was uploaded\r\nhxxps://www.youtube[.]com/channel/UCSdTq3mF_zRDyJCR1jxAANw\r\nStep 4\r\nThe user is redirected to a telegra[.]ph web page after clicking the link in the description. The webpage contains a\r\nMediaFire link and again the password “5105”.\r\nFigure 11. Telegra[.]ph webpage mentioned in the YouTube video description\r\nhxxps://telegra[.]ph/Photoshop-08-17-3\r\nStep 5\r\nThe user is now redirected to the MediaFire website, on a download page of a RAR archive named\r\n“photoshop.rar”.\r\nFigure 12. Archive “photoshop.rar” hosted on MediaFire\r\nhxxps://www.mediafire[.]com/file/byq6aromyp6y5je/photoshop.rar/file\r\nhxxps://download2294.mediafire[.]com/vd7oeq9fu5pg/byq6aromyp6y5je/photoshop.rar\r\nThe RAR archive was uploaded to MediaFire from the Russian Federation the previous day.\r\nStep 6\r\nAt that stage, the user downloads the password-protected archive and follows the instructions from the YouTube video\r\nto disable Windows Defender protection, decompress the archive “photoshop.rar” and execute the executable file\r\n“photoshop.exe”.\r\nFigure 13. 
Content of the password-protected archive “photoshop.rar”\r\nphotoshop.rar SHA256: 462524577af8eb243217386c635682108a17f617d22299492310c1a05605c629\r\nphotoshop.exe SHA256: 7be64a3fd654b4217c6cf82e6de8fa45e30555b58e7422d77ab49da2f6a10a57\r\nWhen run in an environment monitored by SEKOIA.IO XDR, the file is detected as Redline and YTStealer\r\naccording to SEKOIA.IO CTI. The Redline C2 server is 185.200.191[.]18:80. Indicators are available on our\r\npublic portal:\r\n• Network-related IoC on SEKOIA.IO\r\n• File-related IoC on SEKOIA.IO\r\nFigure 14. Detection of “photoshop.exe” as Redline in SEKOIA.IO XDR\r\nSource: https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem"
	],
	"report_names": [
		"traffers-a-deep-dive-into-the-information-stealer-ecosystem"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434138,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/919509db6b4ee1e84bbf91f87475faef94825fac.pdf",
		"text": "https://archive.orkl.eu/919509db6b4ee1e84bbf91f87475faef94825fac.txt",
		"img": "https://archive.orkl.eu/919509db6b4ee1e84bbf91f87475faef94825fac.jpg"
	}
}