{
	"id": "c4b734b8-7fa5-4b8d-a5b0-0ab4ec69e778",
	"created_at": "2026-04-06T00:08:45.023975Z",
	"updated_at": "2026-04-10T03:36:48.202454Z",
	"deleted_at": null,
	"sha1_hash": "a87db09eeed596289e4b16403ec204fee397333c",
	"title": "Razy in search of cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2021615,
	"plain_text": "Razy in search of cryptocurrency\r\nBy Victoria Vlasova\r\nPublished: 2019-01-24 · Archived: 2026-04-05 18:01:26 UTC\r\nLast year, we discovered malware that installs a malicious browser extension on its victim’s computer or infects an\r\nalready installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for\r\nthe targeted browser. Kaspersky Lab products detect the malicious program as Trojan.Win32.Razy.gen – an\r\nexecutable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under\r\nthe guise of legitimate software.\r\nRazy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js, which is\r\ncapable of:\r\nSearching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s\r\nwallet addresses\r\nSpoofing images of QR codes pointing to wallets\r\nModifying the web pages of cryptocurrency exchanges\r\nSpoofing Google and Yandex search results\r\nInfection\r\nThe Trojan Razy ‘works’ with Google Chrome, Mozilla Firefox and Yandex Browser, though it has a different\r\ninfection scenario for each browser.\r\nMozilla Firefox\r\nFor Firefox, the Trojan installs an extension called ‘Firefox Protection’ with the ID {ab10d63e-3096-4492-ab0e-5edcf4baf988} (folder path: “%APPDATA%\\Mozilla\\Firefox\\Profiles\\.default\\Extensions\\{ab10d63e-3096-4492-ab0e-5edcf4baf988}”).\r\nFor the malicious extension to start working, Razy edits the following files:\r\n“%APPDATA%\\Mozilla\\Firefox\\Profiles\\.default\\prefs.js”,\r\n“%APPDATA%\\Mozilla\\Firefox\\Profiles\\.default\\extensions.json”,\r\n“%PROGRAMFILES%\\Mozilla Firefox\\omni.js”.\r\nYandex Browser\r\nThe Trojan edits the file ‘%APPDATA%\\Yandex\\YandexBrowser\\Application\\\\browser.dll’ to disable the extension\r\nintegrity check. 
It renames the original file to ‘browser.dll_’ and leaves it in the same folder.\r\nTo disable browser updates, it creates the registry value\r\n‘HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\YandexBrowser\\UpdateAllowed’ = 0 (REG_DWORD).\r\nhttps://securelist.com/razy-in-search-of-cryptocurrency/89485/\r\nPage 1 of 10\n\nThen the extension Yandex Protect is installed to the folder ‘%APPDATA%\\Yandex\\YandexBrowser\\User\r\nData\\Default\\Extensions\\acgimceffoceigocablmjdpebeodphgc\\6.1.6_0’. The ID acgimceffoceigocablmjdpebeodphgc\r\ncorresponds to a legitimate extension for Chrome called Cloudy Calculator, version 6.1.6_0. If this extension has\r\nalready been installed on the user’s device in Yandex Browser, it is replaced with the malicious Yandex Protect.\r\nGoogle Chrome\r\nRazy edits the file ‘%PROGRAMFILES%\\Google\\Chrome\\Application\\\\chrome.dll’ to disable the extension\r\nintegrity check. It renames the original chrome.dll to chrome.dll_ and leaves it in the same folder.\r\nIt creates the following registry values to disable browser updates:\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Update\\AutoUpdateCheckPeriodMinutes” = 0\r\n(REG_DWORD)\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Update\\DisableAutoUpdateChecksCheckboxValue”\r\n= 1 (REG_DWORD)\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Update\\InstallDefault” = 0 (REG_DWORD)\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Update\\UpdateDefault” = 0 (REG_DWORD)\r\nWe have encountered cases where different Chrome extensions were infected. One extension in particular is worth\r\nmentioning: Chrome Media Router is a component of the service with the same name in browsers based on\r\nChromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of\r\ninstalled extensions. 
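\r\nAdded example (not part of the Securelist article): a PowerShell hunting script that checks a Windows host for the artifacts described in the three infection scenarios above and in the indicators of compromise at the end of the article: the update-blocking policy values, the renamed chrome.dll_ and browser.dll_ originals, the extension locations named for Firefox, Yandex Browser and Chrome (for Chrome, the Media Router folder pkedcjkdefgpdelpbcmbmeomcjbeemfm named in the next paragraph), and the dropped scripts bgs.js, extab.js and the three firebase-*.js files from the ‘Scripts used’ section, which it hashes against the two MD5s the article publishes for extab.js and bgs.js. Assumptions not taken from the article: the version-number and profile-name path components that the extraction dropped are matched with * wildcards, Chrome is also looked for under Program Files (x86), and the Firefox extension may be present as a folder or as a packed .xpi file. Run it in an elevated PowerShell session so that the HKLM policy keys can be read.\r\n```powershell\r\n# Added example, not code from the article: hunt for the Razy host artifacts\r\n# described on this page. Wildcards stand in for the version/profile path\r\n# components the article elides. Run elevated so the HKLM policy keys are readable.\r\n\r\n$findings = New-Object 'System.Collections.Generic.List[string]'\r\n\r\n# 1. Policy values the Trojan writes to block browser updates.\r\n$policyChecks = @(\r\n  @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Google\\Update'; Name = 'AutoUpdateCheckPeriodMinutes';         Bad = 0 },\r\n  @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Google\\Update'; Name = 'DisableAutoUpdateChecksCheckboxValue'; Bad = 1 },\r\n  @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Google\\Update'; Name = 'InstallDefault';                       Bad = 0 },\r\n  @{ Key = 'HKLM:\\SOFTWARE\\Policies\\Google\\Update'; Name = 'UpdateDefault';                        Bad = 0 },\r\n  @{ Key = 'HKLM:\\SOFTWARE\\Policies\\YandexBrowser'; Name = 'UpdateAllowed';                        Bad = 0 }\r\n)\r\nforeach ($c in $policyChecks) {\r\n  $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue\r\n  if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {\r\n    $findings.Add(\"Update-blocking policy: $($c.Key)\\$($c.Name) = $($c.Bad)\")\r\n  }\r\n}\r\n\r\n# 2. Patched browser DLLs: Razy keeps the original beside its patched copy with a '_' suffix.\r\n$dllBackups = @(\r\n  \"$env:ProgramFiles\\Google\\Chrome\\Application\\*\\chrome.dll_\",\r\n  \"${env:ProgramFiles(x86)}\\Google\\Chrome\\Application\\*\\chrome.dll_\",   # assumption: 32-bit install path\r\n  \"$env:APPDATA\\Yandex\\YandexBrowser\\Application\\*\\browser.dll_\"\r\n)\r\nforeach ($dll in Get-Item -Path $dllBackups -ErrorAction SilentlyContinue) {\r\n  $findings.Add(\"Renamed original browser DLL: $($dll.FullName)\")\r\n}\r\n\r\n# 3. Extension locations. The Firefox and Yandex entries should not exist at all; the Chrome\r\n#    Media Router folder is normal and is a finding only if the dropped scripts are inside it.\r\n$extLocations = @(\r\n  @{ Path = \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\*\\extensions\\{ab10d63e-3096-4492-ab0e-5edcf4baf988}*\"; PresenceSuspicious = $true },\r\n  @{ Path = \"$env:APPDATA\\Yandex\\YandexBrowser\\User Data\\Default\\Extensions\\acgimceffoceigocablmjdpebeodphgc\"; PresenceSuspicious = $true },\r\n  @{ Path = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\"; PresenceSuspicious = $false }\r\n)\r\n$droppedScripts = 'bgs.js', 'extab.js', 'firebase-app.js', 'firebase-messaging.js', 'firebase-messaging-sw.js'\r\n$publishedMd5 = @{ '60CB973675C57BDD6B5C5D46EF372475' = 'extab.js'; 'F9EF0D18B04DC9E2F9BA07495AE1189C' = 'bgs.js' }\r\n\r\nforeach ($loc in $extLocations) {\r\n  foreach ($entry in Get-Item -Path $loc.Path -ErrorAction SilentlyContinue) {\r\n    if ($loc.PresenceSuspicious) { $findings.Add(\"Razy extension present: $($entry.FullName)\") }\r\n    if (-not $entry.PSIsContainer) { continue }   # a packed .xpi is reported above but not searched\r\n    Get-ChildItem -Path $entry.FullName -Recurse -File -Include $droppedScripts -ErrorAction SilentlyContinue |\r\n      ForEach-Object {\r\n        $md5  = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash\r\n        $note = if ($publishedMd5.ContainsKey($md5)) { \"MD5 matches the published hash for $($publishedMd5[$md5])\" } else { 'name match only' }\r\n        $findings.Add(\"Dropped script: $($_.FullName) ($note)\")\r\n      }\r\n  }\r\n}\r\n\r\nif ($findings.Count -eq 0) { 'No Razy artifacts found.' } else { $findings }\r\n```\r\nA hit on a policy value or on a renamed DLL is the strongest signal, since neither occurs in a clean installation. The Firebase files are legitimate library code and are only reported when they sit inside one of the listed extension folders, and only bgs.js and extab.js can be matched against a published hash, so a ‘name match only’ result still needs manual review of the file.\r\n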
During the infection, Razy modified the contents of the folder where the Chrome Media Router\r\nextension was located: ‘%userprofile%\\AppData\\Local\\Google\\Chrome\\User\r\nData\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm’.\r\nScripts used\r\nIrrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing\r\nthe malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js. The file\r\nmanifest.json was created in the same folder or was overwritten to ensure these scripts get called.\r\nLeft: list of files of the original Chrome Media Router extension.\r\nRight: list of files of the modified Chrome Media Router extension.\r\nThe scripts firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js are legitimate. They belong to the\r\nFirebase platform and are used to send statistics to the malicious actor’s Firebase account.\r\nThe scripts bgs.js and extab.js are malicious and are obfuscated with the help of the tool obfuscator.io. The former\r\nsends statistics to the Firebase account; the latter (extab.js) inserts a call to the script i.js with parameters\r\ntag=\u0026did=\u0026v_tag=\u0026k_tag= into each page visited by the user.\r\nIn the above example, the script i.js is distributed from the web resource gigafilesnote[.]com\r\n(gigafilesnote[.]com/i.js?tag=\u0026did=\u0026v_tag=\u0026k_tag=). 
In other cases, similar scripts were detected in the domains\r\napiscr[.]com, happybizpromo[.]com and archivepoisk-zone[.]info.\r\nThe script i.js modifies the HTML page, inserts advertising banners and video clips, and adds adverts into Google\r\nsearch results.\r\nYouTube page with banners added by the script i.js\r\nThe culmination of the infection is main.js – a call to the script is added to each page visited by the user.\r\nFragment of the script i.js code that inserts the script main.js into web pages.\r\nThe script main.js is distributed from the addresses:\r\nnolkbacteria[.]info/js/main.js?_=\r\n2searea0[.]info/js/main.js?_=\r\ntouristsila1[.]info/js/main.js?_=\r\nsolkoptions[.]host/js/main.js?_=\r\nThe script main.js is not obfuscated and its capabilities can be seen from the function names.\r\nThe screenshot above shows the function findAndReplaceWalletAddresses that searches for Bitcoin and Ethereum\r\nwallets and replaces them with the addresses of the threat actor’s wallets. Notably, this function works on almost all\r\npages except those located on Google and Yandex domains, as well as on popular domains like instagram.com and\r\nok.ru.\r\nImages of QR codes that point to wallets also get substituted. The substitution occurs when the user visits the web\r\nresources gdax.com, pro.coinbase.com, exmo.*, binance.* or when an element with src=’/res/exchangebox/qrcode/’\r\nis detected on the webpage.\r\nAs well as the functionality described above, main.js modifies the webpages of the cryptocurrency exchanges\r\nEXMO and YoBit. 
The following script calls are added to the pages’ code:\r\n/js/exmo-futures.js?_= – when exmo.*/ru/* pages are visited\r\n/js/yobit-futures.js?_= – when yobit.*/ru/* pages are visited\r\nwhere is one of the domains nolkbacteria[.]info, 2searea0[.]info, touristsila1[.]info, or archivepoisk-zone[.]info.\r\nThese scripts display fake messages to the user about “new features” in the corresponding exchanges and offer to\r\nsell cryptocurrency at above-market rates. In other words, users are persuaded to transfer their money to the\r\ncybercriminal’s wallet under the pretext of a good deal.\r\nExample of a scam message on the EXMO website\r\nMain.js also spoofs Google and Yandex search results. Fake search results are added to pages if the search request\r\nis connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or\r\ntorrents, as matched by the following regular expressions:\r\n/(?:^|\\s)(gram|телеграм|токен|ton|ico|telegram|btc|биткойн|bitcoin|coinbase|крипта|криптовалюта|,bnrjqy|биржа|бираж)(?:\\s|$)/g;\r\n/(скачать.*музык|музык.*скачать)/g;\r\n/тор?рент/g;\r\nThis is how an infected user is enticed to visit infected websites or legitimate cryptocurrency-themed sites where\r\nthey will see the message described above.\r\nGoogle search results that were modified by the infected extension\r\nWhen the user visits Wikipedia, main.js adds a banner containing a request for donations to support the online\r\nencyclopedia. The cybercriminals’ wallet addresses are used in place of bank details. 
The original Wikipedia banner\r\nasking for donations (if present) is deleted.\r\nFake banner on Wikipedia asking for donations\r\nWhen the user visits the webpage telegram.org, they will see an offer to buy Telegram tokens at an incredibly low\r\nprice.\r\nThe infected extension loads content on the telegram.org site from the phishing web resource ton-ico[.]network.\r\nFake banner shown at telegram.org. The link leads to the phishing website ton-ico[.]network\r\nWhen users visit the pages of the Russian social network Vkontakte (VK), the Trojan adds an advertising banner to the page. If\r\na user clicks on the banner, they are redirected to phishing resources (located on the domain ooo-ooo[.]info), where\r\nthey are prompted to pay a small sum of money now to make a load of money later on.\r\nFraudulent banner on the vk.com website\r\nIndicators of compromise\r\nKaspersky Lab’s products detect scripts associated with Razy as HEUR:Trojan.Script.Generic.\r\nBelow are all the wallet addresses detected in the analyzed scripts:\r\nBitcoin: ‘1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L’, ‘1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq’,\r\n‘3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY’, ‘1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj’,\r\n‘35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC’, ‘34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ’.\r\nEthereum (given without the 0x prefix): ‘33a7305aE6B77f3810364e89821E9B22e6a22d43’,\r\n‘2571B96E2d75b7EC617Fdd83b9e85370E833b3b1’, ‘78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3’.\r\nAt the time of writing, total incoming transactions on all these wallets amounted to approximately 0.14 BTC plus 
25\r\nETH.\r\nMD5\r\nTrojan.Win32.Razy.gen\r\n707CA7A72056E397CA9627948125567A\r\n2C274560900BA355EE9B5D35ABC30EF6\r\nBAC320AC63BD289D601441792108A90C\r\n90A83F3B63007D664E6231AA3BC6BD72\r\n66DA07F84661FCB5E659E746B2D7FCCD\r\nMain.js\r\n2C95C42C455C3F6F3BD4DC0853D4CC00\r\n2C22FED85DDA6907EE8A39DD12A230CF\r\ni.js\r\n387CADA4171E705674B9D9B5BF0A859C\r\n67D6CB79955488B709D277DD0B76E6D3\r\nExtab.js\r\n60CB973675C57BDD6B5C5D46EF372475\r\nBgs.js\r\nF9EF0D18B04DC9E2F9BA07495AE1189C\r\nMalicious domains\r\ngigafilesnote[.]com\r\napiscr[.]com\r\nhappybizpromo[.]com\r\narchivepoisk-zone[.]info\r\narchivepoisk[.]info\r\nnolkbacteria[.]info\r\n2searea0[.]info\r\ntouristsila1[.]info\r\ntouristsworl[.]xyz\r\nsolkoptions[.]host\r\nsolkoptions[.]site\r\nmirnorea11[.]xyz\r\nmiroreal[.]xyz\r\nanhubnew[.]info\r\nkidpassave[.]xyz\r\nPhishing domains\r\nton-ico[.]network\r\nooo-ooo[.]info\r\nSource: https://securelist.com/razy-in-search-of-cryptocurrency/89485/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/razy-in-search-of-cryptocurrency/89485/"
	],
	"report_names": [
		"89485"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a87db09eeed596289e4b16403ec204fee397333c.pdf",
		"text": "https://archive.orkl.eu/a87db09eeed596289e4b16403ec204fee397333c.txt",
		"img": "https://archive.orkl.eu/a87db09eeed596289e4b16403ec204fee397333c.jpg"
	}
}