{
	"id": "3b49f7ee-69ad-4ea3-895f-0cba21c05582",
	"created_at": "2026-04-06T02:11:52.332373Z",
	"updated_at": "2026-04-10T03:33:30.020734Z",
	"deleted_at": null,
	"sha1_hash": "b36a48d394c4de83fc0fa3babab00f7de84a6aa1",
	"title": "PrivateLoader: InstallsKey Rewind 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 22076315,
	"plain_text": "PrivateLoader: InstallsKey Rewind 2023\r\nBy g0njxa\r\nPublished: 2024-02-01 · Archived: 2026-04-06 01:33:13 UTC\r\n43 min read\r\nFeb 1, 2024\r\nPrivateloader is the name of a malware created to load other malware families onto infected machines. It is used in a PPI (Pay-Per-Install) service currently known as InstallsKey.\r\nThis service is managed by “doZKey” and announced on all the major forums:\r\nhttps://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65\r\nPage 1 of 109\n\nSame content on all threads:\r\nWWH (https://wwh-club.link/index.php?threads/installskey-installs-mix-world-europe-usa.245429/)\r\nBHF (https://bhf.ee/threads/661092/)\r\nExploit (https://forum.exploit.in/topic/218800)\r\nXSS (https://xss.is/threads/78607/)\r\nLOLZ (https://zelenka.guru/threads/4414359/)\r\nStyx (https://styxmarket.com/accounts/profile/DOZKEY)\r\nCoockie (https://coockie.pro/threads/installskey-installs-mix-world-europe-usa.2964/)\r\nAnd also some other irrelevant forums, or ones I have never heard of:\r\nCracked (https://cracked.io/Thread-Shoppy-InstallsKey-Installs-Loads-exe-apk-Wide-World-Europe-USA)\r\nDarkMarket (https://darkmarket.sx/threads/installskey-installs-mix-world-europe-usa-uniques.56581/)\r\nDarknet Army (https://darknetarmy.com/threads/installskey-installs-mix-world-europe-usa-uniques.1715/\r\nHackforums (https://hackforums.net/showthread.php?tid=6231470)\r\nDarkclub (https://darkclub.cc/threads/installskey-installs-mix-world-europe-usa-uniques.4817/)\r\nPrologic (https://prologic.su/topic/16793-installskey-installs-mix-world-europe-usa-uniques/)\r\nCarder Market (https://carder.market/threads/installskey-installs-mix-world-europe-usa.123539)\r\nSkynet (https://skynetzone.pw/threads/installskey-installs-mix-world-europe-usa-uniquesvsex-privetstv\r\nPrizrak 
(https://prizrak.ws/viewtopic.php?id=1215746)\r\nMegatop (https://megatop.biz/threads/installskey-installs-mix-world-europe-usa-uniques.29807/)\r\nGT Shop (https://2drop-work.cfd/threads/installskey-installs-mix-world-europe-usa-uniques.13716/)\r\nM0st (https://m0st.cc/index.php?/topic/17321-installskey-installs-mix-world-europe-usa-uniques/)\r\nSmm-Profi (https://smm-profi.ru/threads/installskey-installs-mix-world-europe-usa-uniques.9988/)\r\nDeepWeb (https://deepweb.to/threads/installskey-installs-mix-world-europe-usa-uniques.136540/)\r\n4cht (https://4cht.com/threads/installskey-installs-mix-world-europe-usa-uniques.271387/)\r\nNeurons (https://neurons.biz/threads/installskey-installs-mix-world-europe-usa-uniques.2818/)\r\nThejavasea (https://thejavasea.me/threads/installskey-installs-mix-world-europe-usa-uniques.163516/)\r\nHard-tm (https://hard-tm.su/threads/30412/)\r\nNohide (https://nohide.space/threads/installskey-installs-mix-world-europe-usa-uniques.21666/)\r\nHappy Hack (https://happy-hack.net/board/threads/installskey-installs-mix-world-europe-usa-uniques.19\r\nOdiscus (https://m.odiscus.com/topic_3081)\r\nInstagram Forum (https://instagramforum.ru/threads/installskey-installs-mix-world-europe-usa-uniques\r\nPirateHub (https://s1.piratehub.biz/threads/installskey-installs-mix-world-europe-usa-uniques.179958/\r\nSocLife (http://soc-life.com/forum/6-18503-1)\r\nProbiv (https://probiv.one/threads/installskey-installs-mix-world-europe-usa-uniques.144143/)\r\nThere must be more!\r\nAs you can see, the user promoting the service on most of these forums isn’t doZKey but hobotm.\r\nThere are a lot of results for the handle “hobotm” on the Internet, which makes me believe that handle is used by more than one individual, with no relation to each other.\r\nIf we look at the discussion Telegram channel of InstallsKey, we can find an 
administration\r\nindividual under the moniker “@SkupisheEbannoiMegi”, encouraging people to buy from InstallsKey:\r\nTranslated from Russian / Original Post\r\nAnd managing draws and contests:\r\nTranslated from Russian / Original Post\r\nSo doZKey is indeed the main administrator of the InstallsKey Pay-Per-Install service, but there seem to be more people involved in the team.\r\nSome days later, in the first week of October, the installs service was either rebranded or sold into the current “InstallsKey” by doZKey.\r\nThe new doZKey service promoted on the old ruzki service\r\nInstallsKey has been operating since that date and is still active at the time of writing this article, offering three kinds of PPI services based on the GEO of the installs: WorldWide, Europe, or USA.\r\nIn the world of PPI services, there is a common classification of the countries from which installations can come:\r\nTier 1 countries: Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, It\r\nTier 2 countries: Andorra, Argentina, Bahamas, Belarus, Bolivia, Bosnia and 
Herzegovina, Brazil, Bulg\r\nTier 3 countries: Albania, Algeria, Angola, Armenia, Azerbaijan, Bahrain, Bangladesh, Barbados, Beliz\r\nTier 1 \u0026 2 must be considered the target of these services, while Tier 3 countries are considered bad install sources.\r\nBut how many “installs” is this service generating per day? Thousands.\r\nWe take a brief example based on the review of one customer:\r\nUser “Fasilcrypt” allegedly paid “DozKey” 700 USDT for a Mix of installs on his .exe file\r\nTransaction 5a922fe966a188d9e057b0e0fb843ccd7d673178fd988d38845a40e70d4c977f | TRONSCAN\r\nWe can use the statistics ID from his file (1726214).\r\nStatistics are retrieved from the Privateloader C2s. If we query an active C2, we get this:\r\n\u003c\u003cc2\u003e\u003e/api/stats.php?ids=\u003c\u003ccustomerID\u003e\u003e\r\nOne month of install stats (the 21st is a partial-day result) for a build that has been active for a long time.\r\nInstall numbers are in the format: uniques (non-uniques)\r\nI believe “Installs” refers to the total installs in the one-month window and “Last year” refers to the total installs this customer got in the year (because the number changed as of January 2024 to 1144585 (1995104)).\r\nSince he seems a very active client with no install limitations on the InstallsKey service, I would like to generalize this example to the whole service in order to show the scale of the Privateloader campaign. 
This is what\r\nthey call “Connected to stream”: a constant flow of installations.\r\nDo simple math: 4155 (6513) average daily installs from November 22, 2023, to December 20, 2023.\r\nSince the start day is unknown, if we take it as January 1st, that would mean an average of 3300 unique installs every single day this year. Looking at the “Last Year” results once in 2024, the average is similar: around 3100 per day.\r\nThese statistics are synchronized to Moscow, Russia (UTC+3) time.\r\nTerms of Service \u0026 Work Scheme\r\nThis PPI service has its own Terms of Service, which can be found here:\r\nSERVICE RULES. A MUST-READ! — Telegraph (Russian)\r\nTranslated from Russian\r\nThe rules are clear, but in fact they do not correspond to the behavior of Privateloader.\r\nThis is very interesting because of the 1st rule: “All kinds of lockers, encoders, miners are STRICTLY forbidden”.\r\nPrivateloader has actually been dropping ransomware and miners all year, in every detonation. By ransomware I mean all kinds of STOP (djvu) variants, demanding small ransoms from individual victims (more information at STOP (Malware Family) (fraunhofer.de)). We also have the Tofsee botnet, where infected hosts are added to a botnet used to send spam emails and mine cryptocurrencies, among other uses (more info here -\u003e Tofsee (Malware Family) (fraunhofer.de)).\r\nFurthermore, looking at the 3rd rule: “Purchase of units for the purpose of further resale is STRICTLY prohibited”, Privateloader also loads other kinds of loaders. Chief among these are Smoke Loader (always dropped, in every detonation) and Amadey Loader (heavily used, but not always). 
I believe the bots\r\n(infected victims) registered on these secondary loaders are used for further resale by the PPI service as GEO-targeted installs, or as quick and cheap low-quality installs (already used).\r\nIf you think the people behind Smoke (or other loaders) are the same people behind Privateloader, I believe you are wrong. These are just tools for the PPI service, either to make it easier to spread malware builds or to maximize profit from infected hosts.\r\nA victim of the Privateloader campaign under the InstallsKey service in 2023:\r\n1 — Was infected by malware spread by the same people running the PPI service (or their partners), for their own benefit through certain credential requests or further extortion (ransomware)\r\n2 — Joined a botnet, being used as a zombie for mining cryptocurrencies or any other malicious activity (proxies, spam…)\r\n3 — Is loaded with unlimited third-party malware builds from customers of the Pay-Per-Install service.\r\nAt the time of the ZHIGALSZinstalls service, Sekoia analysts had already demonstrated how ruzki used his own traffic (because of botnet IDs found on builds distributed by Privateloader), and the same is done by doZKey.\r\nIs it possible that, although a string ID relates the service to a malware build, the build is not managed by the service itself? 
Yes, because anyone can put whatever they want in that ID, but there are more facts to check: the C2 server and the server from which the build is distributed directly by Privateloader share IP ranges at the same time, which makes us think they are strongly related, and if other PPI services show this kind of behavior, why not InstallsKey.\r\nSame work scheme, different names and time.\r\nYou can dig a little further into Privateloader customers in other sections of this blog.\r\nTarget market\r\nWe can see people paying for the InstallsKey service, but to whom is the InstallsKey service advertising?\r\nWe can’t think in terms of targeted attacks on a specific working population (although there is segregation by country). The objective is to get a constant flow of installations, no matter who you are or where you work. If you have something valuable to anyone, it will be stolen and processed.\r\nThat’s when financial fraud comes into play. Extreme monetization of logs, leading to financial losses all over the world, represents a huge income for this kind of threat actor.\r\nFor example:\r\nInstallsKey is looking for potential collaborations on financial fraud activities: they provide you with logs, and then you work on those requests. 
It is also important to understand that the InstallsKey service is probably also making a profit from its own traffic logs, the same logs that will be provided to the customer of the PPI service along with their own build.\r\nIn fact, the first mention of requests for this kind of criminal work was about Nubank (a Brazilian neobank, the largest fintech bank in Latin America) on January 16, 2023.\r\nA screenshot from an unknown source shared on the InstallsKey channels on December 22, 2022 shows how the installation geo-sources looked at that time,\r\nand you can confirm that Brazil was the most infected country and the first source of installations for the Privateloader campaign. Supply and demand, market rules.\r\nAn example of a review showing this kind of financial fraud activity:\r\nTranslated / Original\r\nOf course, not every customer of InstallsKey is going to commit financial fraud, but whatever they do will start a chain that ends in another individual committing financial fraud, because that kind of illegal activity is where threat actors make the highest income, an income that doesn’t belong to them.\r\nSo the message seems clear: pay for installs, get logs and work on your requests. 
Make it easy.\r\nPromotions \u0026 partners\r\nOn the InstallsKey channels we can find some advertisements for other products.\r\nThe most advertised product is the RisePro stealer.\r\nThis malware has been documented by multiple analysts (see https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/ and https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/), also focusing on the relation between this stealer and PrivateLoader.\r\nIt is a fact that RisePro has been widely used by the PrivateLoader operators, but as a tool, as stated before.\r\nThere are rumors that the same people who own PrivateLoader also own RisePro Stealer, but I think this is not true at all. The team behind RisePro Stealer uses the Privateloader campaign traffic to test its product, and the Privateloader team uses RisePro Stealer to test its campaign, run statistics, and likely also to profit from its logs. I believe RisePro isn’t owned by doZKey’s current PPI service; it’s more likely related to the old ruzki PPI service.\r\nAnalysts saw this stealer activity for the first time in December 2022. The first mention of RisePro on InstallsKey channels is on January 9, 2023, where a user (now deleted) said this:\r\nTranslated from Russian\r\nInstallsKey administrator “doZKey” denies his claims and the relation between the stealer and him or ruzki (the administrator of ZHIGALSZinstalls, predecessor of InstallsKey, as stated before). 
Please also note that if this is\r\ntrue, it means that RisePro has been around since at least August-September 2022.\r\nOn the PPI service channels they admitted having a collaboration with RisePro stealer, advertising it in a very friendly way as “our stealer”.\r\nSource: InstallsKey channels (Translated from Russian)\r\nAnother product advertised on InstallsKey channels is the bulletproof hosting service “ironhost.io”.\r\nThis service was advertised on May 15th, and IronHost started providing a server as a C2 for InstallsKey on November 1st: reported here\r\nThe InstallsKey service, RisePro and IronHost were related in some way in 2023, and experts have talked about this. An example:\r\nPlease refer to the Projet FOX report, as you will see later: Tracking down the cybercriminal infrastructure of infostealer RisePro — Projet FOX\r\nAnalysts found an EasyLead-related domain at mail.mediaskollsoft[.]com, and this was hosted on IronHost. In fact, now it looks like this:\r\nPrivateloader functionality over this year\r\nThe functionality of Privateloader relies on PHP files stored in directories under an /api folder (sometimes open to the public).\r\nAt the time of writing this report, an updated Privateloader C2 looks like this:\r\nBased on my observation, all through 2023 a Privateloader build was using tracemap.php, firegate.php, base_fns.php, and firecom.php. 
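As an added example (not code from this article, and not PrivateLoader's or InstallsKey's own code), here is a small Python classifier that tags URLs from web-proxy logs against the network indicators this article describes: the /api/*.php files listed above plus bing_release.php, flash.php and the stats.php?ids= statistics endpoint, the .jpeg/.png extension artifacts under /api, the vk.com document attachments used to fetch the .bmp payloads, and the campaign 09 fake shorteners listed later in this article. The log format, the client IPs, the host c2.example and the /api/ext/ path are constructed placeholders; only the indicator shapes come from the article, and the one VK URL in the sample is the first one quoted in it.

```python
# Added example (not code from the article, PrivateLoader or InstallsKey):
# tag URLs from web-proxy logs against the network indicators this article
# describes. Log format, client IPs, the host c2.example and the /api/ext/ path
# are constructed placeholders; only the indicator shapes come from the article.
from urllib.parse import urlparse, parse_qs

# PHP files seen under /api on PrivateLoader C2s during 2023, the two added
# later, and stats.php, which is queried as /api/stats.php?ids=<customerID>.
C2_API_FILES = {
    'tracemap.php', 'firegate.php', 'base_fns.php', 'firecom.php',
    'bing_release.php', 'flash.php', 'stats.php',
}

# Fake shorteners of campaign ID 09 (a subset of the list in this article);
# any path of length >= 2 on these hosts serves a PrivateLoader download.
SHORTENER_HOSTS = {
    'cinurl.com', 'picfs.com', 'blltly.com', 'urllio.com', 'urloho.com',
    'bltlly.com', 'tinourl.com', 'tinurll.com', 'urlin.us', 'gohhs.com',
}


def classify_url(url):
    '''Return the list of indicator tags matching one URL (empty = clean).'''
    parsed = urlparse(url)
    host = parsed.hostname or ''
    path = parsed.path or '/'
    query = parse_qs(parsed.query)
    parts = path.strip('/').split('/')
    tags = []

    # 1. C2 API traffic. stats.php is singled out because the ids= parameter
    #    is the customer (statistics) ID and is worth keeping for pivoting.
    if len(parts) >= 2 and parts[0] == 'api' and parts[-1] in C2_API_FILES:
        if parts[-1] == 'stats.php' and 'ids' in query:
            tags.append('c2-stats-query:ids=' + ','.join(query['ids']))
        else:
            tags.append('c2-api:' + parts[-1])

    # 2. Browser-extension droppers: under /api a .jpeg is really a .crx and
    #    a .png is the extension metadata (.json), not an image.
    if parts[0] == 'api' and path.endswith(('.jpeg', '.png')):
        tags.append('c2-extension-artifact')

    # 3. XOR-ed payloads (.bmp) fetched as VK document attachments, shaped
    #    vk.com/doc<owner>_<id>?hash=...&dl=...
    if host == 'vk.com' and parts[0].startswith('doc') and 'hash' in query and 'dl' in query:
        tags.append('vk-document-payload:' + parts[0])

    # 4. Campaign 09 fake shorteners: every path of length >= 2 is a download.
    if host in SHORTENER_HOSTS and len(path.strip('/')) >= 2:
        tags.append('campaign09-shortener')

    return tags


def scan_log(lines):
    '''Return (line_number, url, tags) for every log line with at least one hit.
    Constructed line format: <timestamp> <client-ip> <method> <url> <status>'''
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        tags = classify_url(fields[3])
        if tags:
            hits.append((number, fields[3], tags))
    return hits


# Constructed sample log. Line 4 is the first VK attachment URL quoted in the
# article; everything else is a placeholder.
SAMPLE_LOG = [
    '2023-12-19T10:02:11Z 10.0.0.15 GET http://c2.example/api/firegate.php 200',
    '2023-12-19T10:02:13Z 10.0.0.15 GET http://c2.example/api/tracemap.php 200',
    '2023-12-19T10:02:14Z 10.0.0.15 GET http://c2.example/api/ext/NDE1NzU.jpeg 200',
    '2023-12-19T10:02:20Z 10.0.0.15 GET https://vk.com/doc418490229_669674726?hash=zO6JQAo6iYaXqKxkZ7OtAgZUB0nnLHef5V5H7iZ0Erg&dl=V9sXR6aIOgK 200',
    '2023-12-19T10:05:00Z 10.0.0.22 GET https://cinurl.com/2c7vv 302',
    '2023-12-19T10:05:30Z 10.0.0.22 GET https://www.example.org/index.html 200',
    '2023-12-19T11:00:00Z 10.0.0.9 GET http://c2.example/api/stats.php?ids=1726214 200',
]

if __name__ == '__main__':
    for number, url, tags in scan_log(SAMPLE_LOG):
        print(number, ', '.join(tags), url)
```

The stats.php tag keeps the ids= value on purpose: it is the customer ID that the article uses to pull install statistics, so a hit on it from inside your network tells you which InstallsKey customer's build you are looking at. Feed the real shortener list and your own C2 hostnames from threat intel into the two sets; the matching is on path shape, so the placeholder host does not matter.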
But at the time of writing this report, this functionality had changed a little, and Privateloader operators introduced bing_release.php and flash.php.\r\nThe executables that sometimes appear in the same folder as the PHP files are 99% of the time “RisePro” Stealer.\r\nThe .jpeg and .png files in these directories are not images but the browser extensions that are being installed by PrivateLoader. The .jpeg is the .crx file, and the .png is .json data related to the extension.\r\nExecutables loaded by Privateloader are .bmp files (in fact, XOR-ed executables), mainly requested from VK attachments, but also from bitbucket.org or Discord, or directly from other domains. Some recent examples of these VK attachments:\r\nsdfhj8s.bmp\r\nhttps://vk.com/doc418490229_669674726?hash=zO6JQAo6iYaXqKxkZ7OtAgZUB0nnLHef5V5H7iZ0Erg\u0026dl=V9sXR6aIOgK\r\nPLmp.bmp\r\nhttps://vk.com/doc418490229_669753443?hash=xBPbo5OmmjzwJojlZOFbmu9Qg1TtR9d8MRZqMGAVdH0\u0026dl=HHirDf6vFga\r\nBotClients.bmp\r\nhttps://vk.com/doc418490229_669637079?hash=VdguLglaUQxQEWy7OPzp09fMiy3JG1498Od7lJ6mEhw\u0026dl=Z0vdo01g0fZ\r\nWWW11_32.bmp (URL tagged as WW_11)\r\nhttps://vk.com/doc418490229_669753909?hash=WT7APgrulCXZFZTSEvdEhpp2wKrYTIZVouZnBZXB72g\u0026dl=7ei7VkBuvhB\r\nfile191223.bmp (URL tagged as test22)\r\nhttps://vk.com/doc418490229_669783554?hash=BH6rDsCdPWk2J9y1TmstXOZKSIMojhaG8Fw9a8GF3Ps\u0026dl=gYknZQrp3U8\r\nonxin.bmp (URL tagged as 1)\r\nhttps://vk.com/doc418490229_669783497?hash=lpgJt6qZJygrnJD46sqduKmXlfiOOex3pEVxJqSqyH4\u0026dl=mlJSM2PcfjV\r\ncrypted.bmp (URL tagged as 1)\r\nhttps://vk.com/doc418490229_669744741?hash=OaF1x9qtGSlulTdzzPxQkefg8M8fGibH0KNgx7Org7k\u0026dl=ynpLFb3qBIW\r\nLG.bmp (URL tagged as logger_statistics)\r\nhttps://vk.com/doc418490229_669653354?hash=l8DHCu4lEp9Sb8CTCk5eithtVIhhbBkli1pjUtPjJNP\u0026dl=7vSjZ36UYD1\r\nAs these files 
will be deleted in some time, please find them on MalwareBazaar:\r\nMalwareBazaar | PrivateloaderVK (abuse.ch)\r\nLet’s roll this out:\r\nDistribution of builds\r\nThe first time I found the Privateloader campaign was on March 21, 2023. Dozens of SoundCloud accounts had been compromised and were sharing fake software downloads via shortened links. The same campaign was running under fake Google Sites and Groups.\r\nThe ID of this campaign is 09, a number commonly seen in all Privateloader packed releases offered in this campaign.\r\nThere are still some live examples. Please find them yourself at:\r\nhttps://www.google.com/search?q=download+free+crack+2023+site%3Asoundcloud.com\r\nhttps://www.google.com/search?q=download+free+crack++2023+site%3Agoogle.com\r\nThese fake shortened links (every path on these domains leads to a Privateloader download) redirect to a download page that, at the time of writing this report, looks like this (it changed over time):\r\nAll the fake shortener link services involved in this campaign can be tracked with FOFA:\r\n(fid=”8L8HD+qBqq+rUpSGtABeVg==”)\r\nhttps://en.fofa.info/result?qbase64=ZmlkPSI4TDhIRCtxQnFxK3JVcFNHdEFCZVZnPT0i\r\nFull list of fake shortener links (CAMPAIGN ID 09)\r\nEvery path with a length \u003e= 2 will lead to a PrivateLoader download\r\n5.149.248.110\r\ncinurl.com\r\npicfs.com\r\nblltly.com\r\nurllio.com\r\nurloho.com\r\nbltlly.com\r\ntinourl.com\r\ntinurll.com\r\ntiurll.com\r\ntweeat.com\r\nurlca.com\r\nfancli.com\r\nurlomo.com\r\nurlgoal.com\r\nurlcod.com\r\nshurll.com\r\nbytlly.com\r\nssurll.com\r\ntlniurl.com\r\nimgfil.com\r\nurlin.us\r\njinyurl.com\r\ntinurli.com\r\ngeags.com\r\nurluss.com\r\nurllie.com\r\nshoxet.com\r\nurluso.com\r\nvittuv.com\r\nmiimms.com\r\ngohhs.com\r\nIn this specific campaign ID, Privateloader is spread as a packed file (.zip, .rar, .7z) stored on a hijacked domain.\r\nPlease find in the next parts of this article every domain affected by Privateloader over this observation study.\r\nBut most recently, after speaking with some Privateloader victims and checking InstallsKey customer logs, I was able to identify another campaign being spread via malicious ad networks.\r\nThe IDs of this campaign are 1 and 2.\r\nEvery domain is related to at least one infostealer victim, so yes, either way they are involved in the Privateloader campaign. 
Some sites that provide Privateloader downloads are:\r\npivigames.blog\r\ngamezfull.com\r\nzdescargas.org\r\ncrackzipp.com\r\nindir.torrentabi.com\r\npastemytxt.com\r\ntechwarez.com\r\nfreegamesdl.net\r\ndevteknoloji.com\r\nbuyurindir.org\r\nawdescargas.com\r\ncrackshash.com\r\nblizzboygames.net\r\nblizzpaste.com\r\nuii.io (wordcounter.icu \u0026 pwrpa.cc)\r\nfc-lc.xyz (digitalmarktrend.com)\r\nuploadrar.com\r\nadurly.cc\r\nshrinkme.org\r\nturbobit.com\r\nThese campaign IDs use the same download page as the one shown before, but they often rely on Mega links and Discord attachments to deliver Privateloader builds in the same packed format.\r\nDomains used for sharing Privateloader download links in campaign IDs 1 and 2 check the location of the user, and the request is cached in the user’s browser session, so it can’t be shared or reused after some time. URLs from campaign ID 09 are not cached and can be shared.\r\nAn example of a cached one-time-use URL\r\nThis frontend is nothing new. There is a report from Projet FOX (Tracking down the cybercriminal infrastructure of infostealer RisePro — Projet FOX) that linked that frontend to a service named “EasyLead”. 
Please refer to\r\nthat article for further insights into the Privateloader frontend.\r\nSource: Tracking down the cybercriminal infrastructure of infostealer RisePro — Projet FOX\r\nI noticed it very late, but there seems to be another framework used by InstallsKey operators to spread Privateloader.\r\nAt the time of writing this, it can be found at the domain adstructor.com\r\nhttps://adstructor.com/share/file?AMCMtmXoTQUAi2UCAEVTFwAoAAAAAADA.file\r\nhttps://adstructor.com/share/dl\r\nThe site is built on the amp.dev framework.\r\nThe website gives us a packed file protected with a random 4-digit password, containing a Privateloader build.\r\nAs said, there are two kinds of sites involved in the Privateloader campaign: the ones that have fake download buttons coded into the site, redirecting to suspicious domains that manage the ad traffic networks, including Privateloader downloads; and the ones that use abusive link-shortening services or download hosts to provide download links, where those services are responsible for managing the web traffic, including the malicious ads in their body.\r\nDomains were also scanned with Malcore to get some intel and prove that the domains are involved in infostealer log activity.\r\nThere should be more domains, because everything was extracted from a very small sample of Privateloader logs, as you will notice later.\r\nDIRECTLY SHARING PRIVATELOADER VIA AD NETWORKS\r\npivigames.blog (Target: Spanish-speaking users)\r\nThe service providing ads to this website is ADBUHO.\r\nThis domain has fake download buttons coded into its pages\r\nDownloading Privateloader from 
pivigames.blog\r\nClicking on any fake download button starts a redirection chain ending in linkonclick.com.\r\nSome requests to linkonclick.com will provide a PrivateLoader download.\r\nThe extended redirection chain is:\r\nhttps://pivigames.blog/adbuho\r\nhttps://pivigames.blog/pged.php\r\nhttps://adbuho.com/pivigames2.php\r\nhttps://pivigames.blog/descargas-2.php\r\nhttps://www.linkonclick.com/jump/next.php?r=2558259\r\nhttps://page.strtgic.com/click?pid=10\u0026offer_id=20738\u0026sub1=170583592810000TESTV431140760274V30\u0026sub2=25\r\n[PrivateLoader]\r\nEverything seems to be managed by .js files:\r\n/pivigames.blog/descargas-2.js\r\nThis domain is involved with victim logs\r\ngamezfull.com (Target: Spanish-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nDownloading Privateloader from gamezfull.com\r\nA click on a download button will redirect you to daubreeitebumboatmenmisdeal.com, sometimes sharing Privateloader\r\nhttps://daubreeitebumboatmenmisdeal.com/SgrVO12d3e621f858adb823f06a344dcd9fa200cbe328\r\n[PrivateLoader]\r\nThis domain is involved with victim logs\r\nzdescargas.org (Target: Spanish-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on any fake download button makes a request to daubreeitebumboatmenmisdeal.com\r\nSome requests to daubreeitebumboatmenmisdeal.com will provide a PrivateLoader download\r\nhttps://daubreeitebumboatmenmisdeal.com/SgrVO12d3e621f858adb823f06a344dcd9fa200cbe328\r\n[PrivateLoader]\r\nThis domain is involved 
with victim logs\r\ncrackzipp.com (Target: English-speaking users)\r\nThis domain has fake download links coded into its pages\r\nClicking on fake download links starts a redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttps://bluedownload10.sbs/go.php?a_aid=648adb2ebbf11\u0026chan=\u0026fn=adobe-creative-cloud-crack-2024-downlo\r\nhttps://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=648adb2e\r\nhttps://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=adobecreativeclo\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\nindir.torrentabi.com (Target: Turkish users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download buttons starts a redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttps://highfile1.click/go.php?a_aid=55d0ea51596f4\r\nhttps://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=55d0ea51\r\nhttps://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=Setup\u0026s1=55d0ea5\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\npastemytxt.com (Target: WorldWide)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download buttons starts a 
redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttp://get.claruspolaris.com/?a=197977\u0026o=149408\u0026c=0\u0026co=251140\u0026mt=5\r\nhttps://aditmedia.g2afse.com/click?pid=3052\u0026offer_id=20972\u0026sub1=71b3e999867c4446b9a28eae4bcd25af247a0\r\nhttps://driptrip.trckswrm.com/click?offer_id=851\u0026pub_id=5\u0026pub_sub_id=3052_197977_\u0026pub_click_id=65b2de\r\nhttps://783242.com/QnrIa0083bf12b648b2e6b119a10c5df42a6f4bc217ce?s1=5\u0026s2=3052_197977_\u0026s3=BOTKssIAAAGN\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\ntechwarez.org (Target: Spanish-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download buttons makes a request to polysomiamovantcripes.com\r\nSome requests will provide a Privateloader download\r\nhttps://polysomiamovantcripes.com/HHrK00a134727d27d3a897eb0d326e2e86b0a6c4c5221?q=UniFab%20Video%20Co\r\nThis domain is involved with victim logs\r\nfreegamesdl.net (Target: English-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download buttons starts a redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttps://nicatethebene.info/redirect?tid=1009722\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\ndevteknoloji.com (Target: Turkish users)\r\nThis domain has fake download buttons coded into its 
pages\r\nClicking on fake download links will start a redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttps://bluedownload10.sbs/go.php?a_aid=63ba729511d6d\u0026chan=devtek\u0026fn=street-fighter-4-champion-editio\r\nhttps://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=63ba7295\r\nhttps://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=streetfightercha\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\nbuyurindir.org (Target: Turkish users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download links will start a redirection chain\r\nSome requests will provide a Privateloader download\r\nExtended redirection chain:\r\nhttps://afiletoget.click/b/a_aid/623cb2bc22496/chan/buyurindir/fn/a\r\nhttps://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=623cb2bc\r\nhttps://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=a\u0026s1=623cb2bc224\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\nawdescargas.com (Target: Spanish-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nThe video shows a pop-up\r\nClicking any button redirects you to the page shown here, where clicking the fake button performs the same 
redirection\r\nto malicious domains.\r\nClicking on fake download links will start a redirection chain; the pop-up links do the same.\r\nSome requests will provide a Privateloader download\r\nFrom a pop-up:\r\nhttps://www.greatdexchange.com/jump/next.php?r=3873611\r\nhttps://page.strtgic.com/click?pid=10\u0026offer_id=20658\u0026sub1=1706263910000TPTTV415800791604V1f\u0026sub2=4220\r\n[Privateloader]\r\nFrom clicking the fake button (the base64 in the /go/ path decodes to https://awlinks.xyz/?p=16596):\r\nhttps://awdescargas.com/go/aHR0cHM6Ly9hd2xpbmtzLnh5ei8/cD0xNjU5Ng==\r\nclick\r\nhttps://awlinks.xyz/link/go.php?url=https://www.greatdexchange.com/jump/next.php?r=3873611\r\nhttps://page.strtgic.com/click?pid=10\u0026offer_id=20658\u0026sub1=1706263910000TPTTV415800791604V1f\u0026sub2=4220\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\ncrackshash.com (Target: English-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on fake download buttons will start a redirection chain\r\nSometimes providing a Privateloader download\r\nhttps://crackshash.com/dc.php\r\nhttps://braisingalackadayentr.monster/3or02363a39e65c756001406ce4405bad16ec28c8ef2a\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\nblizzboygames.net (Target: Spanish-speaking users)\r\nThis domain has fake download buttons coded into its pages\r\nClicking on any fake download button starts a redirection chain\r\nSome requests will 
provide a PrivateLoader download\r\nhttps://onclickalgo.com/jump/next.php?r=6058394\r\nhttps://page.strtgic.com/click?pid=10\u0026offer_id=20738\u0026sub1=170541019010000TPTTV425055776704V0e\u0026sub2=37\r\n[Privateloader]\r\nThis domain is involved with victim logs\r\nINDIRECTLY INVOLVED WITH PRIVATELOADER\r\nUsing a specific link shortening service or file hosting service on a website does not, by itself, tie that domain to the abusive content the shortener serves in its links, as long as the shortener is still doing its job of forwarding users to the real content.\r\nBut the fact is that people visit these domains looking for a download and, once they click on the shortened link, they are misled into fake downloads. So the websites below are not malicious themselves, but they actively contribute to the Privateloader campaign, aware of it or not, simply by using these abusive services to monetize their sites.\r\nThese are some of the abusive services identified:\r\n#1 
uii.io\r\nwordcounter.icu \u0026 pwrpa.cc\r\nAlthough these domains seem harmless (a word counter and a password generator website), the link shortening service uii.io uses them as an “adwall” while redirecting users from the shortened link to the real content.\r\nPrivateloader is being shared on these domains with fake download buttons:\r\nExample from videos:\r\naquiyahorajuegos.net\r\nA click on a download button starts a redirection chain\r\nExtended redirection chain (the url parameter of the first hop is base64 and starts with the encoding of https://drive.google.com):\r\nhttps://uii.io/full?api=c292a05bb7dc2de70d01890ac99b711b8992e0be\u0026url=aHR0cHM6Ly9kcml2ZS5nb29nbGUuY29t\r\nhttps://wordcounter.icu/2syc714tfuF\r\n[Click on fake buttons]\r\nhttps://magpiesblemisherombudsman.com/Uur86779dad79f3b39b84fd4f16176e0fcb6046af5a8e\r\n[Privateloader]\r\nAnd this domain is involved with infostealer infections.\r\nOther domains identified using this link shortening service and related to infostealer infections:\r\nprogramaspcfulls.com (playpastelinks.com)\r\nDownloads are managed by a pastes site, using uii.io\r\nbajarjuegospcgratis.com (pastesdescargas.com)\r\nDownloads are managed by the link shortening service cpmlink.net (which carries a lot of spam but does not seem to be related to Privateloader); users are then redirected to a pastes site, using uii.io\r\n#2 fc-lc.xyz\r\nAdwalls used by this link shortening service have fake buttons that redirect users to Privateloader downloads.\r\n
Example from video:\r\nblizzpaste.com\r\nClicking on any fake download button starts a redirection chain:\r\nhttps://homogonymouserapparels.monster/nMr4R7a8151d37b38199c48d4003466e1f6419c4e1283?q=MyFile\r\n[Privateloader]\r\nThe second stage of these shortened links is another adwall on\r\ndigitalmarktrend.com\r\nwhich has more fake buttons redirecting us to the same domain:\r\nhttps://homogonymouserapparels.monster/r?token=f312f1697118de7f3aa002ccbb1aba5de4ec5cf7\u0026q=my_file\r\n#3 uploadrar.com\r\nThis download host has fake download buttons that redirect users to Privateloader downloads. The pages also try to disable the browser debugger.\r\nExample in video:\r\ns0ft4pc.com \u003e\u003e portable4pc.com\r\nhttps://canoestallowrootsabre.com/jKr1Qed15878d1333c59e199f1f0956713d3614ab6b3b?q=EssentialPIM.Pro.BE\r\nOther domains identified using this service are:\r\nfcportables.com\r\n#4 adurly.cc\r\nOnce we click the link and land on the redirection adwall of this link shortening service, a JavaScript function loaded on the page intercepts the first click anywhere on the site through an invisible banner and redirects us to Privateloader downloads.\r\nMalicious ads are being served from 8jw0.com and mediapalmtree.com\r\nExample from 
video:\r\nkmspico.co\r\n#5 shrinkme.org\r\nThe adwall of this link shortener service has fake download buttons. There are two malicious clicks on invisible banners before we can interact with the real website.\r\nhttps://kuy8h8e.com/jwroWc58c8a6ae95b504791a8c81e29a34c4c9ea2a649?q=Windows 11 23H2 Build 22631.3007\r\nExample in video:\r\npcprogramasymas.net\r\n#6 turbobit.com\r\nThe download host has fake download buttons redirecting users to Privateloader downloads\r\nIt seems they have started having some issues with their hosts, but it is indeed a Privateloader download:\r\nhttps://veritiesgarlejobade.com/RurUj74497aa5ee97595f88481a9aebc44b13691cad05?q=%0A%20%20%20%20Downlo\r\nExample from video:\r\nfullprogramlarindir.net\r\nThe observation of these campaigns (IDs 1 and 2) started in mid-November 2023, while since the beginning of my Privateloader tracking journey in May it had been focused on campaign ID 09. 
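The redirection chains listed above share the same broker hops and carry the affiliate identifier from one hop to the next: the a_aid of the first hop reappears (truncated on the page) as affiliate= on track.redis06.sbs, and the awdescargas /go/ path is simply the next hop base64-encoded. The script below is an added example, not code from the original post. It unwraps the static redirector layers (href.li/?<url>, go.php?url=<url>, /go/<base64>), extracts the affiliate-style parameters, and reports which intermediate hosts are shared by several landing sites. CHAINS is copied from the chains in this section with truncated URLs kept truncated; the parameter list in AFFILIATE_KEYS, the function names and the clustering logic are the example's own assumptions.

```python
"""Affiliate-chain triage for the redirection chains listed in this section.

Added example (not code from the original post).  CHAINS is copied from the
chains above; URLs the post shows truncated are kept truncated, so some
parameter values are prefixes.  Function names and logic are this example's own.
"""
import base64
import binascii
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Query parameters the affiliate/traffic-broker hops use to label who sent the click (assumed list).
AFFILIATE_KEYS = frozenset({"a_aid", "affiliate", "s1", "pid", "pub_id", "sub1", "offer_id", "tid", "r"})

CHAINS = {
    "crackzipp.com": [
        "https://bluedownload10.sbs/go.php?a_aid=648adb2ebbf11&chan=&fn=adobe-creative-cloud-crack-2024-downlo",
        "https://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=648adb2e",
        "https://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=adobecreativeclo",
    ],
    "indir.torrentabi.com": [
        "https://highfile1.click/go.php?a_aid=55d0ea51596f4",
        "https://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=55d0ea51",
        "https://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=Setup&s1=55d0ea5",
    ],
    "devteknoloji.com": [
        "https://bluedownload10.sbs/go.php?a_aid=63ba729511d6d&chan=devtek&fn=street-fighter-4-champion-editio",
        "https://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=63ba7295",
        "https://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=streetfightercha",
    ],
    "buyurindir.org": [
        "https://afiletoget.click/b/a_aid/623cb2bc22496/chan/buyurindir/fn/a",
        "https://href.li/?https://track.redis06.sbs/go/19a45436-cb73-4be8-8e51-8ee0e9a6e90d?affiliate=623cb2bc",
        "https://unleakyammiolitesmithian.com/qhrPf0e8235b4dfec746189b023e2e0662dc9663c3796?q=a&s1=623cb2bc224",
    ],
    "awdescargas.com": [
        "https://awdescargas.com/go/aHR0cHM6Ly9hd2xpbmtzLnh5ei8/cD0xNjU5Ng==",
        "https://awlinks.xyz/link/go.php?url=https://www.greatdexchange.com/jump/next.php?r=3873611",
        "https://page.strtgic.com/click?pid=10&offer_id=20658&sub1=1706263910000TPTTV415800791604V1f&sub2=4220",
    ],
    "blizzboygames.net": [
        "https://onclickalgo.com/jump/next.php?r=6058394",
        "https://page.strtgic.com/click?pid=10&offer_id=20738&sub1=170541019010000TPTTV425055776704V0e&sub2=37",
    ],
}


def unwrap(url: str) -> str:
    """Peel one open-redirector layer: href.li/?<url> or anything?url=<url>."""
    parts = urlparse(url)
    if parts.netloc == "href.li" and parts.query.startswith("http"):
        return parts.query
    inner = parse_qs(parts.query).get("url", [""])[0]
    return inner if inner.startswith("http") else url


def decode_go_link(url: str) -> Optional[str]:
    """/go/<base64> links (awdescargas style) carry the next hop inside the path."""
    path = urlparse(url).path
    if "/go/" not in path:
        return None
    token = path.split("/go/", 1)[1]
    token += "=" * (-len(token) % 4)  # restore any stripped base64 padding
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64 (e.g. the track.redis06.sbs UUID): leave the hop as-is
    return decoded if decoded.startswith("http") else None


def resolve(url: str) -> str:
    """Follow static rewrites (wrappers, base64) until the real hop is exposed."""
    seen = set()
    while url not in seen:
        seen.add(url)
        url = decode_go_link(url) or unwrap(url)
    return url


def affiliate_ids(chain: list) -> dict:
    """Collect affiliate-style parameter values across every hop of one chain."""
    found = defaultdict(set)
    for hop in chain:
        for key, values in parse_qs(urlparse(resolve(hop)).query).items():
            if key in AFFILIATE_KEYS:
                found[key].update(values)
    return dict(found)


def shared_hosts(chains: dict) -> dict:
    """Map each intermediate host to the landing sites whose chains pass through it."""
    sites_by_host = defaultdict(set)
    for site, chain in chains.items():
        for hop in chain:
            for url in (hop, resolve(hop)):  # the wrapper host and the host it forwards to
                host = urlparse(url).netloc.lower()
                if host and host != site:
                    sites_by_host[host].add(site)
    return {host: sites for host, sites in sites_by_host.items() if len(sites) > 1}


if __name__ == "__main__":
    for host, sites in sorted(shared_hosts(CHAINS).items()):
        print(f"{host:35} {', '.join(sorted(sites))}")
```

The shared hosts are the disruption points the post argues for: track.redis06.sbs and unleakyammiolitesmithian.com tie four landing sites run by four different affiliates (four distinct a_aid values) to one traffic broker, and page.strtgic.com does the same for the two Spanish-language sites. The script only follows rewrites that are visible in the URL itself; the live hops that decide per visit (the "some requests" in the text, which key on geolocation, cookies and headers) need a real fetch, and the broker's answer can differ from one visit to the next.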
Domains involved since November are:\r\nCampaign IDs 1 \u0026 2\r\nmagicleafstarlight.com\r\nth3cats.com\r\nrecetasplus.com\r\nsygox.com\r\ncrockpics.com\r\npics4world.com\r\nyoungcoloristsunited.com\r\nukm293.com\r\nzuh720.com\r\nlvn915.com\r\nkvd739.com\r\nivd580.com\r\nCampaign ID 09\r\nairfiltersing.com\r\ngts794.com\r\n// Please note that domains are sometimes reused by both IDs\r\nFor a while the threat actors abused Google Drawings (from Google Docs) to serve these downloads (Example).\r\nMore recently, they have hosted a Dropmefiles download page at komfuel.com/download/\r\nAbout ad services and ad networks\r\nAs seen before, Privateloader is distributed via websites whose malicious buttons redirect the user to what look like ad and spam networks via affiliate offers.\r\nOne of the companies offering these malicious “ads” is\r\nAdbuho.com\r\nAs seen before on pivigames.blog\r\nIn fact, some .js scripts are stored there:\r\nhttps://adbuho.com/pivigames2.js\r\nThe website itself is suspicious: it is built with stock photos and looks fake, and there is no more interaction with it than creating an account. 
Adbuho seems to be registered in Azerbaijan.\r\nAnother company offering these fake download button ads is:\r\nNetpub.media\r\nAs seen on digitalmarktrend.com from fc-lc.xyz\r\nAn Italian-registered company offering ad revenue optimization\r\nI can’t find any other quick relation between websites and ad companies, so here is a summary of the malicious domains that start the redirection chains to affiliate ad offers; they must be considered malicious. Suspending these domains would partially disrupt the Privateloader campaign and a lot of other spam-related threats.\r\nlinkonclick.com\r\ndaubreeitebumboatmenmisdeal.com\r\nbluedownload10.sbs\r\nunleakyammiolitesmithian.com\r\ntrack.redis06.sbs\r\nhighfile1.click\r\nget.claruspolaris.com\r\naditmedia.g2afse.com\r\ndriptrip.trckswrm.com\r\n783242.com\r\npolysomiamovantcripes.com\r\nnicatethebene.info\r\nafiletoget.click\r\ngreatdexchange.com\r\npage.strtgic.com\r\nonclickalgo.com\r\nmagpiesblemisherombudsman.com\r\nhomogonymouserapparels.monster\r\ncanoestallowrootsabre.com\r\n8jw0.com\r\nmediapalmtree.com\r\nkuy8h8e.com\r\nveritiesgarlejobade.com\r\nLooking at link shortening services and download hosts is confusing. They offer high payouts and seem very tempting to try and use.\r\nWhether a third-party advertiser is abusing this kind of service or the service itself has found a monetization model that works for malware traffic, all of these services are involved in the Privateloader campaign:\r\nuii.io\r\nfc-lc.xyz\r\nuploadrar.com\r\nadurly.cc\r\nshrinkme.org\r\nturbobit.com\r\nAbusing legitimate services on the Internet is nothing new; remember why Anonfiles shut down its site, and the long-time abusive advertising it was serving. 
(reports:\r\nFile sharing site Anonfiles shuts down due to overwhelming abuse (bleepingcomputer.com)\r\nGermán Fernández on X: “🚨 The #Malvertising campaign from the popular site @AnonFiles continues, with active download of #RedLine Malware. + “Background” type download + 17 malicious domains. + Files with the same name as the original. + And password protected. IOC: https://t.co/R9SH4lRAUa https://t.co/cebFWge1E4\" / X (twitter.com))\r\nStorage of builds\r\nPrivateloader builds are stored as a packed archive on some compromised domain in campaign ID 09. I made more than 300 detonations of Privateloader builds on Any.Run, one every time I noticed that they had changed the location of the build, sometimes reusing a domain with a new path (you can find them on app.any.run by the tags “privateloader” and “g0njxa”).\r\nSince May 16th, 2023, these builds have been located at the following domains:\r\ncilay.cl\r\n ~ /download/File_pass1234.7z (April 23rd)\r\n...\r\nepicitem.ir\r\n ~ /wp-content/download/File_pass1234.7z (May 16th)\r\nalakarga.com.tr\r\n ~ /wp-content/download/File_pass1234.7z (May 17th) (June 20th)\r\npearltransit.org\r\n ~ /download/File_pass1234.7z (May 18th)\r\npico-eg.org\r\n ~ /download/File_pass1234.7z (May 19th)\r\n ~ /wp-content/download/File_pass1234.7z (July 14th)\r\nquizbn.com\r\n ~ /download/File_pass1234.7z (May 22nd)\r\ncorsyne.com\r\n ~ /wp-content/soft/Setup_pass1234.7z (May 23rd)\r\n ~ /01765/zip1_09.7z (October 10th)\r\nebenezcartagena.org\r\n ~ /download/Setup_pass1234.7z (May 23rd)\r\n ~ /wp-content/download/File_pass1234.7z (June 10th)\r\nglicebeautyandspa.com\r\n ~ /download/Install_pass1234.7z (May 24th)\r\npp.webmobile.ma\r\n ~ /download/File_pass1234.7z (May 25th)\r\nmyaralwatan.com.sa\r\n ~ /wp-content/download/Install_pass1234.7z (May 26th)\r\nitfolkstechnology.com\r\n ~ /download/Install_pass1234.7z (May 
27th)\r\n ~ /download/File_pass1234.7z (July 25th)\r\n ~ /wp-download/zip.7z (October 3rd)\r\nblitzz.com.ar\r\n ~ /wp-content/download/File_pass1234.7z (May 28th)\r\njuliereyesrealtorteam.site\r\n ~ /wp-content/download/File_pass1234.7z (May 29th)\r\nthextra2.com\r\n ~ /download/Install_pass1234.7z (May 30th)\r\npetcentercanoas.com.br\r\n ~ /wp-content/download/File_pass1234.7z (May 31st)\r\ninfotrace.cl\r\n ~ /download/File_pass1234.7z (June 1st)\r\nusml.ca\r\n ~ /download/File_pass1234.7z (June 2nd)\r\nnunukan-airport.com\r\n ~ /wp-content/download/File_pass1234.7z (June 2nd)\r\nhealthkindlabs.com\r\n ~ /download/File_pass1234.7z (June 3rd)\r\nims.a2hosted.com\r\n ~ /download/File_pass1234.7z (June 4th)\r\nmithransilks.com\r\n ~ /download/Installs_pass1234.7z (June 5th)\r\n ~ /download/File_pass1234.7z (June 18th) (June 27th)\r\nglobalcorporatelogistics.com\r\n ~ /wp-content/download/File_pass1234.7z (June 5th)\r\nlet4pakistan.com\r\n ~ /download/File_pass1234.7z (June 6th)\r\nnexpredsolutions.com\r\n ~ /wp-content/download/File_pass1234.7z (June 7th) (June 14th)\r\ncallmeonjunk.com\r\n ~ /download/File_pass1234.7z (June 7th)\r\nparalkemeia.eu\r\n ~ /wp-content/download/File_pass1234.7z (June 8th)\r\nbeyondgreat.co\r\n ~ /wp-content/download/File_pass1234.7z (June 10th)\r\n ~ /download/File_pass1234.7z (August 7th)\r\ncreasm.com\r\n ~ /wp-content/download/Install_pass1234.7z (June 11th)\r\nstarkmadstuff.com\r\n ~ /wp-content/download/Install_pass1234.7z (June 11th)\r\ncobaktesbrow.com\r\n ~ /download/File_pass1234.7z (June 11th)\r\nashaltech.net\r\n ~ /download/File_pass1234.7z (June 12th) (June 25th) (July 3rd)\r\nzamoringlobal.com\r\n ~ /download/File_pass1234.7z (June 13th) (June 18th)\r\nglobalafs.com\r\n ~ /download/File_pass1234.7z (June 13th)\r\nai.getnextlevelmarketing.com\r\n ~ /download/File_pass1234.7z (June 14th) (June 20th) (June 26th) (June 28th)\r\n ~ 
/download/File.7z (July 10th)\r\nbetter-relating.com.au\r\n ~ /download/download/File_pass1234.7z (June 15th)\r\n2karra.com\r\n ~ /download/File_pass1234.7z (June 16th)\r\nsvconstructora.com\r\n ~ /wp-content/download/File_pass1234.7z (June 17th) (July 27th) (August 1st)\r\n ~ /wp-content/upgrade/File_pass1234.7z (July 28th)\r\n ~ /wp-admin/maint/archive.7z (September 29th)\r\npyjamty.com\r\n ~ /wp-content/download/File_pass1234.7z (June 17th)\r\ndokumentasoluciones.com\r\n ~ /wp-content/download/File_pass1234.7z (June 17th)\r\nangkorbayon.com\r\n ~ /wp-content/download/File_pass1234.7z (June 18th) (June 30th) (July 6th)\r\nbthp.com.pk\r\n ~ /wp-content/download/File_pass1234.7z (June 19th) (June 24th) (July 1st)\r\ninternetpisco.com\r\n ~ /wp-content/download/File_pass1234.7z (June 19th)\r\nphotosoncanvas.com.au\r\n ~ /download/File_pass1234.7z (June 20th)\r\nfinest.co.ke\r\n ~ /wp-content/download/File_pass1234.7z (June 20th)\r\nasi-rca.ro\r\n ~ /download/File_pass1234.7z (June 21st)\r\ncuentasstreaming.com\r\n ~ /wp-content/download/File_pass1234.7z (June 22nd) (July 13th)\r\nvieirasadv.com.br\r\n ~ /download/File_pass1234.7z (June 23rd)\r\ngabrielgarciarealty.com\r\n ~ /download/File_pass1234.7z (June 26th) (June 29th) (July 2nd)\r\n ~ /.well-known/File_pass1234.7z (July 6th)\r\nbbincentives.org\r\n ~ /download/File_pass1234.7z (June 29th) (July 21st)\r\nzakaconsortium.com\r\n ~ /wp-content/download/File_pass1234.7z (July 4th)\r\ndashuroj.net\r\n ~ /download/File_pass1234.7z (July 4th)\r\ntlt.ma\r\n ~ /download/File_pass1234.7z (July 5th)\r\nvkengcivil.com.br\r\n ~ /wp-content/download/File_pass1234.7z (July 8th)\r\ncobaktesbrow.com\r\n ~ /download/content/File_pass1234.7z (July 9th)\r\n ~ /download/File_pass1234.7z (July 23rd)\r\npiccoli-traslochi-milano.it\r\n ~ /download/File_pass1234.7z (July 9th)\r\n ~ /wp-admin/File_pass1234.7z (July 11th)\r\nevarlic.com\r\n 
~ /wp-content/download/File_pass1234.7z (July 9th) (July 11th) (July 13th) (July 16th) (July 17th) (July 31st)\r\n ~ /wp-content/cache/File_pass1234.7z (July 30th)\r\n ~ /wp-content/uploads/pass1234_setup.7z (August 16th)\r\narnpackersmovers.com\r\n ~ /wp-content/download/File_pass1234.7z (July 10th)\r\nfortal.co\r\n ~ /kop/File_pass1234.7z (July 12th)\r\n ~ /wp-content/uploads/File_pass1234.7z (August 5th)\r\nfundovidaips.com\r\n ~ /wp-content/download/File_pass1234.7z (July 12th)\r\n ~ /download/File_pass1234.7z (July 18th)\r\n ~ /wp-content/plugins/release_03421_pass1234.rar (November 17th)\r\nmatsybd.com\r\n ~ /download/File_pass1234.7z (July 13th)\r\npolemedical.ma\r\n ~ /download/File_pass1234.7z (July 15th)\r\nsmarttechideas.xyz\r\n ~ /wp-content/download/File_pass1234.7z (July 18th)\r\nstoredechuladas.com\r\n ~ /wp-content/download/File_pass1234.7z (July 16th)\r\ndrcesargalvan.com\r\n ~ /wp-content/_download/File_pass1234.7z (July 19th)\r\n ~ /wp-includes/ID3/File_pass1234.7z (July 20th)\r\nramurame.com\r\n ~ /wp-content/download/File_pass1234.7z (July 22nd)\r\nlineart.in\r\n ~ /download/File_pass1234.7z (July 24th) (July 27th)\r\nsafira-widd.com\r\n ~ /wp-content/download/File_pass1234.7z (July 25th)\r\n ~ /wp-content/uploads/File_pass1234.7z (August 6th)\r\nspeedwell.com.bd\r\n ~ /download/File_pass1234.7z (July 26th)\r\nrisesincesteel.com\r\n ~ /wp-content/uploads/File_pass1234.7z (July 27th)\r\nmakemyholidays.net\r\n ~ /images/File_pass1234.7z (July 29th)\r\niqbitprimes.com\r\n ~ /download/File_pass1234.7z (August 1st)\r\nofficialk2spice.com\r\n ~ /wp-content/download/File_pass1234.7z (August 2nd)\r\namimasud.com\r\n ~ /download/File_pass1234.7z (August 3rd)\r\n ~ /wp-includes/wp-upl/file_p_a_s_s1234.zip (September 15th)\r\nhorizonfbs.com\r\n ~ /wp-content/download/File_pass1234.7z (August 4th)\r\nopentrade.com.bo\r\n ~ /plugins/File_pass1234.7z (August 
5th)\r\ndosisagency.com\r\n ~ /wp-content/uploads/File_pass1234.7z (August 5th)\r\ntoar.com.br\r\n ~ /wp-content/uploads/File_pass1234.7z (August 6th)\r\n ~ /wp-content/download/File_pass1234.7z (August 8th)\r\nskylineprodutora.com.br\r\n ~ /download/Pass1234_file.7z (August 9th)\r\noffersprize.com\r\n ~ /wp-content/download/File_pass1234.7z (August 10th)\r\n ~ /wp-content/uploads/File_pass1234.7z (August 27th)\r\n ~ /wp-content/uploads/gate9_pass1234.7z (September 26th)\r\nanerepairservices.com\r\n ~ /wp-content/download/File_pass1234.7z (August 10th)\r\ncolegiojuanbernardone.com\r\n ~ /wp-content/download/File_pass1234.7z (August 11th)\r\n ~ /templates/system/passw1234.7z (September 25th)\r\n ~ /wp-admin/user/setup.7z (October 23rd)\r\n ~ /wp-admin/user/File.7z (November 10th)\r\nnupectogo.com\r\n ~ /download/Install_Pass1234.7z (August 12th)\r\nsicapre.com.mx\r\n ~ /download/File_pass1234.7z (August 12th)\r\nferremallasymecanizados.com\r\n ~ /download/pass1234_file.7z (August 13th)\r\n ~ /net/pass_setup1234.7z (September 21st)\r\nvisitunja.com.co\r\n ~ /wp-content/download/pass1234_setup.7z (August 14th)\r\naboutdailynews.com\r\n ~ /wp-content/uploads/pass1234_setup.7z (August 15th)\r\nthuexevietanh.com\r\n ~ /download/pass1234_setup.7z (August 17th)\r\n ~ /software/Install_pass1234.7z (August 25th)\r\n ~ /wp-download/zip.7z (September 28th)\r\n ~ /bawangtoto/gate9.rar (November 17th)\r\nsujathaputhra.lk\r\n ~ /download/pass1234_setup.7z (August 17th) (August 20th)\r\ndalaibeauty.com\r\n ~ /wp-content/download/Setup_pass1234.7z (August 19th)\r\n ~ /wp-includes/install/Setup_pass1234.7z (August 30th)\r\n ~ /wp-admin/maint/zip.7z (September 30th)\r\nmidiaxplr.com\r\n ~ /wp-content/soft/Install_pass1234.7z (August 19th)\r\n ~ /wp-content/setup_pass.7z (September 3rd)\r\nseedofchrist.org\r\n ~ /wp-content/download/Pass1234_Install.7z (August 
20th)\r\nmdesignmediagroup.com\r\n ~ /download/Setup_password1234.7z (August 22nd)\r\nconcreteprinciplesdesign.com\r\n ~ /installer/Setup_password1234.7z (August 23rd)\r\n ~ /wp-download/zip.7z (October 8th)\r\nmartvl.com\r\n ~ /download/Setup_pass1234.7z (August 23rd)\r\nnext-niger.net\r\n ~ /wp-content/soft/Setup_pass1234.7z (August 24th)\r\n ~ /wp-content/uploads/File.7z (October 25th)\r\ninsuport.com\r\n ~ /wp-content/install/pass1234_setup.7z (August 27th)\r\n ~ /upload/pass1234_gate9.7z (September 14th)\r\n ~ /wp-download/we/file_ver1_009.rar (December 12th)\r\ncelema.co\r\n ~ /wp-content/install/Setup_pass1234.7z (August 29th)\r\n ~ /wp-download/zip9.7z (October 2nd)\r\njulimichkids.com\r\n ~ /download/pass_setup.7z (August 30th)\r\ncevdetaladagtradingltd.com\r\n ~ /wp-includes/File_pass1234.7z (September 1st)\r\n ~ /wp-includes/1211/setup_v2.rar (December 6th)\r\nfaucetmeaning.com\r\n ~ /wp-admin/user/setup_pass.7z (September 4th)\r\n ~ /wp-content/upgrade/Install_p_a_s_s1234.7z (September 19th) (September 21st)\r\n ~ /wp-admin/user/setup.7z (October 22nd)\r\n ~ /wp-content/upgrade/Archive.rar (November 3rd)\r\n ~ /wp-content/wp-upload/release_ver0_9.rar (December 11th)\r\njanetjackson.com.br\r\n ~ /wp-content/uploads/setup_pass.7z (September 11th)\r\n ~ /wp-content/2123w/release_ver2.rar (December 11th)\r\nfepcografic.com\r\n ~ /security/pass1234_setup.zip (September 12th)\r\n ~ /wp-download/Archive.7z (October 1st)\r\n ~ /folder/Setup.rar (November 5th)\r\n ~ /img/gate9.rar (November 14th)\r\n ~ /descargas/gate9.rar (November 16th)\r\ninnovacionlearning.com\r\n ~ /wp-upl/setup_1234pass.7z (September 13th)\r\numutsoydinc.com\r\n ~ /wp-includes/wp-upl/Install_p_a_s_s1234.zip (September 14th)\r\n ~ /wp-admin/network/zip.7z (September 29th)\r\n ~ /wp-admin/File.7z (November 8th)\r\n ~ /wp-content/release_file_09.rar (December 4th)\r\njogjaindotrans.com\r\n ~ 
/system/File_p_a_s_s1234.7z (September 17th)\r\nbeautydiamondstore.com\r\n ~ /wp-admin/network/File_p_a_s_s1234.7z (September 18th)\r\n ~ /wp-admin/maint/zip.7z (September 30th)\r\n ~ /wp-admin/user/setup.7z (October 21st)\r\n ~ /tmam/File.rar (November 9th)\r\n ~ /wp-admin/maint/File.7z (November 9th)\r\nmekonnen-visual.com\r\n ~ /download/soft9w/pass1234.zip (September 19th)\r\ndigitalwork-ci.com\r\n ~ /wp-content/uploads/File_p_a_s_s1234.7z (September 20th) (September 22nd)\r\nsgbci-consultant.com\r\n ~ /soft/Install_p_a_s_s1234.zip (September 21st)\r\nkoreconnexion.com\r\n ~ /wp-content/uploads/IT-SDK_Installer.7z (September 23rd)\r\nalrehabmaroc.com\r\n ~ /wp-content/backuply/pass1234.7z (September 26th)\r\nappstopic.com\r\n ~ /wp-content/wp/zip.7z (September 27th)\r\n ~ /wp-soft/setup.7z (October 23rd)\r\nersapack.com\r\n ~ /wp-download/archive.7z (September 27th)\r\n ~ /pcss/release%20v1_3.rar (December 7th)\r\nnebschool.com\r\n ~ /wp-admin/js/archive.7z (September 30th)\r\nbodegaycocina.co\r\n ~ /novias/zip.7z (October 1st)\r\nkabile-art.net\r\n ~ /wp-download/zip.7z (October 1st)\r\ncoossa.com\r\n ~ /soft9w/idm-download-with-crack-64-bit-2023.7z (October 2nd)\r\nsunbabsco.com\r\n ~ /wp-download/zip.7z (October 4th)\r\n ~ /wp-download/software/zip.7z (October 5th)\r\n ~ /wp-download/server/zip.7z (October 6th)\r\namsangroup.com\r\n ~ /net/Zip.7z (October 7th)\r\n ~ /wp-download/setup.7z (October 21st)\r\n ~ /wp-download/soft/File.7z (October 28th)\r\n ~ /folder/01/archiv.rar (October 31st)\r\njatoo-ci.com\r\n ~ /wp-download/zip.7z (October 7th)\r\n ~ /tetu/file_reliase0_9.rar (November 28th)\r\nfaviskincare.com\r\n ~ /wp-upl/zip.7z (October 9th)\r\n ~ /wp-upl/setup.7z (October 22nd)\r\nkaryaindahperkasa.com\r\n ~ /879876/download/zip.7z (October 10th)\r\n ~ /wp-content/server/setup.7z (October 22nd)\r\ncompuservjr.com\r\n ~ /wp-download/archive.7z (October 
12th)\r\nbidartrepuestos.com\r\n ~ /wp-download/archive.7z (October 12th)\r\ngulf4pets.com\r\n ~ /wp-download/zip_09.7z (October 12th)\r\nempresaozono.com\r\n ~ /wp-download/gate9.7z (October 13th)\r\nwakamoleart.com\r\n ~ /download/gate9.7z (October 14th)\r\netiquetaspiura.com\r\n ~ /download/gate9.7z (October 14th)\r\n ~ /dr/release_file_09.rar (December 3rd)\r\n ~ /swe/release_ver0_9.rar (December 12th)\r\nvectribeagency.com\r\n ~ /wp-download/gate9.7z (October 14th)\r\n ~ /wp-content/plugins/File.rar (November 6th)\r\nsilkylearning.com\r\n ~ /wp-download/archive.7z (October 15th)\r\nbaramode.com\r\n ~ /wp-upload/Setup.7z (October 16th)\r\n ~ /wp-content/server/File.7z (October 29th)\r\n ~ /wp-includes/server/File.rar (November 1st)\r\nashvircreations.com\r\n ~ /wp-upload/Archive_ver1_032.7z (October 17th)\r\nnetworknewsbd.com\r\n ~ /wp-upload/setup.7z (October 17th)\r\n ~ /wp-soft/Setup.7z (October 18th)\r\nindustriasscr.com\r\n ~ /wp-soft/File.7z (October 17th)\r\nmittmexico.com\r\n ~ /wp-soft/Setup.7z (October 19th)\r\naaslab.org\r\n ~ /wp-admin/network/setup.7z (October 19th)\r\njulimichkids.online\r\n ~ /wp-admin/user/setup.7z (October 20th)\r\n ~ /wp-includes/211/setup_file_1_3.rar (December 6th)\r\nsge-sarlu.com\r\n ~ /wp-content/cache/Setup.7z (October 24th)\r\ninremo.com.mx\r\n ~ /wp-download/File.7z (October 26th)\r\neplangocview.com\r\n ~ /wp-download/File.7z (October 26th)\r\nfoodremit.com\r\n ~ /wp-download/server/File.7z (October 27th)\r\nlepumedcal.com\r\n ~ /wp-download/Setup.7z (October 28th)\r\nhey-randomgirl.com.br\r\n ~ /wp-content/upgrade/File.7z (October 29th)\r\n ~ /wp-content/plugins/File.rar (November 6th)\r\n ~ /net/release_1_3.7z (December 19th)\r\ngorichemarketing.com\r\n ~ /download/setup.rar (October 30th)\r\n ~ /download/folder/017976/archiv.rar (November 1st)\r\njamuna-trims.com\r\n ~ /folder/01/Archive.rar (October 30th)\r\n ~ 
/wp-upload/File.7z (November 10th)\r\nraslordeckltd.com\r\n ~ /wp-includes/server/setup.rar (November 2nd)\r\nserver.appsstaging.com\r\n ~ /3346/File.rar (November 4th)\r\nsurcreativegroup.com\r\n ~ /folder/file.rar (November 11th)\r\n ~ /software/File.rar (November 13th)\r\nstalentcoin.com\r\n ~ /form/Archive.rar (November 12th)\r\nzoomradio.com\r\n ~ /server/release_111023_9.zip (November 12th)\r\nlamiaagro.com\r\n ~ /theme/Archive.rar (November 13th)\r\ncloud4ccs.com\r\n ~ /wp-content/upgrade/File.rar (November 14th)\r\nxtremewindowcleaningllc.com\r\n ~ /wp-content/download/reliase1_09.rar (November 18th)\r\nahmedsemab.com\r\n ~ /wp-content/upgrade/reliase1_019.rar (November 19th)\r\nromvalstudios.com\r\n ~ /wp-content/server/reliase1_9.rar (November 19th)\r\ndemo.devswire.com\r\n ~ /wp-content/upgrade/reliase_9.rar (November 20th)\r\ncolombianosprofesionalesenontario.com\r\n ~ /wp-content/upgrade/reliase_091.rar (November 20th)\r\njual.kacangmete.com\r\n ~ /wp-content/upgrade/reliase1_9.rar (November 21st)\r\ninflowingagency.com\r\n ~ /dsd/reliase1_09.rar (November 21st)\r\n ~ /we/reliase_0_9.rar (November 30th)\r\nislammagdy.com\r\n ~ /server/reliase9_1.rar (November 22nd)\r\n ~ /static/reliase_0_9.rar (November 27th)\r\n ~ /tuny/archive_release_v9.rar (December 4th)\r\nrhiviephotography.com\r\n ~ /wp-content/upgrade/reliase9_1.rar (November 23rd)\r\ntest.uniformmarkets.com\r\n ~ /server/reliase0_9.rar (November 23rd)\r\nyateluckyfisher.com\r\n ~ /nextpayapp/archive_v9.rar (November 24th)\r\ncolortheoryksa.com\r\n ~ /wp-content/upgrade/archive_v9.rar (November 25th)\r\nleeziptv.com\r\n ~ /ARVEST/reliase_v09.rar (November 26th)\r\n ~ /ARVEST/File_ver9.rar (November 27th)\r\n ~ /davivi/release_ver9.rar (December 3rd) (December 16th)\r\n ~ /server/release.rar (December 28th)\r\nyosoyunalfa.com\r\n ~ /wp-download/file_reliase_v9.rar (November 
26th)\r\nkwikteamsupport.com\r\n ~ /server/archive_v9.rar (November 27th)\r\nhttps://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65\r\nPage 76 of 109\n\nmumayizat.com\r\n ~ /wp-content/litespeed/reliase1_9.rar (November 28th)\r\nrodhigital.com\r\n ~ /aladin/release_v9.rar (December 1st)\r\n ~ /ambalwarsa/file_ver_9.rar (December 5th)\r\n ~ /server/release.rar (december 29th)\r\ncasapatiobolivia.com\r\n ~ /wp-content/uploads/release_v1_3.rar (December 6th)\r\nsistemaslyf.com\r\n ~ /sistemamein/release_v2.rar (December 6th)\r\nforexyatirimi.com.tr\r\n ~ /wp-content/uploads/release_v1_3.rar (December 6th)\r\nhbtproperty.com\r\n ~ /wp-includes/IXR/release_v2.rar (December 6th)\r\ncccastello.com\r\n ~ /net/release_v0_9.rar (December 8th)\r\npuntosoporte.cl\r\n ~ /wp-content/upgrade/release%20ver2.rar (December 8th)\r\nmonkdeskapps.com\r\n ~ /upload/release_v1_3.rar (December 10th)\r\n ~ /upload/release_2.rar (December 11th)\r\nefacthsac.com\r\n ~ /restoran/release_v1_3.rar (December 10th)\r\nwingstrongsports.com\r\n ~ /wp-upload/file_ver1_009.rar (December 12th)\r\n ~ /assets/release_v9.rar (December 14th)\r\nshalimarpaints.com\r\n ~ /assets/release_v9.rar (December 13th)\r\nafashionstudio.com\r\n ~ /b/release.rar (December 13th)\r\ngiftimprint.com\r\n ~ /b/release.rar (December 14th)\r\nfirstrustt.com\r\n ~ /wp-download/release_v09.rar (December 15th)\r\nrtexcorporation.com\r\n ~ /storage/app/release.rar (December 17th)\r\nbauchisdgs.org.ng\r\n ~ /wp-upload/release_v9.rar (December 17th)\r\njibiadata.com.ng\r\n ~ /download \u003e Discord CDN (December 18th)\r\nsupersistersofpak.org\r\n ~ /wp-upload/File.zip (December 19th)\r\nconsciencepropre.com\r\n ~ /wp-content/uploads/release_09.rar (December 19th)\r\n ~ /wp-includes/wp-upload/release.rar (December 27th)\r\n(komfuel.com) royalasiabd.com\r\n ~ /wp-content/uploads/setup.rar (December 20th)\r\nhttps://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65\r\nPage 77 of 
109\n\nmunisartimbamba.gob.pe\r\n ~ /wp-upload/release_2_0.rar (December 20th)\r\npablomirandaarquitecto.cl\r\n ~ /wp-upload/setup.rar (December 20th)\r\nbytebreez.com\r\n ~ /wp/setup.rar (December 21th)\r\ntahaozeler.com\r\n ~ /wp-content/upgrade/release.rar (December 21th)\r\naccship.com\r\n ~ /server/release.rar (December 22th)\r\naskerimalzemeciyiz.com\r\n ~ /wp-content/upgrade/release.rar (December 22th)\r\ncemtokbay.com\r\n ~ /server/release.rar (December 23th)\r\nemoner7840.com\r\n ~ /wp-content/uploads/file.rar (December 24th)\r\neukariyer.com\r\n ~ /download/wp-upload/release.rar (December 24th)\r\nfcrteknikservis.com\r\n ~ /wp-upload/release.rar (December 24th)\r\nglobalteach.net\r\n ~ /download/release.rar (December 25th)\r\nfazliustam.com\r\n ~ /wp-upload/release.rar (December 25th)\r\ngurnazakademi.com\r\n ~ /wp-upload/release.rar (December 25th)\r\nguolitexbd.com\r\n ~ /wp-upload/release.rar (December 26th)\r\nmashkaanta.com\r\n ~ /wp-content/wp-upload/release.rar (December 26th)\r\nrpmedicgroup.com\r\n ~ /server/release.rar (December 27th)\r\nrosemount-bd.com\r\n ~ /wp-content/uploads/release.rar (December 31th)\r\nAs stated before, the usage of Discord CDN attachments and Mega downloads is also very common in campaign\r\nIDs 1 and 2. 
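The listing above follows one shape throughout: a compromised site on its own line, then one ` ~ /path (Month Day)` line per archive staged on it. As an added example, not code from the original post, the following Python turns that shorthand into dated download URLs and flags paths whose top directory is named like a WordPress directory but is not one of the three that ship with WordPress (wp-admin, wp-includes, wp-content). That is the fastest way to spot planted directories such as wp-download, wp-upload or wp-soft when triaging a site like the ones listed. The sample input is constructed from a few of the entries above; the year 2023 and the https scheme are assumptions, since the listing gives neither.

```python
import re
from datetime import date
from typing import List, Tuple

# Constructed sample in the post's shorthand (entries taken from the listing above):
# a domain line, then " ~ /path (Month Day)" lines, one per archive staged on it.
SAMPLE = """\
vectribeagency.com
 ~ /wp-download/gate9.7z (October 14th)
 ~ /wp-content/plugins/File.rar (November 6th)
baramode.com
 ~ /wp-upload/Setup.7z (October 16th)
 ~ /wp-includes/server/File.rar (November 1st)
aaslab.org
 ~ /wp-admin/network/setup.7z (October 19th)
"""

MONTHS = {name: n for n, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# The only top-level directories a stock WordPress install has; any other
# "wp-" name at the top of a path (wp-download, wp-upload, wp-soft, ...) was planted.
STOCK_WP_DIRS = {"wp-admin", "wp-includes", "wp-content"}

ENTRY_RE = re.compile(
    r"^\s*~\s+(?P<path>/\S+)\s+\((?P<month>[A-Z][a-z]+)\s+(?P<day>\d{1,2})(?:st|nd|rd|th)\)")


def parse_listing(text: str, year: int = 2023) -> List[Tuple[str, date, bool]]:
    """Return (url, first_seen, planted_wp_dir) per archive, in listing order.

    year and the https scheme are assumptions: the shorthand records neither.
    """
    rows: List[Tuple[str, date, bool]] = []
    domain = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            domain = line.strip()            # a bare line names the next host
            continue
        if domain is None:
            raise ValueError(f"archive path before any domain: {line!r}")
        path = m.group("path")
        seen = date(year, MONTHS[m.group("month")], int(m.group("day")))
        top = path.split("/")[1]
        planted = top.startswith("wp-") and top not in STOCK_WP_DIRS
        rows.append((f"https://{domain}{path}", seen, planted))
    return rows


def planted_urls(text: str, year: int = 2023) -> List[str]:
    """URLs sitting under a fake wp-* directory, oldest first."""
    rows = sorted(parse_listing(text, year), key=lambda r: r[1])
    return [url for url, _, planted in rows if planted]


if __name__ == "__main__":
    for url, seen, planted in parse_listing(SAMPLE):
        print(seen.isoformat(), "PLANTED" if planted else "stock  ", url)
```

Sorting by the parsed date also makes the rotation visible (the same archive name appearing on a fresh host a day or two later). Paths under stock directories (wp-content/uploads, wp-includes/server) are deliberately not flagged: those exist on every WordPress site, so an archive there needs a file-level check rather than a path-level one.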
They also tried to spread builds via app.box.com (example) or Google Drive.\r\nDetonations of builds\r\nThanks to the periodic detonation of PrivateLoader builds, we can identify the hosts that were used as C2 over the year:\r\nSummarization: IP Summarization Results of 15 IPs — IPinfo.io\r\n149.154.158.34 (March 21st) [opendir]\r\n94.142.138.113 (April 22nd) [opendir]\r\n208.67.104.60 (April 23rd) [opendir]\r\n94.142.138.131 (April 23rd) [opendir]\r\n85.208.136.10 (May 17th)\r\n94.131.106.196 (May 17th)\r\n5.181.80.133 (May 17th)\r\n45.15.156.229 (May 29th)\r\n193.42.32.118 (September 1st)\r\n91.92.243.151 (November 2nd)\r\n194.49.94.113 (November 11th)\r\n185.216.70.235 (November 12th)\r\n195.20.16.45 (December 10th)\r\n77.105.147.130 (December 11th)\r\n195.20.16.46 (December 12th) [opendir]\r\nAs you can see, the most common hosting provider for these hosts is AEZA INTERNATIONAL LTD, a well-known provider that is also known for its bulletproof-style offering and is widely abused by threat actors. The summary shows other bulletproof hosters as well, such as STARK INDUSTRIES SOLUTIONS LTD.\r\nWe can also track the hosts from which builds were requested by these PrivateLoader C2s. Most of these builds are directly related to customers of the PPI service, but I believe the hosts are controlled by the same people running the service.\r\n(Note: as stated before, PrivateLoader loads other loaders, which in turn load other builds from other hosts; in this section only the builds loaded directly by PrivateLoader were taken into account.)\r\nSummarization: IP Summarization Results of 127 IPs — IPinfo.io\r\nSorted in chronological order (May 16th - December 31st)\r\n185.161.248.37\r\n163.123.143.4\r\n45.12.253.74\r\n109.206.243.208\r\n176.113.115.239\r\n91.215.85.147\r\n209.250.254.249\r\n77.91.68.16\r\n45.81.39.190\r\n83.97.73.126\r\n78.141.217.110\r\n45.143.137.71\r\n136.244.105.69\r\n51.210.156.4\r\n45.63.40.48\r\n95.214.25.234\r\n83.97.73.128\r\n194.180.48.90\r\n194.169.175.124\r\n45.9.74.6\r\n83.97.73.130\r\n45.9.74.80\r\n83.97.73.131\r\n46.30.190.83\r\n77.105.146.74\r\n109.70.148.54\r\n94.156.35.76\r\n185.39.207.64\r\n176.123.0.55\r\n141.95.126.89\r\n119.18.54.161\r\n185.39.207.84\r\n83.97.73.134\r\n194.169.175.132\r\n85.217.144.228\r\n37.1.207.170\r\n95.214.25.233\r\n176.113.115.84\r\n5.42.67.2\r\n83.97.73.183\r\n77.91.124.31\r\n45.66.230.164\r\n77.91.124.5\r\n77.91.124.40\r\n194.169.175.136\r\n85.217.144.143\r\n95.179.141.133\r\n95.214.25.232\r\n194.169.175.138\r\n87.120.88.198\r\n194.169.175.139\r\n77.91.124.47\r\n95.214.25.207\r\n77.91.68.1\r\n77.91.124.231\r\n91.103.253.32\r\n87.121.221.58\r\n108.61.99.145\r\n209.250.242.222\r\n194.169.175.233\r\n185.82.126.111\r\n89.185.85.189\r\n195.58.51.86\r\n194.169.175.232\r\n185.225.75.154\r\n77.91.68.238\r\n179.43.142.242\r\n94.156.253.187\r\n178.63.45.64\r\n51.250.21.16\r\n171.22.28.208\r\n171.22.28.214\r\n138.201.165.90\r\n46.173.215.72\r\n171.22.28.222\r\n94.142.138.221\r\n5.42.64.2\r\n45.130.231.6\r\n194.169.175.242\r\n194.55.224.41\r\n77.91.68.239\r\n45.129.14.83\r\n87.236.19.185\r\n171.22.28.226\r\n85.143.221.30\r\n103.23.232.80\r\n77.91.68.249\r\n108.179.232.106\r\n185.225.74.144\r\n5.42.64.10\r\n171.22.28.213\r\n77.95.113.16\r\n146.59.70.14\r\n171.22.28.212\r\n213.108.246.141\r\n171.22.28.219\r\n45.132.1.20\r\n171.22.28.221\r\n193.42.33.7\r\n193.42.33.68\r\n109.107.182.2\r\n37.139.129.88\r\n185.172.128.69\r\n193.106.175.190\r\n91.92.240.231\r\n194.49.94.48\r\n194.49.94.97\r\n212.113.122.87\r\n194.169.175.118\r\n5.42.92.93\r\n194.87.216.191\r\n194.49.94.154\r\n185.198.57.117\r\n5.42.64.35\r\n109.107.182.45\r\n194.5.249.115\r\n109.107.182.3\r\n193.233.132.4\r\n85.209.176.216\r\n185.172.128.19\r\n193.233.132.34\r\n194.33.191.102\r\n212.193.54.81\r\n85.209.11.204\r\n62.84.96.105\r\n185.172.128.53\r\n45.15.156.2\r\nThe most common hosting provider is altawk.com (AS203727 Daniil Yevchenko), which is related to YeezyHost, a bulletproof service advertised on forums and heavily used by threat actors:\r\nhttps://zelenka.guru/threads/3235733/\r\nConstant improvements were applied to PrivateLoader builds in order to avoid sandbox detonation. 
By the end of the year, using ANY.RUN, it was very hard to get a successful run of a PrivateLoader build: a proxy connection and a machine with an OS \u003c Windows 7 x64 were needed.\r\nProfiling customers\r\nFirst of all, from customer reviews, here is every transaction and address associated with doZKey and the InstallsKey service:\r\nUSDT:\r\nTLHFZSH8LtRas9Bcrg9rD54nNhjYQQQRLw\r\nTransaction #1 — $70\r\nTransaction 43d562a363b554cec532c863c32fdcc8572d0e1fe421ac0e6a8ff3c792ba7b20 | TRONSCAN\r\nSource: https://wwh-club.link/index.php?threads/installskey-installs-mix-world-europe-usa.245429/post-2265221\r\nTransaction #2 — $5000\r\nTransaction 123967b28ca50be06288b37afee86b2d5f2a008a9b3ddf1f3b0bd6995ddd9d6d | TRONSCAN\r\nSource: InstallsKey | Installs Mix World / Europe / USA / UNIQUES — Social Engineering Forum — Zelenka.guru (Lolzteam)\r\nBTC:\r\nbc1qp2rlyxetphma0tv5v87f520h74633ce55hrlfn\r\nTransaction #1 – 0.00260123 BTC\r\nSource: InstallsKey | Installs Mix World / Europe / USA / UNIQUES — Social Engineering Forum — Zelenka.guru (Lolzteam)\r\nSometimes we can identify the owner of dropped builds just by looking at the network traffic of that specific infostealer. Note that PrivateLoader customers all receive the same installs at the same time: a single victim is handed to 5–20 different buyers simultaneously. 
Frightening!\r\nBecause of this, one recurring complaint about the InstallsKey service is the short life of the victims’ logs: first come, first served!\r\nFrom Meta and Redline builds, it is possible to identify some InstallsKey customers:\r\nCosmic Cloud — https://t.me/cloudcosmic\r\nA cloud of private paid logs, selling what they get from PrivateLoader installs (mainly), among other traffic sources, I believe.\r\nIoCs:\r\n157.254.164.98:28449 | Cosmic Logs | CosmicCloud | @cloudcosmic | buddha | @CLOUDCOSMIC (https://cloudcosmic.store) | ShadowLogs | Logs | LogsCosmic | cosmic\r\n185.225.73.32:14387 | Log$ | CosmicLog$ | @CLOUDCOSMIC (https://cloudcosmic.store)\r\n185.225.73.32:44973 | loguis | cloudcosmic (https://cloudcosmic.store)\r\n185.225.75.171:22233 | (@cloudcosmic (https://cloudcosmic.store)\r\n91.92.250.219:22233 | cloudcosmic (https://cloudcosmic.store)\r\n194.33.191.60:44675 | cloudcosmic (https://cloudcosmic.store)\r\nIt’s interesting to see that Cosmic Cloud was operating under the Shadow Cloud name at some point between June and July 2023. 
The Shadow Cloud channel is still active, so it has probably been operating all this time, reselling logs from Cosmic Cloud.\r\nIf we lurk on the free log releases of his channel:\r\nIP Summarization Results of 303 IPs — IPinfo.io\r\nWe can notice that most of the worldwide victims downloaded a PrivateLoader build and executed it.\r\nIn fact, on the last META v4 release, the content of the clipboard at infection time was also grabbed by this stealer, and we can see that this victim had a PrivateLoader download link. 184 out of 303 logs have a clipboard record, and 135 of them contain a PrivateLoader link on the Discord CDN (associated with campaign IDs 1 and 2). Note that all the malicious attachments came from the same Discord channel:\r\n60 - https://cdn.discordapp.com/attachments/1189944781556695173/1190292759081390140/release.rar\r\n30 - https://cdn.discordapp.com/attachments/1189944781556695173/1190293054809178213/release.rar\r\n24 - https://cdn.discordapp.com/attachments/1189944781556695173/1190684453756993536/release.rar\r\n21 - https://cdn.discordapp.com/attachments/1189944781556695173/1190684573965754398/release.rar\r\nIn some specific cases, I can also see from which site they downloaded this PrivateLoader build thanks to cookie records (using cookies as browser history). These sites are the ones you have seen previously in this article.\r\nLogsDiller — https://t.me/logsdiller_notify\r\nA cloud of private paid logs, also selling what they get from 
PrivateLoader installs, but they also have other traffic sources. I have seen them in the past distributing builds on YouTube using compromised accounts.\r\nAn example of an alternative traffic source is the website allsft.info.\r\nDetonation: Analysis allsft.info Malicious activity — Interactive analysis ANY.RUN\r\nThey use Redline (although they have also been seen using Meta Stealer).\r\nIoCs:\r\n178.33.182.70:18918 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.210.170.199:23368 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n147.135.231.58:23368 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n147.135.231.58:39396 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n135.125.27.228:39396 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n146.59.161.7:36019 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n146.59.161.7:48080 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n147.135.165.22:17748 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n147.135.165.22:38685 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n178.32.90.250:29608 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n149.202.8.114:26642 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.89.201.49:6932 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n209.250.248.11:33522 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n136.244.98.226:33587 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.83.170.21:19447 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n149.202.0.242:31728 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.38.95.107:42494 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n146.59.10.173:45035 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.255.152.132:36011 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n146.59.161.13:39199 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n51.254.67.186:16176 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n171.22.28.236:38306 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n194.169.175.234:27221 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n194.49.94.40:21348 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n185.216.70.232:28121 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n194.49.94.142:41292 | ID: LogsDiller Cloud (Bot: @logsdillabot)\r\n194.49.94.181:40264 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n95.214.26.17:24714 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n193.233.132.48:24324 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n45.15.156.187:23929 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\n195.20.16.188:20749 | ID: LogsDiller Cloud (Telegram: @logsdillabot)\r\nThe administrator of this logs cloud left a review of InstallsKey:\r\nasap_rocky — Social Engineering Forum — Zelenka.guru (Lolzteam) (screenshot translated from Russian)\r\nHe says that he bought installs for personal use. In the screenshot he shared, we can see that he spent $5000 in USDT on October 26th, 2022, and came out with a total profit of 127113 DOGE and 1269 USDT (~ $14k) worth of stolen cryptocurrency (1 DOGE = ~ $0.1 in 11/2022).\r\nIf we compare the releases of these two clouds, we can see the reality of Pay-Per-Install services: the same victims on different sites.\r\nAnd here I am only comparing these two clouds. 
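The four Discord links quoted above carry more than a filename: the two numbers in a cdn.discordapp.com/attachments/<channel>/<attachment>/ URL are Discord snowflake IDs, and the top 42 bits of a snowflake are its creation time in milliseconds since 2015-01-01 UTC. As an added example, not code from the original post, the following Python tallies attachment links found in a batch of clipboard records, reduces each to a canonical form so that the expiring ex=/is=/hm= query parameters newer links carry do not split the counts, and decodes when the channel was created and when each file was uploaded, which lets you date a wave like the one above from the links alone. The clipboard records are constructed (they reuse the first two links quoted above with made-up repetition and one dummy query string); the timestamps the code returns for those IDs are real decodings of the numbers in the links.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Attachment path shape: /attachments/<channel_id>/<attachment_id>/<filename>
ATTACH_RE = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")

# Constructed clipboard records (not the post's data): the first two links quoted
# above with made-up repetition, one copy with a dummy expiring query string,
# one non-Discord link and one empty clipboard.
CLIPBOARDS = [
    "https://cdn.discordapp.com/attachments/1189944781556695173/1190292759081390140/release.rar",
    "https://cdn.discordapp.com/attachments/1189944781556695173/1190292759081390140/release.rar",
    "pass 1234 https://cdn.discordapp.com/attachments/1189944781556695173/1190292759081390140/release.rar",
    "https://cdn.discordapp.com/attachments/1189944781556695173/1190293054809178213/release.rar",
    "https://cdn.discordapp.com/attachments/1189944781556695173/1190293054809178213/release.rar?ex=0&is=0&hm=0",
    "https://example.com/not-discord/release.rar",
    "",
]


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: top 42 bits, ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_attachment(url: str) -> Optional[Tuple[int, int, str]]:
    """(channel_id, attachment_id, filename) for a Discord attachment link, else None.

    The query string is ignored on purpose: newer links carry ex=/is=/hm= expiry
    parameters, but the two IDs in the path are what identify the upload.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in CDN_HOSTS:
        return None
    m = ATTACH_RE.match(parts.path)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def canonical(url: str) -> Optional[str]:
    """Query-free form of an attachment link, so variants of one upload count together."""
    hit = parse_attachment(url)
    if hit is None:
        return None
    channel, attachment, filename = hit
    return f"https://cdn.discordapp.com/attachments/{channel}/{attachment}/{filename}"


def tally_clipboards(clipboards: List[str]) -> Dict[str, object]:
    """Count attachment links across clipboard records and date the channel and uploads."""
    counts: Counter = Counter()
    with_link = 0
    for text in clipboards:
        links = [c for c in (canonical(tok) for tok in text.split()) if c]
        if links:
            with_link += 1
        counts.update(links)
    channels = sorted({parse_attachment(u)[0] for u in counts})
    return {
        "counts": counts,
        "with_link": with_link,
        "channel_created": {c: snowflake_time(c) for c in channels},
        "uploaded": {u: snowflake_time(parse_attachment(u)[1]) for u in counts},
    }
```

Run over the 135 records the post describes, the same function gives the per-link split. For the IDs in the links above it also shows that the channel was created on December 28th (14:55 UTC) and the first attachment uploaded on December 29th (13:58 UTC), that is, a channel opened the day before this release.rar wave rather than a long-lived one.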
The same victims can surely be found in other sources: victims of different malware, but all under the same campaign, PrivateLoader.\r\nYT\u0026Team Cloud — https://t.me/ytteam_cloud\r\nAnother cloud of private logs, which relies on PrivateLoader traffic to fill up its cloud. It was pretty active from June 2023 and suddenly disappeared around December 2023.\r\nIoCs:\r\n176.123.9.85:16482 | @oleh_ps | YT\u0026TEAM LOGS | @ytlogsbot | Ddoska\r\n176.123.4.46:33783 | @oleh_ps | @ytlogsbot\r\n185.216.70.238:37515 | @oleh_ps\r\n194.169.175.235:42691 | YT\u0026TEAM CLOUD | @ytlogsbot | @oleh_ps\r\n176.123.7.190:32927 | @ytlogsbot\r\nX Claus Cloud — https://t.me/xclauscloud\r\nA private cloud that started at the end of October 2023, first seen on PrivateLoader in the first days of November.\r\n91.103.252.189:30344 | ID: @xclauscloud_bot\r\nHe is using Redline and sometimes posts screenshots from his panel. One was posted as “LIVE TRAFFIC”, and the number of logs he was posting matched the PrivateLoader trend of installations per day.\r\nPixel Cloud\r\n194.49.94.11:80 | ID: pixelcloud\r\nIndividuals from the Amnesia Team\r\nAmnesia Team is an OG log-trafficking group in service since December 2022 and still working, banned from the major forums because “working with logs from CIS countries victims” is prohibited.\r\nThe botnet IDs of these builds have the following format:\r\n[ Telegram ID — PanelID-Crypt ], where Telegram ID refers to the Telegram user ID of whoever requested a stealer build, Panel ID refers to the stealer panel ID from which the builds were generated (this is kind of confusing 
and maybe wrong, since I’m not confident about it), and Crypt refers to the crypter service used for the generated build, one of three options: Alice Crypt, Easy Crypt and Packlab.\r\nIt seems that some users working for the Amnesia Team decided to invest some money buying installs on the InstallsKey service. Builds seen on PrivateLoader are:\r\n1801258641-26990097-easy\r\n1543974212-26990097-packlab\r\n5904899475-93lhAj6K-alice\r\n678468341-26990097-packlab\r\n678468341-26990097-alice\r\n678468341-26990097-easy\r\n6663705738-IX5wZhT8-MANUAL\r\nTracing a user from a Telegram ID alone, without ever having talked to them, is impossible. Sometimes it is possible to tie a Telegram ID to a username thanks to IDs leaked by moderation bots in groups; sadly, none of these Telegram IDs were seen in any group I am in.\r\nAnd how do we know these builds belonged to the Amnesia Team?\r\nThe C2 was 5.42.65.101, working for a very long time (since before May 16th). This relation was publicly reported in November 2023 by security researcher Karol Paciorek. On this same IP, an HTML website was hosted showing a frame of the Amnesia Cloud all these months.\r\nOn December 8th, the Amnesia Team updated its infrastructure and this C2 server was shut down. Let’s see how 2024 goes for these guys!\r\nThe InstallsKey service :) (And other PPI services!!)\r\nAs said before, the InstallsKey service also uses its own traffic to generate logs… Meta and Redline are not their best options, but they were used. 
Time frames and IP ranges (from the list of “servers from which builds loaded by PrivateLoader were requested”) match, and the suspicious botnet IDs point the same way, so there is no reason not to think that InstallsKey is a customer of itself.\r\nIoCs:\r\n45.9.74.117:15394 | ID: installs\r\n213.21.220.222:8080 | ID: INSTALLSKEY\r\n~~~ Installs3000\r\nA very old installs service (from 2021!) that sells “downloads (traffic, installs) of the MIX world (extension *.exe and *.dll)! The source of traffic is exchanges. There is no CIS”.\r\n62.72.23.19:80\r\nInstalls3000_20231002\r\nInstalls3000_20230731\r\n149.100.158.96:80\r\nInstalls3000_20231030\r\n~ Hawk Traffic\r\n80.85.152.116:31050 | ID: @HawkTraffic\r\nStarted at the end of November and has been active for some weeks. He “provides the latest methods of generating traffic”.\r\nOther Redline and Meta botnet IDs were:\r\n@Chicago\r\ntrafico\r\nmusor\r\n1\r\nmix\r\nBigBoss\r\nmitro\r\n2\r\n@Chicacgo\r\nmina\r\nmisa\r\ngoga\r\nmusa\r\nmunder\r\nmaxi\r\nmetro\r\n29.05.2023\r\nronin\r\ntinda\r\nrocker\r\nbrain\r\nbuddha\r\nads1\r\ncrazy\r\nxccz\r\nmast\r\n@Germany\r\nboris\r\nmoro\r\ndroid\r\nmare\r\nrovno\r\nmy cloud yt\r\nwq12\r\nlux3\r\nStukaet norm\r\nMr Leung\r\njoker\r\nrt2\r\nprolivka\r\nwerta\r\nmaza\r\njason\r\ngrom\r\n1006\r\n@nudikq1\r\nhares\r\nBOGO2\r\nmucha\r\nrt243\r\nrt5\r\nnarko\r\nbuil1\r\nLogsLive1\r\nrt6\r\njako\r\ncrypton\r\nnorm\r\nfurod\r\nmasha\r\n1red1\r\nrt4\r\nzahar\r\nroma\r\nrt7\r\nnasa\r\n190723_rc_11\r\ngrom\r\nnews\r\nkrast\r\nLylawork0721\r\nlande\r\n12\r\nrt234\r\ngotad\r\npapik\r\nlodka\r\nrt23\r\nPersom\r\nmaxik\r\nmicky\r\nsavin\r\ndodge\r\nsutra\r\nfdg\r\nkedra\r\nsomethingmad_build\r\ngibon\r\nlonda\r\n1308\r\nregta\r\nmeson\r\ndava\r\n3\r\nmaga\r\ndugin\r\njonka\r\n10keuro\r\nlang\r\nrota\r\ngogi\r\nrwan\r\nsmokiez1_build\r\n1smokiez_build\r\nvaga\r\nnrava\r\nsmokiez2_build\r\nstas\r\ncheat\r\nsruta\r\ndomka\r\nnarik\r\ngena\r\nsq1\r\nramon\r\nsmokiez\r\nALENA\r\n2109\r\ntrush\r\nsmokiez1new\r\nFRESH\r\n10k\r\nunique\r\nunique285\r\nAlenus\r\njones\r\njordan\r\nsmokiez285\r\nstatem\r\nunique28.5\r\nbreha\r\nbuild285\r\n123\r\nFrance\r\nwolfa\r\nsupera\r\nhomed\r\ngrome\r\nCash\r\n100k\r\n200k\r\nChicago-6-11\r\n1MIL\r\ntaiga\r\nFILE1\r\ngetmoney\r\n16.11.23_Ob\r\nhorda\r\nLiveTraffic\r\n1124\r\nnew\r\nTEST\r\n113\r\n2k\r\nPREMIUM1\r\n193-1201\r\nnew1\r\nPREMIUM\r\nwork001\r\nword1337\r\n1211-55000\r\nwork1337\r\n1214-55000\r\n1215-55000\r\n1216-55000\r\n666\r\n1217-55000\r\nnewest\r\nwork28.7\r\n1219-55000\r\nuniq2\r\nnewsss\r\n24k\r\nIf you have ever seen one of these in a log, note that it was probably collected via PrivateLoader.\r\nLooking at Lumma Stealer builds, we can also get some insights into InstallsKey’s customers.\r\nLumma ID (PanelID--WorkerID)\r\nGhYTuY\r\nBVgYti\r\nV566Iu--inerino\r\nVcFuIq\r\n88BbUq\r\nV566Iu--sdelka\r\nOpUUUy\r\nYTghyI\r\nGyVvdO\r\niOqpIq--gr5555555\r\nZomIjN\r\nVgYiqp--GR\r\nRrM068\r\nVgYiqp--gerg\r\nRyInGu--LylaBundle09.10\r\nHVvByi--source1\r\nZaaaac--pw7\r\nHqweNg\r\nRyInGu--BarretBundle\r\nRyInGu--Hook17.10\r\nHvBvV9--Dirty\r\nhJgToq--dozkey\r\nRyInGu--Lyla3\r\nZaaaac--oi2\r\nZaaaac--oi5\r\nZaaaac--oi7\r\nSaRBgi\r\nHVvByi--bundle\r\nHHhUQl--new\r\nHvBvV9\r\nLGNDRY\r\n996Nvt\r\nC1TNmL\r\n97HgTi\r\nYmMYnu\r\nPeDDlo\r\nPeRFCk--doZkey\r\nAmNsA2--backdo\r\nWgJyoO--b\r\nSvBmLB\r\nAmNsA2--aus\r\nMV90Nv\r\nWgJyoO--tested\r\nT1mOs2\r\nNmLpQW--spam2\r\nAmNsA2--uniq\r\nAmNsA2--leg\r\nAmNsA2--unical\r\nWWH111\r\nLPnhqo--@usernemer9\r\nFATE99--Premium\r\nIf you have ever seen one of these in a log, note that it was probably collected via PrivateLoader.\r\nTraffers\r\nOne of the first IDs we should pay attention to is “inerino”.\r\n“iNerino” is the handle of a user running a PPI service known as InstallsBot, live since 2018 (and still supposed to be active):\r\nhttps://zelenka.guru/threads/707036/\r\nt.me/InstallsBot\r\nSo it seems that iNerino was at some point using the InstallsKey PPI service as a customer; who knows, maybe reselling traffic or just testing the “neighbors”? 2023 has been a very inactive year for this service; in fact, in 2022 people started to complain about the bad quality of the iNerino service.\r\nSome individuals can be seen too, like “usernemer9”.\r\nThe “LPnhqo” Lumma panel ID belongs to some kind of traffers team, because it has been seen with other worker IDs (also Telegram users). 
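The IoC lines in this and the previous sections share one layout, `ip:port | botnet ID | botnet ID ...`, where each botnet ID is free text that the operator uses as a shop name, a Telegram handle or a shop URL, except for the Amnesia builds and the Lumma IDs, which are structured (the author's tentative reading `TelegramID-PanelID-Crypt` for Amnesia, `PanelID--WorkerID` for Lumma). As an added example, not code from the original post, the following Python parses such lines into records (a line starting with `|` continues the previous record, as in the Cosmic Cloud entry), extracts the Telegram handles and shop domains from the IDs, applies the two structured formats per stealer family, and pivots the result by handle, so the cross-references the post makes by hand (which C2s advertise the same handle, which panel a worker belongs to) can be run over a whole dump. The sample lines are constructed from entries quoted in the post; the `family` argument is an assumption of this example, since which stealer an ID came from is known from the sample it was pulled out of, not from the ID itself.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the post's layout (entries quoted in the article).
SAMPLE = """\
157.254.164.98:28449 | Cosmic Logs | CosmicCloud | @cloudcosmic | buddha
 | @CLOUDCOSMIC (https://cloudcosmic.store) | ShadowLogs
185.225.73.32:14387 | Log$ | CosmicLog$ | @CLOUDCOSMIC (https://cloudcosmic.store)
178.33.182.70:18918 | ID: LogsDiller Cloud (Telegram: @logsdillabot)
176.123.9.85:16482 | @oleh_ps | YT&TEAM LOGS | @ytlogsbot | Ddoska
45.9.74.117:15394 | ID: installs
62.72.23.19:80
"""

IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:\s*\|\s*(.*))?$")
HANDLE_RE = re.compile(r"@([A-Za-z0-9_]{3,})")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Author's tentative reading of the Amnesia Team IDs: <Telegram user ID>-<panel ID>-<crypter>
AMNESIA_RE = re.compile(r"^(\d{6,})-([A-Za-z0-9]+)-([A-Za-z]+)$")


@dataclass
class C2Record:
    ip: str
    port: int
    botnet_ids: List[str] = field(default_factory=list)

    def handles(self) -> List[str]:
        """Telegram handles mentioned in any of the IDs, lower-cased and de-duplicated."""
        return sorted({h.lower() for bid in self.botnet_ids for h in HANDLE_RE.findall(bid)})

    def domains(self) -> List[str]:
        """Shop domains from URLs embedded in the IDs."""
        return sorted({d.lower() for bid in self.botnet_ids for d in URL_RE.findall(bid)})


def _split_ids(chunk: str) -> List[str]:
    return [p.strip() for p in chunk.split("|") if p.strip()]


def parse_ioc_lines(text: str) -> List[C2Record]:
    """One record per 'ip:port | id | id' line; a line starting with '|' extends the last record."""
    records: List[C2Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IPPORT_RE.match(line)
        if m:
            records.append(C2Record(m.group(1), int(m.group(2)), _split_ids(m.group(3) or "")))
        elif line.startswith("|") and records:
            records[-1].botnet_ids.extend(_split_ids(line[1:]))
        else:
            raise ValueError(f"unrecognised IoC line: {raw!r}")
    return records


def classify_id(botnet_id: str, family: str = "redline") -> Tuple[str, Dict[str, str]]:
    """Split a botnet ID according to the conventions seen for each stealer family.

    family is 'redline'/'meta' (Amnesia pattern or free text) or 'lumma' (panel--worker).
    The 'ID: ' prefix some panel exports add is dropped first.
    """
    bid = botnet_id[4:] if botnet_id.startswith("ID: ") else botnet_id
    if family == "lumma":
        panel, _, worker = bid.partition("--")
        return "lumma", {"panel": panel, "worker": worker}
    m = AMNESIA_RE.match(bid)
    if m:
        return "amnesia", {"telegram_id": m.group(1), "panel": m.group(2), "crypt": m.group(3).lower()}
    return "free", {"text": bid}


def pivot_by_handle(records: List[C2Record]) -> Dict[str, List[str]]:
    """Telegram handle -> sorted ip:port list of every C2 that advertised it."""
    out: Dict[str, set] = defaultdict(set)
    for r in records:
        for h in r.handles():
            out[h].add(f"{r.ip}:{r.port}")
    return {h: sorted(v) for h, v in out.items()}
```

Lines that are neither `ip:port ...` nor a `|` continuation raise on purpose: in a dump the stray ones are usually section labels or an ID written on its own line (as in the Installs3000 block), and skipping them silently would hide that the format changed.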
Sadly, I can’t identify which team is using this panel.\r\nAnd doZKey himself: two different panels (hJgToq--dozkey and PeRFCk--doZkey) in the last months of 2023.\r\nMobile Traffic (.apk)\r\nPrivateLoader also offers .apk installations.\r\nSomeone asked doZKey about the APK traffic on the InstallsKey service, and it seems there are not a lot of customers for this option.\r\nWe can trigger .apk downloads from the same sites spreading PrivateLoader to Windows victims just by changing the User-Agent to that of any Android device.\r\nThis is the point where I can’t distinguish between PrivateLoader downloads and the other spam downloads we get on these sites. If we rely on the domains previously identified as “Campaign 09”, we get some samples:\r\nMalwareBazaar | PrivateloaderAPK (abuse.ch)\r\nAs you can see, most of them are detected as “Triada” (Triada (Malware Family) (fraunhofer.de)). Kaspersky considers Triada a “modular mobile Trojan” with the capability to “download and launch other files”; are these Triada builds being used as the PrivateLoader for mobile devices?\r\nOther builds are detected as “HiddAd” adware or the “GodFather” banking trojan.\r\nWe also get redirected to download this app from Google Play:\r\nSecureX: Navegador Web Privado — Apps on Google Play\r\nIt looks very suspicious based on user reviews.\r\nFeel free to take a look at everything!\r\nStay safe from threats. Protect yourself.\r\nAlso available at t.me/privateloader (EN \u0026 RU)\r\nSource: https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65"
	],
	"report_names": [
		"privateloader-installskey-rewind-2023-c1ce027cbe65"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441512,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b36a48d394c4de83fc0fa3babab00f7de84a6aa1.pdf",
		"text": "https://archive.orkl.eu/b36a48d394c4de83fc0fa3babab00f7de84a6aa1.txt",
		"img": "https://archive.orkl.eu/b36a48d394c4de83fc0fa3babab00f7de84a6aa1.jpg"
	}
}