{
	"id": "a0d3632a-c599-4569-b30d-e5516cb2cabc",
	"created_at": "2026-04-06T00:16:42.449449Z",
	"updated_at": "2026-04-10T03:23:51.008882Z",
	"deleted_at": null,
	"sha1_hash": "c0e7177ecca5cea6b050c3a40efd74d389cee8a4",
	"title": "Malware group leaks millions of stolen authentication cookies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202264,
	"plain_text": "Malware group leaks millions of stolen authentication cookies\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-07 · Archived: 2026-04-05 14:33:52 UTC\r\nTo add insult to injury, after users were infected by a malware strain that stole their passwords and personal data,\r\nthe malware operators forgot to secure their backend servers, which leaked sensitive user information for hundreds\r\nof thousands of victims for more than a month.\r\nFor weeks, Bob Diachenko, Cyber Threat Intelligence Director at security firm Security Discovery, has been\r\ntrying to convince a cloud provider to intervene and take down a malware group's server that was\r\nleaking hundreds of thousands of stolen passwords and millions of authentication cookies.\r\nThe data was leaked via an Elasticsearch server left exposed online without a password.\r\nThe server exposed data that is typically collected by a type of malware known as an infostealer. This type of\r\nmalware infects devices and then collects user credentials from web browsers, FTP, and email clients, data that is\r\nlater uploaded to command and control (C\u0026C) servers.\r\nTypically, most C\u0026C servers are hosted on a hacked website or a cheap virtual private server (VPS), and then the\r\ndata is aggregated in a so-called data lake, where it is centralized for further analysis.\r\nThe Elasticsearch server discovered by Diachenko is believed to be one of these data lakes, where crooks were\r\naggregating their stolen information.\r\nhttps://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/\r\nPage 1 of 5\n\nAccording to Vitali Kremez, CEO of threat intelligence company Advanced Intelligence, and James Maude, lead\r\ncyber-security researcher at security firm BeyondTrust, based on the format of the \"bot_ID\" field assigned to each\r\ninfected host, the server was collecting data from users infected with version 1.7.2 of the RaccoonStealer malware.\r\n\"Raccoon is fairly typical 
Malware-as-a-Service where for $75-$200 per month you get access to the toolkit to\r\ngenerate malware payloads and a backend website to administer your campaign from,\" Maude told The Record in\r\nan email interview last month.\r\n\"It is designed to steal login credentials, credit card information, cryptocurrency wallets, and browser information.\r\nPeople often don't realize, but things like the password store on Chrome are encrypted using the Windows API.\r\nThis means that if the malware is running in the user context, it can decrypt all the logins saved in the Chrome DB\r\nand steal them,\" Maude said.\r\nAnd according to data seen by this reporter, Maude was right. The Elasticsearch server did not only hold personal\r\nvictim data like emails, usernames, and device details but was also storing cleartext passwords and even\r\nauthentication cookies.\r\nIn the leaked data, we found credentials and cookies for email accounts, social media profiles, work applications,\r\nand even government portals.\r\nOf all the data collected on the server, the most prevalent items were authentication cookies, collected in the millions,\r\nrather than passwords, of which there were only hundreds of thousands.\r\nThe reason the threat actor focused on stealing authentication cookies is that they allow better and easier\r\naccess to an account compared to usernames and passwords.\r\nAuth cookies, as they are also called, allow intruders to access victim accounts without needing to authenticate\r\nusing usernames and passwords, and even bypass any two-step verification process that victims might have had in\r\nplace.\r\nFor this reason, authentication cookies are highly prized in the cybercrime ecosystem. 
Cybercrime marketplaces\r\nsuch as Genesis or RichLogs often list authentication cookies for sale on their portals.\r\nServer disappeared today without a trace\r\nBut while Diachenko has been fighting for weeks with little success to get the cloud provider to intervene and take\r\ndown this malware gang's data, the server mysteriously disappeared earlier today.\r\nAt the time of writing, it is unclear if the cloud provider finally decided to act or if the malware gang saw\r\nDiachenko and this reporter sift through the data while preparing this article.\r\nDiachenko told The Record he plans to provide parts of the stolen data he discovered in the now-defunct\r\nElasticsearch server to Troy Hunt, the operator of the Have I Been Pwned portal, so the data can be indexed and\r\nallow users to check if their account passwords and cookies were compromised. Diachenko said most of the data\r\nwas for users living in the United Arab Emirates and other Middle East countries.\r\nWe will update this article when the stolen data is added to HIBP, so readers know they can check\r\nit there.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/"
	],
	"report_names": [
		"malware-group-leaks-millions-of-stolen-authentication-cookies"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0e7177ecca5cea6b050c3a40efd74d389cee8a4.pdf",
		"text": "https://archive.orkl.eu/c0e7177ecca5cea6b050c3a40efd74d389cee8a4.txt",
		"img": "https://archive.orkl.eu/c0e7177ecca5cea6b050c3a40efd74d389cee8a4.jpg"
	}
}