{
	"id": "dce03b28-d7d7-4d0b-a997-265f7006278b",
	"created_at": "2026-04-06T01:31:20.89475Z",
	"updated_at": "2026-04-10T03:23:51.87816Z",
	"deleted_at": null,
	"sha1_hash": "e76b33bde08ef68b96b0847167fe818deebbfd59",
	"title": "DeathRansom Part II: Attribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5349295,
	"plain_text": "DeathRansom Part II: Attribution\r\nBy Artem Semenchenko and Evgeny Ananin\r\nPublished: 2020-01-02 · Archived: 2026-04-06 00:55:08 UTC\r\nIntroduction\r\nFortiGuard Labs recently discovered an ongoing DeathRansom malicious campaign. Our first blog on this new variant was devoted to a technical analysis of the samples that had been gathered. In this second part, we will try to shed light on how this DeathRansom campaign is connected with other campaigns, and who might be behind them.\r\nFalse Scent and Connections with Vidar Stealer\r\nFalse Language Lead\r\nWe start our investigation with the sample 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1, which was mentioned in our previous blog. This sample has debug paths, but we could not recognize the language used. In addition, it has nine resources, with a LANG_SLOVAK identifier constant (0x041B) in the resource section. This means that the sample could have been compiled on a machine with a Slovak language installed by default.\r\nFigure 1. A debug path inside the sample\r\nhttps://www.fortinet.com/blog/threat-research/death-ransom-attribution\r\nPage 1 of 22\r\nFigure 2. Part of the .rsrc section of the sample\r\nWe tried to translate a PDB path from Slovak by splitting the words in different ways and then feeding the results to various automatic translation services. However, none of these attempts led to a correct translation. In fact, the word “duzuk” was recognized by Google Translate not as Slovak, but as Basque (for the English “you have”).\r\nA Basque word was an intriguing lead, since this sample was downloaded from a domain in the .es domain zone (Spain). We believe that this domain was hacked, therefore we will not disclose the domain name here.\r\nThe name of the sample was also interesting: Wacatac_2019-11-20_00-10.exe. The word “Wacatac” can be translated from Basque in several different meaningful ways, so we decided to dig deeper.\r\nSince the file name has a clearly distinguishable name-date-time construction, we decided to search for this pattern among all known files. Nine files were found. Their details are provided in Figure 3.\r\nFigure 3. A part of our investigation table\r\nAgain, we were a little disappointed: the resource language IDs changed from Nepali to Slovak, then to Neutral, then back to Slovak at a very fast pace. In addition, the debug paths look like machine-generated gibberish rather than any paths a human programmer would use.\r\nTherefore, we had to conclude that the Basque trace was just a coincidence. However, the Slovak and Nepali traces are not. Most probably, they were intentionally inserted to mislead potential investigators.\r\nBitbucket Profile\r\nIn spite of these disappointments, these new samples also gave us an important clue. One of the samples shown in Figure 3 was downloaded not from the hacked .es site, but from a different URL:\r\nhxxp://bitbucket[.]org/scat01/1/downloads/Wacatac_2019-11-16_14-06.exe\r\nThe link was not accessible, and neither was the scat01 profile itself:\r\nFigure 4. Bitbucket message shown on an access attempt to the scat01 profile\r\nNevertheless, when we searched for other malicious samples which attempted to access this Bitbucket directory, we found an interesting connections log from May 2019. The sample was related to the Vidar stealer malware family.\r\nFigure 5. A part of a connections log for the Vidar sample\r\nThe name pattern has an obvious resemblance to our Wacatac sample:\r\nWacatac_2019-11-20_00-10.exe\r\nscat01_2019-05-20_06-13.exe\r\nNext, we decided to search among the connections logs for a connection by the URL mask\r\nbitbucket[.]org/scat01/*\r\nOne of the connections logs found on VirusTotal is shown in Figure 6 (sample dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4).\r\nFigure 6. URLs contacted by a fresh malicious sample\r\nLet’s now analyze these connections. The connections shown in the green frame should be familiar to anyone who has dealt with Vidar stealers, as they are standard Vidar libraries used to extract passwords from different browsers.\r\nThe connection shown in the red frame is an attempt to access an executable file with another Wacatac name. Unfortunately, this link was not accessible during the Vidar sample sandbox analysis, therefore we don’t have a Wacatac_2019-11-16_17-03.exe sample.\r\nNevertheless, as you may remember from our first blog, DeathRansom uses the name ‘Wacatac’ to store crypto keys in the registry. Therefore, we have strong reason to believe that the inaccessible Wacatac_2019-11-16_17-03.exe sample was another DeathRansom variant.\r\nTherefore, based on the same “malware hosting”, the same name pattern, and the fact that the Vidar sample tried to download a DeathRansom sample, we can conclude that the Vidar campaign and the DeathRansom campaign are run by the same actor, who uses scat01 as a Bitbucket profile name as well as a name for some malware samples.\r\nWe decided to dig deeper and see what could be found about this scat01.\r\nFollowing scat01\r\nWe started to look for fresh malware containing the string scat01 in it. Here is a short summary of our findings:\r\nOne of the samples we found was the “Azorult” stealer malware that connects to a C2 server “scat01[.]tk”.\r\na45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284\r\nWe also managed to find a C2 panel of “1ms0rryStealer” with the name scat01 in the Benkow “Panel Tracker” service:\r\nFigure 7. Archived record of the stealer control panel\r\nThe most important sample was found here:\r\nhxxp://gameshack[.]ru/scat01.exe\r\ne767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06\r\nThis sample is a non-obfuscated Evrial stealer. When we check its configuration, we see the following “Owner” field:\r\nFigure 8. Malware owner field\r\nThe last sample was downloaded from a root folder of the website gameshack[.]ru. This could mean that the attackers somehow control this webserver. Therefore, we decided to see what else could be found on this webserver.\r\nGameshack[.]ru Portal\r\nWe found many malicious samples which were downloaded directly from a root folder on Gameshack[.]ru. We decided to analyze all available samples and extract any information that could help us in our investigation.\r\nFigure 9. Malicious samples downloaded from “gameshack[.]ru” (according to VirusTotal)\r\nThe malware samples “hosted” on the gameshack[.]ru website were downloaders. This means that their purpose was to download a payload and run it. The main payload was of two types:\r\nEvrial stealer;\r\nMiner+Clipper+Stealer (Supreme miner).\r\nThe Evrial stealer samples were not obfuscated and contained the same “Owner” field – “scat01”.\r\nThe Supreme miner samples were obfuscated by “NULL SHIELD” (Confuser variant) and had an e-mail embedded: vitasa01[@]yandex.ru.\r\nFigure 10 shows part of the strings from the miner “Supreme.exe” (sample 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251). This miner also had the Evrial stealer inside its body:\r\nFigure 10. Strings from the miner’s part of the malware\r\nAs you can see, this sample uses the same iplogger service for counting the infected hosts as the DeathRansom samples (see our recent blog post for details).\r\nThe Evrial stealer inside has the same “scat01” ownership:\r\nFigure 11. Strings from the Evrial stealer’s part of the malware\r\nAs you can see, the website “gameshack[.]ru” is controlled by the attackers, and they distribute malicious samples with scat01 attribution strings inside.\r\nHere is a short summary of the info about the attackers that we have found so far, including the spread of malware families associated with them:\r\nDeathRansom\r\nVidar stealer\r\nAzorult stealer\r\nEvrial stealer\r\n1ms0rryStealer\r\nSupreme miner\r\nAs well as attribution info:\r\nscat01 nickname;\r\nvitasa01[@]yandex.ru e-mail;\r\ncontrol over gameshack[.]ru.\r\nIt seems obvious that these attackers use a Russian email service and the Russian domain zone .ru. In addition, we must remember that DeathRansom performs a check for the system language, and it will not encrypt files if it detects locales from an ex-USSR country.\r\nIn addition, when we analyze the stealers used by this group, we find that they can be purchased on Russian underground forums. Therefore, we decided to continue our search there.\r\nRussian Underground\r\nOnce we searched for “scat01” and “vidar” on the Russian underground forums, we found a person with the same nickname providing a review (in Russian) of the Vidar stealer:\r\nFigure 12. Feedback for Vidar stealer left by scat01\r\nWe found another post left by scat01 on another forum. This time it concerns the Evrial stealer. He is afraid that someone might access his logs from that Evrial stealer, as all the information goes to the malware seller’s servers.\r\nFigure 13. Complaints of scat01 regarding the Evrial stealer seller\r\nAnother post with a review was found on another Russian underground forum. This time the review is for Supreme miner:\r\nFigure 14. Feedback for Supreme miner\r\nMoreover, a user with the same name was active on yet another Russian underground forum (from now on, we will refer to this underground forum as Russian underground forum #4). The user is currently banned for having multiple accounts with different names. Please pay attention to the profile picture used here.\r\nFigure 15. Scat01 profile on the Russian underground forum #4\r\nNow, having found his/her profiles on the underground forums, we next extended our search, comparing the information. One interesting piece we discovered is a product review on Yandex.Market – the same company that provides the email service in the @yandex.ru domain.\r\nFigure 16. Review for a purchase\r\nIn the review there is no text (only a score), but we can see its location. The review was made from Aksay. Aksay is a small Russian town near Rostov-on-Don (we will come back to this clue a little later).\r\nFigure 17. Aksay on Google Maps\r\nAnother important clue here is the username of the reviewer account: vitasa01. Therefore, it is highly probable that this reviewer has access to the email vitasa01[@]yandex.ru, which we have seen in previous malicious samples.\r\nFigure 18. Yandex username in the URL string\r\nAlso, please pay attention to the picture used in this profile. It is the same picture shown in Figure 15. Therefore, we have a triple match:\r\nthe profile picture\r\ncurrent username\r\nYandex username\r\nAt this point, we are pretty sure that this Yandex profile is related to the scat01 profile we found on the Russian underground forum #4 as well as to the malware distributed from gameshack[.]ru. But how can we find the possible real identity of this author? We decided to see what info we could find about gameshack[.]ru itself.\r\nGameshack[.]ru Portal\r\nWe found an interesting YouTube channel that promotes the website gameshack[.]ru. The link to gameshack[.]ru is named: “our game portal.”\r\nFigure 19. YouTube channel advertising the malicious website\r\nThe username given here is “SoftEgorka.” “Egorka” is a diminutive for the Russian name “Egor.” The avatar picture also refers to gameshack[.]ru.\r\nAnother interesting piece of information we found is a Skype link. In Figure 20, you can see that it refers to the Skype username SoftEgorka:\r\nFigure 20. Skype link in the YouTube profile\r\nWhen we searched for a “SoftEgorka” Skype user, we found the following user profile on the same Russian underground forum #4. This time the username “Super info” is used.\r\nFigure 21. “Super info” profile on the Russian underground forum #4\r\nThe Skype address corresponds to the YouTube channel discussed above. The user states that he lives in Italy. Moreover, searching further for his messages, we found another confirmation that this could be true:\r\nFigure 22. The actor claims that he/she is from Italy\r\nBy digging further among Super Info posts, we found an announcement about game account sales (Steam, WoT, Origin). Here we should note that the stealers observed above are capable of stealing passwords from different games and game distribution platforms. This is more indirect evidence that Super Info may be connected to the ongoing stealer campaign.\r\nFigure 23. A message with a WebMoney ID and the known Skype link inside\r\nIn the contacts section of the sale, you find “Skype: SoftEgorka” as well as the WebMoney ID 372443071304. This same WMID is mentioned in another post from the same user. It is also related to Steam accounts for sale. And this time, another Skype profile is mentioned: nedugov99\r\nFigure 24. A message with the same WMID and Skype account nedugov99\r\nSearching again, this time for this new Skype ID, an old advertisement for the sale of a game account shows up:\r\nFigure 25. Old advertisement of a game account for sale\r\nHere, we can see several important pieces of information:\r\nUser name: undefined_Nedugov\r\nThe Skype id: nedugov99\r\nThe phone: +7951****311\r\nVkontakte SNS id: id154704666\r\nWe checked the mobile phone number and it belongs to the Rostov-on-Don region.\r\nNext, we checked out the VK id154704666 profile:\r\nFigure 26. Vkontakte SNS profile of Egor Nedugov\r\nThe name “Egor” corresponds to one of the underground nicknames, “SoftEgorka,” and the surname “Nedugov” corresponds to the Skype account “nedugov99”. According to the profile, this individual lives in Rostov-on-Don. Remember that the Yandex review made by scat01 was done from Aksay – a small town near Rostov-on-Don.\r\nAnd even more interesting, he is following (or maybe even administering?) the “Gameshack[.]ru official group”. The link to the same group is found in the YouTube profile shown in Figures 20-21.\r\nFigure 27. “Egor Nedugov” is following the malicious website VK group\r\nHere an astute reader might ask: “Rostov-on-Don? But what about Italy, mentioned in Figures 21-22?” To get an answer, we have to visit Egor’s Instagram page:\r\nFigure 28. Instagram account of Egor Nedugov\r\nAs we might learn from his Instagram and Facebook accounts, he indeed lived in Italy for some time.\r\nThere is one more thing here. At this point in the investigation, we asked ourselves: “What if scat01 and SoftEgorka are different actors? The former compiles malware and the latter “hosts” it on the Gameshack[.]ru portal?” Obviously, we have connections via gameshack[.]ru and geographical connections, but what if they are friends and live in the same region?\r\nWell, we found yet another clue: the profile on csgo-stats[.]net shown in Figure 29. The user with the username scat01 names himself as Egor (Russian: Егор). We must note that the name “Egor” is rare in Russia.\r\nFigure 29. Scat01 profile on csgo-stats[.]net\r\nWe also found many other profiles of the same actor. According to information on underground forums, this person is responsible for account stealing, carding, malware distribution, and even the phishing and scamming of his forum mates. That is why nearly all his accounts on underground forums were eventually banned.\r\nConclusion\r\nFortiGuard Labs established a significant connection between the ongoing DeathRansom and Vidar malware campaigns. They share the naming pattern and infrastructure used. We also found evidence that a Vidar sample tried to download the DeathRansom malware.\r\nWe believe that an actor with the nickname scat01 could be responsible for the latest DeathRansom attack, as well as other malicious attacks. We also found evidence of strong Russian roots in the malware being distributed. Based on the evidence left on Russian underground forums, we were able to find a person who seems likely to be behind these malicious campaigns.\r\nSolution\r\nAll samples mentioned in this article are detected by the FortiGuard antivirus engine:\r\n05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029 - W32/Kryptik.GYME!tr\r\n0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915 - W32/Kryptik.GYQI!tr\r\n13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1 - W32/Kryptik.ANT!tr\r\n2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8 - W32/GenKryptik.DYFO!tr\r\n4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c - W32/GenKryptik.DYBP!tr\r\n6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762 - W32/GenKryptik.DXWB!tr\r\n66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def - W32/Kryptik.GYMH!tr\r\ndc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4 - W32/GenKryptik.DXWQ!tr\r\nf78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b - W32/GenKryptik.DXWH!tr\r\nfedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8 - W32/Kryptik.GYQI!tr\r\na45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284 - W32/Generic!tr.pws\r\ne767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06 - MSIL/Agent.QJH!tr\r\n1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251 - MSIL/CoinMiner.AHY!tr\r\nThe FortiGuard Web Filtering service blocks the following URLs as malicious:\r\niplogger[.]org/1Zqq77\r\nbitbucket[.]org/scat01/\r\nscat01.mcdir[.]ru\r\ngameshack[.]ru\r\nscat01[.]tk\r\nSource: https://www.fortinet.com/blog/threat-research/death-ransom-attribution",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/death-ransom-attribution"
	],
	"report_names": [
		"death-ransom-attribution"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439080,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e76b33bde08ef68b96b0847167fe818deebbfd59.pdf",
		"text": "https://archive.orkl.eu/e76b33bde08ef68b96b0847167fe818deebbfd59.txt",
		"img": "https://archive.orkl.eu/e76b33bde08ef68b96b0847167fe818deebbfd59.jpg"
	}
}