Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users

By Admin | June 10, 2025

Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that is being spread through fraudulent gaming websites.

“Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background,” Trellix security researchers said in an analysis.

The stealer, which was initially offered on Telegram for free as a beta in late December 2024, has since moved to a malware-as-a-service (MaaS) model. It is equipped to steal passwords, cookies and autofill information from both Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera and Vivaldi, and Mozilla Firefox.

The operators of the malware have been found to maintain a number of Telegram channels to advertise the sale of compromised accounts and to post testimonials for their service. These channels have since been shut down by Telegram.

Evidence shows that Myth Stealer is distributed through fake websites, including one hosted on Google's Blogger, that offer various video games under the pretext of testing them. It is worth noting that a Blogger page has also been used to deliver another stealer malware known as AgeoStealer, as revealed by Flashpoint in April 2025.

Trellix said it also found the malware being distributed as a cracked version of a game cheating program called DDrace on an online forum, highlighting the many distribution vectors.


Regardless of the initial access vector, the downloaded loader displays a fake window to the user to deceive them into thinking that a legitimate application is running. In the background, the loader decrypts and launches the stealer component.

A 64-bit DLL file, the stealer attempts to terminate running processes associated with various web browsers before stealing the data and exfiltrating it to a remote server or, in some cases, to a Discord webhook.

“It also contains anti-analysis techniques, such as string obfuscation and system checks using file names and usernames,” the researchers said. “The malware authors regularly update the stealer code to evade AV detection and introduce additional functionality, such as screen capture capability and clipboard hijacking.”
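A defender-side sketch of the behavior described above, as an added example that is not from Trellix or the original article: it flags a non-browser process that terminates browser processes and then contacts a Discord webhook. The event schema, field names, sample events and the 120-second window are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
            "vivaldi.exe", "firefox.exe"}
WINDOW_SECONDS = 120  # assumed correlation window, tune for your telemetry

# Constructed sample telemetry (not real logs); the schema is hypothetical.
SAMPLE_EVENTS = [
    {"ts": 50, "type": "proc_terminate", "actor": r"C:\Program Files\Google\Chrome\chrome.exe", "target": "chrome.exe"},
    {"ts": 100, "type": "proc_terminate", "actor": r"C:\Users\a\Downloads\game_setup.exe", "target": "chrome.exe"},
    {"ts": 101, "type": "proc_terminate", "actor": r"C:\Users\a\Downloads\game_setup.exe", "target": "firefox.exe"},
    {"ts": 130, "type": "net_connect", "actor": r"C:\Users\a\Downloads\game_setup.exe", "target": "https://discord.com/api/webhooks/000/CONSTRUCTED"},
    {"ts": 200, "type": "proc_terminate", "actor": r"C:\Tools\updater.exe", "target": "msedge.exe"},
    {"ts": 205, "type": "net_connect", "actor": r"C:\Tools\updater.exe", "target": "https://example.com/update"},
    {"ts": 300, "type": "net_connect", "actor": r"C:\Apps\chat.exe", "target": "https://discord.com/api/webhooks/111/CONSTRUCTED"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_discord_webhook(url):
    """True for URLs of the form https://discord.com/api/webhooks/<id>/<token>."""
    parsed = urlparse(url)
    return (parsed.hostname in ("discord.com", "discordapp.com")
            and parsed.path.startswith("/api/webhooks/"))

def detect(events, window=WINDOW_SECONDS):
    """Alert when one non-browser process kills browsers, then posts to a webhook."""
    kills = {}   # actor path -> [(timestamp, browser name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"]
        if basename(actor) in BROWSERS:
            continue  # browsers routinely end their own child processes
        if ev["type"] == "proc_terminate" and ev["target"].lower() in BROWSERS:
            kills.setdefault(actor, []).append((ev["ts"], ev["target"].lower()))
        elif ev["type"] == "net_connect" and is_discord_webhook(ev["target"]):
            recent = {name for ts, name in kills.get(actor, [])
                      if 0 <= ev["ts"] - ts <= window}
            if recent:
                alerts.append({"actor": actor, "ts": ev["ts"],
                               "browsers_killed": sorted(recent)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A browser kill on its own (the constructed `updater.exe`) or a webhook call on its own (`chat.exe`) does not alert; only the combination from one process inside the window does.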

Myth Stealer is far from alone when it comes to using game cheat lures to distribute malware. Last week, Palo Alto Networks Unit 42 shed light on another Windows malware called Blitz, which is distributed through backdoored game cheats and cracked installers for legitimate programs.

Distributed primarily through an attacker-controlled Telegram channel, Blitz consists of two stages: a downloader responsible for a bot payload, which is designed to log keystrokes, take screenshots, download/upload files and inject code. It is also equipped with a denial-of-service (DoS) function against web servers and drops an XMRig miner.

The backdoored cheat performs anti-sandbox checks before retrieving the next stage of the malware, while the downloader only runs when the victim logs in again after logging out or rebooting. The downloader is also configured to run the same anti-sandbox checks before dropping the bot payload.

What is notable about the attack chain is that the Blitz bot and XMR cryptocurrency miner payloads, as well as components of its command-and-control (C2) infrastructure, are hosted in a Hugging Face Space. Hugging Face locked the user's account following responsible disclosure.

As of late April 2025, Blitz is estimated to have caused 289 infections in 26 countries, led by Russia, Ukraine, Belarus and Kazakhstan. Last month, the threat actor behind Blitz claimed on their Telegram channel that they were hanging up the boots after they apparently found that the cheat had a trojan embedded in it. They also provided a removal tool to wipe the malware from victim systems.

“The person behind the Blitz malware appears to be a Russian speaker who uses the moniker SW1ZZX on social media platforms,” Unit 42 said. “This malware operator is likely the developer of Blitz.”

The development comes as CYFIRMA detailed a new C#-based remote access trojan (RAT) named DuplexSpy RAT, which has extensive capabilities for surveillance, persistence and system control. It was published on GitHub in April 2025, claiming it was intended only for “educational and ethical demonstration.”

Blitz infection chain (figure)

“It establishes persistence through startup folder replication and Windows registry modifications, while employing fileless execution and privilege escalation techniques for stealth,” the company said. “Key features include keylogging, screen capture, webcam/audio spying, remote shell and anti-analysis functions.”

Besides the ability to remotely play audio or system sounds on the victim's machine, DuplexSpy RAT contains a power control module that allows the attacker to remotely execute commands on the compromised host, such as shutdown, restart and sleep.


“(The malware) enforces a fake lock screen by displaying an attacker-supplied image (Base64-encoded) in full screen while disabling user interaction,” CYFIRMA added. “It prevents closure unless explicitly permitted, simulating a system freeze or ransom notice to manipulate or extort the victim.”

The findings also follow a report from Positive Technologies that several threat actors, including TA558, Blind Eagle, Aggah (aka Hagga), PhaseShifters (aka Angry Likho, Sticky Werewolf and UAC-0050), UAC-0050 and PhantomControl, use a crypter-as-a-service offering called Crypters And Tools to obfuscate files such as Ande Loader.

Attack chains using Crypters And Tools have targeted the United States, Eastern Europe (including Russia) and Latin America. One platform where the crypter is sold is nitrosoftwares[.]com, which also offers various tools, including exploits, crypters, loggers and cryptocurrency clippers, among others.
