Exposing Russian EFF Impersonators: The Inside Story on Stealc and Pyramid C2
6 comments · March 6, 2025
caffeinewriter
inetknght
> The descriptive comments of what the code's doing definitely make me lean towards the latter.
Sadly, it's that exact kind of descriptive comments that are the kinds of comments that I expect to see in well-documented code. The kind of comments that I would expect from a seasoned engineer.
nazgulsenpai
Posted as a separate submission before reading this one, but the EFF's blog post about it: https://www.eff.org/deeplinks/2025/03/simple-phish-bait-eff-...
d0mine
> Code comments found within and PowerShell scripts suggest the work of a Russian-speaking developer.
Y_Y
I have a git hook to translate all comments into Russian before I push to the victim's machine
[deleted]
Huh. The researchers seemed to gloss over the Cloudflare Pages URL, but it's actually pretty interesting. I haven't had a chance to look at it in depth yet, but it appears to use the search-ms: URL protocol to show an attacker-controlled WebDAV server to serve the malware.
The server hosting the malicious files seems to be down now, but this post details a similar attack:
https://micahbabinski.medium.com/search-ms-webdav-and-chill-...
It also seems to be part of a phishing kit, or potentially generated with AI due to the presence of the following comment.
Which in English is:

And various other descriptive comments like

They're the kind of comments that don't really make sense if the author is writing them themselves, but would if they're using something off the shelf, or asking some LLM to output code. The descriptive comments of what the code's doing definitely make me lean towards the latter.
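The comment above describes a search-ms: link whose search scope points at a remote WebDAV share rather than a local folder. As an added example (not code from this thread, from the EFF, or from the researchers), here is a small defender-side scanner that pulls search-ms: URIs out of page or mail content, splits them into their parameters, and flags any whose crumb=location: value points off the local machine (a UNC path, including the host@80 / host@SSL form the Windows WebClient uses for WebDAV, or an http(s) URL). The sample HTML, the 203.0.113.10 address and the share names are constructed for the example; the parameter names query, crumb, location: and displayname are the documented search-ms: parameters.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample content (not from the page): a benign search-ms: link scoped to a
# local folder, one scoped to a remote WebDAV share via a UNC path with an explicit
# port, and an ordinary https link that should not be reported at all.
SAMPLE_HTML = r"""
<a href="search-ms:query=report&crumb=location:C:\Users\Public\Documents&displayname=Reports">local</a>
<a href="search-ms:query=invoice&crumb=location:\\203.0.113.10@80\share&displayname=Downloads">open</a>
<a href="https://example.org/docs">docs</a>
"""

# A search-ms: URI runs until a quote, whitespace or an HTML angle bracket.
SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into a dict of lower-cased parameter names to values."""
    body = uri.split(":", 1)[1]
    params = {}
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params[key.strip().lower()] = unquote(value)
    return params


def location_is_remote(crumb):
    """True when a crumb value of the form 'location:<path>' points off the local machine.

    Remote means a UNC path (\\\\host\\share, including the host@80 / host@SSL WebDAV
    form) or an http(s) URL; a drive-letter path such as C:\\Users is treated as local.
    """
    loc = crumb.strip()
    if loc.lower().startswith("location:"):
        loc = loc[len("location:"):].strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        return True
    return loc.lower().startswith(("http://", "https://"))


def find_remote_search_ms(text):
    """Return (uri, location, displayname) for each search-ms: link scoped to a remote location.

    HTML entities are decoded first so '&amp;' separators inside href attributes are
    handled the same way as a raw '&'.
    """
    findings = []
    for match in SEARCH_MS_RE.finditer(html.unescape(text)):
        uri = match.group(0)
        params = parse_search_ms(uri)
        crumb = params.get("crumb", "")
        if crumb.lower().startswith("location:") and location_is_remote(crumb):
            location = crumb[len("location:"):].strip()
            findings.append((uri, location, params.get("displayname", "")))
    return findings


if __name__ == "__main__":
    for uri, location, name in find_remote_search_ms(SAMPLE_HTML):
        print(f"remote search-ms link: displayname={name!r} -> {location}")
```

The displayname parameter is worth surfacing in a finding because it is what the Explorer window title shows to the user; a friendly name over a remote share is the combination this kind of lure relies on. The same parsing applies to content pulled from mail bodies or proxy logs, not only HTML.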