Jump to content
Click here to learn how to turn auto renewals OFF or get REFUNDED for unwanted auto renewals! ×
✨ PO BO6 External & DMA Cheats Publicly Released ×

Final update on the infostealer malware investigation

zebleer

By zebleer,
in Announcements

Recommended Posts

  • Administrator
zebleer

zebleer

Posted
  • Administrator
Posted

Awhile ago, a user messaged me that their PO login had been compromised even though they used a unique password for PO. It turned out that they had used software with infostealer malware, which stole their PO login. I eventually found the stolen logins in a DB and there were billions of them. It was clear gamers were being targeted in particular

Here is what I found
- There is an infostealer malware campaign orchestrated by a group in India. The malware itself is developed and sold as a service by a Russian group
- The group in India distributes the infostealer through free GitHub releases, GitHub cracks, cracked games, cracked software (including gaming related and photoshop/video editing software), free mod/cheat/tool/VPN/boost releases on GitHub/YouTube/EPVP/other forums, and torrents
- The group uses stolen logins to further spread the malware (e.g. using stolen accounts to post and vouch for the malware)
- All of the stolen logins are sold to another group who manages a compilation called nazapi which is a nearly 25TB compilation of stolen logins. This compilation is sold to the public
- Nazapi has not been shared much because it's so big. It's over 20TB, so the cost/time to download it or upload it is significant. Out of the 20TB, only ~100GB (compressed) was released on BreachForums because the leaker wasn't willing to pay the costs required to sharing it in full
- People with purchased access to nazapi use it for various purposes. One example I've seen in our community is that some account vendors are selling or releasing stolen BNET/Activision accounts. This is how they are getting so many (sometimes 10K+) accounts to release/sell

I know you all wanted me to name and shame the malware spreaders but there are no brand or known project names. No active cheat provider or known project is spreading this malware. It's all nameless free releases, cracks, and torrents that get taken down quite often but get posted and vouched for automatically by bots using stolen logins

What I have done
- In the past I was setting bait to find out what softwares had the malware by restoring my test device to a clean state using DeepFreeze, using a software, saving a unique login, triggering the malware, then repeating and seeing what logins ended up in nazapi. I'm not going to do that anymore because these releases/cracks/torrents get taken down and come back in new posts often. There is no point
- I purchased full access to nazapi including updates. I purchased infrastructure to download it fully including updates. See why I bought it below

What I will do
- I am going to share and continue to share stolen logins with affected domains/companies to render the efforts of the stealers useless. I am going to try to be faster about this with larger companies because I haven't been getting them their updated logins very fast and their users are suffering account theft issues as a result. It's also hard to help because most large companies won't talk to me
- I am going to make sure that the stealer is fully detected by every major anti-virus through reversal and submissions. This process has been annoying because the Russian group has a few strains of infostealer malware for sale as a service and they keep updating them
- I am going to try to share nazapi with places like haveibeenpwned but again it's over 20TB so it's very hard to share this around. It took me two weeks to download it personally and I had to use special software to parse it

What you should do
- Do not download sketchy free releases including cracks/torrents
- Know that GitHub releases are not always safe. GitHub is actually one of the primary places malware is spread because people trust it so much. GitHubs with compiled binaries are especially sketchy
- GitHubs that show up as a top result when you search "insert_software_name_here cracked" are especially not to be trusted
- Upload binaries to Virus Total before running them
- Install a quality anti-virus like Malwarebytes. Make sure to add an exclusion for the PO loader folder
- Only use software from sources/providers you trust
- Use a password manager such as the one Protonmail offers of one from here

13
Link to comment
Gazza908

Gazza908

Posted
Posted

Fair play, for a ‘cheating’ community lead zeb, you keep it fair, clean and safe. Couldn’t ask anything more from somebody, genuine nice guy and we all appreciate the work you do… lesson learned to never download free shit 👍

Link to comment
  • Administrator
zebleer

zebleer

Posted
  • Author
  • Administrator
Posted
9 minutes ago, edgar said:

a virtual machineis an option zeb. to test 

I have an isolated testing device and network that I use for malware investigations usually because a lot of malware checks for VM and won't run in one

This time I just used DeepFreeze to restore my computer to a clean state between tests to keep each test and unique login isolated

It is true though that if the malware will run in a VM (this one will but I didn't originally know that) it's better especially since you can have several VMs on one machine

Link to comment
  • Administrator
zebleer

zebleer

Posted
  • Author
  • Administrator
Posted

For sending data to haveibeenpwned I forgot to mention I'm going to remove passwords and just submit emails/usernames at first then send an out of order list of passwords later

I think transferring that data with accurate pairing should only be done to affected domains

Link to comment
Nike76

Nike76

Posted
Posted

I had a email from Steam saying my login had been compromised/login from America, i dnt use a vpn, im based in New Zealand.Would tht be any way related to this event? Im still able to login to both CoD/PO loader. Do i have anything to worry about?

Regards

Nike

Link to comment
  • 3 weeks later...
MooseKuckles

MooseKuckles

Posted
Posted
On 5/23/2024 at 2:40 PM, zebleer said:

Awhile ago, a user messaged me that their PO login had been compromised even though they used a unique password for PO. It turned out that they had used software with infostealer malware, which stole their PO login. I eventually found the stolen logins in a DB and there were billions of them. It was clear gamers were being targeted in particular

Here is what I found
- There is an infostealer malware campaign orchestrated by a group in India. The malware itself is developed and sold as a service by a Russian group
- The group in India distributes the infostealer through free GitHub releases, GitHub cracks, cracked games, cracked software (including gaming related and photoshop/video editing software), free mod/cheat/tool/VPN/boost releases on GitHub/YouTube/EPVP/other forums, and torrents
- The group uses stolen logins to further spread the malware (e.g. using stolen accounts to post and vouch for the malware)
- All of the stolen logins are sold to another group who manages a compilation called nazapi which is a nearly 25TB compilation of stolen logins. This compilation is sold to the public
- Nazapi has not been shared much because it's so big. It's over 20TB, so the cost/time to download it or upload it is significant. Out of the 20TB, only ~100GB (compressed) was released on BreachForums because the leaker wasn't willing to pay the costs required to sharing it in full
- People with purchased access to nazapi use it for various purposes. One example I've seen in our community is that some account vendors are selling or releasing stolen BNET/Activision accounts. This is how they are getting so many (sometimes 10K+) accounts to release/sell

I know you all wanted me to name and shame the malware spreaders but there are no brand or known project names. No active cheat provider or known project is spreading this malware. It's all nameless free releases, cracks, and torrents that get taken down quite often but get posted and vouched for automatically by bots using stolen logins

What I have done
- In the past I was setting bait to find out what softwares had the malware by restoring my test device to a clean state using DeepFreeze, using a software, saving a unique login, triggering the malware, then repeating and seeing what logins ended up in nazapi. I'm not going to do that anymore because these releases/cracks/torrents get taken down and come back in new posts often. There is no point
- I purchased full access to nazapi including updates. I purchased infrastructure to download it fully including updates. See why I bought it below

What I will do
- I am going to share and continue to share stolen logins with affected domains/companies to render the efforts of the stealers useless. I am going to try to be faster about this with larger companies because I haven't been getting them their updated logins very fast and their users are suffering account theft issues as a result. It's also hard to help because most large companies won't talk to me
- I am going to make sure that the stealer is fully detected by every major anti-virus through reversal and submissions. This process has been annoying because the Russian group has a few strains of infostealer malware for sale as a service and they keep updating them
- I am going to try to share nazapi with places like haveibeenpwned but again it's over 20TB so it's very hard to share this around. It took me two weeks to download it personally and I had to use special software to parse it

What you should do
- Do not download sketchy free releases including cracks/torrents
- Know that GitHub releases are not always safe. GitHub is actually one of the primary places malware is spread because people trust it so much. GitHubs with compiled binaries are especially sketchy
- GitHubs that show up as a top result when you search "insert_software_name_here cracked" are especially not to be trusted
- Upload binaries to Virus Total before running them
- Install a quality anti-virus like Malwarebytes. Make sure to add an exclusion for the PO loader folder
- Only use software from sources/providers you trust
- Use a password manager such as the one Protonmail offers of one from here

You are the GOAT. Much Respect 

Link to comment
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing

Privacy

Our top priority is to keep our identities private as well as the identities of our users. We will never ask you for your full name, your ID, or your address. What info we do have for you is deleted quickly and will never be given away or sold. Your payment details are received and kept securely via tokenization by our card processor (see Card Payments). Please contact us to request that we delete any data that we have of yours (IP, device ID, etc).

Card Payments

For card payments, we use a processor that supports tokenization. It is integrated into our website checkout and uses tokenization to collect data that you input, store it as a token, and transfer it to their servers. Your card data will never touch our servers, even if you store your card here for renewals or future usage. To read more, click here. FYI, our processor also does not show us your full card number, expiration, or security code.

Security

We obsess over security. Everything you enter on our website will be kept and transmitted in the most secure ways possible. Even your usage logs are stored encrypted. We also monitor our loader automatically, revoking access from bad actors, so that you can feel secure. We guarantee to all of our users that under no claims or demands of any kind, will we leak or distribute client data. We also do not collect your name, ID, or address.

Quick Links

×
×
  • Create New...