[HN Gopher] Exposing Russian EFF Impersonators: The Inside Story...
       ___________________________________________________________________
        
       Exposing Russian EFF Impersonators: The Inside Story on Stealc and
       Pyramid C2
        
       Author : hn_acker
       Score  : 76 points
       Date   : 2025-03-06 19:01 UTC (3 hours ago)
        
 (HTM) web link (hunt.io)
 (TXT) w3m dump (hunt.io)
        
       | nazgulsenpai wrote:
       | Posted as a separate submission before reading this one, but the
       | EFF's blog post about it:
       | https://www.eff.org/deeplinks/2025/03/simple-phish-bait-eff-...
        
       | d0mine wrote:
       | > Code comments found within and PowerShell scripts suggest the
       | work of a Russian-speaking developer.
        
         | Y_Y wrote:
         | I have a git hook to translate all comments into Russian before
         | I push to the victim's machine
        
       | caffeinewriter wrote:
       | Huh. The researchers seemed to gloss over the Cloudflare Pages
       | URL, but it's actually pretty interesting. I haven't had a chance
       | to look at it in depth yet, but it appears to use the search-ms:
       | URL protocol to show an attacker-controlled WebDAV server to
       | serve the malware.
       | 
       | The server hosting the malicious files seems to be down now, but
       | this post details a similar attack:
       | 
       | https://micahbabinski.medium.com/search-ms-webdav-and-chill-...
       | 
       | It also seems to be part of a phishing kit, or potentially
       | generated with AI due to the presence of the following comment.
       | // Zameni na svoi URL
       | 
       | Which in English is:
       | 
       | // Replace with your URL
       | 
       | And various other descriptive comments like:
       | 
       | // Polnost'iu ochishchaem stranitsu (Completely clear the page)
       | 
       | // Sozdaiom novyi konteiner s indikatorom zagruzki (Creating a
       | new container with a loading indicator)
       | 
       | // Cherez 3 sekundy skryvaem Cloudflare i zapuskaem zagruzku (In 3
       | seconds, we hide Cloudflare and start the download.) [Though this
       | was next to a 900ms timeout, so there's definitely been some
       | tweaking]
       | 
       | They're the kind of comments that don't really make sense if the
       | author is writing them themselves, but would if they're using
       | something off the shelf, or asking some LLM to output code. The
       | descriptive comments of what the code's doing definitely make me
       | lean towards the latter.
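The search-ms: lure described in the comment above can be checked for statically. The following is an added example, not code from the hunt.io report or from any commenter: it pulls search-ms: URIs out of page content, decodes their query/crumb/displayname parameters (Microsoft's documented search-ms syntax), and flags any whose crumb=location: target is a UNC path, which Explorer would resolve over SMB or, with an @80/@SSL host suffix, WebDAV. The HTML sample and hostnames are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample page content (not taken from the report). Only the URIs
# whose crumb points at a remote \\host\share location should be flagged.
SAMPLE_HTML = r"""
<a href="search-ms:query=report&crumb=location:C:\Users\Public&displayname=Local">local</a>
<script>
  setTimeout(function () {
    // constructed: redirect to a search-ms: URI backed by a WebDAV share
    window.location.href = "search-ms:query=docs&crumb=location:\\files.example.invalid@80\DavWWWRoot&displayname=Downloads";
  }, 900);
</script>
<a href="search-ms:query=invoice&crumb=location:%5C%5C203.0.113.5%5Cshare&displayname=Invoices">inv</a>
"""

# A search-ms: URI runs until whitespace, a quote or an angle bracket.
SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)


def parse_search_ms(uri: str) -> Dict[str, str]:
    """Split a search-ms: URI into lowercased key -> percent-decoded value,
    so a backslash obfuscated as %5C is seen for what it is."""
    params: Dict[str, str] = {}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    return params


def is_remote_location(crumb: str) -> bool:
    """True when crumb=location: names a UNC path (\\\\host\\share or //host/share)."""
    if not crumb.lower().startswith("location:"):
        return False
    target = crumb[len("location:"):].strip()
    return target.startswith("\\\\") or target.startswith("//")


def find_remote_search_ms(html: str) -> List[Dict[str, str]]:
    """Return every search-ms: URI in `html` whose crumb targets a remote share."""
    findings = []
    for uri in SEARCH_MS_RE.findall(html):
        params = parse_search_ms(uri)
        crumb = params.get("crumb", "")
        if is_remote_location(crumb):
            findings.append({"uri": uri,
                             "location": crumb[len("location:"):],
                             "displayname": params.get("displayname", "")})
    return findings
```

The local-drive crumb in the first anchor is left alone; the two remote ones, including the percent-encoded variant, are reported with the share they would open.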
        
         | inetknght wrote:
         | > _The descriptive comments of what the code's doing
         | definitely make me lean towards the latter._
         | 
         | Sadly, it's that exact kind of descriptive comments that are
         | the kinds of comments that I expect to see in well-documented
         | code. The kind of comments that I would expect from a seasoned
         | engineer.
        
       ___________________________________________________________________
       (page generated 2025-03-06 23:00 UTC)