During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet by TG Soft about the PureLogs information stealer. This tool was used by the Threat Actor (TA) "Alibaba2044" to launch a malicious spam campaign against targets based in Italy on the 14th of December 2022.
CRIL sent out an alert to the intelligence community on this threat, but unfortunately many people dismissed it, because stealing email credentials is a very common technique used by all sorts of cyber criminals.
TG Soft has been operating since 2011 and has developed information stealer tools as well as spam botnets, which are distributed via downloadable packages. These packages in turn download additional malware components that conduct spam campaigns or manipulate search engine results pages (SERPs).
The TA uses these spam campaigns to achieve top positions on SERPs and generate traffic for their affiliate sites. The TA also sells the malware together with a set of servers and its source code.
Through 2016, the TA used social engineering against their victims, who were targeted with large-scale spam campaigns using commercial gambling software. Most of the victims are unaware that they have been targeted and drawn into a spam campaign. The TA has also developed "information stealer" tools for stealing information from both PCs and smartphones, as well as from encrypted email attachments.
Source: Pure coder offers multiple malware for sale in Darkweb forums - AlienVault - Open Threat Exchange