In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In April 2024, eSentire’s Threat Response Unit (TRU) briefly covered D3F@ck Loader in a previous article. In this article, we discuss Сергей Пантелеевич (Sergei Panteleevich), the individual behind the orchestration of D3F@ck Loader, analyze D3F@ck Loader samples, and provide an extensive list of indicators of compromise discovered during the hunting process.
It’s important to note that Sergei Panteleevich is not the real name of the person behind the loader; the developer used the name of a Russian financial fraudster and founder of MMM, a company that executed one of the largest Ponzi schemes in history during the 1990s.
So, let’s start with the D3F@ck Loader developer (referred to as "Sergei" in this article), who currently uses the Telegram handle @Mavr_MMM, and the handles AO_MMM and Null14 on hacking forums. The Telegram account was first created in October 2022. The history of account name changes is as follows:

| Telegram Handle | Display Name |
| --- | --- |
| @GhostBustersKING | GhostBusters |
| @GHOSTBUSTERSKING | GhostBusters |
| @GhostBustersKING | Сергей Пантелеевич |
| @Mavr_MMM | Сергей Пантелеевич |
| @MAVR_MMM | Сергей Пантелеевич |
While researching Sergei’s historical Telegram activity, we identified references to a “GhostBustersTeam” Telegram bot in the LummaC2 public Telegram channel in January 2024. Sergei has a poor reputation among Telegram community members (Figure 1) and was restricted from posting messages in Lumma Stealer's public Telegram chat due to inappropriate behavior.
Pivoting on the GhostBustersTeam bot, we found a post on a Russian hacking forum from June 2022 in which Sergei was promoting his MMM Team, also known as GhostBusters Team, and seeking to hire more people to spread Meta Stealer for data exfiltration (Figures 2-3).
GhostBusters is a traffer team that specializes in distributing stealers, specifically Meta Stealer. (“Traffer” is a term used primarily in Russian-speaking communities for a person who deals in internet traffic: in the context of cybersecurity and the internet, a traffer typically works on driving or redirecting visitors to specific websites, often for advertising or commercial purposes. The term carries a negative meaning when traffers engage in less ethical practices such as distributing malware.) @g0njxa provided a great report on the GhostBusters team here.
Apart from managing and operating the MMM Team / GhostBusters, Sergei also sells EV (Extended Validation) certificates for up to $3000 per year. According to the advertisements, the user can also request a unique company name to be created (Figures 4-6).
It’s worth noting that it’s common for the developers behind loaders to sell EV certificates or promote the services that sell them, such as FakeBat and eDragon_x. EV certificates can help bypass SmartScreen, avoid application blocking upon running, and enhance a file's credibility; however, they often have a short lifespan due to the risk of revocation.
eSentire’s TRU team has actively been revoking certificates used by D3F@ck Loader. This forces malware developers and threat actors to invest more money and effort into obtaining new EV certificates.
Running the file with a valid EV certificate gives the end user a friendly UAC prompt (Figure 7). Running the file with a revoked (and therefore invalid) certificate prevents the application from running (Figure 8).
The certificates we identified as used by D3F@ck Loader are:
Based on additional research, we assess with medium confidence that Sergei is in his late 30s, at one point lived in Chelyabinsk, Russia, and studied at Chelyabinsk Construction College (Челябинский Монтажный Колледж).
In the previous blog, we covered the initial advertisement for D3F@ck Loader, developed by Sergei, on the Exploit forum. The loader has been observed delivering additional malware, including Raccoon Stealer, MetaStealer, SectopRAT, and DanaBot.
The first batch of D3F@ck Loader payloads distributed were signed as “LLC Kama Lubricant Company”. Let’s look at the initial payload (MD5: 47bc9ef09f431cd1dc92840a19fe2158) distributed around February 2024 and advertised in one of the demo videos provided by Sergei (Figure 10).
D3F@ck Loader uses the Inno Setup installer for the initial payload. Inno Setup is a free and user-friendly tool that makes it easy to create professional-looking installations. It includes a powerful scripting language (Pascal Scripting) that allows for the customization of installations.
Malware developers can use this feature to execute custom scripts that install additional payloads, set up persistence mechanisms, disable Defender, or perform other malicious activities during the installation process.
When analyzing Inno Setup malware, we highly recommend using the InnoExtractor tool by Havy Alegria. From the extracted files, we can look at the install_script.iss file, which contains all the installer instructions and settings (Figure 10).
We will focus on the Files section of the script (Figure 11):
Thanks to the InnoExtractor Tool, we can also get CompiledCode.
CompiledCode is a file generated by Inno Setup that contains the compiled bytecode of PascalScript code. The compiled bytecode allows the installer to execute custom scripts to handle various installation tasks, conditions, and user interactions programmatically during the setup process.
Let’s load the CompiledCode into a Pascal Script decompiler. We notice base64-encoded strings that decode to the instructions for extracting the password-protected 7z archive named “lib”, which contains the main D3F@ck Loader payload.
After extracting the payload from the archive, the code executes Setup.exe and elevate.exe, both of which appear in the Files section mentioned previously.
As mentioned previously, Java binaries also play a crucial role in the operation of D3F@ck Loader. The payloads are written in JPHP with DevelNext. DevelNext is an integrated development environment (IDE) specifically designed for JPHP, which is a version of PHP that operates on the Java Virtual Machine (JVM).
The main payload’s functionality is contained in “dn-compiled-module.jar” (MD5: 9231458f16389c65c76ad4b90cfe7504), specifically under the “dn-compiled-module.jar\app\forms\” path. We can decompile the JPHP code to make it somewhat readable by carving out the sections of code where the Java class-file magic bytes are present.
The “executePowerShellCommand” method from the decompiled code below is responsible for adding an exclusion path to Windows Defender and disabling behavior monitoring in Windows Defender (Figure 13).
The method “downloadAndRunFile$41” retrieves the final payload from the C2 server (jilinebyli[.]top), which is base64-encoded within Pastebin. The retrieved payload is then saved under the %TEMP% folder. As for the naming convention, the code fetches the current microtime using DateFunctions.microtime().
microtime() returns the current Unix timestamp with microsecond precision. The retrieved microtime is then passed to StringFunctions.md5(), which computes the MD5 hash of that value; an MD5 hash is a 32-character hexadecimal string. That hex string is then base64-encoded.
After base64 encoding, any equals signs (=) used as padding in the base64 output are removed, so the resulting name looks like “MWE3OWE0ZDYwZGU2NzE4ZThlNWIzMjZlMzM4YWU1MzM.exe”.
At the end of April 2024, Sergei began obfuscating strings in the code with a custom base64 alphabet.
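The naming convention described above gives defenders something to match on: every dropped file is a 43-character, unpadded base64 string that decodes to 32 lowercase hex characters, followed by “.exe”. The following is an added example (not code from the write-up or from the loader) that reproduces the scheme to build test data and then validates names from a constructed %TEMP% listing; the assumption that the microtime is hashed in its decimal string form is ours.

```python
import base64
import binascii
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")

def d3fack_temp_name(microtime_str: str) -> str:
    """Reproduce the naming scheme described above, used here only to build
    test data: md5(microtime) -> hex digest -> base64 -> strip '=' -> '.exe'.
    Assumption: the microtime is hashed as its decimal string form."""
    digest = hashlib.md5(microtime_str.encode()).hexdigest()
    return base64.b64encode(digest.encode()).decode().rstrip("=") + ".exe"

def decode_d3fack_name(filename: str):
    """Return the 32-hex-char MD5 string hidden in a D3F@ck-style filename,
    or None when the name does not fit the convention."""
    if not filename.lower().endswith(".exe"):
        return None
    stem = filename[:-4]
    # base64 of 32 ASCII bytes is 44 chars with one '=' of padding; the loader
    # strips that padding, so a conforming stem is always exactly 43 chars.
    if len(stem) != 43:
        return None
    try:
        raw = base64.b64decode(stem + "=", validate=True)
    except (binascii.Error, ValueError):
        return None
    decoded = raw.decode("ascii", errors="replace")
    return decoded if HEX32.match(decoded) else None

def flag_temp_files(names):
    """Filter a %TEMP% listing down to the names that match the convention."""
    return [n for n in names if decode_d3fack_name(n) is not None]

# Constructed directory listing: the first entry is the example name quoted in
# the write-up, the second is produced by d3fack_temp_name, the rest are noise.
SAMPLE_LISTING = [
    "MWE3OWE0ZDYwZGU2NzE4ZThlNWIzMjZlMzM4YWU1MzM.exe",
    d3fack_temp_name("1716000000.1234"),
    "setup.exe",
    "hsperfdata_admin",
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU.exe",  # 43-char base64, not hex
]

if __name__ == "__main__":
    for name in flag_temp_files(SAMPLE_LISTING):
        print(name, "->", decode_d3fack_name(name))
```

Because the 43-character shape alone also matches unrelated base64 strings, the hex check on the decoded content is what keeps the false-positive rate low.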
The script from the sample (MD5: 5cf2e80ac2a7f7fa24f74966d3ec904f) creates the mutex to avoid two instances running simultaneously (Figure 14).
From the “CURSTEPCHANGED” method, we can see base64-encoded strings (Figure 15).
We notice that immediately after the base64-encoded strings, the code calls the “PAPERHELD” function. Looking into “PAPERHELD”, we find a custom alphabet and instructions resembling base64 decoding with bit-shifting operations (Figure 16).
We can make use of “maketrans”, which creates a mapping in which each character of the custom alphabet is replaced by the character at the same position in the standard alphabet; the standard base64 decoder then handles the rest. The decoded output of the strings can be found on our IOC page on GitHub.
The decoded strings contain the instructions to extract the contents from the ZIP archive (additional downloaded payload), get a secondary C2 URL from Pastebin, start the malicious executable (125.exe) if it exists, and exclude the C:\ folder from being scanned by Defender.
Around the end of May 2024, Sergei started using a Caesar cipher for string obfuscation, in which each character is rotated 12 positions backward in the ASCII table (MD5: 17af51265211f359f047f26598862c54) (Figure 17). He also introduced anti-sandbox and DDR (Dead Drop Resolver) features.
For the anti-sandbox feature, the loader checks whether processes such as VboxService.exe, Vmwareuser.exe, or Vmtoolsd.exe are present via the WMI query “SELECT Name FROM Win32_Process Where Name="%s"”. If one of the processes is present, the loader exits (Figure 18).
In other samples, another sandbox/VM check was present, located within the DISKV method (Figure 19). The loader queries the disk drive information and looks for strings related to virtual machines with the findstr command, redirecting the output to a text file named ds.txt. If one of the strings is present in the text file, the loader exits.
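To decode strings from either generation of samples, the custom-alphabet base64 of the April 2024 builds (the “PAPERHELD” routine above) and the 12-position ASCII rotation of the May 2024 builds, the following added example (not code from the write-up or from the loader) implements both. The real custom alphabet lives only in the sample, so a reversed standard alphabet stands in for it; wrap-around at 128 for the ASCII shift is also our assumption.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for the loader's custom alphabet, which is only in the
# sample and not reproduced here; any permutation of the 64 standard symbols works.
DEMO_CUSTOM_ALPHABET = STD_ALPHABET[::-1]

def decode_custom_b64(data: str, custom_alphabet: str) -> bytes:
    """Translate each custom-alphabet symbol to the standard symbol at the same
    position (str.maketrans), then let the standard decoder do the bit shifting."""
    if len(custom_alphabet) != 64 or len(set(custom_alphabet)) != 64:
        raise ValueError("custom alphabet must be 64 distinct characters")
    table = str.maketrans(custom_alphabet, STD_ALPHABET)
    normalised = data.translate(table)
    normalised += "=" * (-len(normalised) % 4)  # restore any stripped padding
    return base64.b64decode(normalised)

def encode_custom_b64(data: bytes, custom_alphabet: str) -> str:
    """Inverse of decode_custom_b64; used here only to build test strings."""
    table = str.maketrans(STD_ALPHABET, custom_alphabet)
    return base64.b64encode(data).decode().rstrip("=").translate(table)

def caesar_ascii(text: str, shift: int) -> str:
    """Shift every character by `shift` positions in the ASCII table.
    The write-up says the May 2024 samples rotate 12 positions backward, so
    caesar_ascii(s, 12) recovers the plaintext (wrap-around at 128 assumed)."""
    return "".join(chr((ord(c) + shift) % 128) for c in text)

def deobfuscate(blob: str, scheme: str, alphabet: str = DEMO_CUSTOM_ALPHABET) -> str:
    """Dispatch on the obfuscation scheme observed in a given sample generation."""
    if scheme == "custom_b64":
        return decode_custom_b64(blob, alphabet).decode("utf-8", errors="replace")
    if scheme == "caesar12":
        return caesar_ascii(blob, 12)
    raise ValueError(f"unknown scheme {scheme!r}")

if __name__ == "__main__":
    # Constructed inputs: "ready" (one of the loader's C2 status strings) under each scheme.
    print(deobfuscate(encode_custom_b64(b"ready", DEMO_CUSTOM_ALPHABET), "custom_b64"))
    print(deobfuscate(caesar_ascii("ready", -12), "caesar12"))
```

When working a real sample, replace DEMO_CUSTOM_ALPHABET with the 64-character table recovered from the decompiled “PAPERHELD” function.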
The developer also integrated the PICADOR method, which specifies the path for dropping the next stage payloads at %TEMP%/av (Figure 20).
Upon analyzing the core JPHP payload of D3F@ck Loader, we can see that the loader sends the “ready”, “starting”, “downloaded” and “finished” commands to the C2, representing the different stages of the infection process. You can see what the communication looks like in the any.run sandbox.
From the code, we can also see the working path of the D3F@ck Loader’s developer: “C:\\Users\\nesto\\OneDrive\\Рабочий стол\\ИСХОДЫ\\WORK\\WORK\\DEVEL\\Launcher\\Auto\\Без прогресса — С ПИНГОМ\\src\\app\\forms\\MainForm.php”, which translates to “C:\\Users\\nesto\\OneDrive\\Desktop\\Sources\\WORK\\WORK\\DEVEL\\Launcher\\Auto\\Without progress — with the ping\\src\\app\\forms\\MainForm.php”.
The code also contains the link to the Telegram channel hxxps://t[.]me/+JBdY0q1mUogwZWMy.
At the time of writing this article, the link is no longer available. However, we were able to extract an active Telegram link (hxxps://t[.]me/+UfHrjVyCLZ03ODYy) from another sample (MD5: 9c125392b8d62590c4284bc46f894168). The Telegram channel serves as another DDR (Figure 19) and a fallback mechanism in case the main C2 domain is offline.
In August 2024, the developer updated the loader by changing the next-stage payload path within the PICADOR method to “%TEMP%\hsperfdata_admin” and adding a new sandbox/anti-VM check within the ISENOUGHSPACE method. The method checks the free disk space of the infected machine's system drive and requires at least 120GB; otherwise, the loader does not execute (Figure 22). The hashes for recent samples are included in the Indicators of Compromise section.
We assess with high confidence that D3F@ck Loader will continue to actively operate and distribute its payloads through methods such as software impersonation and adult content, delivering various malware families.
The developer's use of Extended Validation (EV) certificates for the loader to bypass security screenings increases the chances of a successful infection on the host, although these certificates often have short lifespans due to diligent revocation efforts.
Additionally, the loader uses the Inno Setup installer, equipped with Pascal scripting, to perform malicious activities such as setting up persistence, retrieving additional payloads, and disabling security features during installation. Separately, the loader developer also runs multiple businesses, including a traffic team that specializes in distributing stealers and markets both EV certificates and the loader itself.
The eSentire Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
| MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description |
| --- | --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise | D3F@ck Loader mainly delivers its payloads via malvertising. |
| Execution | T1204 | User Execution | The loader tricks the user into executing a malicious file, often disguised as trusted software or adult content and signed with a valid EV certificate. |
| Discovery | T1057 | Process Discovery | The loader checks for running processes related to virtual machines. |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Modifies security settings during installation to disable Windows Defender and avoid detection. |
| Command and Control | T1102.001 | Web Service: Dead Drop Resolver | Uses legitimate platforms like Telegram and Steam to host C2 IPs to facilitate command and control. |
You can access the detection rules here.
You can access the indicators of compromise here.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.