Profiling Трафферы: KZ Team Reborn

In the infostealer ecosystem there are communities of malware operators who spread malicious builds on a daily basis under a common organization, better known as a team.

In this blog series I will be exposing, very briefly, the activity of some of these “traffers teams”: what they did, what they are doing and what they will do in the future. If possible, I’ll let them talk freely in a quick interview.

Today, KZ Team Reborn:

The KZ Team Reborn is a traffer team specialized in working with infostealers. Its first recorded activity dates to September 28, 2022, and it is still active.
It is administered by an individual going by “TOKAEFFF”.

Heads — The interview

Sadly, TOKAEFFF didn’t accept the interview request:

Приветствую, спасибо за предложение, но я вынужден отказаться.
Не люблю публичности, извините
Hello, thanks for the offer, but I have to decline.
I don’t like publicity, sorry

Tails — The overview

~ Advertisements

The “KZ Team Reborn” team is advertised at Zelenka forum:
KZ Team REBORN | SEO | The Bay | Channels | 30% Crypto Cutout | Page 2 — Social engineering forum — Zelenka.guru (Lolzteam)

It offers the opportunity to work with stealers (providing free crypted builds), free SEO and a payout for every 100 logs provided to the team, also giving you 70% of the cryptocurrencies stolen. Everyone is invited to join the team, with or without prior experience.

~ Managing the Telegram Bot

The operations of the team are managed by https://t.me/KZTREBORN_BOT

Applying to join the team

To apply to the team you will be asked the following:

Укажите ссылку на ваш профиль на lolz.guru
Расскажите, был ли у Вас опыт в данной сфере?

Provide a link to your profile on lolz.guru
Tell us, did you have experience in this area?

After filling the information and a successful administration approval, you will be accepted into the team.

The functionality of the bot is written in Russian; I will be providing both original and translated screenshots.

Everything is detailed in “manuals” written by the team administration or fellow team members:
KZ TEAM: WIKI — Telegraph
KZ TEAM — Общий мануал — KZ TEAM — Команда для лучших! (gitbook.io)

Summarizing,

The bot has the following sections:

Rules are shown there:

⚠️ Основные правила команды:
- Запрещено проверять билд на VirusTotal.
- Запрещено передавать билд третьим лицам.
- Запрещено мешать воркерам лить траффик.
- Запрещено вести себя неадекватно в чате.
За нарушение одного из этих правил грозит наказание! Уважайте друг друга и занимайтесь соответствующей работой.
⚠️ Basic team rules:
- It is forbidden to check the build on VirusTotal.
- It is forbidden to pass the build to third parties.
- It is forbidden to interfere with other workers’ traffic.
- It is forbidden to behave inappropriately in the chat.
Violation of any of these rules will be punished! Respect each other and do your work accordingly.

Also general statistics (Top / Group) from the team that will be discussed later.

The “get a build” section lets you generate an infostealer build, protected with a crypter of your choice, with only two clicks of effort, ready to be used in the wild.

Stealers / Crypters Build successfully created and encrypted

It also gives you the option to run a detection analysis with two more clicks.

Under “My profile” section, you see this:

It shows your information and statistics, plus options to get notifications on new logs received from the builds the team generated for you, to display your username in the general statistics, and to automatically check YouTube and Discord accounts found in your logs.

In the information section, you can see a general summary of the team, and you will find the channels of the team.

As you can see, at the time of writing this blog, there is a total amount of 592957 logs provided by workers to the team.

The Otctyk channel holds the records that I discussed in the first release of this blog series, and we can also find a general chat for team members. The manual has been shared previously.

Also please find the announcements provided on the bot since June 2023:

June 3, 2023:
@zxckvsdkvkzxvcz seo
June 4, 2023:
Пофиксили билдер люмы, простите за задержку. Насчет апи автосео еще повыясняю (We fixed the Lumma builder, sorry for the delay. I’m still looking into the Auto SEO API.)
June 6, 2023:
Fox work, можете использовать (Fox works, you can use it)
@zxckvsdkvkzxvcz сео (@zxckvsdkvkzxvcz seo)
June 8, 2023:
Цитата из канал LummaC2 “Работаем. Сегодня весь день вероятно будем недоступны. Работаем над всей инфраструктурой. Поставим все за облако”
Ждем-с
(Quote from the LummaC2 channel: “We are working. Today we will probably be unavailable all day. We are working on the whole infrastructure. We will put everything behind the cloud.”
We wait.)
June 13, 2023:
Люма вернулась в строй, но с переменным успехом. В ближайшие пару дней с небольшим шансом может случится отвал. Следим за новостями.
Еще сейчас был перезапуск дедика, поэтому логи не будут идти блиэайшие пару минут, не паникуйте. Ждем пока мета проснется и все дойдет
(Lumma is back in service, but with mixed success. In the next couple of days there is a small chance of an outage. Stay tuned.
The dedicated server was also just restarted, so logs will not arrive for the next couple of minutes, don’t panic. We are waiting for Meta to wake up and everything will come through.)
June 14, 2023
Билдер люмы пофиксили, теперь проблем с обновлением токена и тд не будет. (The Lumma builder has been fixed; there will be no more problems with token refresh, etc.)
June 23, 2023
Пофиксили архиватор, ночью ют обновился, я ловко парировал и починил
Теперь люма выдает скрины в логах, добавил их в бота
Пофиксил небольшой баг с отстуком люмы в лс
Работать
(Fixed the archiver; YouTube updated overnight, I deftly parried and fixed it.
Lumma now provides screenshots in the logs; I added them to the bot.
Fixed a small bug with the Lumma callback in DMs.
Get to work.)
June 27, 2023
Архиватор был временно удален из бота в связи с аномальными зависаниями. Просим прощения за неудобство (The archiver was temporarily removed from the bot due to abnormal freezes. We apologize for the inconvenience.)
June 28, 2023
@K1T_T Выдаст вам подписку в своем боте — условие: 10 логов за неделю.(@K1T_T will give you a subscription in his bot; condition: 10 logs per week.)
June 29, 2023
Кто использует люмму сделайте пожалуйста ребилд! (Whoever uses Lumma, please rebuild!)
June 30, 2023
@vyaz1437 фри вяз, если на канале есть хотя бы 1 ролик 100 сео( и наш билд) (@vyaz1437 free вяз, if the channel has at least 1 video with 100 SEO (and our build))
July 7, 2023
Вернули редлайн в бота, можете заказывать билды (RedLine has been returned to the bot, you can order builds)
July 10, 2023
@aizuuwuw залив (@aizuuwuw uploads)
July 15, 2023
Автосео кабмек. Жёстко делаем ура ура и бегом проливаться (Auto SEO is back. Hooray, hooray, get going and pour traffic.)
Уважаемые воркеры, покупайте каналы хотя бы от 300 сабов, на 5–15 подписчиков за 1 рубль вам не будут заливать. (Dear workers, buy channels with at least 300 subs; channels with 5–15 subscribers bought for 1 ruble will not get uploads.)
July 20, 2023
М, вау, ого. Архиватор вернулся. В целом, все так же, но чуть чуть поправил оптимизацию. Качаем видосик, заливаемся, подрубаем автосео и на взлет. Всем спок спок
(Mm, wow, whoa. The archiver is back. Overall everything is the same, but the optimization was tweaked a bit. Download the video, upload, switch on Auto SEO and take off. Night night everyone.)
August 2, 2023
Проводятся тех. работы. Отстук будет частично недоступен примерно два часа. (Maintenance in progress. The callback will be partially unavailable for about two hours.)
August 4, 2023
Уважаемые воркеры технические работы закончились, сделайте ребилд, старые билды работать не будут. (Dear workers, the maintenance is over, do a rebuild; old builds will not work.)
August 10, 2023
@vyaz1437 фри вяз( от 10 логов в тиме за все время) (@vyaz1437 free вяз (from 10 logs in the team all-time))
August 12, 2023
Добрый день! Пофиксил архиватор, видео теперь докачиваются. Исправил работу AVCheck в боте. Теперь в нем нет ограничения на количество одновременных сканирований, но есть шанс что сама API сервиса не позволит создать задание, поэтому придется подождать минуту и попробовать снова.
Актуальные детекты:
PackLab — 4\26
FoxCrypt — 2\26
(Good afternoon! Fixed the archiver, videos now download fully. Fixed AVCheck in the bot. It no longer limits the number of simultaneous scans, but there is a chance the service’s own API will not let you create a task, so you will have to wait a minute and try again.
Current detections:
PackLab — 4\26
FoxCrypt — 2\26)
August 31, 2023
Уважаемые воркеры, сейчас будут проводиться тех.работы, Ориентировочно 30–40 минут. Отстук может быть нестабильным.
(Dear workers, maintenance is about to begin, approximately 30–40 minutes. The callback may be unstable.)
September 4, 2023
Возьму 3х человек для ворка по тиктоку, обязательно с опытом! Писать @TOKAEFFF (I’ll take 3 people for TikTok work, experience required! Write to @TOKAEFFF)
October 2, 2023
Снова вернули LummaC2. Кончилась подписка на PackLab, в течении часа все придет в норму. Все работает всем спасибо
(LummaC2 is back again. The PackLab subscription expired; everything will be back to normal within an hour. Everything works, thanks everyone.)
мета дала ебу и не открывается панель, поменяйте билд на люмму(проблема на стороне меты, ждем фикс)
(Meta crapped out and the panel does not open, switch your build to Lumma (the problem is on Meta’s side, waiting for a fix))
Исправили проблему с отсуком люмы. Была проблема со сборкой архивов самим стиллером, изза чего бот спотыкался и не мог распаковать архив. Все поправили, теперь все логи дойдут.
(Fixed the problem with the Lumma callback. The stealer itself was building the archives incorrectly, which made the bot stumble and fail to unpack the archive. Everything is fixed, now all logs will arrive.)
October 5, 2023
Мета снова упала, поменяйте билд на люмму (Meta is down again, switch your build to Lumma)
November 9, 2023
Люмма ворк, для того, чтобы вам стучало в бота, нужно сделать ребилд. (Lumma works; for it to call back to the bot you need to rebuild.)
Уважаемые воркеры, сделайте еще раз ребилд люммы, если хотите пользоваться фичами нового обновления. Удачного ворка! (Dear workers, rebuild Lumma once more if you want to use the features of the new update. Happy working!)
November 10, 2023
Просим прощения за долгий отвал. Старые билды работают. Фокскрипт был удален из бота в связи с неработоспособностью сервиса. Архиватор работает. Сейчас в боте установлена старая база данных, поэтому у некоторых откатились профили. Если вы уже были в тиме, а сейчас бот просит подать заявку: подавайте и указывайте что уже были в тиме.
(We apologize for the long outage. Old builds work. FoxCrypt was removed from the bot because the service is not working. The archiver works. The bot currently runs on an old database, so some profiles were rolled back. If you were already in the team and the bot now asks you to apply: apply and state that you were already in the team.)
Используйте пока что люмму, потому что сейчас небольшие проблемы будут с метой. Как только все решим, будет уведомление.
(Use Lumma for now, because there will be some problems with Meta. As soon as everything is resolved, there will be a notification.)
November 11, 2023
мета ворк, можете запрашивать билды. (Meta works, you can request builds.)
November 14, 2023
Билдер LummaC2 снова доступен! (The LummaC2 builder is available again!)
November 29, 2023
Внимание! В связи с обновлением меты всем нужно сделать ребилд( старые билды не будут стучать на новой панели). Люмма пока что прилегла, будем держать вас в курсе. Уважаемые воркеры, сделайте пожалуйста ребилд, это обязательно!(не касается тех, кому я отписал лично) (Attention! Due to the Meta update everyone needs to rebuild (old builds will not call back to the new panel). Lumma is down for now, we will keep you posted. Dear workers, please rebuild, this is mandatory! (Does not apply to those I messaged personally))
December 5, 2023
Кто использует люмму, сделайте ребилд. (Whoever uses Lumma, do a rebuild.)
December 19, 2023
Уважаемые воркеры, кто использует люмму и у кого нет юзер инфо в логах, сделайте ребилд пожалуйста. проблему пофиксили. (Dear workers, whoever uses Lumma and has no user info in the logs, please rebuild. The problem has been fixed.)
January 9, 2024
Уважаемые воркеры, сейчас будут проводиться технические работы, связанные с МЕТОЙ, убедительная просьба перекинуть свои билды на ЛЮММУ, для стабильного отстука. (Dear workers, maintenance related to META is about to begin; we kindly ask you to move your builds to LUMMA for a stable callback.)
January 30, 2024
Люма не работает, тех. работы на сервере. Делайте ребилд на мету (Lumma is not working, maintenance on the server. Rebuild on Meta)
Отмена, люма ворк. Ребилд не нужен (Cancel, Lumma works. No rebuild needed)
February 3, 2024
Уважаемые Воркеры! Кто использует мету, возьмите люмму. Мету завтра пофиксим. (Dear Workers! Whoever uses Meta, take Lumma. We’ll fix Meta tomorrow.)
February 6, 2024
Мета снова доступна, можете запрашивать билды. (Meta is available again, you can request builds.)
February 19, 2024
кто используют люмму, сделайте ребилд, обновились прокладки (Whoever uses Lumma, do a rebuild; the relays have been updated)
February 20, 2024
мета временно не ворк. (Meta is temporarily not working.)
February 29, 2024
Уважаемые воркеры, перед тем как кинуть сеошеру ссылку, уточняйте пожалуйста есть ли место для накрута. В ближайшее время постараемся докупить дедики, чтобы не было очередей. (Dear workers, before sending a link to the SEO guy, please check whether there is room for boosting. We will try to buy more dedicated servers soon so there are no queues.)
March 2, 2024
Уважаемые воркеры! Панель меты обновилась, сделайте ребилд в срочном порядке! Старые билды стучать не будут на новой панели. Если во время билда вам пишет, что билдер занят, значит попробуйте взять билд через некоторое время. (Dear workers! The Meta panel has been updated, rebuild urgently! Old builds will not call back to the new panel. If during the build it says the builder is busy, try to get the build a bit later.)
March 3, 2024
Уважаемые воркеры! В срочном порядке сделайте ребилд меты. (Dear workers! Rebuild Meta urgently.)

~ Otctyk

The records on the KZ Team Reborn otctyk channel look like this (the Russian is the original message; the English in parentheses is the translation):

✅ Пришёл новый лог! (New log has arrived!)
└ LummaC2 (or Ⓜ️ META; RedLine is not available anymore)
└Воркер: (Worker:)
Системная информация (System information)
└ Страна: (Country:)
└ IP:
└ Система: (System OS:)
Сводка из браузера (Browser summary)
└ Пароли: (Passwords:)
└ Куки: (Cookies:)
└ Приложения: (Applications:)
└ Холодки: (Cold wallets, i.e. cryptocurrency wallets or password managers:)

Sadly, on February 7th, 2024 this channel was rebooted and most of the records were lost. But I saved an export of the channel from August 4th, 2023, which contains records from the beginning of KZ Team’s operation until that day.

The analysis of the records covers September 28th, 2022 (first record) to August 4th, 2023, and then February 7th, 2024 to March 1st, 2024.

The total amount of unique IP records from victims logs is: 418920

Check the full summarization here : IP Summarization Results of 418920 IPs — IPinfo.io

Sorted by countries:

Brazil: 42193 IPs
United States: 32955 IPs
Mexico: 17372 IPs
France: 14886 IPs
Germany: 14760 IPs
India: 14045 IPs
Turkey: 14010 IPs
Colombia: 13344 IPs
Argentina: 12937 IPs
Peru: 12388 IPs
Spain: 12376 IPs
Vietnam: 11882 IPs
Indonesia: 11714 IPs
Philippines: 11209 IPs
Poland: 10996 IPs
Thailand: 9656 IPs
United Kingdom: 8137 IPs
Chile: 7836 IPs
Italy: 7816 IPs
Egypt: 6354 IPs
Romania: 5978 IPs
Ecuador: 5197 IPs
Pakistan: 5146 IPs
Canada: 4498 IPs
Morocco: 4125 IPs
Portugal: 3950 IPs
Malaysia: 3670 IPs
Dominican Republic: 3620 IPs
Venezuela: 3436 IPs
Algeria: 3207 IPs
Bangladesh: 3157 IPs
Netherlands: 2948 IPs
South Korea: 2864 IPs
Czechia: 2727 IPs
Australia: 2696 IPs
Hungary: 2631 IPs
Bolivia: 2518 IPs
China: 2275 IPs
Belgium: 2236 IPs
Sweden: 2225 IPs
Israel: 2169 IPs
United Arab Emirates: 2074 IPs
Ukraine: 1997 IPs
Serbia: 1978 IPs
South Africa: 1827 IPs
Uruguay: 1787 IPs
Saudi Arabia: 1720 IPs
Sri Lanka: 1719 IPs
Iraq: 1714 IPs
Bulgaria: 1554 IPs
Greece: 1524 IPs
Japan: 1519 IPs
Lithuania: 1459 IPs
Tunisia: 1372 IPs
Austria: 1364 IPs
Taiwan: 1325 IPs
Nepal: 1305 IPs
Georgia: 1137 IPs
Slovakia: 1136 IPs
Costa Rica: 1083 IPs
Norway: 1038 IPs
Switzerland: 1035 IPs
Paraguay: 935 IPs
Denmark: 905 IPs
Finland: 866 IPs
Jordan: 852 IPs
Panama: 847 IPs
Iran: 806 IPs
Singapore: 786 IPs
Croatia: 768 IPs
Myanmar: 754 IPs
Guatemala: 740 IPs
Cambodia: 733 IPs
Bosnia and Herzegovina: 710 IPs
New Zealand: 709 IPs
Kuwait: 701 IPs
Mongolia: 694 IPs
Kenya: 694 IPs
Honduras: 662 IPs
Nigeria: 660 IPs
Hong Kong: 598 IPs
Palestinian Territory: 590 IPs
Slovenia: 571 IPs
Ghana: 508 IPs
Latvia: 467 IPs
Jamaica: 465 IPs
Ireland: 461 IPs
Estonia: 458 IPs
El Salvador: 429 IPs
Qatar: 416 IPs
Ivory Coast: 399 IPs
North Macedonia: 387 IPs
Puerto Rico: 378 IPs
Lebanon: 371 IPs
Cuba: 363 IPs
Trinidad and Tobago: 331 IPs
Moldova: 329 IPs
Azerbaijan: 287 IPs
Albania: 284 IPs
Ethiopia: 276 IPs
Nicaragua: 271 IPs
Senegal: 268 IPs
Oman: 266 IPs
Mozambique: 264 IPs
Bahrain: 263 IPs
Reunion: 253 IPs
Angola: 251 IPs
Uzbekistan: 232 IPs
Laos: 216 IPs
Cameroon: 210 IPs
Madagascar: 187 IPs
Cyprus: 156 IPs
Libya: 156 IPs
Togo: 144 IPs
Syria: 137 IPs
Mauritius: 136 IPs
Brunei: 124 IPs
Russia: 124 IPs
Tanzania: 113 IPs
Luxembourg: 110 IPs
Uganda: 110 IPs
Montenegro: 101 IPs
Zambia: 100 IPs
Namibia: 100 IPs
Guyana: 99 IPs
Bahamas: 96 IPs
Armenia: 93 IPs
Malta: 90 IPs
Kosovo: 88 IPs
Benin: 88 IPs
Maldives: 86 IPs
Gabon: 84 IPs
Mali: 81 IPs
Martinique: 72 IPs
Democratic Republic of the Congo: 67 IPs
Haiti: 64 IPs
Barbados: 63 IPs
Botswana: 63 IPs
Iceland: 63 IPs
Republic of the Congo: 61 IPs
Burkina Faso: 60 IPs
Somalia: 59 IPs
Sudan: 58 IPs
Guadeloupe: 53 IPs
Cabo Verde: 50 IPs
Kyrgyzstan: 50 IPs
Macao: 49 IPs
Suriname: 45 IPs
Belize: 43 IPs
Rwanda: 43 IPs
Zimbabwe: 43 IPs
Mauritania: 40 IPs
Yemen: 37 IPs
Afghanistan: 34 IPs
New Caledonia: 32 IPs
Papua New Guinea: 31 IPs
Malawi: 30 IPs
Antigua and Barbuda: 28 IPs
Andorra: 27 IPs
Bhutan: 25 IPs
French Polynesia: 25 IPs
Fiji: 24 IPs
Guinea: 23 IPs
Equatorial Guinea: 23 IPs
Guam: 22 IPs
Aruba: 19 IPs
U.S. Virgin Islands: 19 IPs
Saint Vincent and the Grenadines: 19 IPs
Dominica: 18 IPs
Belarus: 18 IPs
Curacao: 16 IPs
Cayman Islands: 15 IPs
Jersey: 15 IPs
Saint Lucia: 14 IPs
Kazakhstan: 13 IPs
Mayotte: 12 IPs
Sierra Leone: 12 IPs
Tajikistan: 11 IPs
Niger: 11 IPs
Greenland: 10 IPs
Turks and Caicos Islands: 10 IPs
Grenada: 10 IPs
Djibouti: 10 IPs
Guinea-Bissau: 9 IPs
French Guiana: 9 IPs
Burundi: 8 IPs
Timor Leste: 8 IPs
Eswatini: 8 IPs
Saint Kitts and Nevis: 7 IPs
Chad: 7 IPs
Liberia: 7 IPs
Sao Tome and Principe: 6 IPs
Monaco: 6 IPs
Faroe Islands: 6 IPs
British Virgin Islands: 6 IPs
Bermuda: 6 IPs
Isle of Man: 6 IPs
Comoros: 5 IPs
Lesotho: 5 IPs
Samoa: 5 IPs
Gambia: 5 IPs
Solomon Islands: 4 IPs
Vanuatu: 4 IPs
Gibraltar: 4 IPs
Liechtenstein: 4 IPs
Seychelles: 4 IPs
Bonaire, Saint Eustatius and Saba: 3 IPs
Saint Martin: 3 IPs
South Sudan: 3 IPs
Sint Maarten: 2 IPs
Micronesia: 2 IPs
Northern Mariana Islands: 2 IPs
Guernsey: 2 IPs
San Marino: 2 IPs
Aland Islands: 1 IP
Kiribati: 1 IP

The full list of IPs can be found at: https://github.com/g0njxa/ProfilingTraffers/raw/main/KZ%20TEAM%20REBORN.txt

So yes, workers from KZ Team Reborn have acted against people from around the world.

As said before, the total number of logs received by the team (at the time of writing this blog), as shown by the statistics in the Telegram bot, is 592957. I believe this number can be trusted, considering the 418920 unique records presented here (with some months of activity unrecorded) and several examples of reinfection.

Over the recorded periods these numbers put the infection flow at an average of ~1250 unique victims per day produced by the people working for this team.

In the first months the records on the Otctyk channel didn’t show which stealer was used, but later on they did. There are a total of 30175 records tagged as RedLine logs, 303598 as Meta logs, and 56953 as LummaC2 logs.
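As an added example (not code from the original post or from the team), the following Python parses an export of records in the format shown in the Otctyk section above, deduplicates victim IPs so reinfections count once, aggregates unique IPs per country and records per stealer tag, and recomputes the daily-victim average from the two recorded periods stated earlier. The export sample, the worker names and the IPs (documentation ranges) are constructed; the exact text the channel shows for a hidden username is an assumption.

```python
"""Summarise an exported Otctyk channel (added example, constructed data)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address

# Constructed sample export in the channel's record format. The IPs are
# documentation addresses, the worker names are invented, and "скрыт" is an
# assumed placeholder for a worker who hid the username (not taken from the page).
SAMPLE_EXPORT = """\
✅ Пришёл новый лог!
└ LummaC2
└Воркер: @worker_a
Системная информация
└ Страна: Brazil
└ IP: 203.0.113.10
└ Пароли: 12

✅ Пришёл новый лог!
└ Ⓜ️ META
└Воркер: скрыт
Системная информация
└ Страна: Brazil
└ IP: 203.0.113.10
└ Пароли: 3

✅ Пришёл новый лог!
└ Ⓜ️ META
└Воркер: @worker_b
Системная информация
└ Страна: United States
└ IP: 198.51.100.7
└ Пароли: 41

✅ Пришёл новый лог!
└ RedLine
└Воркер: @worker_a
Системная информация
└ Страна: France
└ IP: -
└ Пароли: 0
"""

STEALER_TAGS = ("LummaC2", "META", "RedLine")
FIELD_RE = re.compile(r"^└\s*([^:]+):\s*(.*)$")  # matches "└ Страна: Brazil"
# Recording periods stated in the post: first record to the saved export,
# then the rebooted channel up to the time of writing.
RECORDED_PERIODS = [(date(2022, 9, 28), date(2023, 8, 4)),
                    (date(2024, 2, 7), date(2024, 3, 1))]


@dataclass(frozen=True)
class LogRecord:
    stealer: str
    worker: str | None  # None when the worker hid the username
    country: str
    ip: str | None      # None when the field is missing or not a valid address
    passwords: int


def _to_ip(value: str) -> str | None:
    try:
        return str(ip_address(value))
    except ValueError:
        return None


def parse_records(export: str) -> list[LogRecord]:
    """Each blank-line-separated block is one 'new log' notification."""
    records = []
    for block in re.split(r"\n\s*\n", export.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or "Пришёл новый лог" not in lines[0]:
            continue  # not a log notification (e.g. a chat message)
        stealer = next((t for t in STEALER_TAGS if t in lines[1]), "unknown")
        fields = {}
        for line in lines[2:]:
            if m := FIELD_RE.match(line):
                fields[m.group(1).strip()] = m.group(2).strip()
        worker = fields.get("Воркер", "")
        passwords = fields.get("Пароли", "")
        records.append(LogRecord(
            stealer=stealer,
            worker=worker if worker.startswith("@") else None,
            country=fields.get("Страна", "unknown"),
            ip=_to_ip(fields.get("IP", "")),
            passwords=int(passwords) if passwords.isdigit() else 0))
    return records


def unique_ips(records: list[LogRecord]) -> set[str]:
    """Reinfections of the same host collapse to one entry."""
    return {r.ip for r in records if r.ip is not None}


def ips_by_country(records: list[LogRecord]) -> Counter:
    """Count each unique IP once, under the country of its first record."""
    seen, counts = set(), Counter()
    for r in records:
        if r.ip is not None and r.ip not in seen:
            seen.add(r.ip)
            counts[r.country] += 1
    return counts


def records_by_stealer(records: list[LogRecord]) -> Counter:
    return Counter(r.stealer for r in records)


def logs_by_worker(records: list[LogRecord]) -> Counter:
    """Hidden usernames are dropped; one operator may still use several names."""
    return Counter(r.worker for r in records if r.worker)


def daily_average(unique_victims: int, periods=RECORDED_PERIODS) -> float:
    days = sum((end - start).days + 1 for start, end in periods)  # inclusive
    return unique_victims / days
```

Running `daily_average(418920)` over the two stated periods (335 days inclusive) gives ~1250.5, which is the ~1250 daily figure above; `ips_by_country` is the same per-country breakdown as the IPinfo summary, computed locally on unique addresses only.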

Some of the applications checked in each log are:
Session files: Steam, Anydesk, Telegram, Discord, FileZilla
Cookies and Credentials: “BANKS”, “MONEY”, Paypal, GPay, Amazon, Facebook Business
: Authenticator, AuthyDesktop, Bitcoincore, Coinbase, Binance, MetaMask, Exodus, Atomic, Phantom, Electrum, TrustWallet, Yoroi, Nami, CryptoCom, TerraStation, Keplr, OKX, Math, AgrentX, Petra, Coin98, VenomWallet, RoninWallet, BinanceChainWallet, LeapWallet, Martian, UniSat, TronLink, Martian, Sui, PolkadotJS, LedgerLive, ExodusWeb3, iWlt, HavahWallet, BinanceWallet, ZilPay, Backpack, CompasWallet

There should be more

~ Workers

Please keep in mind that this team offers an option to hide your username in the OTCTYK records, so most of the logs didn’t disclose an actual username, and that users can change their username, so more than one username may refer to the same operator.

A total of 848 usernames were collected together with their victim records. Of course, the list is incomplete for the reasons stated above.

Some of these usernames may be known to you. List:

@A111A_1337
@A1234Aqqq
@AP_Apely
@AcidTripwithSmile
@Agsiakka
@Ajajjajak
@Alaster6474
@Alexandra_piiiter
@Alibabbu
@AltezzaSEO
@AnemusDev
@Answer_support
@Ar4ikkz
@Armakon
@AslanbekZ
@Atlantidateam
@AuroraStealerSupport
@AustraliaCourier
@AuzyK
@Avihoof
@Azamalus
@BANIlIBAN355
@BORSUK666
@BS_JE228
@BTS_is_my_Love
@BUTAJI9
@BaLaMuT963
@Banjiro_me
@BaraBere777
@BeZZon88
@Bibizanya
@Bibizanyas
@Bigidila
@Bla1zer0
@Bogdan4565
@Bolenkord
@BookingBookingovich
@BoulevardDepoLZQ
@Bulbexw
@Bybiksa
@CAPybaRaWork223
@CCTV_SK8
@CHEROKEEEEE
@CKAMEPCAHT777
@COLLECTORSHOPE
@CapyPapy
@Catbroke
@Cheraa14
@Churkastan
@CocacolaN
@Corleone1337
@CorrecterTomson
@Corrupted000
@D3dc0d
@DEDUS_INSULTIK
@DEVil1037
@DZFastzs
@Dange011
@Darknessonchick
@De0niss
@DefrostDegrod
@DeniskaPepiska12
@DenkaLenka
@DetSuppo
@Diomong
@DiscobaII
@Dizab1le
@Djoker1832
@Djoker1833
@Dobriy_Do3
@DominatorOfMamont
@DonaldCrack
@Dosbbjfff2737
@DownTownes
@DrStaunerr
@DurtCrushTvoiMama
@EBATELMAMASH
@Eman461
@Enifun3
@Enot1832
@EphemeralGhost
@Erundaje
@FBSKUPBRO
@FRANKOLOLZTEAM
@Fast_Bee
@Favvlogs
@FoticeAnalize
@FuckThePol1ciano
@FuckYouStupidBich
@Fuddy14
@FusikOnefersink
@Ganysialox
@Garou_AYF
@Gdjer
@Gen1us23_kz
@Gevorgyan143
@Glhf_slv
@Glnnnz
@God0ut
@Gopaogi
@Gopaoqi
@Grechkaxdd
@HSKDGARF
@HanDevi
@Harizon234
@HedlessKorblox
@HellllBoy111
@Hellter5kellter
@Hentsister
@HomanzX
@Hto_ya_takoy
@HumanNet
@I337ZZ8
@I_LikeBeing
@Ialwgwwwwbt
@Ink_Sanessss
@Inpe652
@Issaaq
@JABKA9983
@JDSFRY
@JESUS_MANS
@JYZI1
@Jaidenchadha
@JoeBidenUSAAA
@Jon1k02
@K1RYXACH4N
@K1T_2
@K1T_T
@KOL1VAN
@Kabanchik404
@Kapushkaa_manager
@Kapusta7
@Karpeeer
@Kasocametoo
@Kateyko
@Kitovnikit
@Kloazt
@Klozz1
@Kovname
@KtoTakoyLolz
@LXNKIR
@LZTGUDETAMA
@Lamesda
@Latunie
@LazytkinRoma
@Leet777
@Ler0is
@LewisDev
@LoVeyueyo
@Lolka121
@Lolzteam0ne0uts
@Loolk232
@LoveRoadsss
@LoxsZP
@Loxsik1
@Loxsik2
@Lychiyvmire12
@M1ku_N0kano
@MAMKINDOXXXER
@MODESAMEKHADA
@Maifil_Maifil
@MaksimVumov
@MangaliZiP
@MarattamYT
@Marokumo
@MarsSellers12
@Matsudoka
@MiloradaKurs
@Minyanet
@Mishka_Top_1
@ModeSamekhada
@Mont4nk3
@MoorLucky
@MorfeyGG
@Mr_M0riarty
@MuskYOUTUBE
@Myesh1
@Myqeq
@N0LIKTRAFF
@Neizy_z
@NestorGavrilov
@Neum33
@NotAyacosiDern
@Noxyzzz
@OO0OO00O0O
@OTRABIKMLK
@OTRABIKSHOP
@Omolix
@Oprols
@OwnerCloud
@OxOOO142
@Pivnoyyyy
@Pmaenjoyer
@Pochemuchka3
@Polss
@PositiveDeat
@PraViteIb
@Prkl1337
@Propitak
@Protantu
@Pssnsvk
@PudjeSmom
@PumPumPon
@QURWESSSS
@QYSTER
@Quince_lzt
@Qumen_doto
@R1gge
@R3yD4se
@RagTag88
@Ravver
@Readilzarab
@RedBall911
@Remo4kaaa
@Richardcrime
@RickSanchVeZ
@Rikkiloly
@RipnDick
@RuPi19
@S1ngleeech
@STEELODO
@Sanchekkkkk
@Sashapet145
@ScallyMilanoLZ
@Schumacher20
@Schumacher211
@ScroogeMain
@SinorikOtrapik
@Soezbitch
@SofortD
@Sosiska_kill3202
@Squireelty
@Sssovv
@Super_Shuka
@SuppMain1
@SuppMain7
@Syoneex
@TC_Haze
@TErpiLa_1488
@TOKAEFFF
@Tansy987
@Tarelka_guru
@Targaryen_LZT
@TeacherMera
@TeamLionso
@Terephia
@TerranGames
@Thomas_Goodmans
@Tqwaw
@Traffer228
@TxT_fm
@Tyagi_Trinity
@UKRAINE_POWER228
@Undet3cted
@UniqPRSN
@VBIV_V_EBALO
@VIETNAMSUPPORTT
@VPlues
@Ventenda
@Vissywork
@Voskresene_7
@Vrd911
@WYUIIII
@WYUuilol
@Welulu
@Wenpiay
@WithLoveYou0
@WithLoveYouuuuu
@Wizzard882
@WorthiesTea479
@Wovix872
@Wyzaa
@XPOM_TEPPOP
@XPOM_TEPPOPUCT
@Xokkaqdo03
@YTMARKET_SUPPORT_2
@YawaraSF
@Yebannik
@YoungJesly
@Z1Pik
@Zdnnras
@Zhosoboi
@Zixail
@ZodiakWRLD
@Zura1203
@ZxcFolzy
@Zyk1k1
@aaaaaprilrichhh
@aaashebye
@abszzz07
@admusichannel
@adopter2010
@afkfarm
@aizuuwuw
@akkkerman
@alan_772
@alexgood228
@almadakur
@almaketty
@androzxczxc
@anoqqq
@aqo0n
@archiveman666
@argux
@aschotic
@asdlkjho
@asdsxve666
@ash3s
@ashleyorg
@ashmelshop
@ashqikko
@assassin8356
@avd_sere
@aweeawsqwe
@awfulsane
@ayebalbessssss
@b8er0
@badteamer
@baldewniy_muwik
@barrerafarmila
@bebrulyaukr
@bevdfs
@bigmachonok
@blackrtruth
@blaze_DEV
@bloodyrain12
@blyadstrm
@bobobobobens
@bpaduha
@brjenk
@brostfors
@brostiklolz
@brthtmpla
@bruneX_lzt
@btc_own
@buldos1k
@bulionamagit
@buss5life
@buuulbl4
@c1gannka
@cadillac1337
@cao_white
@carousellscm
@chaosinsurgency
@checklogov
@chereshnya2
@cherkaa14
@cheww9
@chifiiiir
@chinhpc
@chrisdime_lolz
@clinker777
@coldcheck
@cpoxa1
@creveoolus
@crixevil
@ctavixname
@cxd3r
@cxnerxx
@cxnerxxx
@d3737361
@daegpes
@dangerouslylone
@danilkabugaga
@danonez7
@danyaderkach
@danyakhropatiy
@dcpmanhattan
@deadsource21
@deathwill
@demteror
@deonenss
@designer_givenchy
@developedgame
@devmygame
@dfgdsgfasdf
@disjsnrifjman
@djekler0
@djyxghdfg
@dmziw
@dodge222
@doitforgrandson
@dolcihabanna
@dotaeng
@drazygod_lzt
@dropmelogs
@dxxlllxl
@e1dz1egodnii
@effry1
@egormoonsxx
@elprimov
@empathyclxn
@eqsdwdxqweqsdwae
@erLrust
@eviltwinzz
@ex4vier
@exploit_us
@exqzmyblyat
@f1ngster
@fairlil
@fallzex
@farmingbitcoin
@fckyu0day
@fcril2
@fdgsdgserwsdfgs
@fenib11
@fentdevlzt
@ffgua09
@fimiz1
@fjhbaaufhadsofjjafdn
@fjillspinwla
@flamelos@yourbelovedmuerto
@flomast
@fomicvell
@fondnesssw
@forrtuna_lzt
@foruman
@forzelfg
@fpdilla
@froD67
@frozen_lzt
@ftywex
@fuddleee
@fvdgeee
@gegebos62
@gen_syxa
@gensi79
@gentlemen12348
@gentrytwtowner
@geramkz
@gerlide
@gfasdg
@ghostyrr
@giventak3nn
@glnz3371
@goodybo
@gorshpek
@gothicdiamond
@gr1mmv
@greendevil
@gsj1j
@guap_a
@gxxdboyy
@h3llyx
@haise4
@hanon32
@hardwork66
@hashihi
@heroskop
@hey_rapper
@heysnlo
@hiddenkoi
@holyboss
@hqeewk
@hshshshshsheue
@huikidcady
@hxaasxs
@hywbjla
@i_di_ot
@iamdgghh
@ichotipo
@ididjsjsid
@igorgofmann
@ilovezzersoso
@im_HiLLi
@imen_fam
@imhatetelegram
@imkingtheporno
@influgine
@inttdcld
@irefox0
@itSwYpl
@itnerritz
@ivansvetlov20
@jacherthvh
@jdjfjejrj
@jenebdcheb
@jinadax
@jokersar
@jozkiy1
@jrjrvbs
@jsjsjsjsjsjsjsjsjsjsjsjsjsjscpp
@jumpscout
@kalfty
@kapubaraqq
@kasjushka
@katharzyzz
@keciler2
@kilobyt1
@kimmmmmmmmmmk
@kirillzzzzz
@kiryxakz
@kishechks
@kjlnafklna
@klawzxc
@knowthepainLZT
@koke_lzt
@kostan666
@krinz12888888888888
@kriska_ya
@krypt73839
@kussix
@kyane
@kyokk2
@l0rd667
@lalacocain
@laparissss
@ledger_cz
@legeeeendaa
@leo_bejamin
@lg5sss
@lisaya4545656
@llllllllllllolzteamalerts
@lolzallert
@lolzlaker
@lolzteamer
@lolztomodachi
@lordes1
@lowerlowerlower
@lpropvgvndvl
@lubitel_vina
@luffy4gear
@lunaku
@lylykote
@lzt_d
@lzt_damakasay
@lzt_damksay
@lzt_patron
@m3tasteal
@maIch4ik
@makulaky
@malinovsksn
@mama_tvia
@mamont0w
@manageira
@mannisx
@markusnft
@mat_dest
@mavro777
@mavrodi_crypto
@maximezz
@mayotiqq
@mcboss123
@mcl0ltc1e
@menegka
@merancy
@metahack777
@mewree_lzt
@mgbbcc
@miawilliz
@michiroplayboy
@mifordron
@milanaadi
@milyokionelove
@miracle1125867
@miracle1134
@miracle_1_1_1
@mirochkae
@mishanin5
@misterpetrushka
@momo201988
@money_cats
@montana_cvv
@mopmap
@morgenshetein
@mranger
@mrfrankfoster
@mskitov
@mwn2ioake91
@mwn2ioake99993939383
@mwqqu
@mxssxngxrrrrrr
@mycvcis
@mymoneylong
@n1pple5
@n30_e
@namesokdsf
@nanotttr
@nawum
@ncpdevelopment
@neakovv1
@negryZI
@nemesyah
@nevermoredie_lzt
@nightwea
@nik_kuprin
@nip_ples
@niples
@nipples_lzt
@nixhuesos1
@nn30vv
@noskos213
@notbantik
@notwend
@ntmuuu
@ntmuuuu
@nulllogseveryday
@nvrmrag
@oblako_support
@obscureobscureobscure
@oddtoddlers
@officialbtc_bs
@officialeth
@ofkofk
@ofuusbehf
@omyonx
@onekomaru
@opS464
@opmrxplusss
@opmrxpluus
@osjakal
@ostaaap
@out_cage
@owner_powercloud
@p3rs1111
@pIumpcone
@pappendi
@par1488
@parallaks_sell
@paypal_lzt
@perda4k
@phobioo
@ping120
@pivapenko
@poaxq
@polyanaoug
@poruter
@pozerov228
@psychiatricbymarry
@puffler_lzt
@qatrol
@qestiny77
@qiwissss
@qkies_new
@qnzers
@qqq1113q
@qquuiinnzxc
@qqyati
@quadroXD
@queenofSilvers
@quetwaf
@quickhunter
@quizzkk
@qukedaxu5
@qunved
@qvorse
@qwerdkfjty
@qwertyvvvcd
@qwestiny
@qwmtx
@qxzxf
@radik_am
@radviq
@ranisss_116
@rastiktt
@ravnodushiiie
@razenovokek
@redbull_crypto7
@redzymode
@reeeebl
@regenerati0n
@reohc
@returnnn
@revenge291
@richfas43
@richmonth
@rise4prove
@rkgisiwkgk
@rostislav_111
@rrrrFenrir
@rtxfgs
@rukoeb_3000
@runawayway
@s8ia0
@s9mbiot
@safai98
@samosado
@saqwator
@scammedshit
@sed0love
@seevhdksns
@sega_saga
@sem_o_o
@senpai12
@sergo_mango
@sexualen
@sfiugkjfhaoijzljkfvhasojkdpofzh1
@shadowraze_work
@shianasu
@shinKyojin
@shopperhey_lzt
@sj29xn3
@sjuix
@sk1llw1n
@skeetcc_lzt
@skeylitg
@skittleswork
@skyegtr
@skywerq5
@slavikkkkkkkkkkkkkkkkkiioko
@slo5ar
@socksware
@softphp
@sosychi
@spacewhale666
@spelxxx
@spliner18
@spyr1xx
@sqadzode
@ssihjdead
@stake_lzt
@strops_s
@style43
@styzix
@suicide_one
@sunsetkiller
@supbely
@superwiser
@swagseasoon
@swegby
@sworeed
@sxmxxx1
@symphonyzxcc
@t1wk4
@tal1nuss
@tatotattto
@tephael
@thatscelestial
@theF1_steam
@timka_123
@timka_lzt
@timthenoname
@tochkathebest
@toreto4rch
@torszi
@toy0333
@tr_asherrr
@trazll
@treasureX_LZT
@trepaci
@trippin_out
@tsukauch1
@tw121212tw
@twiskkk
@tyt0y
@uabazabbot1
@ubuntu1337
@uces7
@unomaster
@user8name8
@usernameeeeeech
@v1nnn1ty
@vLaDsChAoS
@valid000
@valouser
@valveold
@vasil69771
@vasiliy_pupkevich
@vawnaire
@vidradom1234
@viknyanskyy_21
@violaloveeee
@virtualbirds
@vivalaviidaaaa
@vladoslegalais
@voidlttt
@vovkkic
@vozovich
@vsegdanewtelegramm
@vtarivat
@w1lxxz
@w3llyx
@waitingglobal
@walk_through
@wanwap
@watxrdance
@wazdy
@weakrat
@weeeeeend
@weeeeend
@wer41ss
@werber333
@whitepowerI488
@whoossay
@whyisdreff
@wianix
@winfoudgkdbojdvojvojrb
@wisage88
@withtheyo
@work_nowxd
@workamiri
@wossaanx
@wqewqewqqwe
@wqpxtt
@wwwowowowww
@wyuiiii
@xJamesUSDT
@xLEITOx
@xVB0R
@xXarnix
@x_x_x1_x
@xanaxlog
@xanesss
@xantream
@xapaktep_design
@xdbolno
@xdddddxxddx
@xdxxsddweqweqe
@xtripO_0
@xtypeeee
@xxxartemxxx777
@xxxkochegarxxx
@xycyrrr
@xycyrrrrr
@y2u2jux7d
@y2u2jux7q
@ya_dead_inside2289
@yagavnoed4
@yakooovvvvv
@yamsezzzz
@yanebyaka
@yasdhds
@yatiYAYA
@yawarasf
@yaweeo
@yrftyy
@yungpr1s0n222
@z1treezY
@zalypa3315
@zaurimhaz
@zerdeees
@zfsdfszdxfzxfxcfz
@zitrxx
@znamyapeh
@zuviiiii
@zvoniyavyebu
@zxcUndying
@zxc_yaryy
@zxckomaru1
@zxckvsdkvkzxvcz
@zzpkpk
@zzzerozzzzzz
@zzzzzerozzzzz
@zzzzzzzerozzzzzzz

In the statistics shown in the Telegram bot, only one username is disclosed: user Ventenda (with 16003 logs) at the time of writing this.

Some of these usernames have been seen in infostealer traffic working with the builds from this team, also working under other teams or with their own builds from a private panel. Tracking the activity of each individual would be a massive task that is out of my capabilities at the moment.

There is also a top list of the highest payouts, again with only one disclosed username:

User wanwap earned $4007 in his journey as a malware operator

~ Builds

I generated a META (EasyCrypt) build from the Telegram bot of this team; find it at:

MalwareBazaar | SHA256 90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24 (abuse.ch)

In fact, I got logs back from sandbox machines, damn.
Doing CTI rocks.

The current C2 of KZ TEAM REBORN is 147.45.47.39:80
Detonation of my build: Analysis 90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24.exe (MD5: 5287B216EB5E9AFCA5EA8B38EC4B2AF0) Malicious activity — Interactive analysis ANY.RUN

Same done with a Lumma (Packlab Crypt) Build:

MalwareBazaar | SHA256 833821dfd2eef37f7624dd227e49484c20bad5d474b251e1d9fd04ef0476544c (abuse.ch)

Sadly I can’t expose what Lumma ID is using this team at the moment.

Detonation:

Analysis 833821dfd2eef37f7624dd227e49484c20bad5d474b251e1d9fd04ef0476544c.exe (MD5: 40F173D5B3066B6E39C7CE4632256679) Malicious activity — Interactive analysis ANY.RUN

~ Past telemetry

Thanks to the disclosed usernames, we can find strong evidence of past C2s used by this traffer team.

You can filter analyses on ANY.RUN by these C2s to find builds and the traffers disclosed in them. This way we can also see usernames of traffers that were not disclosed elsewhere.

As an example, META C2 37.220.87.8:42823:

Analysis payload.exe (MD5: 4C1CD8FD2D86D65EDCD88C9E982EF86E) Malicious activity — Interactive analysis ANY.RUN

4c1cd8fd2d86d65edcd88c9e982ef86e / @Housto_N_n

Analysis https://telegra.ph/Link-To-Download-03-09 Malicious activity — Interactive analysis ANY.RUN

88ff28a1331720f5907c7411eecd788a / @osjakal

Or META 185.106.93.193:48563

Analysis https://www.mediafire.com/file/3w587hngl817mmb Malicious activity — Interactive analysis ANY.RUN

? / @deathwill

Analysis https://www.upload.ee/files/15532400/2023.rar.html Malicious activity — Interactive analysis ANY.RUN

C3EF845E5961F6B2DBB1914B2F2E60EB / @coufaaiinne

(Not) The end ;)

Expect more content, soon.
Best regards,

@g0njxa

Article Link: Profiling Трафферы: KZ Team Reborn | by g0njxa | Mar, 2024 | Medium