Analysis of a large resilient infrastructure distributing Raccoon and Vidar stealers

SEKOIA.IO analysts unveiled a large and resilient infrastructure used to distribute the Raccoon and Vidar stealers, likely active since early 2020. The associated infection chain, which leverages this infrastructure of over 250 domains, uses about a hundred fake cracked-software catalogue websites that redirect the visitor through several links before the payload, hosted on file-sharing platforms such as GitHub, is downloaded.

We published a FLINT that presents the current infection chain, the distributed payloads and the whole infrastructure tracked by SEKOIA.IO.
