New prank Trojan in Russia, data leak from the European Commission, and other cybersecurity events - ForkLog: cryptocurrencies, AI, singularity, the future

# A new prank trojan in Russia, data leak from the European Commission, and other cybersecurity events

We’ve gathered the most important news from the world of cybersecurity over the past week.

  • Watched, swapped crypto addresses, and mocked: a prank trojan was found in Russia.
  • The addresses of software servers for stealing cryptocurrencies were found in Spotify and Chess.com.
  • A hacker was charged with stealing $53 million from the Uranium crypto exchange.
  • Experts found an updated seed-phrase stealer for Apple and Android.

Watched, swapped crypto addresses, and mocked: a prank trojan was found in Russia

Experts from Kaspersky Lab identified an active campaign distributing a new trojan in Russia. CrystalX is promoted under the CaaS model through ads on Telegram and YouTube.

The software works as both spyware and a stealer, enabling the following actions:

  • stealing browser credentials, as well as Steam, Discord, and Telegram accounts;
  • covertly swapping cryptocurrency wallet addresses in the clipboard;
  • secretly recording audio and video from the screen and web cameras.

A distinctive feature of the malware is real-time mockery of the user. For this, the control panel contains a separate Rofl section with the corresponding commands:

  • downloading an image from a specified URL and setting it as the desktop background;
  • changing the screen orientation to 90°, 180°, or 270°;
  • shutting down the OS using the shutdown.exe utility;
  • swapping the functions of the left and right mouse buttons;
  • turning off the monitor and blocking input;
  • shaking the cursor at short intervals;
  • hiding all file icons on the desktop, disabling the taskbar, the task manager, and cmd.exe.

In addition, the attacker can send a message to the victim, after which a dialog window opens on the system for two-way communication.

Source: Kaspersky Lab.

As Kaspersky GReAT senior expert Leonid Bezvershenko noted in a comment to “Durov’s Code,” the virus is actively evolving and is supported by its creators. He expects the number of victims to grow as the geography of the attacks expands.

The experts advise downloading apps only from official stores, installing reliable antivirus software, and enabling the display of file extensions in Windows so you don’t accidentally run dangerous .EXE, .VBS, or .SCR files.

The addresses of software servers for stealing cryptocurrencies were found in Spotify and Chess.com

Researchers at Solar 4RAYS noticed that hackers hide the addresses of the MaskGram stealer’s command servers in user profiles on Spotify and Chess.com.

MaskGram targets the theft of accounts and cryptocurrencies and can also load additional modules.

The malicious software collects system data, the list of processes, and installed applications, and takes screenshots. It extracts information from Chromium-based browsers, crypto wallets, email clients, messengers, and VPN apps.

Cybercriminals distribute the software via social engineering, disguising it as cracked versions of paid tools for mass-checking logins and passwords from leaked databases, such as Netflix Hunter Combo Tool, Steam Combo Extractor, and Deezer Checker.

According to the experts, the software uses a “dead drop” technique, also called a Dead Drop Resolver (DDR), in which information about the command server is stored on pages of public services and can be changed quickly.

The infected machine therefore contacts not a suspicious IP address but Spotify or Chess.com, which looks like normal user activity.

About field in a Chess.com user profile. Source: Solar 4RAYS.

For each platform a different set of markers is used. For Chess.com, for example, it is the About field of the user profile. The extracted string is decoded and turned into a server domain.

In March, Aikido specialists recorded the use of the “dead drop” technique by the GlassWorm stealer in crypto transactions on the Solana blockchain.
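A simple hunting heuristic for the dead-drop pattern described above, added here as an illustration (not Solar 4RAYS code): flag non-browser processes fetching user-profile pages on the public services named in the article, and count repeated polling of the same profile. The telemetry format, the list of expected client processes and the profile URL shapes are assumptions; the log lines are constructed.

```python
"""Hunting heuristic for Dead Drop Resolver (DDR) look-ups in proxy telemetry.

Added example, not Solar 4RAYS code. Log format, process list and URL
shapes are assumptions; SAMPLE_LOGS below is constructed.
"""
from collections import defaultdict

# Public services the article reports MaskGram using as dead drops.
DEAD_DROP_HOSTS = {"www.chess.com", "api.chess.com", "open.spotify.com"}
# Processes expected to read profile pages on those hosts (assumption).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "spotify.exe"}
# Profile-page URL shapes where an encoded string could be parked (assumed).
PROFILE_PREFIXES = ("/member/", "/pub/player/", "/user/")


def parse_line(line):
    """Constructed format: '<ts> <endpoint> <process> <dst_host> <path>'."""
    ts, endpoint, process, dst, path = line.split(maxsplit=4)
    return {"ts": ts, "endpoint": endpoint, "process": process.lower(),
            "dst": dst.lower(), "path": path}


def is_ddr_candidate(ev):
    """A process that is not a known client reading a profile on a dead-drop host."""
    return (ev["dst"] in DEAD_DROP_HOSTS
            and ev["process"] not in EXPECTED_CLIENTS
            and ev["path"].startswith(PROFILE_PREFIXES))


def hunt(lines):
    """Group candidates by (endpoint, process, host, path) and count hits.
    Repeated polling of one profile is the stronger signal: DDR lets the
    operator rotate the C2 domain, so the implant has to re-read the page."""
    buckets = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if is_ddr_candidate(ev):
            buckets[(ev["endpoint"], ev["process"], ev["dst"], ev["path"])] += 1
    return dict(buckets)


SAMPLE_LOGS = [  # constructed telemetry, not real traffic
    "09:00:01 WS-17 chrome.exe www.chess.com /member/someplayer",
    "09:00:05 WS-17 svchost.exe www.chess.com /member/zx_profile_01",
    "09:05:07 WS-17 svchost.exe www.chess.com /member/zx_profile_01",
    "09:10:09 WS-17 svchost.exe www.chess.com /member/zx_profile_01",
    "09:00:30 WS-22 spotify.exe open.spotify.com /user/friendlist",
    "09:01:00 WS-22 updater.exe open.spotify.com /user/a1b2c3d4",
    "09:02:00 WS-22 updater.exe api.chess.com /pub/player/a1b2c3d4",
    "09:03:00 WS-22 winword.exe www.chess.com /play/online",
]

if __name__ == "__main__":
    for (endpoint, proc, dst, path), n in sorted(hunt(SAMPLE_LOGS).items()):
        print(f"{endpoint} {proc} -> {dst}{path} x{n}")
```

The same grouping works over real proxy or EDR network events once `parse_line` is adapted to their field layout; the browser list should be tuned to the fleet to keep false positives down.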

A hacker was charged with stealing $53 million from the Uranium crypto exchange

The U.S. Department of Justice charged Jonathan Spalletta with stealing more than $53 million from the Uranium Finance crypto exchange and money laundering.

In April 2021, Spalletta (also known as Cthulhon) hacked Uranium, a decentralized exchange (DEX) on BNB Chain. The resulting shortage of funds forced the company to close.

In February 2025, during a search of the suspect’s home, law enforcement seized valuables and recovered cryptocurrency worth about $31 million.

According to law enforcement, Spalletta laundered the stolen assets through the DEX and the Tornado Cash mixer and spent the proceeds on collectibles:

  • a Magic: The Gathering “Black Lotus” card — ~$500,000;
  • 18 sealed Magic: The Gathering Alpha Edition boosters — ~$1.5 million;
  • a complete Base Set Pokémon first edition — ~$750,000;
  • an ancient Roman coin minted in honor of the killing of Julius Caesar — more than $601,000.

Spalletta faces up to 10 years in prison on the computer fraud charges and up to 20 years if found guilty of money laundering.

Experts found an updated seed-phrase stealer for Apple and Android

Researchers from Kaspersky Lab discovered a new version of the SparkCat cryptocurrency-stealing malware in the Apple App Store and Google Play, The Hacker News reports.

The stealer disguises itself as harmless apps such as corporate messengers and food delivery services. In the background, it scans victims’ photo galleries in search of cryptocurrency wallet seed phrases.

The experts analyzed two infected apps in the App Store and one in Google Play. They are aimed primarily at cryptocurrency users in Asia:

  • iOS variant. Scans for crypto wallet mnemonic phrases in English. This makes the iOS version potentially more dangerous on a global scale, since it can affect users regardless of their region;
  • Android variant. The updated version adds several layers of code obfuscation compared with the previous one, using code virtualization and cross-platform programming languages to hinder analysis. It also looks for keywords in Japanese, Korean, and Chinese, confirming a focus on the Asian region.

Specialists believe a Chinese- or Russian-speaking operator is behind the operation. According to the latest data, the threat is actively evolving, and the individuals behind it are highly skilled technically.

The European Commission confirmed a leak following the ShinyHunters cyberattack

The European Commission (EC) confirmed a data leak after a cyberattack on the Europa.eu web platform, for which the ShinyHunters extortion group claimed responsibility.

The EC said the incident did not disrupt the operation of the portal and had been contained.

Although the Commission did not provide details, the attackers told BleepingComputer that they had stolen more than 350 GB of information, including several databases. They did not disclose how they compromised the AWS accounts, but provided screenshots confirming access to the accounts of some EC employees.

The group also published a post on its dark web leaks site, claiming that more than 90 GB of files were stolen:

  • dumps of mail servers;
  • databases;
  • confidential documents and contracts;
  • other sensitive materials.

Source: BleepingComputer.

Also on ForkLog:

  • The Solana project Drift Protocol lost $280 million.
  • CertiK warned about the risks of stealing cryptocurrencies via OpenClaw.

What to read over the weekend?

After studying data from research teams, corporate reports, and the current state of affairs, ForkLog figured out how “brain-to-computer” interface technologies are evolving.
