Summary

Kaspersky Global Emergency Response Team (GERT) has identified a complex campaign, consisting of multiple sub-campaigns, orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, slightly modifying their names and branding and using multiple social media accounts to increase their credibility. In our analysis, we observed that all the active sub-campaigns host the initial downloader on Dropbox. This downloader is responsible for delivering additional malware samples to the victim's machine, mostly infostealers (Danabot and StealC) and clippers. Besides this, the actors use phishing to trick users into providing additional sensitive information, such as credentials, which can then be sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets and drain their funds directly.

We identified three active sub-campaigns (at the time of analysis) and 16 inactive sub-campaigns related to this activity. We dubbed it "Tusk", as the threat actor uses the word "Mammoth" in log messages of the initial downloaders — at least in the three active sub-campaigns we analyzed. "Mammoth" is slang used by Russian-speaking threat actors to refer to victims. Mammoths used to be hunted by ancient people, and their tusks were harvested and sold. Analysis of the inactive sub-campaigns suggests that these are either old campaigns or campaigns that haven't started yet. In this post, we analyze the three most recently…