
Threat actors are abusing the Bitbucket code hosting service to host seven types of malware that has already claimed more than 500,000 business computers.
The arsenal of attackers includes data stealers,
“
Attackers abuse legitimate online storage platforms to bypass security products due to the trust given to legitimate online services. The use of online storage platform also allows attackers to reduce the exposure to their C2 server infrastructure by separating the delivery infrastructure (online storage platforms) from the C2 server infrastructure.
The attackers are hosting malware on several Bitbucket accounts, the malicious codes receive frequent updates.
- Predator: Predator is an information stealer that steals credentials from browsers, uses the camera to take pictures, takes screenshots, and steals cryptocurrency wallets.
- Azorult: Azorult is an information stealer that steals passwords, email credentials, cookies, browser history, IDs, cryptocurrencies, and has backdoor capabilities.
- Evasive Monero Miner: The Evasive Monero Miner is the dropper for a multi-stage XMRig Miner that uses advanced evasion techniques to mine Monero and stay under the radar.
- STOP Ransomware: The STOP Ransomware is used to ransom the file system and is based on an open source ransomware platform. It also has downloader capabilities that it uses to infect the system with additional malware.
- Vidar: Vidar is an information stealer that steals web browser cookies and history, digital wallets, two-factor authentication data, and takes screenshots.
- Amadey bot: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information on a target machine.
- IntelRapid: IntelRapid is a cryptocurrency stealer that steals different types of cryptocurrency wallets.
Attackers are using Themida as a p
The attackers
Most of the tainted crackers observed in this campaign include Azorult and Predator the Thief data stealers.

Experts discovered some Bitbucket repositories linked to each other hosting the same p
“Through research of other samples related to the campaign, we have identified additional Bitbucket repositories that are likely created by the same threat actor with the same set of malware samples.” continues the report. “Judging by the number of downloads, we estimate over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour. ”
More than 500,000 machines have been infected already compromised, experts observed hundreds of new infections every hour.
Experts noticed that when there is nothing to steal from the infected system, attackers deploy the STOP ransomware to blackmail the victims and maintain persistence.
“Attackers continue to evolve and look for more effective ways to make a profit. They are finding that, when their tools fail, they can use legitimate ones instead. Security p
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]



