A sophisticated phishing campaign targeting the Albion Online gaming community has been uncovered, revealing a complex operation involving impersonation of the Electronic Frontier Foundation (EFF) and deployment of advanced malware.
The campaign, discovered on March 4, 2025, showcases the evolving tactics of cybercriminals in exploiting trust in reputable organizations and leveraging the immersive nature of gaming environments.
The threat actors, believed to be Russian-speaking based on code comments, utilized an exposed directory to host malicious payloads and decoy documents.
This infrastructure, identified at IP address 83.217.208.90, contained a mix of PDFs, ZIP archives, and PowerShell scripts designed to facilitate malware delivery.
The primary payload consisted of two malware families: Stealc, a credential stealer, and Pyramid C2, an open-source command and control framework.
Sophisticated Malware Delivery and Infrastructure
The attack chain begins with a Windows shortcut (LNK) file that executes a PowerShell script, bypassing execution policies.
This script opens a decoy PDF purportedly from the EFF while extracting and executing malicious components in the background.
The malware, obfuscated using zlib compression and base64 encoding, communicates with multiple command and control servers, including 104.245.240.19:443 and 212.87.222.84:443.
Hunt analysis of the malware’s behavior revealed that Pyramid C2 is used to deliver encrypted files, potentially evading endpoint detection and response (EDR) solutions.
The Stealc stealer, meanwhile, focuses on extracting credentials from popular web browsers before exfiltrating the data to its command and control server.
The campaign’s infrastructure extends beyond a single server, with 11 additional IPs identified through shared SSH keys, all hosted on the Partner Hosting LTD network.
This extensive network footprint suggests a well-resourced and organized operation.
Implications and Mitigation Strategies
This campaign highlights the ongoing threat to online gaming communities, where the potential for financial gain through compromised accounts makes them attractive targets for cybercriminals.
The impersonation of the EFF adds a layer of credibility to the phishing attempts, exploiting users’ trust in reputable organizations.
To mitigate risks, users are advised to exercise caution with unsolicited communications, verify the authenticity of sources through official channels, and utilize security tools for link and attachment analysis before interaction.
The gaming industry and cybersecurity community must remain vigilant against such sophisticated impersonation tactics and evolving malware deployment strategies.
As this campaign demonstrates, the intersection of social engineering, malware sophistication, and exploitation of gaming ecosystems continues to present significant challenges in the cybersecurity landscape.
Ongoing monitoring and rapid information sharing remain crucial in detecting and mitigating such threats effectively.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free