{"id":95908,"date":"2026-04-04T07:00:00","date_gmt":"2026-04-04T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=95908"},"modified":"2026-04-04T09:06:21","modified_gmt":"2026-04-04T06:06:21","slug":"prank-trojan-in-russia-european-commission-data-leak-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/prank-trojan-in-russia-european-commission-data-leak-and-other-cybersecurity-news\/","title":{"rendered":"Prank trojan in Russia, European Commission data leak, and other cybersecurity news"},"content":{"rendered":"<p>Here are the week\u2019s key cybersecurity developments.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Spied, swapped crypto addresses and taunted victims: a prankish trojan found in Russia.<\/li>\n<li>C2 addresses for crypto-stealing malware found on Spotify and Chess.com.<\/li>\n<li>Hacker charged over $53m theft from the Uranium exchange.<\/li>\n<li>Researchers found an updated seed-phrase stealer for Apple and Android.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Spied, swapped crypto addresses and taunted victims: prank trojan uncovered in Russia<\/h2>\n<p>Researchers at Kaspersky Lab <a href=\"https:\/\/securelist.ru\/crystalx-rat-with-prankware-features\/115077\/\">identified<\/a> an active campaign in Russia spreading a new trojan. CrystalX is marketed under a <a href=\"https:\/\/forklog.com\/en\/news\/a-subscription-to-crime-how-rented-hacking-software-imperils-web3\">CaaS<\/a> model via ads on the social platforms Telegram and YouTube.<\/p>\n<p>The software acts as both a spy and a stealer, enabling the following:<\/p>\n<ul class=\"wp-block-list\">\n<li>steal browser credentials as well as Steam, Discord and Telegram accounts;<\/li>\n<li>silently replace crypto-wallet addresses in the clipboard;<\/li>\n<li>covertly record audio and video from the screen and webcam.<\/li>\n<\/ul>\n<p>Its distinguishing feature is real-time mockery of the user. The panel includes a dedicated Rofl section with commands to:<\/p>\n<ul class=\"wp-block-list\">\n<li>download an image from a specified URL and set it as the desktop background;<\/li>\n<li>rotate the display by 90\u00b0, 180\u00b0 or 270\u00b0;<\/li>\n<li>shut down the OS via shutdown.exe;<\/li>\n<li>swap left- and right-mouse-button functions;<\/li>\n<li>turn off the monitor and lock input;<\/li>\n<li>make the cursor jitter at short intervals;<\/li>\n<li>hide all desktop icons and disable the taskbar, Task Manager and cmd.exe.<\/li>\n<\/ul>\n<p>The attacker can also send a message to the victim, opening a dialog box for two-way chat.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-fa9f6b40d7f5f8c9-847123200966698.webp\" alt=\"image\" class=\"wp-image-277969\"\/><figcaption class=\"wp-element-caption\">Source: Kaspersky Lab.<\/figcaption><\/figure>\n<p>As Leonid Bezvershenko, a senior Kaspersky GReAT expert, said in a <a href=\"https:\/\/kod.ru\/pranker-crystalx\">comment<\/a> to \u201cKod Durova\u201d, the malware is under active development and support by its creators. He expects victim numbers to rise as the campaign\u2019s geography widens.<\/p>\n<p>Experts advise downloading apps only from official stores, installing a reputable antivirus, and enabling file-extension display in Windows to avoid accidentally launching .EXE, .VBS or .SCR files.<\/p>\n<h2 class=\"wp-block-heading\">C2 addresses for crypto-stealing malware found on Spotify and Chess.com<\/h2>\n<p>Researchers at <a href=\"https:\/\/rt-solar.ru\/solar-4rays\/blog\/6482\/\">Solar 4RAYS<\/a> found that hackers hide the controlling servers for the MaskGram stealer in Spotify and Chess.com profiles.\u00a0<\/p>\n<p>MaskGram targets the theft of accounts and cryptocurrencies and can fetch additional modules.<\/p>\n<p>The malware collects data about the system, running processes and installed applications, and takes screenshots. It harvests information from Chromium-based browsers, crypto wallets, email clients, messengers and VPN apps.<\/p>\n<p>Attackers distribute the software via social engineering, posing as cracked versions of paid tools for mass checking of logins and passwords against leaked databases, such as Netflix Hunter Combo Tool, Steam Combo Extractor and Deezer Checker.<\/p>\n<p>According to experts, the malware uses the \u201cdead drop\u201d technique, or Dead Drop Resolver (<span data-descr=\"a cyberattack technique in which malware uses popular web services to locate encrypted information required to communicate with its command-and-control server\" class=\"old_tooltip\">DDR<\/span>), which allows operators to store C2 information on public services and rotate it quickly.<\/p>\n<p>An infected machine reaches out not to a suspicious IP but to Spotify or Chess.com, mimicking ordinary user activity.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-2fcfa68c3de28498-847123204802267.webp\" alt=\"image\" class=\"wp-image-277970\"\/><figcaption class=\"wp-element-caption\">The \u201cabout\u201d field in a Chess.com user profile. Source: Solar 4RAYS.<\/figcaption><\/figure>\n<p>Each platform uses its own markers. For Chess.com, for example, it is the user profile\u2019s about field. The extracted string is decoded into the server domain.<\/p>\n<p>In March, Aikido specialists <a href=\"https:\/\/forklog.com\/en\/news\/india-arrests-trafficker-solana-used-as-a-dead-drop-and-other-cybersecurity-developments\">documented<\/a> the use of the dead-drop technique by the GlassWorm stealer in crypto transactions on the Solana blockchain.<\/p>\n<h2 class=\"wp-block-heading\">Hacker charged over $53m theft from Uranium crypto exchange\u00a0<\/h2>\n<p>US prosecutors <a href=\"https:\/\/www.justice.gov\/usao-sdny\/pr\/maryland-man-charged-defrauding-crypto-exchange-over-50-million-hacks\">charged<\/a> Jonathan Spalletta with stealing more than $53m from the Uranium Finance crypto exchange and laundering the proceeds.<\/p>\n<p>In April 2021, Spalletta (also known as Cthulhon) <a href=\"https:\/\/forklog.com\/en\/news\/uranium-finance-project-loses-50-million-in-ethereum-due-to-vulnerability\">hacked<\/a> the BNB Chain-based Uranium decentralized exchange (DEX). The shortfall forced the company to shut down.<\/p>\n<p>In February 2025, during a search, law enforcement <a href=\"https:\/\/forklog.com\/en\/news\/us-authorities-seize-31-million-in-crypto-linked-to-uranium-finance-hack\">seized<\/a> valuables from the suspect\u2019s home and restored access to cryptocurrency worth around $31m.<\/p>\n<p>According to authorities, Spalletta laundered the stolen assets through DEXs and the mixer <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>. He spent the proceeds on collectibles:<\/p>\n<ul class=\"wp-block-list\">\n<li>a Magic: The Gathering \u201cBlack Lotus\u201d card \u2014 ~$500,000;<\/li>\n<li>18 sealed Alpha Edition Magic: The Gathering boosters \u2014 ~$1.5m;<\/li>\n<li>a complete first-edition Pok\u00e9mon base set \u2014 ~$750,000;<\/li>\n<li>an ancient Roman coin minted to commemorate the assassination of Julius Caesar \u2014 over $601,000.<\/li>\n<\/ul>\n<p>He faces up to ten years in prison on computer-fraud charges and up to 20 years if convicted of money laundering.<\/p>\n<h2 class=\"wp-block-heading\">Researchers find updated seed-phrase stealer targeting Apple and Android<\/h2>\n<p>Kaspersky Lab researchers found a new variant of the SparkCat cryptocurrency-stealing malware in the Apple App Store and Google Play Store, <a href=\"https:\/\/thehackernews.com\/2026\/04\/new-sparkcat-variant-in-ios-android.html\">The Hacker News reports<\/a>.<\/p>\n<p>The stealer masquerades as innocuous apps such as corporate messengers and food-delivery services. In the background it scans victims\u2019 photo galleries for crypto-wallet seed phrases.<\/p>\n<p>Experts analyzed two tainted apps in the App Store and one in Google Play. They are aimed mainly at crypto users in Asia:<\/p>\n<ul class=\"wp-block-list\">\n<li>iOS variant. Scans crypto-wallet mnemonic phrases in English. This approach makes the iOS version potentially more dangerous globally, as it can affect users regardless of region;<\/li>\n<li>Android variant. The updated version adds several layers of code obfuscation compared with earlier builds. It uses code virtualization and cross-platform programming languages to evade analysis. It also looks for keywords in Japanese, Korean and Chinese, underscoring a focus on Asia.<\/li>\n<\/ul>\n<p>Experts believe a Chinese- or Russian-speaking operator is involved. The threat is actively evolving, and those behind it have strong technical skills.<\/p>\n<h2 class=\"wp-block-heading\">European Commission confirms data breach after ShinyHunters attack<\/h2>\n<p>The European Commission (EC) <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_26_748\">confirmed<\/a> a data leak following a cyberattack on the Europa.eu web platform, for which the <a href=\"https:\/\/forklog.com\/en\/news\/figure-admits-to-customer-data-breach\">ShinyHunters<\/a> extortionists claimed responsibility.<\/p>\n<p>The EC said the incident did not disrupt the portal\u2019s operations and was contained.<\/p>\n<p>Although the Commission provided no details, the attackers told <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/european-commission-confirms-data-breach-after-europaeu-hack\/\">BleepingComputer<\/a> they had stolen more than 350GB of data, including several databases. They did not reveal how they compromised <span data-descr=\"Amazon Web Services\" class=\"old_tooltip\">AWS<\/span> accounts but shared screenshots indicating access to some EC staff accounts.<\/p>\n<p>The group also posted on its dark-web leak site, claiming more than 90GB of files were taken:<\/p>\n<ul class=\"wp-block-list\">\n<li>mail-server dumps;<\/li>\n<li>databases;<\/li>\n<li>confidential documents and contracts;<\/li>\n<li>other sensitive materials.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-b6db973f190ad24f-847123610761091.webp\" alt=\"image\" class=\"wp-image-277971\"\/><figcaption class=\"wp-element-caption\">Source: BleepingComputer.\u00a0<\/figcaption><\/figure>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Solana project Drift Protocol <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-on-solana-loses-280m\">lost<\/a> $280m.<\/li>\n<li>CertiK <a href=\"https:\/\/forklog.com\/en\/news\/certik-warns-of-cryptocurrency-theft-risks-via-openclaw\">warned<\/a> of cryptocurrency-theft risks via OpenClaw.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>Drawing on research teams\u2019 data, corporate reports and the state of play, ForkLog examines how brain\u2013computer interface technologies are evolving.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The week\u2019s key cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":95909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week in cybersecurity: a prankish trojan, C2 via Spotify, a $53m DEX hack, and an EU data breach.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-95908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"34","promo_type":"1","layout_type":"1","short_excerpt":"This week in cybersecurity: a prankish trojan, C2 via Spotify, a $53m DEX hack, and an EU data breach.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=95908"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95908\/revisions"}],"predecessor-version":[{"id":95910,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95908\/revisions\/95910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/95909"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=95908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=95908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=95908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}