Wednesday 2 October 14:00 - 14:30, Red room
Lena Yu (ANY.RUN)
The digital landscape teems with diverse malware families, each engineered with distinct capabilities – ranging from data theft and the deployment of additional malicious payloads to the destruction of data and more.
Yet, beneath their varied functionalities, these pieces of malware may unite in a complex and orchestrated performance, functioning in concert to unleash potent malware infections. This intricate interplay, which I term a “malware symphony”, mirrors the harmonious collaboration of instruments in an orchestra, where each contributes its unique timbre to the overall composition.
A prime exemplar of such orchestrated cyber malevolence is the CrackedCantil campaign – a moniker derived from its roots in cracked software and its analogy to the venomous Cantil viper. This campaign stands out for its collaborative use of numerous distinct families of malware, including PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz and STOP.
This specific CrackedCantil campaign was staged on Google Groups, and the ticket to this malware symphony was delivered by cracked software.
In the grand composition of the CrackedCantil symphony, the initial overture is masterfully executed by loaders such as PrivateLoader and Smoke. These serve as the maestros, setting the stage and tempo for the ensuing performance, by seamlessly facilitating the intrusion of various notorious malware into the system. Their role is pivotal, as they cue the entrance of the ensemble, ensuring each malware is perfectly positioned for their part in this dark opus.
As the symphony progresses into its first movement, a cadre of infostealers – Lumma, RedLine, RisePro, Amadey and Stealc – takes centre stage. Like virtuoso soloists, they deftly navigate through the system's defences, extracting sensitive data with precision. Their performance is both intricate and devastating, leaving no stone unturned in their quest to pilfer every piece of valuable information.
Simultaneously, the proxy bot malware Socks5Systemz assumes the role of the chorale, subtly transforming the infected system into a proxy botnet. This collective force operates in the background, supporting the soloists by expanding the attack's reach and complexity, much like a chorus enriches a symphony's depth.
The final movement is heralded by the ransomware STOP, delivering a dramatic finale. This malevolent force acts as the crescendo of the campaign, encrypting the victim's files with a potency that demands a ransom for their release. It's a climactic end to a meticulously orchestrated performance, leaving the audience – in this case, the victims – in a state of shock and despair.
This presentation delves deep into the CrackedCantil campaign's symphonic structure, analysing how each malware component contributes to a harmonious yet malicious concert designed to compromise and exploit systems with unparalleled sophistication.
CrackedCantil Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil
Lena Yu
Lena is a malware analyst and researcher from Japan, and the author of the ANY.RUN malware analysis articles. She has investigated several cyber threats including the Roaming Mantis smishing campaigns, IPFS phishing campaigns and international scam operations, and has written numerous articles for open-source education. She has also created the MARC I (Malware Analysis Report Competition), fostering contributions to open-source education in malware analysis.
Back to VB2024 conference page