Threat Context monthly: Executive intelligence briefing for November 2024
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from November.
Threat actor of the month: Reimann Team
“Reimann Team“ is a financially motivated cybercrime group, that specializes in acquiring, processing, and selling logs from popular online platforms.
Initially observed in June 2020, Reimann Team is a well-established traffer team whose reach spans various regions, notably the US, Canada, Europe, and Asia. They target high-demand accounts like Steam, Fortnite, Minecraft, Riot Games, PayPal, and Amazon.
Their technical methods include phishing, credential harvesting, and a Telegram-based infrastructure that automates log collection and resale through bots. Tools offered to members facilitate seamless log processing, automated distribution, and optimized sales, with the “Reimann Logs Cloud” providing regular updates of fresh logs.
Reimann’s primary source of logs comes from RedLine Stealer, a common credential-stealing malware, which is used to compromise accounts from platforms such as gaming services, financial institutions, and social media. In fact, in the law enforcement “Operation Magnus” action against RedLine and Meta information stealers, the username “REIMANN” was listed as a RedLine VIP user in a video published about the operation.
The team’s infrastructure supports a constant flow of fresh logs, and they incentivize traffers with a 50% revenue split and bonuses. Reimann’s recruitment model focuses on incentivizing new traffers, who are paid based on their log contributions. Furthermore, the adversary restricts log access to paying members and bans any resellers who attempt to distribute logs outside the approved system.
Using the moniker REIMANN, the threat actor is active in the Russian-speaking underground forums Zelenka Guru and BHF, which serve as primary advertising hubs for their services and recruitment efforts.
Spotlight threat: Operation Magnus (Law enforcement action)
In late October 2024, in a coordinated international effort known as Operation Magnus, the US Department of Justice, FBI, and Europol worked alongside other law enforcement agencies to disrupt the RedLine and META infostealers operations.
Law enforcement seized 3 servers and 2 domains, which were used to host and distribute RedLine and META. These seizures disrupted the malware’s distribution channels by dismantling key nodes in its infrastructure. Additionally, Telegram channels that facilitated malware sales and support were taken down.
The operation uncovered over 1,200 malware-infected servers across numerous countries. Belgian authorities subsequently dismantled related communication channels, while ESET launched a tool for potential victims to check if their data was compromised and get guidance on protecting themselves.
Maxim Rudometov, a Russian national, was arrested and charged with wire fraud, money laundering, and device fraud for allegedly developing and profiting from META. If convicted, he could face up to 35 years in prison.
One of the most relevant aspects of Operation Magnus is that law enforcement published a video on the official website listing the names of VIP users of the Redline information-stealer – with VIP meaning “Very Important to the Police” according to the video.
This list sparked widespread concern among users on underground forums. Some confirmed the legitimacy of the nicknames included in the video, which hinted at potential legal consequences for not only the developers and sellers of RedLine but also the clients who used it to conduct data theft campaigns. The fear of exposure resonated deeply with those in the cybercriminal world, leading to discussions about tighter operational security.
The operation’s success also sparked intense criticism within the cybercriminal community. Many users openly condemned the RedLine developer for inadequate OPSEC practices, which they blamed for the operation’s success and their subsequent exposure.
These criticisms spurred further discussions on how to enhance personal and collective security. Forum users debated strategies to evade detection and avoid the fate of their peers, exploring new methods for obfuscating their online identities and activities.
KrakenLabs observed highlights
Regulations
Legal protection to security analysts: Germany’s Federal Ministry of Justice has drafted a law to modify the penal code and provide legal protection to security analysts with benign purposes who discover and responsibly report security vulnerabilities to vendors and authorities. Learn more →
Legal dispute against a cybersecurity provider: Delta Air Lines is suing CrowdStrike, claiming negligence over a software update that caused a major IT outage disrupting flights and customer service. CrowdStrike disputes the allegations, citing Delta’s outdated systems as a factor. Learn more →
Trends
Identity-based attacks: During Q3 2024, identity-based attacks surged, with 25% of incidents involving credential theft through password spraying and brute force attacks. One highlighted technique for credential theft is Adversary-in-the-Middle (AitM), where victims enter credentials on fake login pages after clicking malicious links. Learn more →
Typosquatting attack: Researchers have discovered a malicious typosquatting attack against a popular SSH automation library in Python. The malicious package which exfiltrates AWS credentials has been available on PyPI since 2021 with more than 37,000 total downloads. Learn more →
Credit cards details on sale in Threads: Stolen credit card information is being sold openly on Meta’s Threads, with some posts displaying cardholder data such as CVV and expiration dates. Criminals use polls to verify whether stolen cards work and redirect followers to Telegram for full details. Learn more →
Threat landscape for 2025: Google’s forecast for 2025 cyber threats predicts the increasing use of artificial intelligence for sophisticated phishing, vishing, social engineering attacks and disinformation campaigns. Furthermore, ransomware and infostealer malware will continue to be prevalent yet the entry barriers for less-skilled actors will continue decreasing. Learn more →
Ransomware
Black Basta new technique: A Black Basta ransomware has been observed posing as IT support on Microsoft Teams to trick users into providing their credentials. Learn more →
What’s new in Threat Context this month?
Threat actors: DarkRaaS, Satanic, FlyingYeti, UN5820, APT-C-60, Core Werewolf, STORM-0817, Storm-0940, Reimann Team, APT73, Patr1ck, AdaGrabber, PlayBoy Locker and Kairos.
Tools: CloudScout, MDeployer, MS4Killer, Mamba 2FA, SteelFox, Interlock, iNARi, AdaStealer, NPPSPY, FRP plus more!
Try Threat Compass for yourself
Want more threat intel? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Request a live demo here.