The Russian authorities have arrested three individuals in Moscow who are believed to be the creators and operators of the Meduza Stealer information-stealing malware.
The action was announced on Telegram by Irina Volk, a police general and official from the Russian Ministry of Internal Affairs.
"A group of hackers who created the infamous 'Meduza' virus have been detained by my colleagues from the Department for Combating Cybercrime (UBK) of the Russian Ministry of Internal Affairs, together with police officers from the Astrakhan region," stated Volk.
"Preliminary investigation established that about two years ago, the perpetrators developed and began distributing software called 'Meduza' through hacker forums," mentioned the official.
Meduza is an infostealer that steals account credentials, cryptocurrency wallet data, and other information stored in users' web browsers.
It was distributed to cybercriminals under a malware-as-a-service model, in which access was provided in exchange for a subscription fee.
Meduza was among the more technically advanced information stealers on the dark web market and, since December 2023, was capable of "reviving" expired Chrome authentication cookies to facilitate account takeovers.
Researcher 'g0njxa', who monitors the info-stealer space closely, says the same group of cybercriminals was also behind Aurora Stealer, a malware-as-a-service that gained traction in 2022.
While Russia has a history of overlooking cybercriminal activity within its borders as long as the actors do not target Russian people or organizations, Volk said that some Meduza operators targeted an institution in Astrakhan, southern Russia, in May and stole confidential data from its servers.
This led the authorities to open a criminal case against the perpetrators under Part 2, Article 273 of the Russian Criminal Code for the "creation, use, and distribution of malicious computer programs."
The acquired information helped the investigators determine that the three detainees had also developed and were distributing botnet malware capable of disabling security protections on target systems.
Volk concluded the public statement by saying that the authorities are now working to identify all accomplices, so follow-up operations are likely.