Malicious actor "La_Citrix" built a reputation on gaining access to organizations' Citrix remote desktop protocol (RDP) VPN servers and selling them off to the highest bidder on Russian-language Dark Web forums.
The threat actor was using an infostealer to rip off credentials in campaigns dating back to 2020 — until La_Citrix accidentally infected his own computer with the malware and sold off his own data, along with a cache of other stolen data, to threat researchers with Hudson Rock who were lurking on the Dark Web to gather threat intelligence.
The first clue that something unusual was afoot came when Hudson Rock's API detected a single user in the stolen data who appeared as an employee at nearly 300 different companies, Hudson Rock's report explained.
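The anomaly Hudson Rock describes, one infected machine holding saved credentials for hundreds of unrelated organizations, is a simple check any team triaging stealer logs can run. The example below is added here and is not Hudson Rock's code or API: it groups constructed credential records by machine ID, counts the distinct organization domains each machine's saved logins point at, and flags machines above a threshold. The record layout, machine IDs, domains and the `threshold` parameter are all assumptions for illustration.

```python
"""Flag infostealer-log machines whose saved corporate credentials span an
anomalous number of distinct organizations (added example, not Hudson Rock's
code; record layout and values are constructed)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: one saved browser credential per entry, keyed by
# the infected machine's ID. An ordinary employee's machine (M-001) holds logins
# for one employer; M-002 holds logins for several unrelated organizations.
SAMPLE_RECORDS = [
    {"machine_id": "M-001", "url": "https://mail.example-corp.com/owa", "user": "j.doe@example-corp.com"},
    {"machine_id": "M-001", "url": "https://vpn.example-corp.com/", "user": "j.doe@example-corp.com"},
    {"machine_id": "M-002", "url": "https://citrix.alpha-inc.example/", "user": "admin"},
    {"machine_id": "M-002", "url": "https://gateway.beta-llc.example/", "user": "svc_rdp"},
    {"machine_id": "M-002", "url": "https://vpn.gamma-co.example/", "user": "it.support"},
    {"machine_id": "M-002", "url": "https://remote.delta-org.example/", "user": "helpdesk"},
    {"machine_id": "M-003", "url": "https://accounts.google.com/", "user": "person@gmail.com"},
]

# Consumer services that appear on almost every machine and say nothing about
# which organization the machine belongs to (constructed, non-exhaustive list).
CONSUMER_DOMAINS = frozenset({"google.com", "facebook.com", "amazon.com"})


def org_domain(url):
    """Reduce a saved-login URL to its registrable-looking domain.

    Takes the last two labels of the hostname (e.g. 'vpn.gamma-co.example' ->
    'gamma-co.example'). This is a deliberate simplification: it mis-handles
    multi-label public suffixes such as 'co.uk', which a real pipeline would
    resolve with the public suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def distinct_orgs_per_machine(records, ignore=CONSUMER_DOMAINS):
    """Map each machine ID to the sorted set of organization domains its saved
    credentials reference, excluding domains in `ignore`."""
    orgs = defaultdict(set)
    for rec in records:
        domain = org_domain(rec["url"])
        if domain and domain not in ignore:
            orgs[rec["machine_id"]].add(domain)
    return {machine: sorted(domains) for machine, domains in orgs.items()}


def flag_suspicious_machines(records, threshold=3, ignore=CONSUMER_DOMAINS):
    """Return machine IDs whose credentials span at least `threshold` distinct
    organizations. A legitimate employee rarely has saved logins for more than
    a handful of employers; a machine touching dozens or hundreds is more likely
    an operator's box than a victim's, which is the signal in the article."""
    per_machine = distinct_orgs_per_machine(records, ignore)
    return sorted(m for m, domains in per_machine.items() if len(domains) >= threshold)


if __name__ == "__main__":
    for machine, domains in distinct_orgs_per_machine(SAMPLE_RECORDS).items():
        print(f"{machine}: {len(domains)} org(s) -> {', '.join(domains)}")
    print("flagged:", flag_suspicious_machines(SAMPLE_RECORDS))
```

The threshold of 3 only makes the constructed sample readable; against real stealer-log volumes it would be tuned far higher (the article's case involved nearly 300 companies), and contractors or MSP staff who legitimately hold logins for several clients are the obvious false positives to review before escalating.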
"Surprisingly, it was discovered that this threat actor orchestrated all of the hacking incidents using his personal computer, and browsers installed on that computer stored the corporate credentials used for the various hacks," Hudson Rock's report noted.
Upon digging further, Hudson Rock's team was quickly able to ascertain the threat actor's identity, along with his address and phone number, as well as evidence of his malicious activities.
"Hudson Rock will forward the data to relevant law enforcement agencies," the report added.