A prolific threat actor has been operating on Russian-language forums since 2020, but then he accidentally infected his own computer and sold off its contents to threat researchers.

Dark Reading Staff, Dark Reading

July 18, 2023

1 Min Read
Image of aluminum foil brand Foiled Again

Malicious actor "La_Citrix" built a reputation on gaining access to organizations' Citrix remote desktop protocol (RDP) VPN servers and selling them off to the highest bidder on Russian-language Dark Web forums.

The threat actor was using an infostealer to rip off credentials in campaigns dating back to 2020 — until La_Citrix accidentally infected his own computer with the malware and sold off his own data, along with a cache of other stolen data, to threat researchers with Hudson Rock who were lurking on the Dark Web to gather threat intelligence.

The first clue that there was something unusual afoot was when Hudson Rock's API detected a single user in the stolen data who appeared as an employee at nearly 300 different companies, the report explained.

"Surprisingly, it was discovered that this threat actor orchestrated all of the hacking incidents using his personal computer, and browsers installed on that computer stored the corporate credentials used for the various hacks," Hudson Rock's report noted.

Ujpon digging further, Hudson Rock's team was quickly able to ascertain the threat actor's identity, along with his address, phone, as well as evidence of his malicious activities.

"Hudson Rock will forward the data to relevant law enforcement agencies," the report added.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights