Infostealer Irony: Hacker Foiled by Their Own Infostealer
A company that specializes in collecting compromised login credentials from cybercriminals for research and intelligence purposes encountered a threat actor known as “La_Citrix.”
This individual is notorious for hacking into companies and selling access to their Citrix/VPN/RDP servers. He also sells logs of information stolen from computers infected with info-stealing malware. La_Citrix has operated primarily on Russian-speaking cybercrime forums since 2020 and remains active today.
The screenshot shows the threat actor’s profile on exploit.in, including the threads the actor created to sell logs of stolen information and access to various companies.
Interestingly, it appears that while infecting other people’s computers, La_Citrix unintentionally infected their own machine and probably sold the resulting log without realizing it.
During an investigation of hackers who were themselves infected by info-stealers while active on major cybercrime forums, Hudson Rock researchers identified La_Citrix. With that lead in hand, they took a closer look at La_Citrix’s computer.
Hackers accidentally getting infected by info-stealers is not uncommon; it happens to them just as it happens to employees of highly technical companies. A notable example is raidforums.com, a prominent cybercrime forum that was shut down by law enforcement: Hudson Rock’s database contains over 7,000 compromised users from this forum, including numerous hackers.
During the analysis of the data from La_Citrix’s computer, researchers made a surprising discovery. Hudson Rock’s API identified this individual as an employee associated with nearly 300 different companies. On closer examination of the credentials stored on the computer, the reason behind this finding became evident.
Remarkably, the threat actor had orchestrated all of their hacking incidents from their personal computer, and the corporate credentials used in those hacks were saved in the web browsers installed on that system.
A notable aspect of La_Citrix’s method of infiltrating companies is that it relies on corporate credentials harvested from computers previously infected by info-stealers. Further examination of the corporate credentials accessible to La_Citrix revealed that a significant portion of them was already present in Hudson Rock’s database. Additional information extracted from La_Citrix’s computer, such as the list of “Installed Software,” unveiled crucial details about the hacker’s real identity, including their address and phone number. Notably, “qTox,” a messenger frequently used by ransomware groups, was found installed on the computer.
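The two analytic steps described above, spotting a machine whose saved logins span an implausible number of organizations and checking which of those credentials already appear in an earlier leak, can be reproduced on a credential feed with a small triage script. The following is an added example written for this article; it is not Hudson Rock’s code or API, the records and domains are constructed and hypothetical, and the `registrable_domain` helper is a simplification (a real tool would consult the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the shape of an infostealer log's saved-credential
# section: (machine_id, url, username). All values are hypothetical.
SAMPLE_RECORDS = [
    ("MACHINE-A", "https://mail.google.com/", "alice@gmail.com"),
    ("MACHINE-A", "https://vpn.acme-corp.example/login", "alice"),
    ("MACHINE-B", "https://citrix.firstbank.example/", "admin"),
    ("MACHINE-B", "https://remote.hospital-net.example/rdweb", "jdoe"),
    ("MACHINE-B", "https://vpn.acme-corp.example/login", "bob"),
    ("MACHINE-B", "https://sso.logistics-co.example/", "svc_backup"),
    ("MACHINE-B", "https://www.facebook.com/", "lacitrix"),
]

# Constructed stand-in for a previously collected leak database: (domain, username).
KNOWN_LEAKED = {
    ("acme-corp.example", "bob"),
    ("firstbank.example", "admin"),
}

# Consumer services whose saved logins say nothing about employer affiliation.
CONSUMER_DOMAINS = {"google.com", "facebook.com", "yahoo.com", "outlook.com"}


def registrable_domain(url):
    """Reduce a URL to its registrable domain (simplified: last two host labels)."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def corporate_domains_per_machine(records):
    """Map each machine to the set of non-consumer domains it holds logins for."""
    per_machine = defaultdict(set)
    for machine_id, url, _username in records:
        domain = registrable_domain(url)
        if domain and domain not in CONSUMER_DOMAINS:
            per_machine[machine_id].add(domain)
    return per_machine


def flag_multi_org_machines(records, threshold=3):
    """Return machines whose saved logins span at least `threshold` organizations.

    A normal employee's browser holds logins for one or two employers; a machine
    with many is either a shared/admin box or, as in the article, a machine used
    to operate stolen credentials.
    """
    return {
        machine_id: sorted(domains)
        for machine_id, domains in corporate_domains_per_machine(records).items()
        if len(domains) >= threshold
    }


def overlap_with_known_leaks(records, known_leaked):
    """Per machine, list the (domain, username) pairs already present in a prior leak set."""
    overlap = defaultdict(set)
    for machine_id, url, username in records:
        pair = (registrable_domain(url), username)
        if pair in known_leaked:
            overlap[machine_id].add(pair)
    return {machine_id: sorted(pairs) for machine_id, pairs in overlap.items()}


if __name__ == "__main__":
    for machine_id, domains in flag_multi_org_machines(SAMPLE_RECORDS).items():
        print(f"{machine_id}: logins for {len(domains)} organizations: {domains}")
    for machine_id, pairs in overlap_with_known_leaks(SAMPLE_RECORDS, KNOWN_LEAKED).items():
        print(f"{machine_id}: {len(pairs)} credential(s) already seen in earlier leaks: {pairs}")
```

The threshold is deliberately low for the constructed data; on a real feed it would be tuned against the distribution of organizations per machine, and the overlap check is what lets an analyst tell reused stolen credentials from freshly harvested ones.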