SEKOIA researchers have found that the popular pay-per-install (PPI) malware service PrivateLoader is associated with a separate PPI service run by the threat actor ruzki, also known as les0k and zhigalsz, The Hacker News reports.
In addition to command-and-control servers overlapping with the URLs ruzki gives subscribers to track campaign installation metrics, PrivateLoader botnet samples used to distribute the RedLine Stealer carried references to ruzki in their names, according to SEKOIA.
The report also notes that both PrivateLoader and the ruzki service began operating in May 2021, and that the ruzki operator refers to PrivateLoader as "our loader" on its Telegram channel.
"Pay-per-Install services always played a key role in the distribution of commodity malware... As yet another turnkey solution lowering the cost of entry into the cybercriminal market and a service contributing to a continuous professionalization of the cybercriminal ecosystem, it is highly likely more PrivateLoader-related activity will be observed in the short term," said the researchers.