Threat Intelligence Blog

Posted February 20, 2019

What is more attractive than an undetectable, money-making, remote access malware to a cybercriminal? How about one that is already made for you, is fully customizable, and comes with tech support? Just as security-as-a-service (SaaS) solutions are flourishing within the cyber industry, threat actors are employing this business model for their own gain.

Like the SaaS model, cybercriminals use Cybercrime-as-a-Service across the dark web. A search on the right dark web forums can lead you to these service providers. Cybercrime-as-a-Service includes Malware-as-a-Service, Ransomware-as-a-Service, and Business Email Compromise-a-Service, among other “as-a-service” offerings. Each actor provides a full-service model of crime; many of them even have tech support to accompany their offerings. Instead of providing security, a cybercriminal provides malicious software and tools to other criminals. For example, Malware-as-a-Service (MaaS) is very attractive to an average cybercriminal who isn’t the best programmer and is looking to make a quick buck in the cybercrime world.

LookingGlass’ STRATISS team encounters these types of MaaS providers often; both in crime networks and lone-wolf cases. A good example of the popularity and success of the Cybercrime-as-a-Service model is through Russian threat actor Glad0ff.  To better understand the business model of a cybercriminal, let’s explore the CV of a cybercriminal.

Glad0ff Cryptomining: A Case Study

In recent years, there has been a rise in cryptomining malware, which takes over the idle processing power of a victimized machine and uses it to mine cryptocurrency. No industry or sector is safe from enterprising criminals looking to siphon off high-powered computing power. Recently, education, healthcare, and financial services have been targets of illegal cryptomining. Crytomining has become the cybercriminal attack vector du-jour; this practice has even surpassed the use of ransomware in 2018.

Malware Chart

Source: 2018

This trend is expected to continue into 2019. If you are a talented programmer like Glad0ff, this expanding market is your opportunity to capitalize on this trend. As it happens, Glad0ff advertised and sold two of these illegal cryptominers on dark web forums in 2018. How did Glad0ff become so successful? By taking a look at his CV, it is easy to understand how he climbed the cybercrime ladder.


Glad0ff is one of the cybercriminals that can do it all. Here are some of his recent accolades.

Decrux: Need a fully concealed, high-functioning cryptominer that operates on all Windows operating systems? He’s got it! And with tech support to boot. Decrux is downloaded on a victim computer through a contaminated file, which, after opening, creates a folder on the victim computer in the criminal’s specified directory. The miner installs itself in this folder, and deletes the executable file, then creates tasks for autoloading the installed file. This can’t be disabled by deletion. Its lifetime is about 1.5 weeks on the victim computer.

Acrux: What about a cryptominer that is customizable and also runs keyloggers and file stealers, in which you can choose your own mining algorithm? He has that too! Acrux is very unique from other miners, including Decrux. It doesn’t rely on dependencies, is built on clean code, and integrates a modern algorithm. Acrux mines both the computer processing unit and the graphics card on the victim computer. Glad0ff is happy to customize this miner based on your criminal needs.

Mimosa: But wait, there is more! He also sells a malware Remote Access Tool (RAT) that has its own support forum and includes free updates. Mimosa has two versions: one standard and one custom. The standard functionality includes many features like a loader that enables the download and hidden launch of files, anti-virus immunity, a keylogger, and much more.

Professional References

On top of his impressive product portfolio, Glad0ff receives glowing reviews from his criminal customers. On the dark web forums and marketplaces in which he operates, his product reviews all state that he is easy to work with, answers all questions customers have, and even fixes any bugs that arise in his code. Some customers state that though they themselves don’t have the technical ability to code at Glad0ff’s level, he still answers their “stupid” questions. Glad0ff appears to be working alone, which means he is not slowed down by any red tape that a larger criminal operation might come with; making him accessible to his customer base.

Cybercriminals and You

So, you may be wondering how this could affect you or your organization. Cybercrime-as-a-service continues to expand, fueling the increase in profit of cybercrime to USD 1.5 trillion per year. With such a large illegal cryptomining market, many different industries are negatively affected by these attacks as criminals take advantage of high-powered computing operations to turn a profit. This trend is not expected to slow down anytime soon.

Actors like Glad0ff enable cybercrime to proliferate to less knowledgeable and less talented criminals. The repercussions of cybercrime becoming more accessible are far reaching—it is very easy for an end user or a business to become a victim of this type of crime. As data breaches and malware continue to hit many organizations’ bottom lines, it will be important to stop these types of actors at their marketplaces.

A threat actor operating alone is great for both the actor and their criminal customers; the actor not only gets to rely on their great reputation and credibility, but they are also able to distance themselves from the crimes their customers commit. On the other hand, the customer is free to act alone with the product and keep any profits to themselves. Continuing to identify threat actors like Glad0ff, including their motivations and tactics, techniques, and procedures will be increasingly important as the cost of malware attacks increase in 2019. Reliable malware is a necessary part of the cybercrime ecosystem. Without it, cybercriminals are easier to catch. Threat actors like Glad0ff allow cybercrime to cause serious damage to individuals and enterprises alike. If you would like to know more about the finished intelligence our STRATISS team provides, click here.

Additional Posts

Zero-Day Vulnerabilities: An Inside Look at Luxor2008

When it comes to breaches, we have seen this time and again: an exploited vulnerability that costs ...

Nullcon International Security Conference

Allan Thomson presents at Asia's Premier Information Security Conference. Training for security & ...