Alibaba2044
Alibaba2044 is a threat actor identified by Cyble Research and Intelligence Labs (CRIL) as operating a malicious spam campaign observed on 2022-12-14 and targeting users in Italy. According to the reporting, the campaign delivered the PureLogs .NET information stealer through spam emails carrying a link to a password-protected ZIP archive, with the password included in the email itself, a common way of keeping mail and web gateways from inspecting the archive contents.

The ZIP archive contained a CAB file disguised as a BAT file. Executing this stage dropped a .NET loader (x.exe) into the victim's temp directory and ran it. The loader decrypted a custom-encrypted payload in memory and loaded the final PureLogs DLL (Ixqwqtt.dll) via .NET Assembly.Load (reflection), so the decrypted stealer is never written to disk as a file.

Reported ATT&CK techniques associated with the observed activity: T1204 (User Execution), T1140 (Deobfuscate/Decode Files or Information), T1562 (Impair Defenses), T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1119 (Automated Collection), T1005 (Data from Local System), T1071 (Application Layer Protocol), and T1020 (Automated Exfiltration).

The delivered malware, PureLogs, is described in the source as a commercial .NET stealer developed by 'PureCoder' that steals browser data, cryptocurrency wallet data, and credentials or tokens from applications including Discord, Telegram, Steam, Outlook, Thunderbird, Pidgin, OpenVPN, and ProtonVPN. No additional aliases or sub-groups for Alibaba2044 are provided in the content.
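As an added example (not from the Cyble report or from this page), the following Python routine triages a downloaded archive for the two properties of the lure described above: entries flagged as encrypted in the ZIP general-purpose bit flag, and an entry with a script extension whose first bytes are the Microsoft Cabinet signature `MSCF` (or another binary container signature) instead of text. The archives it runs on are constructed inline; the file name `invoice.bat` and the extension list are assumptions, not indicators from the report. Because the standard library cannot write encrypted entries, the encrypted sample is produced by setting the flag bit by hand in a freshly written archive, which is enough to exercise the flag check but does not really encrypt anything, so that sample is triaged without a password.

```python
"""Triage a ZIP lure like the one above: is any entry password-protected,
and does a *.bat entry actually begin with a binary container signature?
Added example; sample archives are constructed inline and are not actor
artifacts."""
import io
import struct
import zipfile
from typing import Optional

CAB_MAGIC = b"MSCF"          # Microsoft Cabinet header signature
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose bit flag

# Signatures a genuine script or text file never starts with.
BINARY_MAGIC = {
    CAB_MAGIC: "cab",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
}
# Extensions we expect to hold plain text (assumption for this example).
SCRIPT_EXTENSIONS = {"bat", "cmd", "vbs", "js", "ps1", "txt"}


def sniff(head: bytes) -> Optional[str]:
    """Return the container type the first bytes announce, or None."""
    for magic, kind in BINARY_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def triage_zip(data: bytes, password: Optional[bytes] = None) -> dict:
    """Return findings for one archive: whether any entry is flagged as
    encrypted, which entries are a binary container under a script
    extension, and entries that could not be read (no or wrong password)."""
    findings = {"encrypted": False, "disguised": [], "errors": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                findings["encrypted"] = True
            if info.is_dir():
                continue
            try:
                with zf.open(info, pwd=password) as fh:
                    head = fh.read(8)
            except RuntimeError as exc:  # encrypted entry, no usable password
                findings["errors"].append(f"{info.filename}: {exc}")
                continue
            ext = info.filename.rsplit(".", 1)[-1].lower()
            kind = sniff(head)
            if ext in SCRIPT_EXTENSIONS and kind:
                findings["disguised"].append((info.filename, kind))
    return findings


def build_sample(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Construct a one-entry test archive.  zipfile cannot write encrypted
    entries, so for the encrypted variant bit 0 of the general-purpose flag
    is set by hand in the local file header (flags at offset 6; the first
    header sits at offset 0 in a freshly written one-entry archive) and in
    the central directory entry (flags at offset 8 after its PK\\x01\\x02
    signature).  The bytes are not really encrypted; this only exercises
    the flag check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for off in (6, raw.find(b"PK\x01\x02") + 8):
            (flags,) = struct.unpack_from("<H", raw, off)
            struct.pack_into("<H", raw, off, flags | ZIP_FLAG_ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed samples: a CAB under a .bat name, an archive flagged as
    # encrypted, and a harmless text file.
    cab_as_bat = build_sample("invoice.bat", CAB_MAGIC + b"\x00" * 32)
    locked = build_sample("invoice.bat", b"@echo off\r\n", encrypted=True)
    benign = build_sample("readme.txt", b"nothing to see\n")
    for label, blob in (("cab_as_bat", cab_as_bat), ("locked", locked),
                        ("benign", benign)):
        print(label, triage_zip(blob))
```

Reading only the first eight bytes of each entry keeps the check cheap and avoids fully extracting a possibly large or nested archive; a real pipeline would feed `triage_zip` the password recovered from the message body and treat an `encrypted` archive whose entries are a binary container under a `.bat` or similar name as a high-confidence match for this delivery chain.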
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.