Figure 2. Script saving all the listed IP addresses into a text file
Figure 3. All the downloaded files
The supposed studio or the site itself has no business relevance, with no domain name
linked to its business. It is likely that the whole website is just a covert page used to
confuse the researchers and to disguise their operations.
This was the only seemingly working version of the toolset in development. It had various
parts of open-source codes from other operations, and its initial purpose was to build an
IRC-operated XMR miner with the ability to mask itself as another process. The Linux
hacking tool “Shark” was found within these files.
Figure 4 and 5. Comments in the Romanian language re: the IRC bouncer
We also found open-source hacking tools with custom wrap-up bash scripts with
comments written in the Romanian language. Among the files, there was a new toolkit
