Recently, websites with a malicious purpose have been created on SprintHost (Спринтхост). The Telegram group is Click Here. The scammer(s) sell this tool for 50 rubles (Russian rubles). The website is still an admin panel / dashboard, like XBALTI.
Some brief information about the malware → It is an ordinary stealer / RAT stealer (mostly an executable file) that steals passwords, emails, etc. The login is MySQL (database) from phpMyAdmin. The tool steals information from:
- Information from Chromium / Edge / Google Chrome (port: 80) / Mozilla Firefox (passwords, credit cards)
- Sessions from Telegram, Discord, FileZilla, Steam
- Passwords from NordVPN.
- Steals wallet files.
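A detection sketch for the target list above, added here as an example and not taken from the malware or its panel: it flags any process that reads several of these data stores without being the application that owns them. The path fragments are assumed common Windows default locations, and the event tuples are constructed sample data standing in for file-access telemetry.

```python
import re
from collections import defaultdict

# Store name -> (path regex, processes expected to read it).
# Path fragments are assumed common Windows defaults, not values from the sample.
STORES = {
    "browser": (r"\\User Data\\[^\\]+\\(Login Data|Web Data)$"
                r"|\\Profiles\\[^\\]+\\logins\.json$",
                {"chrome.exe", "msedge.exe", "firefox.exe"}),
    "telegram": (r"\\Telegram Desktop\\tdata\\", {"telegram.exe"}),
    "discord": (r"\\discord\\Local Storage\\leveldb\\", {"discord.exe"}),
    "filezilla": (r"\\FileZilla\\(recentservers|sitemanager)\.xml$", {"filezilla.exe"}),
    "steam": (r"\\Steam\\config\\", {"steam.exe"}),
    "nordvpn": (r"\\NordVPN\\.*user\.config$", {"nordvpn.exe"}),
    "wallet": (r"\\wallet\.dat$", {"bitcoin-qt.exe"}),
}

# Constructed file-access events: (pid, process image, file path).
SAMPLE_EVENTS = [
    (4120, "chrome.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7716, "update.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7716, "update.exe", r"C:\Users\a\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    (7716, "update.exe", r"C:\Users\a\AppData\Roaming\FileZilla\recentservers.xml"),
    (7716, "update.exe", r"C:\Users\a\AppData\Roaming\Bitcoin\wallet.dat"),
    (5300, "backup.exe", r"C:\Users\a\AppData\Roaming\FileZilla\sitemanager.xml"),
]


def flag_stealers(events, min_categories=3):
    """Return {(pid, image): [stores]} for processes that read at least
    min_categories credential stores they do not own."""
    touched = defaultdict(set)
    for pid, image, path in events:
        for name, (pattern, owners) in STORES.items():
            # Skip the owning application; match paths case-insensitively.
            if image.lower() not in owners and re.search(pattern, path, re.I):
                touched[(pid, image)].add(name)
    return {proc: sorted(cats) for proc, cats in touched.items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    for (pid, image), cats in flag_stealers(SAMPLE_EVENTS).items():
        print(f"pid={pid} image={image} touched: {', '.join(cats)}")
```

A single foreign read (the constructed `backup.exe` event) stays below the threshold, so the breadth of stores touched by one process is what drives the alert.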
This picture shows an example config.php on the server.
As he put it → ‘I may refuse to install it for you because of inappropriate behaviour.’ (translated from Russian), which means he can stop future updates to your tool if you do something he doesn't like. To keep anyone from using or selling this tool themselves, I censored the chat ID and token.