Red Hot Cyber


Discovering Drumrlu. The IaB that does big business between Türkiye and Venezuela

Redazione RHC: 8 July 2025 09:12

After the Far East and Iran, we continue our series of articles on IAB actors with an actor believed to be based in Europe, in a NATO country.

Origin and attribution

According to researchers at KelaCyber (a cyber threat intelligence vendor based in Tel Aviv, Israel), the Drumrlu actor is an IAB believed to operate from Türkiye.

Drumrlu is also known by the name/moniker “3LV4N”.

As seen in the first article about the access broker miyako, looking up victims’ revenue is a very common practice for IABs: their posts tend to mention the victims’ income to entice potential buyers, on the assumption that organizations with higher revenues can afford a multi-million dollar ransom.

“drumrlu” (aka 3lv4n) is an initial access broker and credential database vendor active in underground forums since at least May 2020. drumrlu has sold domain access to various organizations in many countries around the world (EMEA, APAC, and AMER) in the education, utilities, insurance, healthcare, cryptocurrency, gaming, and government sectors. In October 2020, the actor began selling root access to VMware ESXi software with prices ranging from $250 to $500.

Analysts at Outpost24 noted that “Nosophoros,” the actor behind the Thanos Ransomware as a Service (RaaS), likely works with (is a customer of) drumrlu. On July 18, 2020, Nosophoros posted on the “Exploit” forum the message: “drumrlu is a good vendor, I vouched for him before and I still do. Glad you are back.”


Simon Roe, researcher and product manager at Outpost24, highlights in his report how drumrlu/3LV4N operated within the Thanos RaaS operation.

drumrlu also left a review on Nosophoros’ profile saying “Best RaaS, Best Programmer”. Another comment from the actor “peterveliki” confirms the potential partnership between drumrlu and Nosophoros: “I bought access from this seller (drumrlu) – everything went smoothly. A very helpful dude. He also recommended using Thanos from Nosphorus; which turned out to be very helpful in this case. Good seller, I recommend.”


Attack cycle

According to Proofpoint, an attack chain using the Thanos RaaS, with initial access provided by the IAB drumrlu, could look like this:

1. Emails containing a malicious Office document are sent to the target.

2. A victim user downloads the document and enables macros, which drop a payload (a RAT and/or an infostealer).

3. The actor uses the backdoor access to exfiltrate system and login information.

4. The initial access broker can then sell that access to other actors.

5. The backdoor access can also be used to distribute Cobalt Strike, allowing lateral movement within the network.

6. The attacker then achieves full domain compromise via Active Directory.

7. The RaaS-affiliated actor distributes the ransomware to all workstations joined to the domain.
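As an added example (not from the article, Proofpoint or Outpost24), the following detector covers step 2 of the chain above from the defender’s side: an Office application spawning a script host or LOLBin, which is how a macro typically drops its payload. The Sysmon-style field names and all sample events are constructed assumptions.

```python
"""Detect the macro-to-payload stage: an Office app spawning a script host.
Added example; field layout mimics Sysmon Event ID 1 and every sample event is constructed."""
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line fragments that raise the score once the parent/child pair already matched.
SUSPICIOUS_ARGS = ("-enc", "hidden", "downloadstring", "appdata", "\\temp\\", "bypass")

# Constructed sample telemetry (not real data): two dropper-style spawns, three benign events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-ACCT-07", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "WS-HR-02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\j.doe\AppData\Local\Temp\invoice_q3.vbs"},
    {"host": "WS-ACCT-07", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"host": "WS-HR-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" C:\Users\j.doe\Downloads\report.xlsx'},
    {"host": "WS-HR-02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n C:\Users\j.doe\AppData\Local\Temp\memo.docx'},
]

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: Dict[str, str]) -> int:
    """0 = no match; otherwise 1 for the Office->script-host pair plus 1 per suspicious argument."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return 0
    cmdline = event["command_line"].lower()
    return 1 + sum(1 for fragment in SUSPICIOUS_ARGS if fragment in cmdline)

def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event whose score is non-zero, highest score first."""
    alerts = [{"host": e["host"], "parent": basename(e["parent_image"]),
               "child": basename(e["image"]), "score": score_event(e)} for e in events]
    return sorted((a for a in alerts if a["score"]), key=lambda a: -a["score"])

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the two macro-dropper spawns are reported; Excel launching its print helper, Explorer opening Excel and Outlook opening Word all score zero because the parent/child pair never matches.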

Example of a credential stealer delivered via phishing email

Possible credential-stealing phishing email with a malicious Office document attachment, sent from a free GMX.COM email address (Excel VB dropper).

Source: Proofpoint

Some scenarios in which the actor worked

  • Electricity company in Amman, Jordan.
  • German hospital in Saudi Arabia.
  • Insurance group in Thailand.
  • Insurance group in Saudi Arabia.
  • Government entity in Kuwait.

Target Countries

Australia, United States, Thailand, Pakistan, France, Italy, Switzerland, United Arab Emirates, Jordan, Israel, Egypt, Kuwait, and Saudi Arabia.

Target Industries

Education, Utilities, Insurance, Healthcare, Cryptocurrency, Gaming, and Government Entities.

Notice on Thanos: Alleged Creator of RaaS … A Venezuelan Doctor!?!?

US DoJ Alleges Cardiologist as Developer Who Created Thanos Ransomware: Moises Luis Zagala Gonzalez, 55, a French and Venezuelan citizen living in Ciudad Bolivar, Venezuela, is charged with committing attempted computer intrusion and conspiracy to commit computer intrusions, according to a US criminal complaint made public on Monday, May 16, 2022.

Zagala allegedly sold and rented ransomware packages he developed to cybercriminals. He is also accused of training would-be attackers/affiliates on how to use his products to extort victims and then bragging about successful attacks.

A series of mistakes by Zagala allowed investigators to identify him as a suspect, the DoJ said. In September 2020, an undercover FBI agent allegedly purchased a license for Thanos from Zagala and downloaded the software. Additionally, an FBI informant spoke to Zagala about the possibility of establishing an affiliate program using Thanos, according to the DoJ document.

Zagala has reportedly bragged publicly on the DarkWeb that his brainchild, Thanos RaaS, was being used by an Iranian state-sponsored threat actor group to attack Israeli companies.

Source: https://portswigger.net/daily-swig/medical-doctor-charged-with-creating-the-thanos-ransomware-builder

PDF Source (FBI.GOV)

https://www.fbi.gov/wanted/cyber/moises-luis-zagala-gonzalez/@@download.pdf

Conclusion

In this article of the series on initial access brokers we have seen how credential theft occurs through phishing campaigns whose Office attachments carry malware or an infostealer. So let’s remember some of the best practices to be ready for any eventuality:

  • Strong Access Controls/Use of Multi Factor Authentication
  • Employee Training and Awareness
  • Network Segmentation/Micro Segmentation
  • Continuous Monitoring and Threat Detection

Bibliography

KelaCyber

https://www.kelacyber.com/blog/uncovering-your-adversaries-with-kelas-threat-actors-hub

https://www.kelacyber.com/blog/the-secret-life-of-an-initial-access-broker

Report by Outpost24

https://www.slideshare.net/slideshow/outpost24-webinar-the-state-of-ransomware-in-2021-and-how-to-limit-your-exposure-final-v1/250054667

Thanos RaaS on Recorded Future

https://www.recordedfuture.com/research/thanos-ransomware-builder

Bleeping Computer on Thanos

https://www.bleepingcomputer.com/news/security/european-victims-refuse-to-bow-to-thanos-ransomware

PortSwigger on Thanos

https://portswigger.net/daily-swig/medical-doctor-charged-with-creating-the-thanos-ransomware-builder

Proofpoint on Thanos

https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland

Malpedia (Fraunhofer) on GuLoader/CloudEyE

https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

FBI

https://www.fbi.gov/wanted/cyber/moises-luis-zagala-gonzalez/@@download.pdf

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
