
Russian-speaking hacker group disrupted by local researchers

Russian cybersecurity researchers have identified and dismantled a network of domains operated by a relatively obscure hacking group known as NyashTeam. The group has been selling malware and offering hosting services for cybercriminals since at least 2022, the Russia-based firm F6 said.

In a report published Tuesday, analysts said they uncovered and began dismantling more than 110 domains used by NyashTeam. The takedown was carried out with support from Russia’s Coordination Center for national domain names.

No detailed public reports on NyashTeam have been published previously, although other researchers first flagged some of the group’s associated domains in 2022.

NyashTeam has operated as a malware-as-a-service scheme primarily targeting Russian victims. It sells two main types of malware — DCRat and WebRat — via Telegram bots and dedicated websites.

DCRat, a remote access trojan known since 2018, allows attackers to steal data, log keystrokes, access webcams, exfiltrate passwords, and execute commands on infected devices. WebRat, a more advanced tool, focuses on harvesting browser credentials and cookies and supports features like screen streaming and webcam spying.

In addition to malware sales, the group offers custom plugins, user guides, and hosting solutions for other cybercriminals, attracting both novice and experienced threat actors. Its services were popular due to their low cost and ease of use, with malware subscriptions starting at just 349 rubles (about $4) per month. Payments are accepted through Russian platforms and cryptocurrency wallets, according to F6.

The wide range of NyashTeam’s offerings — pre-configured malware, command-and-control (C2) servers, and educational materials — appeals to both beginner hackers and experienced cybercriminals.

NyashTeam’s customers use YouTube and GitHub to distribute malware disguised as game cheats or pirated software. Videos and repository descriptions include links to password-protected archives containing the malware, often tricking users into downloading the files.

“Attackers take advantage of the popularity and trust associated with YouTube and GitHub, as well as gaps in content moderation, to distribute their malware,” the researchers said.
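The lure format described above, a link in a video description or repository README to a password-protected archive, matters to defenders because encryption hides the contents from platform scanners and from many download-time checks. The following is an added example, not code from F6 or from the article: a small triage check that reads a ZIP's central directory without extracting anything, lists which entries are flagged as encrypted, and pairs that with a look for executable file names. The entry name `cheat.exe`, the inert payload bytes and the extension list are constructed assumptions for the example.

```python
"""Triage check for archives that arrive via video descriptions or repos:
flag entries marked password-protected and pair that with executable names.

Added example, not code from F6 or from the article. Entry name, payload
bytes and the extension list are constructed assumptions for illustration.
"""
import io
import struct
import zipfile

# Bit 0 of the general-purpose flag word marks an encrypted entry
# (PKWARE APPNOTE section 4.4.4).
ENCRYPTED_FLAG = 0x0001

# Extensions treated as directly executable for this check
# (assumption for the example; extend to taste).
EXEC_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".msi")


def build_sample_zip(encrypted: bool) -> bytes:
    """Construct an in-memory ZIP with a single entry named 'cheat.exe'.

    The standard library cannot write password-protected archives, so the
    encrypted variant is produced by writing a plain archive and then setting
    bit 0 in the local file header and in the central directory entry, which
    is the field a password-protecting archiver sets. The payload is inert
    filler constructed for this example; the data is never decrypted or run.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("cheat.exe", b"MZ placeholder bytes, constructed for the example")
    data = bytearray(buf.getvalue())
    if encrypted:
        lfh = data.find(b"PK\x03\x04")  # local file header: flags at +6
        struct.pack_into("<H", data, lfh + 6, ENCRYPTED_FLAG)
        cdh = data.find(b"PK\x01\x02")  # central directory header: flags at +8
        struct.pack_into("<H", data, cdh + 8, ENCRYPTED_FLAG)
    return bytes(data)


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries flagged as encrypted in the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def triage(zip_bytes: bytes) -> dict:
    """Summarise an archive without extracting anything.

    A password-protected archive is not malicious by itself; the combination
    of encrypted entries and an executable inside a download that arrived via
    a video description or repository README is what deserves a closer look.
    """
    if not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        return {"is_zip": False, "encrypted": [], "executables": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    encrypted = encrypted_entries(zip_bytes)
    executables = [n for n in names if n.lower().endswith(EXEC_SUFFIXES)]
    return {
        "is_zip": True,
        "encrypted": encrypted,
        "executables": executables,
        "suspicious": bool(encrypted) and bool(executables),
    }


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_zip(False)),
                          ("password-protected", build_sample_zip(True))):
        print(label, triage(sample))
```

The check only reads headers, so it is safe to run on an untrusted download before anything is extracted. Keep in mind that it is a triage signal, not a verdict: legitimate software is sometimes shipped in password-protected archives, and a malicious archive can instead use a nested or renamed container to sidestep a simple extension match.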

In addition to blocking the malicious domains linked to NyashTeam, F6 also requested the removal of a Telegram channel hosting WebRat’s source code, along with four instructional videos on an unnamed video platform.

The analysis and subsequent takedown of NyashTeam’s infrastructure have significantly — if temporarily — disrupted the group’s operations and limited its ability to spread malware, researchers said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.