Russian researchers identify alleged Ukrainian developer of malicious remote access tool
Researchers claim to have uncovered the identity of the developer of a malicious remote access tool used to attack Russian organizations.
Its developer, who goes by the alias Mr. Burns, has been active on darknet forums since 2010 and is known for creating malicious versions of remote administration tools, such as TeamViewer and RMS (Remote Utilities). The Russian cybersecurity firm F.A.C.C.T., which says it has identified the hacker, tracks the tool as BurnsRAT.
According to the company, the developer is a 38-year-old Ukrainian national named Andriy R. from the city of Ternopil.
The attribution of BurnsRAT to a Ukrainian developer couldn’t be verified. Given that the majority of Western cyber companies left Russia when it invaded Ukraine, they have limited visibility inside Russian networks.
According to researchers, Mr. Burns is a “client/partner” of another cybercriminal known as VasyGrek who has been attacking Russian companies since at least 2016. VasyGrek has been using Mr. Burns’ remote access trojan for at least five years, they said.
F.A.C.C.T., which is a spinoff of the Singapore-based cybersecurity firm Group-IB, claims to have identified Telegram accounts and other social media pages, as well as darknet forum profiles, linked to the two cybercriminals.
In addition to BurnsRAT, VasyGrek has deployed tools such as MetaStealer, WarzoneRAT and the RedLine information stealer against Russian companies and has used “financially-themed” emails, such as payment orders, as lures. The latest VasyGrek attack on an unnamed victim in Russia was detected in May 2024.
A BurnsRAT rental costs $1,200 a month, the researchers said, allowing its operators to manage, upload, and delete files, lock the victim’s keypad and screen, and turn off or reboot the computer.
The researchers said for ethical reasons they are not disclosing Mr. Burns' personal data, “but all information collected during the study is transferred to law enforcement agencies.”
Ukrainian cyber police declined to comment on F.A.C.C.T.'s findings.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.