| FucosReal | |
| --- | --- |
| Date of Initial Activity | 2024 |
| Location | Unknown |
| Suspected Attribution | Cybercriminals |
| Motivation | Financial Gain |
| Software | Windows |
Overview
In the increasingly sophisticated world of cybercrime, some threat actors stand out for their persistence, technical skill, and ability to adapt. One such actor is Fucosreal, a hacker linked to the notorious Agent Tesla malware campaign, which has targeted companies worldwide with precision and cunning. Fucosreal is primarily known for leveraging advanced remote access trojans (RATs), such as Agent Tesla, to steal sensitive data from a range of industries, including the diamond, metallurgical, and ocean freight sectors. What makes Fucosreal particularly dangerous is not just their technical expertise, but also their ability to operate under the radar, using complex attack vectors like spam campaigns and the Telegram Bot API to exfiltrate stolen data.
In early 2024, Fucosreal gained further notoriety when their connection to Styx Stealer, another malware family, was uncovered during an investigation by Check Point Research (CPR). This discovery linked Fucosreal to the development of Styx Stealer, a malware variant derived from Phemedrone Stealer, which was designed to steal sensitive data such as passwords, cookies, and cryptocurrency wallet information. This investigation shed light on the deep operational ties between Fucosreal and the developer behind Styx Stealer, revealing the cybercriminal ecosystem at play and how these actors collaborate to distribute malware and collect illicit profits.
Common targets
Information
Individuals
Manufacturing
India
UAE
Philippines
Attack Vectors
Phishing
How they operate
Their primary method of operation involves distributing malicious software via spam campaigns, which are carefully crafted to appear legitimate to potential victims. Once the malware gains access to a victim’s system, it functions as a RAT, granting Fucosreal full control over the compromised device.
The core functionality of Agent Tesla malware is its ability to collect sensitive information. It is designed to extract passwords, cookies, and other valuable data from web browsers, as well as monitor and record messaging activity from platforms like Telegram and Discord. Additionally, the malware is capable of logging keystrokes, capturing screenshots, and recording video, providing attackers with a comprehensive picture of their victim’s online behavior. What sets Fucosreal apart from many other cybercriminals is their use of Agent Tesla in a highly targeted manner, often focusing on organizations in industries like the diamond trade and shipping, which deal with high-value transactions and sensitive data.
One of the most notable techniques employed by Fucosreal is the use of the Telegram Bot API for data exfiltration. Traditionally, malware relies on command-and-control (C&C) servers to send stolen data back to the attacker. Fucosreal avoided this typical method by using Telegram as the communication channel instead. This approach provides several advantages: the traffic is encrypted, and because Telegram is a widely used, legitimate platform, connections to it blend in and resist traditional detection methods. It also carries a significant flaw: each malware sample must embed a bot token, and that token can be extracted from the sample to access everything the bot has received. Researchers at Check Point Research (CPR) used exactly this weakness to uncover detailed intelligence on Fucosreal's operations, including their communication with other cybercriminals.
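The same property that let researchers pivot on the token, namely that the token must sit in cleartext inside the sample and appear in every outbound Bot API request, also gives defenders a cheap detection. The following is an added example written for this profile, not code from the page, from Check Point, or from any Agent Tesla analysis; the log format, the host addresses and the bot token are all constructed, and the function names (`scan_proxy_log`, `find_bot_tokens`, `correlate`) are hypothetical. It flags outbound `api.telegram.org/bot<token>/send*` calls in a proxy log, reports only a redacted token so the secret never lands in a ticket, and correlates hosts that share a bot id.

```python
import re
from dataclasses import dataclass

# A Telegram bot token has a fixed shape: a numeric bot id, a colon, and a
# 35-character secret drawn from [A-Za-z0-9_-]. Malware that exfiltrates
# through the Bot API has to carry one in cleartext, so the shape itself is
# a useful hunting signature in both strings dumps and network logs.
TOKEN_BODY = r"(\d{8,10}):([A-Za-z0-9_-]{35})"
BOT_TOKEN_RE = re.compile(r"(?<!\d)" + TOKEN_BODY + r"(?![A-Za-z0-9_-])")

# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# Only the methods that push text or files outward matter for exfiltration;
# a getMe or getUpdates call alone is not evidence of data leaving.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
API_CALL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)"
)


@dataclass(frozen=True)
class Detection:
    line_no: int
    src: str
    bot_id: str       # numeric id, safe to share and useful for correlation
    method: str
    token_hint: str   # redacted secret: analysts must never handle the full token


def redact(token: str) -> str:
    """Return 'bot_id:****last4' so reports stay correlatable without leaking the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{'*' * (len(secret) - 4)}{secret[-4:]}"


def scan_proxy_log(lines):
    """Flag outbound Bot API exfiltration calls in a proxy log.

    Assumed (constructed) line shape: '<timestamp> <src_ip> <verb> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = API_CALL_RE.search(line)
        if not m:
            continue
        token, method = m.group(1), m.group(2)
        if method not in EXFIL_METHODS:
            continue
        fields = line.split()
        src = fields[1] if len(fields) > 1 else "?"
        hits.append(Detection(n, src, token.split(":")[0], method, redact(token)))
    return hits


def find_bot_tokens(blob: str):
    """Return redacted hints for every bot-token-shaped string in a strings dump."""
    return sorted({redact(f"{i}:{s}") for i, s in BOT_TOKEN_RE.findall(blob)})


def correlate(hits):
    """Group source hosts by bot id: one bot id on several hosts means one campaign."""
    by_bot = {}
    for h in hits:
        by_bot.setdefault(h.bot_id, set()).add(h.src)
    return {bot: sorted(hosts) for bot, hosts in by_bot.items()}


# Constructed sample data. The token below is fake and has the right shape only.
FAKE_TOKEN = "7000000001:AAFakeTokenForExampleOnly0123456789"

SAMPLE_PROXY_LOG = [
    "2024-03-01T09:14:02Z 10.0.5.23 GET https://www.example.com/index.html 200",
    f"2024-03-01T09:14:07Z 10.0.5.23 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200",
    f"2024-03-01T09:14:09Z 10.0.5.23 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe 200",
    f"2024-03-01T09:15:30Z 10.0.7.8 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200",
]

STRINGS_DUMP = f"""
kernel32.dll
https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument
Telegram Desktop
"""

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.src} -> {h.method} via bot {h.token_hint}")
    print("hosts per bot id:", correlate(hits))
    print("token-shaped strings in sample:", find_bot_tokens(STRINGS_DUMP))
```

The `getMe` call on line 3 is deliberately not flagged: it is the same bot, but a lookup call alone does not move data, and alerting on every Bot API request would drown a SOC in noise from legitimate Telegram bot users. The bot id, by contrast, is worth keeping in the clear, because two hosts reporting to the same id (as lines 2 and 4 do here) is the fastest way to scope how many machines one sample has reached.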
Fucosreal’s operational security (OpSec) failures have, at times, revealed valuable insights into their tactics and infrastructure. In one high-profile case, the Fucosreal actor’s involvement in the development of Styx Stealer, a malware variant derived from Phemedrone Stealer, was exposed during an investigation into a malware debugging process. This led to the discovery of sensitive data, including Telegram accounts, email addresses, and even the actor’s location in Nigeria. These leaks, combined with the technical analysis of Agent Tesla and Styx Stealer, provided cybersecurity researchers with a window into Fucosreal’s operations. Despite their attempts to remain anonymous and use complex tools, these mistakes offered critical intelligence that could help defenders better understand and mitigate their tactics.