October 2, 2023

Researchers have spotted a phishing campaign targeting Russian-speaking players of Enlisted, a multiplayer first-person shooter.

The hackers used a fake website that closely resembles the official Enlisted webpage to distribute ransomware. Although the campaign has not been attributed to any group, it is believed to be connected to the tussle between Russia and Ukraine.

Enlisted is a freely available game that takes place during World War II and revolves around major battles fought across all war fronts. The game was published by Russia-founded company Gaijin Entertainment in 2021 and has between 500,000 and a million active monthly players.


The fake Enlisted website hosts a legitimate game installer and ransomware that mimics the infamous WannaCry crypto worm, created by the North Korean hacking group Lazarus.

The ransomware calls itself WannaCry 3.0 and uses the .wncry file extension for the files it encrypts, although it is not a genuine variant of WannaCry. The malicious software distributed through the fake Enlisted website is a customized variant of open-source ransomware known as Crypter. It is designed for Windows systems and coded in Python.

The ransomware shows the ransom note in the form of a GUI application. The only contact detail WannaCry 3.0 provides for negotiation is the Telegram account ID “wncry_support_bot”. The GUI shows the time remaining to pay the ransom, keys to encrypt the files, a button to see the list of encrypted files, and the option to enter the decryption key.

Source: Cyble

Threat actors frequently target popular games to reach a larger pool of potential victims. While searching for free or pirated games, some gamers disregard security measures and unknowingly download malicious software onto their systems.


Prevention and Mitigation


  • Back up your data regularly and keep those backups offline or on a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.


  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.
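
As an added example (not taken from Cyble's report or from this article), the Python script below supports the response steps above: it locates files carrying the .wncry extension and uses their modification times to approximate when encryption ran, which narrows the log range worth inspecting. It assumes the extension is the final suffix of each encrypted file name; the sample file names are constructed.

```python
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER_EXT = ".wncry"  # extension the article attributes to "WannaCry 3.0"


def triage(root):
    """Summarise files under root whose name ends in MARKER_EXT (any case)."""
    per_dir, mtimes, unreadable = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: unreadable.append(e.filename)):
        for name in files:
            if not name.lower().endswith(MARKER_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtimes.append(os.lstat(path).st_mtime)  # lstat: do not follow links
            except OSError:
                unreadable.append(path)
                continue
            per_dir[dirpath] += 1
    return {
        "count": sum(per_dir.values()),
        "by_dir": per_dir.most_common(),  # most affected directories first
        # Earliest and latest modification times approximate the encryption
        # window (assumption: the timestamps were not altered afterwards).
        "first": min(mtimes, default=None),
        "last": max(mtimes, default=None),
        "unreadable": unreadable,  # paths that could not be listed or read
    }


def iso(ts):
    """Render an epoch timestamp as UTC ISO 8601, or '-' when there is none."""
    return "-" if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # constructed sample tree so the script runs without arguments
        root = tempfile.mkdtemp()
        for name in ("report.docx.wncry", "photo.JPG.WNCRY", "notes.txt"):
            open(os.path.join(root, name), "w").close()
    result = triage(root)
    print(f"{result['count']} marked files, {iso(result['first'])} .. {iso(result['last'])}")
    for directory, n in result["by_dir"]:
        print(f"{n:6d}  {directory}")
```

Genuine WannaCry used the same extension, so a match indicates encrypted files but does not by itself identify this campaign.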

This research was documented by researchers from Cyble.

Indicators of Compromise

