Cybersecurity researchers have uncovered a sophisticated campaign targeting the Albion Online gaming community through impersonation of the Electronic Frontier Foundation (EFF).
The operation, discovered in early March 2025, leverages decoy documents designed to appear as official EFF communications while deploying malware in the background.
Albion Online, a multiplayer online role-playing game with a player-driven economy, has become a lucrative target due to third-party markets where in-game assets are exchanged for real money.
Researchers at Hunt.io identified messages on the game’s forum directing players to phishing websites under the pretext of discussing security for in-game assets tied to their accounts.
The attackers employed an exposed open directory containing a mix of PDFs, ZIP archives, and PowerShell scripts, revealing their operational infrastructure.
A key component of the attack is a Windows shortcut (LNK) file named “Report-Albion-Online.lnk” which executes PowerShell with an Execution Policy Bypass to run malicious scripts.
The attack chain begins when users receive phishing messages with links to what appears to be an official EFF report titled “Electronic Report on Investigation of Virtual Asset Theft in Albion Online.”
.webp)
This PDF was programmatically generated and designed to create urgency by informing victims of unauthorized login attempts.
Malware Analysis
Upon execution, the PowerShell script retrieves malicious components and drops them into the victim’s system.
The script contains Russian-language comments, suggesting the involvement of Russian-speaking developers.
Besides this, one of the critical malware component, albion.exe, is a renamed legitimate Python 3.10.8 executable used to execute an accompanying script named 12.py.
This Python script contains two encoded portions that, when decoded, reveal connections to command and control servers at 104.245.240.19:443 and 212.87.222.84:443, identified as Stealc stealer and Pyramid C2 infrastructure respectively.
Communication with these servers occurs through HTTP requests such as:-
http[:]//104.245.240.19:443/login/3keXipGb5Rr+gpGO9Cj sSfdz+of5
The malware then initiates multiple POST requests to extract stored credentials from browsers before sending them back to the C2 server.
.webp)
This campaign shows that how threat actors combine legitimate organizations’ reputations with technical sophistication to target specific communities.
Users are advised to verify the authenticity of communications and exercise caution with unsolicited messages, especially those requesting immediate action.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
