LuceDeuce

I got the payload to this malware. It is absurdly silly. This malware is killing me bro. It is so unbelievably silly. This was 100% written using Claude or ChatGPT. I've never seen a malware payload LEAVE NOTES describing what it's doing. The malware has a Powershell script that connects to the C2 for stinky malware stuff. This module is responsible for persistence. Thankfully their persistence script documented the entire code base and file locations. Very cool. Thank you spoopy Russian Counter Strike scammers. Even more silly, the C2 is hardcoded as a string (seen in attached image). The C2 address shows it has been an active malware campaign since at least January 31st, 2026 based off of data present on VirusTotal. It was initially uploaded as "9lixh". This persistence script was from a victim machine so I've censored some data. Regardless, the botched cyrillic notes also makes me giggle. Russian to English translations present in this silly script which documents everything for us: # Пути для удаления # Paths for deletion # Завершаем процессы python и pythonw # Terminate/finish the python and pythonw processes # Удаляем автозапуск из реестра # Remove autorun from the registry # Завершаем процесс монитора # Stop the monitoring process # Новая функция для проверки f.json и убийства процессов # New function for checking f.json and killing processes # Проверяем флаг library # Check the library flag # Список процессов для убийства # List of processes to kill # Проверка флага удаления (каждые 20 секунд) # Check the deletion flag (every 20 seconds) # 20 секунд при интервале 2 секунды # 20 seconds with a 2-second interval # Проверка f.json и убийство процессов (каждые 4 секунды) # Check f.json and kill processes (every 4 seconds)