1/

With #P2E's popularity, threat actors are leveraging on the fact that excited players are ready to jump on board to test the new game (and earn at the same time).

Here's a 🧵about a #Redline stealer #malware from a "project" that recently launched a "beta test"

3/

That project is @rworldp2e (now @R_WorldP2E). As they were called out by Stark, the account changed the username lol. Here's the ID though: 1467094027480625155

It is an impersonation of the original project called @ReptileChronic @R_chronicls

4/

@R_WorldP2E's shared a scam domain claiming to host the game's beta.

☣/reptileworldp2e.com
/reptileworldp2e.com/ReptileWorld_P2E_0.7.3b.rar

🌐@regru 31.31.196.45

5/

Upon unpacking the rar file, a password-locked rar file and a Readme.txt is given which contains the password.

The second rar file, contains the so-called beta game. It looks convincing as it contains the libraries and other files to run a "legitimate" game.

6/

Running the ReptileWorld_Launcher_Setup.exe and granting the admin permission is the start of the #Redline stealer #malware.

It begins to crawl on the victim's files to steal browser data, which also contains the Metamask vault files: metamask.zendesk.com/hc/en-us/artic…

7/

The stolen data is then exfiltrated to a command and control server (C&C) for the threat actors to check your data and begin their devious acts. And one example is stealing your digital assets, which is what @_Starkcrypto experienced.

8/

Interestingly, it is the same C&C used for a fake @rStellaFantasy, which is a #P2E project as well.

The botnet value for the fake stella fantasy was "07.06", and "29.06" for reptile chronicles. This is very likely the starting date of the campaign.