AlphaLock, Threat Actor Branding, and the World of Cybercrime Marketing

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "AlphaLock, Threat Actor Branding, and the World of Cybercrime Marketing" with a light orange arrow pointing down.

Threat actors are not a monolith in their approach to cybercrime. The popular perception is that threat actors steal information for the sake of it, while knowing and accepting that they are doing something wrong. However, some threat actors also justify their actions by promoting an image that their activity ethically advances the cause of cybersecurity. At Flare we regularly see threat groups state that they are “(reverse) pen testers”. Security researchers are very familiar with groupes de ransomwares referring to their actions as “pentesting after the fact.” 

One such entity is the malicious group AlphaLock. The Flare Research team reviewed their Telegram channel, and combed through to identify the ways the group describes itself.

AlphaLock is a Russian hacking group that describes itself as a “pentesting training organization.” The group has a two-part business model designed to both educate cyber criminals, then weaponize them for profit against organizations.:

  • La formation referred to as the Bazooka Code Pentest Training. This training covers the basics of offensive security and is designed to take non-technical users and teach social engineering and technical offensive security skills.
  • Programme d'affiliation: ALPentest Hacking Marketplace, which monetizes the services of the hackers trained through the training program

Threat Actors as Pentesters: AlphaLock Edition

The psychology of justifying cybercrime is fascinating. Going through AlphaLock’s recent Telegram messages, there are generally three areas where we can see that on full display:

  • The language of “pentesting”
  • Donating items and funding to an orphanage and animal shelters
  • Description of training program as supporting cybersecurity

Pentest Messaging 

The language of “pentesting” is sprinkled through the Telegram channel, starting with the name of the channel. 

There were several graphics shared to announce opening up enrollment for training programs with different languages for soon-to-be threat actors. The logo includes the word “pentest.”  

AlphaLock's logo is in the middle with a black background and an American flag on the left side
Graphic to announce enrollment for English-speaking soon-to-be threat actors

In addition, when referring to members of the AlphaLock community, they use terms such as:

  • Pentesters from the AlphaLock Pentest community
  • Freelance pentester
  • Pentest partnership program

Program Language 

The pentesting terminology is most prominently featured in descriptions of Alphalock’s  training program. If you read only what they have published, it can be easy to mistake this for an ethical hacking program.

‼️ Over 250 people have gone through us and many of them stay with us and become cool specialists in the field of Pentesting.

Course Program:

Introduction to Linux and the basics of the command line

  • Introduction to pentesting: basic concepts, methodologies, goals, and the fundamentals of ethical hacking.
  • Understanding the concept and role of network security.
  • Network scanning tools: introduction to Nmap and Masscan, their capabilities, command syntax, and examples of use.
  • Finding open ports, identifying services, identifying vulnerabilities using scanners.
  • Advanced use of Nmap: a wide range of parameters, security assessment using Nmap, determining the operating system and vulnerabilities.
  • Advanced scanning tools: introduction to additional tools such as Zenmap, Unicornscan, and Hping.
  • Protection from scanning: means of detection and protection against passive and active scanning, bypassing firewalls and control tools.

Password cracking, protocol analysis, and web application

  • Password cracking: introduction to Hydra and its capabilities for cracking passwords for SSH, FTP, web forms, and other types of authentication.
  • Password protection methods and strong authentication measures.
  • Vulnerability analysis in web applications: introduction to the OWASP Top 10 and tools for detecting and exploiting vulnerabilities, such as ZAP Proxy and Burp Suite.

Our team is looking for outstanding specialists in the first pentest affiliate program in the world, AL PENTEST.

Don de charité 

Donating to good causes is also a part of AlphaLock’s self-image as ethical hackers.

Around the holiday season in December, AlphaLock published a poll on charitable giving. The message stated that the group would send “50% of the entrance fees to charitable organizations.” 

The group then allocated about $1000 USD to an orphanage in Russia, and the group announced that, “we will create a New Year’s miracle for the children 😍.” Apparently other members of the group advocated to donate to an animal shelter as well.

AlphaLock purchased a “hockey arsenal” for one Russian orphanage, and the gift package included ice skates, pucks, and sleds. The group shared a video in the channel in which an unshown person distributed the items. The video displayed the ice skates with logos: “AL PENTEST.”

Screenshot of Telegram message that shows a paused video of ice skates in a box with text underneath describing the video
Screenshot of message with video that shows items purchased for the orphanage
Black ice skate that shows the AlphaLock logo on the side in white
Ice skates sent to children in orphanage with the AlphaLock logo including the term “pentest”

Qu'est-ce que ça veut dire?

Understanding the Impact of AlphaLock in Cybersecurity

AlphaLock’s activity on Telegram offers valuable insights.

  • L'image de marque: It’s become evident that cybercriminal groups are increasingly emphasizing their branding and identity. This shift towards building a recognizable brand is vividly exemplified by AlphaLock, which has dedicated considerable efforts towards crafting a distinct image and reputation, both within and outside of its direct sphere of influence.
  • Shifting Arena of Cyber Threats: Threat actor activity on Telegram challenges the traditional belief that cyber threats predominantly lurk reside on the dark web. Today, the distinction between the dark web and more accessible platforms is becoming increasingly opaque. Applications like Telegram and clear web sites are merging into a unified space where threat actors can easily network and orchestrate their plans. Modern cybersecurity calls for Continuous Threat Exposure Management across various avenues to most effectively counter threats. 

Monitoring Telegram and Other Sources with Flare

La fusée Gestion de l'exposition aux menaces (TEM) La solution permet aux organisations de détecter, hiérarchiser et atténuer de manière proactive les types d’expositions couramment exploitées par les acteurs de la menace. Notre plateforme analyse automatiquement le Clear & Dark Web et les canaux Telegram illicites 24h/7 et XNUMXj/XNUMX pour découvrir des événements inconnus, hiérarchiser les risques et fournir des informations exploitables que vous pouvez utiliser instantanément pour améliorer la sécurité.

Flare s'intègre à votre programme de sécurité en 30 minutes et remplace souvent plusieurs outils SaaS et open source. Apprenez-en davantage en vous inscrivant à notre essai gratuit.

Partagez cet article

Contenu similaire