Cyber Threat Actor: Matrong
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
3 incidents |
|---|
Profile
Matrong, also known as Troldesh, is a threat actor that has been publicly associated with operations originating from Russia. The actor uses the aliases Matrong and Troldesh in separate reporting, with Matrong appearing in communications related to a Brazilian real estate breach and Troldesh identified as the ransomware component in a 2019 attack on a Russian real estate firm. Publicly available information indicates that the actor’s activities have been observed in both Latin America and Eastern Europe, focusing on the real estate sector in those regions. The actor’s stated objectives, as expressed in direct communications with victims and reported by third parties, are financial in nature, involving ransom demands, the deployment of cryptocurrency miners for covert profit, and the exfiltration of data that could be leveraged for further monetary gain. No public sources attribute state sponsorship or espionage motives to Matrong or Troldesh, and the described behavior aligns with financially driven cybercrime.
In terms of tactics, the actor has employed phishing emails containing malicious ZIP files that deliver heavily obfuscated JavaScript, a technique seen in the 2019 incident against a Russian real estate company. This JavaScript launches a multi‑stage payload that includes the Troldesh ransomware, which encrypts files and alters system wallpapers, a cryptocurrency miner that generates ZCash for the attackers, and a Trojan‑Heur module designed to steal credentials, enable remote control, and conduct brute‑force attacks against WordPress sites. For the Brazilian real estate firm Lopes, the actor reported gaining initial access through a backdoor, subsequently contacting company executives with a ransom demand that went unanswered, and exfiltrating approximately 13 GB of internal and customer data without encrypting files. The actor has explicitly stated that they targeted real estate companies because such entities handle large volumes of documents, making them attractive targets for data theft. These observed patterns—phishing‑based initial access, use of ransomware combined with mining and credential‑stealing tools, and a focus on the real estate sector for financial profit—constitute the core of the actor’s known methodology as documented in the cited sources.
