Menu
Browse

Cyber Threat Actor: Trojan-Heur

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

The threat actorknown by the alias Trojan‑Heur has been observed operating from Russia. Public reporting links this alias to a campaign that targeted a major Russian real estate firm in February 2019. The actor’s objectives in that incident were to generate immediate profit through ransomware encryption, covert cryptocurrency mining, and credential theft. No evidence has been presented to suggest state sponsorship or espionage goals in this activity. The actor is therefore characterized as a cybercriminal group rather than an espionage‑focused entity.

Initial access was achieved via a phishing email containing a malicious ZIP file that appeared to hold order details. Inside the archive, heavily obfuscated JavaScript was executed, launching a multi‑stage payload. The payload deployed three distinct modules: the Troldesh ransomware, which encrypted files and appended the ".crypted000007" extension while altering the desktop wallpaper; a cryptocurrency miner that generated approximately 4.89 ZCash for the attackers; and the Trojan‑Heur malware itself, which enabled credential theft, remote system control, and brute‑force attacks against WordPress sites. The inclusion of noisy brute‑force activity contrasted with typical stealth objectives, indicating possible botnet misuse or profit‑maximizing tactics. This combination of ransomware, mining, and credential‑harvesting tools indicates a blended operational focus rather than a purely stealth‑oriented operation.

The February 2019 incident remains the most detailed publicly reported operation associated with Trojan‑Heur, illustrating the actor’s use of obfuscated script delivery and a blended malware suite. Attribution to a specific criminal group or consortium has not been established in open sources, and the activity lacks hallmarks of state‑sponsored espionage. No further campaigns involving Trojan‑Heur have been publicly documented at the time of this writing. Consequently, the actor is currently understood as a group whose known activity is confined to this single case.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources