Russia Detains Meduza Theft Developers Following Government Cyberattack – Hackread

On Thursday, October 30, 2025, Russian law enforcement executed a surprise operation in Moscow, apprehending three individuals linked to the development and distribution of the notorious Meduza Stealer. The arrests were confirmed by Irina Volk, a spokesperson for Russia’s Interior Ministry, following an extensive investigation by the Investigative Department of the Ministry of Internal Affairs.

Profile and Pricing of Meduza Stealer

The detained suspects, identified as ‘young IT specialists’, allegedly operated Meduza as a lucrative Malware-as-a-Service (MaaS) venture since mid-2023. This C++-based malware quickly rose to infamy as a robust information stealer, capable of collecting sensitive data such as login credentials from over 100 browsers and 27 password managers. It also targeted cryptocurrency information across more than 100 wallets, including those associated with browser extensions, and extracted communications from Telegram and Steam clients.

Prominently, Meduza Stealer was offered for sale on underground forums and Telegram channels. The latest iteration, Meduza 2.2, was available by subscription for $199 per month, with a lifetime membership priced at $1,199. Notably, the malware employed the ChaCha20 encryption algorithm to obfuscate its payload and boasted anti-VM capabilities to evade detection during security assessments.
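The article notes that Meduza "obfuscated" its payload with ChaCha20. For an analyst the relevant point is that this is symmetric encryption whose key and nonce must ship inside the sample, so once they are extracted the payload decrypts exactly as it was encrypted. The following added example (not code from the article or from the Meduza project) implements ChaCha20 as specified in RFC 8439 in pure Python and applies it to a constructed stage; the key, nonce and payload bytes are made up for the demonstration, and `recover_payload` stands in for the step an analyst performs after pulling those values from a binary.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    """32-bit left rotation."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round on state words a, b, c, d (RFC 8439 section 2.1)."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Return one 64-byte keystream block (RFC 8439 section 2.3)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    state = (list(constants)
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        # column rounds
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        # diagonal rounds
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    out = [(w + s) & MASK32 for w, s in zip(working, state)]
    return struct.pack("<16I", *out)


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt `data`; ChaCha20 is its own inverse under the same key/nonce."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + offset // 64, nonce)
        chunk = data[offset:offset + 64]
        out.extend(x ^ k for x, k in zip(chunk, keystream))
    return bytes(out)


# Constructed values standing in for what an analyst would carve out of a sample.
# These are NOT real Meduza artefacts; they exist only to exercise the code.
EMBEDDED_KEY = bytes(range(0x20, 0x40))          # hypothetical key found in the binary
EMBEDDED_NONCE = b"\x00" * 4 + b"nonce!!!"        # hypothetical 12-byte nonce
SAMPLE_STAGE = b'{"c2":"example.invalid","build":"demo-0"}'  # constructed config blob


def obfuscate_stage(plain: bytes, key: bytes = EMBEDDED_KEY, nonce: bytes = EMBEDDED_NONCE) -> bytes:
    """What a packer does: XOR the stage with the keystream derived from the embedded key."""
    return chacha20_xor(key, nonce, plain)


def recover_payload(blob: bytes, key: bytes = EMBEDDED_KEY, nonce: bytes = EMBEDDED_NONCE) -> bytes:
    """What an analyst does: the same operation, because the key had to be in the sample."""
    return chacha20_xor(key, nonce, blob)


if __name__ == "__main__":
    blob = obfuscate_stage(SAMPLE_STAGE)
    print("obfuscated :", blob.hex())
    print("recovered  :", recover_payload(blob).decode())
```

The RFC 8439 block test vector (all-zero-to-0x1f key, nonce `000000090000004a00000000`, counter 1) is the quickest way to confirm an implementation like this before trusting it on a real blob; a mistake in the round ordering or in the final state addition produces plausible-looking but wrong keystream.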

Key Investigation Turning Point

The investigation reached a critical juncture when it emerged that the suspects had breached a Russian government organization in the Astrakhan region earlier this year and stolen classified data. This breach was particularly damaging to them, as Meduza Stealer included a geo-filter that skipped machines in Russia, Kazakhstan, and Belarus, an operational security (OpSec) practice adopted by local cybercriminals to avoid attention from domestic authorities.

Police Operation and Outcome

During the policing operation, authorities seized computers, mobile phones, and bank cards. Visual evidence captured during the raids, supported by Rosgvardia forces, shows officers entering multiple apartments, with one suspect notably dressed in ‘Hello Kitty’ pajama pants. Volk noted that all relevant accomplices and instances of illegal activity were being thoroughly investigated.

In addition to the apprehensions, investigators uncovered a secondary, unidentified malware designed to undermine security defenses and facilitate botnet construction. If found guilty on all counts, the three suspects could face prison sentences of up to five years.

This operation signifies a notable shift in Moscow’s approach to cybercrime. Recent assessments from Recorded Future’s Insikt Group indicate that Russia is transitioning from a position of passive tolerance regarding its cybercriminal landscape to one of proactive management. The arrests underscore the state’s strategy of employing selective detentions and public crackdowns to project authority over domestic hackers who have attracted too much attention or posed political challenges.

In light of these events, organizations should remain vigilant against the tactics associated with similar malware distributions. The activity attributed to these individuals illustrates the persistent threats in the cyber domain, relying on techniques that map to several MITRE ATT&CK tactics, such as initial access, persistence, and privilege escalation, to achieve their malicious goals.
