Profiling Трафферы: KZ Team Reborn

20 min read · Mar 8, 2024

In the infostealer ecosystem there are communities of malware operators who spread malicious builds on a daily basis and work under a common organization, better known as a team.

In this blog series I will be exposing, very briefly, the activity of some of these “traffer teams”: what they did, what they are doing and what they will do in the future. If possible, I’ll let them talk freely in a quick interview.

Today, KZ Team Reborn:

KZ Team Reborn is a traffer team specialized in working with infostealers. Its recorded activity starts on September 28, 2022 and it is still active.
It is administered by an individual going by “TOKAEFFF”.

Heads — The interview

Sadly, TOKAEFFF didn’t accept the interview request:

Приветствую, спасибо за предложение, но я вынужден отказаться.
Не люблю публичности, извините

Hello, thanks for the offer, but I have to decline.
I don’t like publicity, sorry

Tails — The overview

~ Advertisements

The “KZ Team Reborn” team is advertised on the Zelenka (Lolzteam) forum, under this thread title:
KZ Team REBORN | SEO | The Bay | Channels | 30% Crypto Cutout | Page 2 — Social engineering forum — (Lolzteam)

It offers the opportunity to work with stealers (free crypted builds are provided), free SEO, a payout for every 100 logs delivered to the team, and 70% of the cryptocurrency stolen (the team keeps the 30% “cutout” named in the thread title). Anyone is invited to join, with or without prior experience.

~ Managing the Telegram Bot

The operations of the team are managed by

Applying to join the team

To apply to the team you are asked the following:

🔗 Укажите ссылку на ваш профиль на
💣 Расскажите, был ли у Вас опыт в данной сфере?

🔗 Provide a link to your profile on
💣 Tell us, did you have experience in this area?

After filling in the information and receiving administration approval, you are accepted into the team.

The bot’s functionality is written in Russian; I will be providing both original and translated screenshots.

Everything is detailed in “manuals” written by the team administration or fellow team members:
KZ TEAM: WIKI — Telegraph
KZ TEAM — Общий мануал — KZ TEAM — Команда для лучших! (KZ TEAM — General manual — KZ TEAM — A team for the best!)


The bot has the following sections:

The rules section shows:

⚠️ Основные правила команды:

- Запрещено проверять билд на VirusTotal.
- Запрещено передавать билд третьим лицам.
- Запрещено мешать воркерам лить траффик.
- Запрещено вести себя неадекватно в чате.

За нарушение одного из этих правил грозит наказание! Уважайте друг друга и занимайтесь соответствующей работой.

⚠️ Basic team rules:

- It is forbidden to check the build on VirusTotal.
- It is prohibited to transfer the build to third parties.
- It is forbidden to interfere with workers’ flow of traffic.
- It is prohibited to behave inappropriately in the chat.

Violation of one of these rules will result in punishment! Respect each other and do the right work.

It also shows the team’s general statistics (Top / Group), which are discussed later.

The “get a build” section lets you generate an infostealer build, protected with a crypter of your choice, in just two clicks, ready to be spread in the wild.

Stealers / Crypters
🌈 Build successfully created and encrypted

It also lets you run a detection check on the build with two more clicks.

Under the “My profile” section, you see this:

Your information, your statistics, and your options within the team. The options let you receive notifications for new logs coming from builds the team generated for you, display your username in the general statistics, and automatically check the YouTube and Discord accounts found in your logs.

In the information section you can see a general summary of the team, along with the team’s channels.

As you can see, at the time of writing this blog, a total of 592957 logs had been provided by workers to the team.

The Otctyk channel holds the records that I discussed in the first release of this blog series, and there is also a general chat for team members. The manual was shared above.

Below are the announcements posted on the bot since June 2023:

June 3, 2023:
@zxckvsdkvkzxvcz seo
June 4, 2023:
Пофиксили билдер люмы, простите за задержку. Насчет апи автосео еще повыясняю (The Lumma builder has been fixed, sorry for the delay. I’m still looking into the auto-SEO API.)
June 6, 2023:
Fox work, можете использовать (Fox is working, you can use it)
@zxckvsdkvkzxvcz сео
June 8, 2023:
Цитата из канал LummaC2 “Работаем. Сегодня весь день вероятно будем недоступны. Работаем над всей инфраструктурой. Поставим все за облако”

(Quote from the LummaC2 channel: “We are working. Today we will probably be unavailable all day. We are working on the entire infrastructure. We will put everything behind the cloud.”

We’re waiting, sir.)
June 13, 2023:
Люма вернулась в строй, но с переменным успехом. В ближайшие пару дней с небольшим шансом может случится отвал. Следим за новостями.
Еще сейчас был перезапуск дедика, поэтому логи не будут идти ближайшие пару минут, не паникуйте. Ждем пока мета проснется и все дойдет
(Lumma is back in service, but with mixed results. In the next couple of days there is a small chance of an outage. Stay tuned for news.
Also, the dedicated server was just restarted, so logs will not come in for the next couple of minutes, don’t panic. We are waiting for Meta to wake up and everything will arrive.)
June 14, 2023
Билдер люмы пофиксили, теперь проблем с обновлением токена и тд не будет. (The Lumma builder has been fixed; there will be no more problems with token refresh etc.)
June 23, 2023
Пофиксили архиватор, ночью ют обновился, я ловко парировал и починил
Теперь люма выдает скрины в логах, добавил их в бота
Пофиксил небольшой баг с отстуком люмы в лс
(Fixed the archiver; YouTube updated overnight, I deftly parried and repaired it.
Lumma now includes screenshots in the logs, I added them to the bot.
Fixed a small bug with Lumma’s callback reports in PMs.)
June 27, 2023
Архиватор был временно удален из бота в связи с аномальными зависаниями. Просим прощения за неудобство (The archiver was temporarily removed from the bot due to abnormal freezes. We apologize for the inconvenience)
June 28, 2023
@K1T_T Выдаст вам подписку в своем боте — условие: 10 логов за неделю. (@K1T_T will give you a subscription in his bot — condition: 10 logs per week.)
June 29, 2023
Кто использует люмму сделайте пожалуйста ребилд! (Those using Lumma, please rebuild!)
June 30, 2023
@vyaz1437 фри вяз, если на канале есть хотя бы 1 ролик 100 сео( и наш билд) (@vyaz1437 free vyaz, if the channel has at least 1 video with 100 SEO (and our build))
July 7, 2023
🔥Вернули редлайн в бота, можете заказывать билды (🔥 RedLine has been returned to the bot, you can order builds)
July 10, 2023
@aizuuwuw залив (@aizuuwuw uploads)
July 15, 2023
Автосео кабмек. Жёстко делаем ура ура и бегом проливаться (Auto-SEO comeback. Hooray hooray, now go hard and run to pour traffic)
Уважаемые воркеры, покупайте каналы хотя бы от 300 сабов, на 5–15 подписчиков за 1 рубль вам не будут заливать. (Dear workers, buy channels with at least 300 subs; nobody will upload to 5–15-subscriber channels bought for 1 ruble.)
July 20, 2023
М, вау, ого. Архиватор вернулся. В целом, все так же, но чуть чуть поправил оптимизацию. Качаем видосик, заливаемся, подрубаем автосео и на взлет. Всем спок спок
(Hm, wow, whoa. The archiver is back. Overall it’s the same, but I tweaked the optimization a bit. Download a video, upload it, switch on auto-SEO and take off. Good night everyone)
August 2, 2023
Проводятся тех. работы. Отстук будет частично недоступен примерно два часа. (Maintenance is in progress. The callback will be partially unavailable for about two hours.)
August 4, 2023
Уважаемые воркеры технические работы закончились, сделайте ребилд, старые билды работать не будут. (Dear workers, the technical work is over, do a rebuild, the old builds will not work.)
August 10, 2023
@vyaz1437 фри вяз( от 10 логов в тиме за все время) (@vyaz1437 free vyaz (from 10 logs in the team, all time))
August 12, 2023
Добрый день! Пофиксил архиватор, видео теперь докачиваются. Исправил работу AVCheck в боте. Теперь в нем нет ограничения на количество одновременных сканирований, но есть шанс что сама API сервиса не позволит создать задание, поэтому придется подождать минуту и попробовать снова.

Актуальные детекты:
PackLab — 4/26
FoxCrypt — 2/26
(Good afternoon! I fixed the archiver, videos now finish downloading. Fixed AVCheck in the bot. There is no longer a limit on the number of simultaneous scans, but there is a chance that the service’s API itself will not let you create a task, so you will have to wait a minute and try again.

Current detections:
PackLab — 4/26
FoxCrypt — 2/26)
August 31, 2023
Уважаемые воркеры, сейчас будут проводиться тех.работы, Ориентировочно 30–40 минут. Отстук может быть нестабильным.
(Dear workers, maintenance is about to start, approximately 30–40 minutes. The callback may be unstable.)
September 4, 2023
Возьму 3х человек для ворка по тиктоку, обязательно с опытом! Писать @TOKAEFFF (I’ll take 3 people to work on Tiktok, definitely with experience! Write @TOKAEFFF)
October 2, 2023
Снова вернули LummaC2. Кончилась подписка на PackLab, в течении часа все придет в норму. Все работает всем спасибо
(LummaC2 is back again. The PackLab subscription ran out; everything will be back to normal within an hour. Everything works, thanks everyone)
мета дала ебу и не открывается панель, поменяйте билд на люмму(проблема на стороне меты, ждем фикс)
(Meta crapped out and the panel won’t open, switch your build to Lumma (the problem is on Meta’s side, we’re waiting for a fix))
Исправили проблему с отсуком люмы. Была проблема со сборкой архивов самим стиллером, изза чего бот спотыкался и не мог распаковать архив. Все поправили, теперь все логи дойдут.
(Fixed the problem with the Lumma callback. There was a problem with how the stealer itself assembled the archives, which made the bot trip and fail to unpack the archive. All fixed, now all logs will arrive.)
October 5, 2023
Мета снова упала, поменяйте билд на люмму (Meta is down again, switch your build to Lumma)
November 9, 2023
Люмма ворк, для того, чтобы вам стучало в бота, нужно сделать ребилд. (Lumma is working; for your logs to report to the bot, you need to rebuild.)
Уважаемые воркеры, сделайте еще раз ребилд люммы, если хотите пользоваться фичами нового обновления. Удачного ворка! (Dear workers, rebuild Lumma once more if you want to use the features of the new update. Happy working!)
November 10, 2023
Просим прощения за долгий отвал. Старые билды работают. Фокскрипт был удален из бота в связи с неработоспособностью сервиса. Архиватор работает. Сейчас в боте установлена старая база данных, поэтому у некоторых откатились профили. Если вы уже были в тиме, а сейчас бот просит подать заявку: подавайте и указывайте что уже были в тиме.
(We apologize for the long outage. Old builds work. FoxCrypt was removed from the bot because the service is not operational. The archiver is working. The bot currently runs on an old database, so some profiles have been rolled back. If you were already in the team and the bot now asks you to apply: apply and state that you were already in the team.)
Используйте пока что люмму, потому что сейчас небольшие проблемы будут с метой. Как только все решим, будет уведомление.
(Use Lumma for now, because there will be some minor problems with Meta. As soon as everything is resolved, there will be a notification.)
November 11, 2023
мета ворк, можете запрашивать билды. (Meta is working, you can request builds.)
November 14, 2023
Билдер LummaC2 снова доступен! (Builder LummaC2 is available again!)
November 29, 2023
Внимание! В связи с обновлением меты всем нужно сделать ребилд( старые билды не будут стучать на новой панели). Люмма пока что прилегла, будем держать вас в курсе. Уважаемые воркеры, сделайте пожалуйста ребилд, это обязательно!(не касается тех, кому я отписал лично) (Attention! Due to the Meta update, everyone needs to rebuild (old builds will not report to the new panel). Lumma is down for now, we will keep you posted. Dear workers, please rebuild, this is mandatory! (Does not apply to those I messaged personally))
December 5, 2023
Кто использует люмму, сделайте ребилд. (Those using Lumma, rebuild.)
December 19, 2023
Уважаемые воркеры, кто использует люмму и у кого нет юзер инфо в логах, сделайте ребилд пожалуйста. проблему пофиксили. (Dear workers, those using Lumma who have no user info in their logs, please rebuild. The problem has been fixed.)
January 9, 2024
Уважаемые воркеры, сейчас будут проводиться технические работы, связанные с МЕТОЙ, убедительная просьба перекинуть свои билды на ЛЮММУ, для стабильного отстука. (Dear workers, maintenance related to META is about to start; we kindly ask you to switch your builds to LUMMA for a stable callback.)
January 30, 2024
Люма не работает, тех. работы на сервере. Делайте ребилд на мету (Lumma is not working, server maintenance. Rebuild on Meta)
Отмена, люма ворк. Ребилд не нужен (Cancel, Lumma is working. No rebuild needed)
February 3, 2024
Уважаемые Воркеры! Кто использует мету, возьмите люмму. Мету завтра пофиксим. (Dear workers! Those using Meta, take Lumma. We will fix Meta tomorrow.)
February 6, 2024
Мета снова доступна, можете запрашивать билды. (Meta is available again, you can request builds.)
February 19, 2024
кто используют люмму, сделайте ребилд, обновились прокладки (Those using Lumma, rebuild; the proxy layers have been updated)
February 20, 2024
мета временно не ворк. (Meta is temporarily not working.)
February 29, 2024
Уважаемые воркеры, перед тем как кинуть сеошеру ссылку, уточняйте пожалуйста есть ли место для накрута. В ближайшее время постараемся докупить дедики, чтобы не было очередей. (Dear workers, before sending the SEO guy a link, please check whether there is capacity for boosting. We will try to buy more dedicated servers soon so that there are no queues.)
March 2, 2024
Уважаемые воркеры! Панель меты обновилась, сделайте ребилд в срочном порядке! Старые билды стучать не будут на новой панели. Если во время билда вам пишет, что билдер занят, значит попробуйте взять билд через некоторое время. (Dear workers! The Meta panel has been updated, rebuild urgently! Old builds will not report to the new panel. If during a build it says the builder is busy, try to get the build again a bit later.)
March 3, 2024
Уважаемые воркеры! В срочном порядке сделайте ребилд меты. (Dear workers! Rebuild Meta urgently.)

~ Otctyk

The records on the KZ Team Reborn Otctyk channel look like this (English in parentheses is a translation; the original messages are in Russian):

✅ Пришёл новый лог! (A new log has arrived!)
└🦅 LummaC2 (or Ⓜ️ META) (📈 RedLine is no longer available)
└🥷Воркер: (Worker:)

💾Системная информация (System information)
└🌐 Страна: (Country:)
└🔮 IP:
└🖥 Система: (OS:)

🔐 Сводка из браузера (Browser summary)
└🔑 Пароли: (Passwords:)
└🍪 Куки: (Cookies:)
└💳 Приложения: (Applications:)
└🧊 Холодки: (Cold wallets: cryptocurrency wallets or password managers)

Sadly, on February 7th, 2024 this channel was rebooted, and most of the records were lost. BUT, I had saved an export of the channel on August 4th, 2023, containing records from the beginning of KZ Team’s operation up to that day.

The analysis covers records from September 28th, 2022 (first record) to August 4th, 2023, and then from February 7th, 2024 to March 1st, 2024.

The total number of unique victim IP addresses in these logs is 418920.

Check the full summarization here: IP Summarization Results of 418920 IPs

Sorted by country (IPs per country, descending):

[Per-country table of the 418920 IPs across 216 countries and territories, running from 42193 IPs for the most-affected country down to 1 IP; only partially legible here. Countries identifiable in the list, in descending order of IP count: United States, United Kingdom, Dominican Republic, South Korea, United Arab Emirates, South Africa, Saudi Arabia, Sri Lanka, Costa Rica, Bosnia and Herzegovina, New Zealand, Hong Kong, Palestinian Territory, El Salvador, Ivory Coast, North Macedonia, Puerto Rico, Trinidad and Tobago, Democratic Republic of the Congo, Republic of the Congo, Burkina Faso, Cabo Verde, New Caledonia, Papua New Guinea, Antigua and Barbuda, French Polynesia, Equatorial Guinea, U.S. Virgin Islands, Saint Vincent and the Grenadines, Cayman Islands, Saint Lucia, Sierra Leone, Turks and Caicos Islands, French Guiana, Timor Leste, Saint Kitts and Nevis, Sao Tome and Principe, Faroe Islands, British Virgin Islands, Isle of Man, Solomon Islands, Bonaire, Saint Eustatius and Saba, Saint Martin, South Sudan, Sint Maarten, Northern Mariana Islands, San Marino, Aland Islands. The full breakdown is in the linked IP summarization.]

The full list of IPs can be found at:

So yes, KZ Team Reborn workers have hit victims all around the world.

As said before, the total number of logs received by the team (at the time of writing) and shown in the Telegram bot statistics is 592957. I believe this number can be trusted, considering the 418920 unique records presented here (with some months of activity unrecorded) and several examples of reinfection.

Over the roughly 333 days of records, that works out to an average of ~1250 unique new victims per day from the people working for this team.

In the first months, the records on the Otctyk channel did not show which stealer was used; later they did. In total, 30175 records are tagged as RedLine logs, 303598 as Meta logs and 56953 as LummaC2 logs.
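The figures above (unique IPs, reinfections, per-stealer and per-country breakdowns) are the kind of thing you get by parsing the Otctyk records in the template shown earlier. As an added example, not code from the original post or from the team, here is a small Python parser for a plain-text export in that template. The sample export is constructed for illustration: the addresses are RFC 5737 documentation ranges, the worker handles are invented, an empty “Воркер:” line is assumed to be how a hidden username appears, and a record without a stealer line stands in for the early untagged records.

```python
# Added example (not from the original post): parse plain-text Otctyk records in
# the template shown above and aggregate them into the figures the post reports
# (unique victim IPs, reinfections, records per stealer, unique IPs per country).
import re
from collections import Counter

RECORD_START = "✅ Пришёл новый лог!"  # opens every record in the template

# Field patterns from the template. [ \t]* (not \s*) stops an empty value from
# swallowing the next line; an empty "Воркер:" is assumed to be a hidden username.
STEALER_RE = re.compile(r"^└\S*[ \t]*(LummaC2|META|RedLine)[ \t]*$", re.MULTILINE)
WORKER_RE = re.compile(r"Воркер:[ \t]*(\S+)")
COUNTRY_RE = re.compile(r"Страна:[ \t]*(.+)")
IP_RE = re.compile(r"IP:[ \t]*(\d{1,3}(?:\.\d{1,3}){3})")
PASSWORDS_RE = re.compile(r"Пароли:[ \t]*(\d+)")
COOKIES_RE = re.compile(r"Куки:[ \t]*(\d+)")

# Constructed sample export: RFC 5737 addresses, invented handles. The second
# record re-reports the first victim (reinfection) with a hidden worker; the
# third carries no stealer tag, like the early records on the channel.
SAMPLE_EXPORT = """\
✅ Пришёл новый лог!
└🦅 LummaC2
└🥷Воркер: @worker_a
💾Системная информация
└🌐 Страна: United States
└🔮 IP: 203.0.113.10
🔐 Сводка из браузера
└🔑 Пароли: 14
└🍪 Куки: 2310

✅ Пришёл новый лог!
└Ⓜ️ META
└🥷Воркер:
💾Системная информация
└🌐 Страна: United States
└🔮 IP: 203.0.113.10
🔐 Сводка из браузера
└🔑 Пароли: 14
└🍪 Куки: 2290

✅ Пришёл новый лог!
└🥷Воркер: @worker_b
💾Системная информация
└🌐 Страна: India
└🔮 IP: 192.0.2.55
🔐 Сводка из браузера
└🔑 Пароли: 0
└🍪 Куки: 120
"""


def _first(pattern, block, default=None):
    """Return the first capture of `pattern` in `block`, or `default`."""
    m = pattern.search(block)
    return m.group(1).strip() if m else default


def parse_records(export_text):
    """Split an export on the record marker and extract the fields of each record."""
    records = []
    for block in export_text.split(RECORD_START)[1:]:
        ip = _first(IP_RE, block)
        if ip is None:
            continue  # nothing to key the victim on; skip the malformed block
        records.append({
            "ip": ip,
            "stealer": _first(STEALER_RE, block, "untagged"),  # early records had no tag
            "worker": _first(WORKER_RE, block),                # None when hidden
            "country": _first(COUNTRY_RE, block, "unknown"),
            "passwords": int(_first(PASSWORDS_RE, block, "0")),
            "cookies": int(_first(COOKIES_RE, block, "0")),
        })
    return records


def summarize(records):
    """Unique IPs are the victim count; an IP seen more than once is a reinfection."""
    hits = Counter(r["ip"] for r in records)
    first_seen = {}
    for r in records:
        first_seen.setdefault(r["ip"], r["country"])  # count each victim IP once per country
    return {
        "records": len(records),
        "unique_ips": len(hits),
        "reinfected_ips": sorted(ip for ip, n in hits.items() if n > 1),
        "records_by_stealer": dict(Counter(r["stealer"] for r in records)),
        "unique_ips_by_country": dict(Counter(first_seen.values())),
        "records_by_worker": dict(Counter(r["worker"] for r in records if r["worker"])),
        "hidden_worker_records": sum(r["worker"] is None for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_EXPORT)).items():
        print(f"{key}: {value}")
```

Keying on the IP field is what makes “unique victims” and “reinfections” separable from the raw log count; on a real export you would also want to normalise the country strings before aggregating, since the stealer panel, not the bot, decides how they are spelled.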

Some of the applications and items checked in each log are:
Session files: Steam, Anydesk, Telegram, Discord, FileZilla
Cookies and Credentials: “BANKS”, “MONEY”, Paypal, GPay, Amazon, Facebook Business
🧊 (cold wallets): Authenticator, AuthyDesktop, Bitcoincore, Coinbase, Binance, MetaMask, Exodus, Atomic, Phantom, Electrum, TrustWallet, Yoroi, Nami, CryptoCom, TerraStation, Keplr, OKX, Math, AgrentX, Petra, Coin98, VenomWallet, RoninWallet, BinanceChainWallet, LeapWallet, Martian, UniSat, TronLink, Martian, Sui, PolkadotJS, LedgerLive, ExodusWeb3, iWlt, HavahWallet, BinanceWallet, ZilPay, Backpack, CompasWallet

There should be more

~ Workers

Keep in mind that the team offers an option to hide your username in the OTCTYK records, so most of the logs do not disclose an actual username; users can also change their username, so more than one username may refer to the same operator.

In total, 848 usernames appear, each with its victims. Of course, the list is incomplete for the reasons stated above.

Some of these usernames may be known to you. List:


In the statistics shown in the Telegram bot, only one username is disclosed: user Ventenda (with 16003 logs) at the time of writing.

Some of these usernames have been seen in infostealer traffic working with builds from this team, but also working under other teams or with their own builds from a private panel. Tracking the activity of each individual would be a massive task that is out of my capabilities atm.

There is also a leaderboard of the highest payouts, again with a single disclosed username:

User wanwap earned $4007 in his journey as a malware operator

~ Builds

I generated a META (Easycrypt) build from this team’s Telegram bot; find it at:

MalwareBazaar | SHA256 90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24

In fact, I got logs back from sandbox machines, damn.
Doing CTI rocks 😎.

Sadly I can’t expose what Lumma ID is using this team at the moment.


ANY.RUN interactive analysis: 833821dfd2eef37f7624dd227e49484c20bad5d474b251e1d9fd04ef0476544c.exe (MD5: 40F173D5B3066B6E39C7CE4632256679), malicious activity

~ Past telemetry

Thanks to the disclosed usernames, we can find strong evidence of past C2 servers used by this traffer team.

Filtering ANY.RUN analyses by those C2s turns up further builds and the traffers behind them, including usernames that were never disclosed on the channel.

As examples (META builds), each pair below is sample MD5 / traffer username disclosed by the analysis:

ANY.RUN interactive analysis: payload.exe (MD5: 4C1CD8FD2D86D65EDCD88C9E982EF86E), malicious activity

4c1cd8fd2d86d65edcd88c9e982ef86e / @Housto_N_n

ANY.RUN interactive analysis, malicious activity

88ff28a1331720f5907c7411eecd788a / @osjakal

ANY.RUN interactive analysis, malicious activity

? / @deathwill

ANY.RUN interactive analysis, malicious activity

C3EF845E5961F6B2DBB1914B2F2E60EB / @coufaaiinne

(Not) The end ;)

Expect more content, soon.
Best regards,