Smoked Out: Uncovering the Life & Personality of a SmokeLoader Actor Targeted by Operation Endgame


Written by Anastasia Sentsova

Introduction

Between May 27 and 29, 2024, Operation Endgame, coordinated from Europol’s headquarters, targeted six droppers: IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and TrickBot. As a result of the operation, four arrests took place (one in Armenia and three in Ukraine), and 16 location searches were conducted in Armenia, the Netherlands, Portugal, and Ukraine. Over 100 servers were taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine, with over 2,000 domains being taken under the control of law enforcement.

In addition, eight individuals linked to these criminal activities, wanted by Germany, were added to Europe’s Most Wanted list on May 30, 2024. These individuals include Oleg Vyacheslavovich Kucherov, Sergei Valerievich Polyak, Anton Aleksandrovich Bragin, Fedor Aleksandrovich Andreev, Andrei Andreevich Cherepanov, Nikolai Nikolaevich Chereshnev, Georgy Sergeevich Tesman, and Gruber Airat Rustemovich. All eight individuals are believed to reside in Russia.

When investigating cybercrime, actor attribution plays a significant role in combating these activities. Beyond bringing cybercriminals to justice – depending on the willingness of the jurisdictions in which they are physically located – attribution also helps in understanding their behavior and motives. Combating cybercriminals involves carefully studying their personalities, which in turn can be used in PsyOps, as widely implemented during the ongoing Operation Endgame.

In a series of carefully crafted videos, law enforcement hid many “Easter eggs” in the messages to reach the actors’ minds. In this report, we will walk you through these tactics, solving the riddles left by Operation Endgame masterminds and uncovering the stories of those targeted during the operation. This time, we’ll tell the story of Gruber Airat Rustemovich, who became the main character of the very first video released by law enforcement.

Through our investigation, we traced Gruber’s digital footprint and pieced together a detailed life story, forming a comprehensive portrait of his personality. We aim to contribute to the broader understanding of modern cybercriminal profiles by analyzing his character and motivational mindset. Gruber’s case highlights the complexities of individuals involved in cybercrime, blending their real-life personas with illicit activities driven by personal beliefs, cultural identity, and opportunistic motivations.

The Downfall of a SmokeLoader Actor & The Start of Their Endgame

Cyber battles are similar to real ones, except they primarily target the minds of enemies rather than their bodies. After Operation Cronos, Operation Endgame became the second known campaign to use PsyOps against cybercrime and individuals involved in illicit activities.

From May 31, 2024, to July 10, 2024, law enforcement used the dedicated website Operation Endgame to release a 37-second pilot video, followed by seven videos split into seasons and episodes, each tailored to address those involved in cybercrime. The message, “No one is untraceable, not even online,” highlighted the reality that cybercriminals cannot remain anonymous despite the perceived illusion of it.

The first video released targeted SmokeLoader actors. The opening scene of Episode 1, Season 1, of Operation Endgame, titled “GREENHORSE,” shows a man sitting in front of a laptop, portraying the day-to-day life of a botnet seller. Among the many individuals wanting to buy botnet services is an undercover officer wearing a cap with the logo “Endgame,” who infiltrates the group according to the plot.

The video’s climax showed law enforcement dismantling the botnet infrastructure, piece by piece. The implication was clear – their time was running out, and law enforcement was closing in. The actors’ names were in law enforcement’s hands, and the clock had started ticking for them. The final scene left a warning message for the criminals: “Think about (y)our next move” (Rus: “Подумай о своем следующем ходе”), reinforcing the idea that the era of unchecked cybercrime is coming to an end.

Several monikers were cleverly embedded throughout the video as subtle clues pointing to the actor’s identity; one of them was Superstar75737. The message was clear: this criminal had been identified and was being watched.

Another clue related to the persona of Superstar75737 was left in one of the scenes: an officer sitting at a table had a notepad with the moniker Superstar75737 crossed out and what appeared to be the actor’s real name, Airat (Rus: Айрат), together with the number 1982, suggesting the actor’s year of birth. The individual behind this persona is Airat Rustemovich Gruber (Rus: Айрат Рустемович Грубер), who was added to the wanted list and identified as being behind SmokeLoader botnet operations. According to the announcement, Gruber was born on May 21, 1982, which explains the “1982” part of the note left in the video.

SmokeLoader, with which Gruber was identified as being affiliated, first appeared in 2011 and is known under the names Dofoil, Sharik, and Smoke. Based on the law enforcement announcement during Operation Endgame, his involvement in SmokeLoader botnet operations started on November 16, 2022.

Its “business” follows the pay-per-install (PPI) malware services model. In this model, a malware operator provides payment, malicious payloads, and targeting information while those running the service handle the distribution and delivery. Intel471 studied the activities of such services in detail, with SmokeLoader identified as a leading player, according to the report published on February 8, 2022.

These infections are also often referred to as “installs” (Rus: “Инсталлы”) across the DarkWeb when promoting such services. Installs are typically categorized as mixed or targeted according to geographical location, with US-based installs often being the most expensive on dark markets.

SmokeLoader was promoted on multiple DarkWeb forums, including XSS and Exploit. One of the accounts, “SmokeLdr,” was registered on XSS on July 2, 2011. The account profile included a Jabber contact smoke@exploit[.]im and listed working hours from “1 PM to 7 PM Moscow time.” The message promoting the botnet was published on October 30, 2018, highlighting its technical capabilities, which included geo-targeting and selective downloads for specific countries.

The account on XSS had very little public activity, but interestingly, on December 24, 2023, a forum member operating under the moniker Synd1c4t submitted a complaint stating they had made a payment but received no services in return. In response to the complaint, SmokeLdr claimed they were no longer the owners of the botnet since May 2023. It remains to be seen if any of the SmokeLdr accounts across Dark Web forums were operated by Gruber himself.

SmokeLoader (still active) has been widely used in cyberattacks, including those launched against Ukraine. According to the joint report by Palo Alto and the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP), SmokeLoader was identified as a prominent type of malware targeting entities across multiple sectors, including Government and Finance. For instance, between May and December 2023, a mass distribution of SmokeLoader via phishing emails containing malicious files was identified. These emails were tailored to lure the victim into opening the attached file, which executed the malware.

SmokeLoader was also involved in multiple ransomware attacks, including detailed research published by Talos that uncovered its role in the operations of the 8BASE ransomware, which distributed Phobos variants. According to the research, “This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process’ memory.”

SmokeLoader wasn’t the first botnet operation that Gruber was involved in. According to the BKA, Gruber had operated his own botnet since at least July 2021. This likely refers to the Superstar75737 services, the name of the botnet service and the moniker that Gruber used across Telegram and forums. Promoted across multiple forums, the services offered by Gruber included “installs,” with prices varying by geo-location and package size. According to a message posted on the forum, a package of 1,000 installs was offered for $40, 10,000 installs for $350, and 100,000 installs for $3,000.

In addition, Superstar75737 services could be purchased through a Telegram bot. After choosing a package size and the geo-location of the purchased installs, customers were provided with cryptocurrency addresses for payment. Based on the BKA’s investigation, this business allowed Gruber to generate profits worth over one million euros.

During the investigation, when we tried to interact with the bot, it returned a message indicating that it had been seized by the Netherlands police, along with a teasing invitation to watch the next episode of the Operation Endgame series. One part of the message, “Please post a comment on your latest user experience on a platform of your choice,” appears intended to put pressure on those who have ever used Superstar75737’s illicit services.

Operation Endgame undoubtedly reached the actors, crushing the illusion of invisibility that often exists in cybercriminals’ minds. It was met with massive backlash from the Dark Web community. Comments were observed on the XSS forum pointing to inconsistencies in the translation to Russian and a “too creative” approach to the style of the videos. Overall, underground members tried to create a narrative that the operation had little impact on the targeted actors and botnet operations.

It is yet to be identified if the two other monikers mentioned in the video, MrFawkes84 and 3nDg@Me, are related to the persona of Superstar75737 or if they belong to separate individuals. Notably, during the investigation, we identified a Telegram channel named MrFawkes84. Among the messages posted was “mfs think they avengers. operation endgame n****s [REDACTED] CANT DOX ME” (posted on June 9, 2024, and deleted soon after), which might have been their emotional response to the ongoing Operation Endgame.

Another message posted on the channel on June 11, 2024 (also deleted soon after) and then reposted on June 22, 2024, showed individuals behind the channel interacting with the official Operation Endgame Telegram account. “This is the police, how can we help you?” read a message, to which an actor replied with a check-host[.]net link, apparently suggesting that the website was down. It is unclear whether this Telegram channel has any connection to the targeted actors or if any DDoS attack took place on the Operation Endgame website. However, there is a likely possibility that the actors could have attempted retaliation in some way.

Despite the expected pushback, it is clear that cybercriminals are beginning to realize that they are not as invisible as they believe, and that law enforcement is continuously evolving to outsmart them. With the ultimate goal of a cybercrime investigation being to identify and bring to justice the individuals involved, unraveling the mysteries behind actors’ personas is challenging and revealing. In the next section, we will delve into the life of Airat Gruber to shed light on the man behind the SmokeLoader botnet.

Uncovering Gruber’s Rebel Personality: Peace Maker by Day, Cybercriminal by Night

With its multitude of social media platforms and forums, the internet has become a place where people freely express themselves, sometimes excessively. A digital footprint left by Gruber has given us a great understanding of his personality and the activities he was involved in over the years.

Before we delve into the artifacts uncovered during the investigation, let’s first explore some fundamental traits linked to Gruber’s origins and birthplace. The region’s history and the life of its Tatar population, to which Gruber belongs (judging by his name), offer valuable insights that may aid us in understanding his character. Although the following historical context might initially appear unnecessary, it plays a crucial role in understanding his personality and behavior.

Gruber was born in Kazan, the capital of the Republic of Tatarstan in Russia, on May 21, 1982. In modern times, the republic has a population of over 4 million, primarily Russians and Tatars. With Tatar and Russian as its two official languages, the region accommodates two major religions: Sunni Islam and Orthodox Christianity.

The Tatar nation (known as Tartars) dates back to the 5th century, with a large concentration of its population currently in the Tatarstan region. In 1920, it was established as the Tatar Autonomous Soviet Socialist Republic. In 1990, it declared its sovereignty from the Soviet Union to revive its cultural identity, which Soviet national policies had largely repressed. This sovereignty movement was portrayed in opposition to what citizens perceived as the Russian state’s prejudice against their national culture.

One of the movements was the Tatar Community Center, WTOC (Rus: Всетатарский общественный центр, ВТОЦ; Tatar: Bötentatar İctimaği Üzäge), a public centrist nationalist organization established on July 7, 1988. In the late 1980s and early 1990s, the WTOC organized many demonstrations and public meetings demanding that the government of Autonomous Tatarstan declare the republic independent from Russia. On multiple occasions, these demonstrations led to clashes and fights.

Autonomous Tatarstan was renamed the Republic of Tatarstan in 1992, a year after the fall of the Soviet Union, and remains a part of Russia to this day. Despite its attempt to operate with a degree of self-government, this autonomy was cut off in 2005 and 2007 under the presidency of Vladimir Putin. Any attempts for decentralization are being suppressed by the Russian government, including the liquidation of the WTOC on June 10, 2022, which was recognized as an extremist organization and closed by the decision of the Supreme Court of Tatarstan.

In trying to understand Gruber’s personality, we can assume that he likely has some proficiency in the Tatar language (at least in listening comprehension). That would be in addition to his native-level proficiency in Russian, which we established by analyzing multiple language samples of his (both oral and written).

Gruber listed Russian as his primary language skill, along with various other details about himself, when filling out a questionnaire (originally in Russian) while registering one of his accounts on the Russian social media platform VK (the equivalent of Facebook) in January 2014. Among his responses, Gruber listed his political view as “Socialist” and specified his religion as “My own” without further elaboration.

Another observation comes from Gruber, stating that the most important thing for him is improving the world and that “the desire to change the world” is his source of inspiration. While such a desire might stem from pure goodwill, it can also indicate a potential sense of perceived unfairness that motivates him to pursue these goals. Interestingly enough, this striving for fairness and honesty is something we would observe later when investigating his business activity. Ironically, Gruber also stated that “kindness and honesty” are the most important qualities in people, a sentiment that contradicts his involvement in illicit activities.

One more interesting detail emerged when investigating accounts used by Gruber under different names. Using variations of the name Radomir (also used as Radamir) and different last names, we identified multiple accounts, including several registered by him on the social media platform VK. One such account, under the name Radomir Mirolyubov, was registered in May 2014 and last accessed in July 2014. Featuring his photo as the avatar, the status on the page reads: “I am a son of God! Who are you?”

Another variation, Radamir Ramiev, was used to register on a Russian job search website. His profile includes a description stating he is looking for “programmers with knowledge of PHP, C#, C++, Java, HTML.” In addition, Radamir Asov (username radamirasov) was used to register yet another VK account in January 2018, which was last accessed in February 2024. All the information, including the date of birth and photo, matches Gruber’s persona.

Radomir/Radamir is likely one of Gruber’s pseudonyms. The name Radamir was also mentioned in the video as part of Operation Endgame. In one scene, the sender’s name appears as “Radamir Ra…,” perhaps designed to give Gruber a clue that law enforcement knows his second identity.

Overall, judging by his online presence, Gruber appears to be a regular, law-abiding citizen. His social media profiles are filled with family photos and hobbies, including art. He seemed to maintain this image until he decided to take a wrong turn and enter the world of cybercrime. In the following section, we delve into his business endeavors before his involvement in cybercrime, which provide excellent context for understanding his personality.

Entrepreneur, Crypto Startupper, and Other Business Activities During Gruber’s Pre-Cybercrime Era

If there is anything clear from analyzing Gruber’s persona and activities, one thing is evident – the man has an entrepreneurial nature. He has been operating multiple businesses for almost 20 years now. His first company, TIALAB, opened in 2005 and specialized in wholesale non-food consumer goods. The company ceased its activities on June 28, 2011, after the decision of the tax service. According to official records, the owners abandoned the company; they did not carry out activities or file any taxes.

Among his various business ventures, one of the most interesting was his attempt to launch his own cryptocurrency. On September 26, 2014, Gruber posted a message on the forum forum[.]bits[.]media promoting GruberCoin, a new cryptocurrency he claimed to have launched with a team of enthusiasts.

Navigating the profile with the username “Galaheym” reveals Gruber’s date of birth, 05/21/1982, and place of residence, Kazan. The profile also links to GruberCoin’s official website, gruber[.]co[.]in (no longer accessible), suggesting that Gruber managed the account himself.

In support of the GruberCoin promotion, Gruber recorded a video of himself discussing the benefits of his cryptocurrency. The video was published on YouTube (an account registered on December 4, 2011) and RuTube (a Russian equivalent of YouTube). “The current monetary system has already compromised itself many times over,” he begins, promoting GruberCoin as a revolutionary tool that would provide freedom and decentralization from the traditional financial system in Russia. In the three-and-a-half-minute video, he answers questions primarily related to the technical characteristics and future of the coin, aiming to convince people to join the project.

You can watch the full video posted on YouTube here:
https://www.youtube.com/watch?v=m2VC761D76M

In addition to various promotional efforts that included webinars and physical meetups in Kazan, GruberCoin was also allegedly supported by local businesses. A message posted on October 2, 2014, announced that local businesses, including beauty salons, dental clinics, and others, were accepting GruberCoin as a means of payment. However, the message didn’t specify the exact names of these companies or dates, explaining that it might have a “negative impact on them, because the political situation is not stable.” Despite this, GruberCoin failed to attract customers and supporters, leading to the project’s early demise around the end of 2014.

Gruber launched another crypto project later, in 2018. This time, he promoted a cloud mining service named Tartaria tied to GRIF, a new coin he was actively endorsing. Cloud mining allows individuals to rent processing power from remote data centers to mine cryptocurrency without the need to manage physical hardware. The concept is as follows: users lease hash power from a provider, becoming part of a larger mining operation without requiring personal equipment. Miners choose a package based on the desired hashrate and duration. The provider then uses this power for mining activities and distributes rewards in proportion to the power leased.

The project was announced on the forums altcoinstalks[.]com and bitcointalk[.]org on November 8, 2018. The project was tied to the company “Social Growth Fund of the Population ‘Tartaria’,” which Gruber registered on July 4, 2018. An important detail is the company’s address in Krasnodar Krai, Tuapsinsky District, Dzhubga. It is unclear whether Gruber changed his place of residence sometime in 2018 and how much of his time he spent there. However, Gruber also listed Tuapse as his city of residence when registering another VK account under the username tartarin3000 in April 2018 (the account is currently deleted).

In August 2020, the Tartaria project introduced new updates, announcing the listing of the GRIF coin on the exchange bitfex[.]trade and the launch of a new coin, Tarcoin, on August 25, 2020. According to a message posted on bitcointalk, GRIF could now be exchanged for Tarcoin at a 1000:1 ratio, and a lending program was announced with “deposits yielding 100% per annum.”

As with his first crypto project, GruberCoin, Gruber launched a massive promotional campaign in support of the Tartaria project. Notably, the project concept was presented as a social initiative designed to create a decentralized community and improve the financial situation of those in need. To increase audience involvement, Gruber and his partners announced a couple of cell phone giveaways to promote the project. Additionally, those who reposted project-related information on social media would receive monetary prizes distributed through QIWI and Yandex Money.

Gruber seemed to be deeply involved with the project and communicated with its community members. For example, he shared his successful weight loss journey in one message. He also provided information about the relocation of data centers used for mining purposes, stating: “So, from Kazan, near Vasilyevo, our miners moved to the Moscow area because the data center in Kazan was closed (for reasons unknown to me). They moved to the same company that hosted us in Kazan, but just to a site near Moscow. However, there, a three-letter agency seized all the miners, including ours, claiming that the power line was being used illegally… In short, from that point on, it has been a dark story for me as well.”

Despite the growth projected by its owners, the project didn’t last long, though it did survive longer than his first crypto project, GruberCoin. The reason behind the decision to end it is unclear, but it may have been related to their inability to grow their community and customer base.

Some people expressed concerns about the project’s legitimacy, with many calling Gruber a scammer. One forum user, for example, pointed to Gruber’s first crypto project, GruberCoin, suggesting that the current Tartaria project might be another “scammer” venture. Gruber responded in his usual manner, explaining that the failure of the first project had nothing to do with the second one, as failures in business happen. He also recorded a video addressing his “haters” and what he called competitors trying to push him out of the market.

The video was posted on the project’s Facebook page, which you can watch here:
https://www[.]facebook[.]com/groups/oftartaria/

Gruber withdrew from the project in November 2020. According to a message posted by his partner on November 6, 2020, on finforum[.]pro, Gruber could no longer participate in the project due to health issues related to coronavirus. “Guys, I am in the hospital, and my condition is terrible. I am freezing the project until I recover, and then I will make it up to you,” Gruber stated in the message. The registered company, “Social Growth Fund of the Population ‘Tartaria’,” tied to the Tartaria crypto project, was liquidated on March 29, 2024.

Based on observations of Gruber’s various business endeavors, several of his characteristics become evident: his strong organizational skills and determination to foster an independent community, reflecting a somewhat rebellious nature. Another aspect apparent in his messages, including those recorded in videos, is his consistent reference to the “world’s unfairness” and his distrust of people’s honesty.

For example, in a message addressing potential clientele of the Tartaria project, he stated, “Once there was a great country – Tartaria. Studying new facts and hypotheses about this state, I discovered an important detail: in this country, a large part of the population lived according to conscience, despite people being of different ranks. The country was vast, with many different races (at that time there was no concept of ‘nationality’), people varied greatly in appearance, but all were united.”

The country Tartaria that he refers to in the message, which became the name of Gruber’s business, is quite an interesting choice by him. While it echoes the Republic of Tatarstan, his birthplace, it relates to Tartaria – a mythical land near Central Asia and Siberia believed by some to have been part of a powerful ancient empire centuries ago. However, others dismiss it as a conspiracy theory. On two Facebook pages – one belonging to Gruber personally and another related to the Tartaria project – a map of Tartaria, often cited by those who believe in the existence of such a land, is prominently displayed.

We’re not here to start a historical debate but to analyze Gruber’s motivational mindset by examining his activities. It’s evident from his persistent message about the unfairness of the world and his desire to change the lives of those around him. This motivational mindset could be interpreted as a calculated strategy to influence public perception, leveraging universal responses to prevalent social inequalities across societies. Alternatively, this behavior might also stem from his struggle to affirm his identity, possibly influenced by experiences in a region where Tatars have faced cultural suppression.

As highlighted earlier in our research, considering the historical context of his birthplace and the ongoing struggle related to the cultural suppression of Tatar citizens in the region, Gruber’s actions may reflect an attempt to reclaim a perceived “greatness” that individuals like him feel has been diminished over time. His efforts to build decentralized communities and challenge inequality could be seen as a response to this historical context, aiming to assert cultural identity and autonomy in the face of past suppression.

Conclusion

Our research efforts aim to contribute to the study of cybercriminal behavior. We also aim to reach those who romanticize cybercrime and believe their actions and identities are well hidden and untraceable. With examples such as Operation Endgame, these efforts greatly expose such misconceptions and shift public perception. The message is clear: no matter how sophisticated or hidden illicit activity might seem, law enforcement can track it down and hold those involved accountable.

It’s challenging to reach a final judgment based on a limited amount of information, but we’ve done our best to analyze his life and character thoroughly and remain eager to learn more. As Mr. Gruber once expressed, “I am who I am; words cannot describe. To understand me, you need to know me personally.” Would you be willing to speak with us, Mr. Gruber?
