Scammers take over a Dead Game “Guardians of Throne” — Target Web3 Gamers!

Cyber Strategy Institute
11 min read · Jun 16, 2023
Guardians of Throne — Game on Google Play Store

Well, that is a title sure to capture your interest, am I right? It’s simple: when you ask people to try your software and it doesn’t work, some wonder why it doesn’t work.

OK, this got long…so here is the summary of what I am covering:

  • What it looked like installing their Malicious program from the beginning
  • How I learned about the Game, the scammers' process
  • Details on the Malicious tool they used, what it can do
  • Background and Communications with the Scammers
  • How they put it together
  • Confirmation
  • 3rd Party Confirmation
  • Verified their Investor List
  • Summary with How to Defend Yourself tips & tools
  • Upskill your Knowledge, Skills and Abilities for better Defense
  • Protect Your Digital Gaming Life Today!

Here is why Guardians of Throne didn’t work:

First off I must say, this is all forensics information, so you can see how these things work and how scammers are getting much more advanced in this space. It’s the Bear Market, and they are hungry like everyone else, so they are hunting and working overtime here.

DO NOT DO THIS YOURSELF!

So here is the tutorial: Seriously, DO NOT DO THIS YOURSELF! Please, messing with malware is not good, regardless of whether it was stopped for me. It only takes a second for malware folks to change the code so that detection systems can’t find it.

Guardians of Throne — Let’s Get Started!

Like any gamer I followed the instructions from the team:

Step 1:

Visit Website and click Play Now

Step 2:

Register Name and Password, submit Referral code and click register. It won't work without the Referral Code.

Step 3:

Download the EXE file and watch a short game clip

Step 4:

Launch the EXE

Step 5:

Login

Step 6:

Watch the installation take forever…

Step 7:

It doesn’t work or McAfee tells me it stopped a virus. That is weird…

Step 8:

Launch Forensic Tools to figure out what is happening.

Well…you get the point, what I found was a little nasty surprise. Guardians of Throne has 6 Malicious items identified. 👀

Learning about what is happening:

To set things up: my systems are up to date with security. I tested the code on different systems with various antivirus programs, including Warden (leveraging Xcitium) and McAfee. The “Game” didn’t work…

Warden blocked the unknown files and McAfee stopped the software from finishing. I also used other AV analysis tools. Guess what, they all identified Malicious processes doing bad things to the systems I tried to install the software on. Just to be sure I downloaded the EXE for each test separately.

So what does this EXE do?

It installs a Network Trojan on your system. What is a Network Trojan? I will explain and link to a good source article, if you want to know more.

https://blog.cyble.com/2021/08/12/a-deep-dive-analysis-of-redline-stealer-malware/

Threat Actor (TA) behind RedLine Stealer malware provides their service through Telegram, as shown in Figure 1. This malware belongs to the stealer family and can steal various victims’ data, including browser credentials, cookies, system information, processor details, etc. The rich feature of this stealer makes it popular.

It's going to connect to the owner's C2 network and forward information like the following:

Behavior Graph:

Part 1:

Part 2:

Entire Process:

File activity:

Network Activity:

Ok, so now you know what it does, but how did I find this game you ask? Well through the usual sources, Twitter, Telegram and Discord!

Two different accounts reached out offering a gig. What I don't show is that I reached out to my friends and asked if they had heard of these folks. They had but were not impressed.

But in all things, I figure let’s see what they are offering…an ambassador gig. Ok, let’s see what more they have to say. In reality they were not offering me that; they were offering me malware to steal my Crypto, but I didn’t know that then.

So how this all started:

Recruiter:

Their onboarding team member:

Note: If a Telegram account looks like this, it means they have blocked you. If you see their initials instead of the profile picture, and "last seen a long time ago" for their online status, you’re likely blocked.

They didn’t want me to use the mobile clearly… I wonder why? 🤔

At this point I had reached back out to the recruiter, who sounded shocked and said he would reach out to the team. I haven’t heard anything from him since. So off to Discord…

Recruiter:

Well that is a dead end.

Discord:

Let’s see what they tell me. Could be they don't know about it, so much is outsourced these days, right?

I got kicked off their Discord server for the above.

So now we know… 100% scammers.

Scam Set-up

So what did they do? It looks like they hunted for a dead game on the Google Play Store, stood up a domain, GitHub, and website, and set up a network of Twitter accounts to push this game.

Here is the dead game they found, it's only on Facebook, you can't find it in Google Play unless you have the full name. Plus, their Facebook account is really hard to find. https://www.facebook.com/GOT3136/

Google Play Store View:

Now they figured out what to do. Get everything to look legit…but limit who they target.

Google Play is real…that game does still work. However, since it’s abandoned, you can’t verify anything, because their main method of contacting users was actually through Facebook.

So they got to work on building out everything for this.

Website: Key tool in distributing the scammers' malware

They started back in March of this year based on the Domain Registration.
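The domain-registration check above can be scripted. This is an added example, not part of the original investigation: it parses raw WHOIS text and flags a recently registered domain. The domain `example-game.test`, the WHOIS record, the registration day and the 365-day threshold are constructed assumptions; the post only states that the domain was registered in March 2023.

```python
import re
from datetime import datetime, timezone

# Registries label the registration date differently; these labels are common ones.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Created|Registered on)[ \t]*:[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def creation_date(whois_text):
    """Return the earliest registration date in raw WHOIS text, or None."""
    found = []
    for raw in _CREATED.findall(whois_text):
        for fmt in _FORMATS:
            try:
                parsed = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            # Treat dates without a zone as UTC so they can be compared.
            found.append(parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc))
            break
    return min(found) if found else None


def assess_domain(whois_text, as_of, min_age_days=365):
    """Flag domains younger than min_age_days (threshold is an assumption)."""
    created = creation_date(whois_text)
    if created is None:
        # A hidden or unparseable date is not a pass: report it as unknown.
        return {"age_days": None, "verdict": "unknown"}
    age = (as_of - created).days
    return {"age_days": age, "verdict": "young" if age < min_age_days else "established"}


# Constructed WHOIS record: placeholder domain and day, not the scammers' real data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-GAME.TEST
Updated Date: 2023-05-02T10:00:00Z
Creation Date: 2023-03-15T09:12:44Z
Registry Expiry Date: 2024-03-15T09:12:44Z
"""
AS_OF = datetime(2023, 6, 16, tzinfo=timezone.utc)  # publication date of the post

if __name__ == "__main__":
    print(assess_domain(SAMPLE_WHOIS, AS_OF))
```

A young domain is a signal to weigh alongside the other checks in this post, such as the investor confirmations, not proof of a scam on its own.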

Then got to work on the webpage.

Kinda hard to have a road map before your webpage exists, and why list nothing in 2023 except your token launch? Didn’t they launch an NFT as well? 🤔

Yeah, they have it here in their Twitter BIO, but no link?

https://opensea.io/collection/guardiansgame

Oh, the potentially profitable NFT game…hmm seems not so profitable.

Confirmation:

The recruiter remains silent for several days. But why? Well, he finally gets back to me and won’t put me in touch with the team. But remember, he is the one who actually gave me the referral code to access the site. 🤔

3rd Party Confirmation:

Someone on Discord contacted me (NeoNotTheOne) to verify that someone they knew had their Crypto stolen after Discord was shut down. We talked and gathered more information so that we can get the word out about these Crypto scammers' approach.

Here is their interaction on Discord:

Investors:

Coin98: Confirmed they are not investors.

https://portfolio.coin98.com/

AvocadoDAO: Confirmed they are not investors.

https://www.avocadodao.io/games/guild-of-guardians/

#Hashed: Waiting, however they are not listed

https://www.hashed.com/portfolio

DeFi Capital: Waiting, however they are not listed

https://www.de-fi.capital/

https://twitter.com/DeFiCapital_

Signum Capital: Waiting, however they are not listed

https://www.signum.capital/portfolio/

HUB: Can’t find this firm

Poolz Ventures: Waiting, however they are not listed

https://ventures.poolz.finance/#portfolio

Hyperchain Capital: Waiting, however they are not listed

https://www.hyperchain.capital/#portfolio

Kyros: Waiting, however they are not listed

https://kyros.ventures/

SOTATEK: Waiting, however they are not listed

https://www.sotatek.com/portfolio-category/game/

Kyber Ventures: Waiting, however they are not listed

https://www.kyber.ventures/

Fomocraft Ventures: Waiting, however they are not listed

https://fomocraft.com/portfolio

Here was the Twitter account that one of their friends got the invite code from:

Other accounts I interacted with:

Something oddly similar between these accounts, I wonder what it is?🤔

Summary:

WOW, what a week. There is a lot I can say about this. They play on people's human nature like all scammers do. This one leveraged a paying gig and had been probing the Web3 gaming space for a while. They were reaching out to low to mid-level entities in the Web3 Gaming space.

On the technical side, clearly I got lucky with having my AV protection on. I am sure the next step, if I couldn’t get it to work, would have been to tell me to turn off my AV. Never, ever do that for these folks.

If tech support, devs, or anyone else tells you to do this, it’s a clear sign that the software, program, website, etc… is the issue. Not your AV.

How to better protect yourself from scammers? WOW, ahmm….

That is hard, stop being human?

No, really you need to start building your defenses now. While I did a 3rd party verification, checked out their Google Play profile, even played the mobile game…all basic checks played out.

You see, they push us into funnels to add more realism to their end-game. There are always cut-out front people that start your push into the funnel. They use multiple fake accounts to push you through the funnel. So if you reach out to others, they might say, "Yeah, I have heard of them." Then they run you through layers of SM profiles, different platforms, etc…just like the real process folks use to find things in this space. The adventure of the human spirit is at play here; for me, the thrill of the hunt is the psychology they are playing into.

It’s sh!t like this that pisses me off to no end. If scammers think they can continue to do these things in perpetuity, that is about to end really, really quickly.

I will use my 20 plus years of experience in Cybersecurity in the DoD to protect as many people as possible in this space. I am not alone, more people like me are coming.

Up Your Skills:

First, you need a good summary of how to build your defenses. I have you covered here. I have spent over a year getting my annual report finished on Blockchain Security Landscape of 2023, covering all the ins and outs of 2022. It has an entire section dedicated to just this very topic.

https://cyberstrategyinstitute.com/crypto/

If you want an even better understanding of Cybersecurity you can head over and grab my annual report there as well.

The next step is to have the right tools. In my report I cover a lot of them. Including some of the tools and capabilities I have assembled for folks operating in the Crypto World.

I am launching a new capability designed to protect users. No more malware, viruses or ransomware impacting your systems. Warden will be that service. I am excited to announce my partnership with Xcitium. They will be providing their superior AV tool for my fully Managed Security Service Provider (MSSP) offering called Warden.

You remember from above it was one of the tools that stopped this from happening to my system. That is because it automatically blocks all “unknown or known malicious files” from ever impacting your system. I couldn’t ask for a better tool or better partnership than with them. I have been doing Cybersecurity for over two decades, and detection doesn’t work 100% of the time. I don't want anyone to be patient zero ever again.

Secure My Digital Life Today with Warden!

See all our options using the below link. However, you are not going to see this great offer there. Together, we can stop scammers and criminals from ever impacting your life.

https://openmylink.in/qHSiW

Again, DO NOT download their software and stay away from this scammer project, period!

Part 2: Another Web3 Scammer Targeting the Gaming Community!

Part 3: OK, Web3 Gaming is clearly being targeted!

Further Resources about Cyber Strategy Institute:

If you are interested in other analysis, check out my other Medium articles, and for more of a daily understanding of the Cryptoverse, follow my Twitter account.

Cyber Strategy Institute

Medium: https://cyberstrategy1.medium.com/

Twitter: https://twitter.com/CyberStrategy1

Website: https://cyberstrategyinstitute.com
