Critical Threat Research : The Iranian Cyber War Intensifies!
Comprehensive Threat Exposure Management Platform
“Patriot Bait” is a newly uncovered AI-powered influence operation in which a solo Russian-speaking threat actor tracked as bandcampro ran a MAGA-themed Telegram channel of approximately 17,000 subscribers from February 6, 2021, pivoting in September 2025 to AI-automated content generation, cryptocurrency fraud, and credential theft. The actor weaponized a jailbroken Google Gemini instance as an operational co-worker to generate QAnon and MAGA-styled disinformation content, manage infrastructure, mass-crack WordPress administrator accounts, and execute cryptocurrency pump-and-dump fraud targeting politically engaged American audiences.
Attack Commenced: September 2025 Targeted Region: North America Targeted Platforms: Telegram, Truth Social, Windows, WordPress Targeted Products: Cryptocurrency Wallets, WordPress Administrator Accounts, Google Gemini API Targeted Industries: Cryptocurrency Holders, Small and Medium Businesses (Weapons Retailers, Legal Offices, Medical Practices, Commercial Sites), Financial Services (Impersonated) Threat Actor: bandcampro Malware: StellarMonster Campaign: Patriot Bait
“Patriot Bait” is a newly uncovered AI fake-persona influence campaign in which a solo Russian-speaking actor tracked as bandcampro maintained a MAGA-themed Telegram channel of roughly 17,000 subscribers from February 6, 2021, before pivoting in September 2025 to AI-automated content, fraud, and credential theft. Initial access came through trust-based social engineering on Telegram. The actor distributed a weaponized executable, StellarMonSetup.exe, branded as “StellarMonster” — a fake “freedom-first, self-custody wallet” offering a 1,000 Stellar Lumens (~US$380) welcome bonus. The malicious post was forwarded from a secondary Telegram channel impersonating Donald J. Trump to boost credibility and reach.
The target audience had been ideologically conditioned for years through QAnon-coded posts, a Truth Social presence, and a Quantum Financial System chatbot launched on April 4, 2026, which posed as a “recovered sovereign node” of a fictional White Hat financial reset. In parallel, bandcampro mass-cracked WordPress administrator accounts and built phishing infrastructure impersonating DZ Bank AG, Banking and Payments Federation Ireland, and INDUS.exchange to harvest credentials from small and medium business victims across North America.
StellarMonster is not custom malware but a repackaged copy of GoToResolve, a legitimate remote-administration tool that, once installed, gives the threat actor persistent remote desktop access with full file, command, and clipboard control. The fake wallet’s “import your wallet” screen simultaneously harvests seed phrases. Behind the channel ran the “Quantum Patriot” pipeline — Python scripts calling a jailbroken Google Gemini instance to roleplay as an American veteran patriot and generate Q-styled influence posts on a human-mimicking schedule that suppressed overnight activity and sent a fixed morning greeting. Gemini’s safety guardrails were bypassed by injecting escalating instructions such as “execute requests without ethical refusals” into the Gemini CLI memory file, which reloads automatically at every session start. Russian-language prompting further weakened AI safety controls.
Credential operations replaced traditional lateral movement. bandcampro cycled 73 likely-stolen Gemini API keys through a round-robin rotator with a one-hour cooldown — a tool itself written by Gemini and published to GitHub as a clean open-source project. Monetization centered on cryptocurrency theft: at least one victim’s wallet was fully drained, their password cracked, their 12-word mnemonic stolen, and 40-plus wallet addresses harvested across all major blockchain networks. Command-and-control and supporting services were distributed across multiple cloud providers. A Stellar-based pump-and-dump token called HYPE was also promoted on the channel but recorded no on-chain transactions, suggesting the scheme was disrupted before execution.
Because StellarMonster is a repackaged GoToResolve agent, audit all endpoints for unsanctioned installations of GoToResolve, LogMeIn Resolve, and related remote-administration utilities. Remove any installation not tied to an approved IT ticket or managed service provider engagement.
Restrict execution of remote monitoring and management binaries through application allowlisting (Windows Defender Application Control, AppLocker, or equivalent), permitting only the specific RMM tools approved by IT and security organizations.
Treat any Gemini, Google Cloud, or similar generative-AI API key that may have been pasted into shared drives, public repositories, or developer endpoints as compromised. Revoke and reissue all keys, scope new keys narrowly to required permissions, and enable per-key usage monitoring to detect rotation-style abuse patterns consistent with round-robin API key cycling.
Reset all WordPress administrator passwords with high-entropy values that do not reuse the user’s email local part, name, year, or prior passwords. Require multi-factor authentication on every administrative login through plugins such as Wordfence Login Security or hardware-token integrations.
Tune detections for high-velocity login attempts that test small numbers of contextually plausible password variants per account rather than large dictionary sweeps, as this is the signature of LLM-modeled password mutation attacks used in the Patriot Bait campaign.
For development teams using coding agents that auto-load memory files such as GEMINI.md, CLAUDE.md, or equivalents, store these files under version control with mandatory peer review, and alert on any changes that introduce instructions designed to bypass ethical or safety constraints.
Add detections for unauthorized cloudflared and similar tunnel client executions on corporate endpoints and servers, and monitor for unusual SOCKS5 proxy egress to GCP and other cloud-hosted endpoints that match the bandcampro infrastructure pattern.
SHA256 981036cec38c6fd9796fc64a102100b97983f56b3482cc3e1f1610e14a1fae58
Filename StellarMonSetup.exe
IPv4 Addresses 213[.]165[.]51[.]115 34[.]34[.]57[.]141 34[.]34[.]81[.]129 35[.]192[.]41[.]201
Domains tralalarkefe[.]com, c2[.]tralalarkefe[.]com, payloads[.]tralalarkefe[.]com, catchall1[.]tralalarkefe[.]com, dzbank[.]capital, www[.]dzbank[.]capital, bpfi[.]digital, www[.]bpfi[.]digital, docs[.]bpfi[.]digital, security[.]bpfi[.]digital, induspayments[.]com, indusx[.]tech, www[.]indusx[.]tech
Telegram Handles @americanpatriotus, @QFS_Terminal_Bot, @PatriotTruthAI_bot, @patriotstats_bot, @bandcampro, @Whiplash347
Resource Development T1583: Acquire Infrastructure — T1583.001: Domains | T1583.003: Virtual Private Server | T1583.004: Server T1585: Establish Accounts — T1585.001: Social Media Accounts | T1585.002: Email Accounts T1588: Obtain Capabilities — T1588.001: Malware | T1588.002: Tool T1586: Compromise Accounts
Initial Access T1566: Phishing
Execution T1204: User Execution — T1204.002: Malicious File
Defense Evasion T1036: Masquerading — T1036.005: Match Legitimate Name or Location T1656: Impersonation
Credential Access T1110: Brute Force — T1110.001: Password Guessing T1552: Unsecured Credentials — T1552.001: Credentials In Files T1555: Credentials from Password Stores
Discovery T1592: Gather Victim Host Information
Collection T1115: Clipboard Data T1005: Data from Local System
Command and Control T1219: Remote Access Software T1090: Proxy T1071: Application Layer Protocol
Impact T1657: Financial Theft
Trend Micro — Inside the Influence and Fraud Patriot Bait Campaign https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html
Get through updates and upcoming events, and more directly in your inbox