Date: 05/22/2026
Severity: Medium
Summary
A Russian-speaking threat actor known as "bandcampro" operated a MAGA-themed Telegram channel (@americanpatriotus, ~17,000 subscribers) for five years before shifting to AI-driven fraud and credential theft in September 2025. Using a jailbroken Google Gemini as a "co-worker," the actor generated QAnon-style content, managed infrastructure, rotated stolen API keys, and modeled victim passwords. The same AI powered a QAnon-themed chatbot called QFS 2.0 Terminal and supported overt pump-and-dump schemes. Safety controls were bypassed through jailbreak techniques and non-English prompts, exposing weaknesses in frontier-AI guardrails across languages. The campaign shows how AI drastically lowers the cost and effort of running influence and cybercrime operations at scale. Its concrete results, 29 cracked WordPress admin accounts, one company infiltrated, and one crypto wallet drained, also show that AI amplifies scale rather than guaranteeing success.
Indicators of Compromise (IOC) List
Domains/URLs : | tralalarkefe.com c2.tralalarkefe.com payloads.tralalarkefe.com catchall1.tralalarkefe.com dzbank.capital www.dzbank.capital bpfi.digital www.bpfi.digital docs.bpfi.digital security.bpfi.digital induspayments.com indusx.tech www.indusx.tech |
IP Address : | 213.165.51.115 34.34.57.141 34.34.81.129 35.192.41.201 |
Hash : | 981036cec38c6fd9796fc64a102100b97983f56b3482cc3e1f1610e14a1fae58 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : |
domainname like "catchall1.tralalarkefe.com" or url like "catchall1.tralalarkefe.com" or siteurl like "catchall1.tralalarkefe.com"
or domainname like "www.indusx.tech" or url like "www.indusx.tech" or siteurl like "www.indusx.tech"
or domainname like "payloads.tralalarkefe.com" or url like "payloads.tralalarkefe.com" or siteurl like "payloads.tralalarkefe.com"
or domainname like "c2.tralalarkefe.com" or url like "c2.tralalarkefe.com" or siteurl like "c2.tralalarkefe.com"
or domainname like "tralalarkefe.com" or url like "tralalarkefe.com" or siteurl like "tralalarkefe.com"
or domainname like "induspayments.com" or url like "induspayments.com" or siteurl like "induspayments.com"
or domainname like "dzbank.capital" or url like "dzbank.capital" or siteurl like "dzbank.capital"
or domainname like "www.dzbank.capital" or url like "www.dzbank.capital" or siteurl like "www.dzbank.capital"
or domainname like "bpfi.digital" or url like "bpfi.digital" or siteurl like "bpfi.digital"
or domainname like "www.bpfi.digital" or url like "www.bpfi.digital" or siteurl like "www.bpfi.digital"
or domainname like "docs.bpfi.digital" or url like "docs.bpfi.digital" or siteurl like "docs.bpfi.digital"
or domainname like "security.bpfi.digital" or url like "security.bpfi.digital" or siteurl like "security.bpfi.digital"
or domainname like "indusx.tech" or url like "indusx.tech" or siteurl like "indusx.tech"
|
Detection Query 2 : | dstipaddress IN ("213.165.51.115","34.34.57.141","34.34.81.129","35.192.41.201") or srcipaddress IN ("213.165.51.115","34.34.57.141","34.34.81.129","35.192.41.201") |
Detection Query 3 : | sha256hash IN ("981036cec38c6fd9796fc64a102100b97983f56b3482cc3e1f1610e14a1fae58") |
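The three detection queries above match the listed strings as written. The Python below is an added example, not part of this advisory or of the Trend Micro research it cites: it sweeps the same indicators (copied from the IOC list on this page) over a handful of constructed key=value log lines, and adds two checks a practitioner normally wants when turning an IOC list into a hunt. Domain matching uses a dot-boundary suffix test, so any host under a listed registrable domain is caught (a host named "catchall1" suggests wildcard DNS, so subdomains not enumerated here are likely) while look-alike names such as nottralalarkefe.com are not, and hash comparison is case-insensitive. The log format and field names (domainname, url, siteurl, query, srcipaddress, dstipaddress, answer, sha256hash) are assumptions for the demo, as is the mapping of DNS answers onto the IP indicators.

```python
"""IOC sweep for the indicators in this advisory.

Added example, not part of the advisory or the Trend Micro research.
Indicator values are the ones listed on this page; the log lines, the
key=value log format and the field names are constructed for the demo.
"""
import ipaddress
import re

# Domain / URL indicators from the IOC list above.
DOMAINS = {
    "tralalarkefe.com", "c2.tralalarkefe.com", "payloads.tralalarkefe.com",
    "catchall1.tralalarkefe.com", "dzbank.capital", "www.dzbank.capital",
    "bpfi.digital", "www.bpfi.digital", "docs.bpfi.digital",
    "security.bpfi.digital", "induspayments.com", "indusx.tech",
    "www.indusx.tech",
}
# Registrable domains behind the list: any host under them is treated as a hit,
# including subdomains the advisory does not enumerate (assumption: wildcard DNS).
ROOT_DOMAINS = {"tralalarkefe.com", "dzbank.capital", "bpfi.digital",
                "induspayments.com", "indusx.tech"}
IPS = {ipaddress.ip_address(a) for a in (
    "213.165.51.115", "34.34.57.141", "34.34.81.129", "35.192.41.201")}
SHA256 = {"981036cec38c6fd9796fc64a102100b97983f56b3482cc3e1f1610e14a1fae58"}

# Assumed field names; adjust to the log schema in use.
DOMAIN_FIELDS = ("domainname", "url", "siteurl", "query")
IP_FIELDS = ("srcipaddress", "dstipaddress", "answer")
HASH_FIELDS = ("sha256hash",)

_HOST_RE = re.compile(r"^(?:[a-z]+://)?([a-z0-9.-]+)", re.I)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def host_from_url(value):
    """Hostname from a URL or bare host: lowercase, no scheme/port/path, no trailing dot."""
    m = _HOST_RE.match(value.strip())
    return m.group(1).lower().rstrip(".") if m else ""


def domain_hit(value):
    """Return the matching indicator for an exact listed host, or the root domain when
    the host sits under one; the '.' prefix keeps nottralalarkefe.com from matching."""
    host = host_from_url(value)
    if host in DOMAINS:
        return host
    for root in ROOT_DOMAINS:
        if host.endswith("." + root):
            return root
    return None


def ip_hit(value):
    """Return the indicator IP if the value parses as one of the listed addresses."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:  # e.g. a CNAME in a DNS answer field
        return None
    return str(ip) if ip in IPS else None


def hash_hit(value):
    """Case-insensitive SHA-256 match (EDR products differ on hex case)."""
    v = value.strip().lower()
    return v if v in SHA256 else None


def parse_kv(line):
    """Parse a key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def scan(lines):
    """Return (line_no, field, indicator) for every IOC match, mirroring the three queries."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        for fields, check in ((DOMAIN_FIELDS, domain_hit),
                              (IP_FIELDS, ip_hit),
                              (HASH_FIELDS, hash_hit)):
            for f in fields:
                if f in rec:
                    m = check(rec[f])
                    if m:
                        hits.append((n, f, m))
    return hits


# Constructed sample log lines; only the indicator values are from the advisory.
SAMPLE_LOGS = [
    'ts=2026-05-20T10:01:02Z src=proxy srcipaddress=10.0.0.5 url="https://docs.bpfi.digital/login"',
    'ts=2026-05-20T10:02:10Z src=dns query=update.tralalarkefe.com. answer=213.165.51.115',
    'ts=2026-05-20T10:03:00Z src=netflow srcipaddress=10.0.0.7 dstipaddress=34.34.81.129 dstport=443',
    'ts=2026-05-20T10:04:00Z src=edr host=ws-12 sha256hash=981036CEC38C6FD9796FC64A102100B97983F56B3482CC3E1F1610E14A1FAE58',
    'ts=2026-05-20T10:05:00Z src=proxy srcipaddress=10.0.0.9 url="https://nottralalarkefe.com/"',
    'ts=2026-05-20T10:06:00Z src=netflow srcipaddress=10.0.0.7 dstipaddress=34.34.81.130 dstport=443',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("IOC hit: line %d field %s -> %s" % hit)
```

On the constructed input this reports five hits (the docs.bpfi.digital URL, both the query and the answer of the DNS lookup, the netflow destination 34.34.81.129, and the upper-case hash) and ignores the look-alike domain and the neighbouring address 34.34.81.130. Two caveats apply to any sweep of this kind: IP indicators age quickly and should be time-boxed to the campaign window rather than kept as permanent blocks, and the bare domain tralalarkefe.com matches as an exact host, so the suffix test is what catches hosts such as update.tralalarkefe.com that the page does not list.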
Reference:
https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html