PureLand — A Fake Project Related to the Sandbox Malspam

Mar 7 | 11 min read


On February 27, 2023, a “The Sandbox” employee’s account was compromised and used to send malspam that introduced recipients to “PureLand”. The lure leads to a RedLine Stealer on Windows and an unknown stealer for macOS.


Let’s take a closer look at this “PureLand”…

A Gitbook version can be read here: https://iamdeadlyz.gitbook.io/malware-research/march-2023/pureland-a-fake-project-related-to-the-sandbox-malspam

Details of “PureLand”

Twitter: https://twitter.com/PureMetaLand (1431291438248210441)
Linktree: https://linktr[.]ee/purelandmetaverse
Gitbook: https://pure-land.gitbook.io/pureland/
OpenSea collection: https://opensea.io/collection/pureland
Discord: https://discord[.]gg/pureland
Medium: https://www.medium.com/@pure-land
PULA ERC20 token: 0xf4FB0e69B3f1322971C813C18B1ffF4dD4872ca3
Domain: thepureland[.]io

Similar to the Cthulhu World findings, the fake project uses several alt accounts to show support and lure other users.

Tweets from alt accounts that support the fake project, while the other two are reports from users who were approached by the workers

Also, the real game is called Rune Teller (https://store.steampowered.com/app/1944360/Rune_Teller/), as confirmed by these two users.

Left: https://twitter.com/Marimocha4/status/1630860680399319041 | Right: https://twitter.com/ny4n_nft/status/1631495657004605440

The OpenSea collection has several sales, which were wash trades meant to mislead people.

Pure Land’s OpenSea collection page and sales activity
Graph of the on-chain activities of the wallets related to the OpenSea wash trading and PULA ERC20 token

The website

Visiting https://thepureland[.]io/ auto-redirects to https://thepureland[.]io/metaverse/, which shows the following landing page.

The landing page of the website

To make it look more realistic with a feeling of game testing, an access code is required to download the file.

A form asking for the access code

There are several access codes, each tied to a worker and a file type.

-2/2/2023 & 2/21/2023- (based on a URLscan result)
100001 - Coder 😎 - Launcher (exe)
220022 - Coder 😎 - Archive (rar)
AWEHKQ - Benji 👑 - Launcher (exe)
ERTHKB - Benji 👑 - Archive (rar)
AOPHKQ - Aizik (сучка) ✨ - Launcher (exe)
ERTHOP - Aizik (сучка) ✨ - Archive (rar)
TUHKQF - Bevads 🧠 - Launcher (exe)
FEKPSD - Bevads 🧠 - Archive (rar)
FSEKQF - H4⚡️ - Launcher (exe)
PDFIDA - H4⚡️ - Archive (rar)
HKEKQF - John 📈 - Launcher (exe)
PDFIHK - John 📈 - Archive (rar)
AFHHKQ - Rio 🏝 - Launcher (exe)
PDTHKB - Rio 🏝 - Archive (rar)
ANMHKQ - Rob 🍀 - Launcher (exe)
PDTHMN - Rob 🍀 - Archive (rar)
WYEKQF - Nongreyd 🤙🏻 - Launcher (exe)
NYFPHU - Nongreyd 🤙🏻 - Archive (rar)
FTDKQF - Amiri 🐼 - Launcher (exe)
YDFIDO - Amiri 🐼 - Archive (rar)
RNTHKQ - Soul 🫡 - Launcher (exe)
ZDJHMN - Soul 🫡 - Archive (rar)
RNTRKZ - Jaiden 🥷 - Launcher (exe)
ZULHMC - Jaiden 🥷 - Archive (rar)
PWCHKA - Asian King🍾 - Launcher (exe)
CQJHMN - Asian King🍾 - Archive (rar)
PNDXKZ - Babbl 🛹 - Launcher (exe)
CUXHMC - Babbl 🛹 - Archive (rar)
ASPHCQ - Kofi 🎲 - Launcher (exe)
EXTHQP - Kofi 🎲 - Archive (rar)
HQPXKZ - Tvizi 🧸 - Launcher (exe)
CUXXKZ - Tvizi 🧸 - Archive (rar)

-3/1/2023- (based on a URLscan result)
Same access codes as above, but the following were added:
SQPXKZ - Flaherty 🦍 - Launcher (exe)
CPXXSZ - Flaherty 🦍 - Archive (rar)
SLPXKZ - Ionbib 🐬 - Launcher (exe)
CKXXSZ - Ionbib 🐬 - Archive (rar)
MUXXKZ - На дознании 🔎 - Билд для мака (pkg)

-3/4/2023 till 3/5/2023-
Same access codes as above, including the added workers

-3/6/2023 and as of 3/7/2023-
The “На дознании 🔎” worker was removed, and the macOS build (pkg) was added under each of the current workers with new access codes:
1A00A1 - Coder 😎 - Launcher (exe)
2Q0Q22 - Coder 😎 - Archive (rar)
2Q0Q21 - Coder 😎 - Билд для мака (pkg)
AWEHKQ - Benji 👑 - Launcher (exe)
ERTHKB - Benji 👑 - Archive (rar)
ERTHK1 - Benji 👑 - Билд для мака (pkg)
AOPHKQ - Aizik (сучка) ✨ - Launcher (exe)
ERTHOP - Aizik (сучка) ✨ - Archive (rar)
ERTHO1 - Aizik (сучка) ✨ - Билд для мака (pkg)
TUHKQF - Bevads 🧠 - Launcher (exe)
FEKPSD - Bevads 🧠 - Archive (rar)
FEKPS1 - Bevads 🧠 - Билд для мака (pkg)
FSEKQF - H4⚡️ - Launcher (exe)
PDFIDA - H4⚡️ - Archive (rar)
PDFIDA - H4⚡️ - Билд для мака (pkg)
HKEKQF - John 📈 - Launcher (exe)
PDFIHK - John 📈 - Archive (rar)
PDFIH1 - John 📈 - Билд для мака (pkg)
AFHHKQ - Rio 🏝 - Launcher (exe)
PDTHKB - Rio 🏝 - Archive (rar)
PDTHK1 - Rio 🏝 - Билд для мака (pkg)
ANMHKQ - Rob 🍀 - Launcher (exe)
PDTHMN - Rob 🍀 - Archive (rar)
PDTHM1 - Rob 🍀 - Билд для мака (pkg)
WYEKQF - Nongreyd 🤙🏻 - Launcher (exe)
NYFPHU - Nongreyd 🤙🏻 - Archive (rar)
NYFPH1 - Nongreyd 🤙🏻 - Билд для мака (pkg)
FTDKQF - Amiri 🐼 - Launcher (exe)
YDFIDO - Amiri 🐼 - Archive (rar)
YDFID1 - Amiri 🐼 - Билд для мака (pkg)
RNTHKQ - Soul 🫡 - Launcher (exe)
ZDJHMN - Soul 🫡 - Archive (rar)
ZDJHM1 - Soul 🫡 - Билд для мака (pkg)
RNTRKZ - Jaiden 🥷 - Launcher (exe)
ZULHMC - Jaiden 🥷 - Archive (rar)
ZULHM1 - Jaiden 🥷 - Билд для мака (pkg)
PWCHKA - Asian King🍾 - Launcher (exe)
CQJHMN - Asian King🍾 - Archive (rar)
CQJHM1 - Asian King🍾 - Билд для мака (pkg)
PNDXKZ - Babbl 🛹 - Launcher (exe)
CUXHMC - Babbl 🛹 - Archive (rar)
CUXHM1 - Babbl 🛹 - Билд для мака (pkg)
ASPHCQ - Kofi 🎲 - Launcher (exe)
EXTHQP - Kofi 🎲 - Archive (rar)
EXTHQ1 - Kofi 🎲 - Билд для мака (pkg)
HQPXKZ - Tvizi 🧸 - Launcher (exe)
CUXXKZ - Tvizi 🧸 - Archive (rar)
CUXXK1 - Tvizi 🧸 - Билд для мака (pkg)
SQPXKZ - Flaherty 🦍 - Launcher (exe)
CPXXSZ - Flaherty 🦍 - Archive (rar)
CPXXS1 - Flaherty 🦍 - Билд для мака (pkg)
SLPXKZ - Ionbib 🐬 - Launcher (exe)
CKXXSZ - Ionbib 🐬 - Archive (rar)
CKXXS1 - Ionbib 🐬 - Билд для мака (pkg)

To notify the malicious actors that an access code was entered, a POST request is sent to https://thepureland[.]io/js/send[.]PHP with the following fields:

- ip
- country_name
- worker
- file
- deviceInfo
- browser
- version
- platform

The files

There are three Dropbox links that give you:

  • an executable (.exe)
  • an archive (.rar)
  • and an installer package for macOS (.pkg) [worth mentioning that this was not added before March 1, 2023; based on public scans via URLscan]

-2/2/2023- (based on a URLscan result)

-2/21/2023- (based on a URLscan result)
Same exe since 2/2/2023

-3/1/2023- (based on a URLscan result)
Same exe since 2/2/2023

Same exe since 2/2/2023
Same rar since 3/1/2023

Same exe since 3/5/2023
Same pkg since 3/5/2023

Same exe since 3/5/2023
Same rar since 3/6/2023
Same pkg since 3/5/2023

Pure Land Launcher v1.2.exe is packed using NSIS (Nullsoft Scriptable Install System).

Detect It Easy results for Pure Land Launcher v1.2.exe

Running the executable file displays the following window

It is a dropper; once the “JOIN GAME” button is clicked, it invokes checkUpdate().

checkUpdate() at index.js of the Electron application
“check-update” invoked by checkUpdate() and other functions at index.js of the Electron application

What happens here is that it retrieves a paste


That has only a value of


Once pureland.7z is downloaded, it uses 7zr.exe and the password “pureland” to extract and get another executable file called pureland.exe.

pureland.7z and the content: pureland.exe
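A defender-side way to catch the extraction step on an endpoint, written here as an added example rather than code from the post: it scans process-creation events for a parent that spawns 7zr.exe from a user-writable directory with an inline -p password and then runs an executable out of the same directory. The events, the launcher’s command line and the exact 7zr.exe switches are constructed assumptions; the post only states that 7zr.exe and the password “pureland” are used.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon-style fields), not a real log.
# The 7zr.exe switches are an assumption: the post names 7zr.exe and the
# password "pureland", not the exact command line the launcher builds.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Users\u\Downloads\Pure Land Launcher v1.2.exe",
     "cmdline": r'"C:\Users\u\Downloads\Pure Land Launcher v1.2.exe"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\7zr.exe",
     "cmdline": r"7zr.exe x -ppureland -y C:\Users\u\AppData\Local\Temp\pureland.7z"},
    {"pid": 4150, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\pureland.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\pureland.exe"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x archive.7z'},
]

PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p(\S+)")   # 7-Zip's inline password switch

def in_user_writable_dir(path: str) -> bool:
    """Directories a downloaded launcher can write to without elevation."""
    lowered = path.lower()
    return any(part in lowered for part in ("\\appdata\\", "\\temp\\", "\\downloads\\"))

def find_dropper_chains(events):
    """Flag a parent that (1) spawns 7zr.exe from a user-writable directory
    with an inline -p password and (2) then launches an .exe from the
    directory 7zr.exe ran in. Returns one findings dict per such parent."""
    by_ppid = {}
    for ev in events:
        by_ppid.setdefault(ev["ppid"], []).append(ev)
    findings = []
    for ppid, children in by_ppid.items():
        extract = next((c for c in children
                        if PureWindowsPath(c["image"]).name.lower() == "7zr.exe"
                        and in_user_writable_dir(c["image"])
                        and PASSWORD_SWITCH.search(c["cmdline"])), None)
        if extract is None:
            continue
        work_dir = PureWindowsPath(extract["image"]).parent
        followups = [c["image"] for c in children
                     if c is not extract and c["image"].lower().endswith(".exe")
                     and PureWindowsPath(c["image"]).parent == work_dir]
        parent = next((ev["image"] for ev in events if ev["pid"] == ppid), None)
        findings.append({"parent": parent,
                         "password": PASSWORD_SWITCH.search(extract["cmdline"]).group(1),
                         "followups": followups})
    return findings
```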

The final executable is pumped to 688.145872 MB and packed using SmartAssembly. It is RedLine Stealer, connecting to the C&C 162.55.188[.]117:48958 with the botnet ID “5pur”.

Detect It Easy results of pureland.exe
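To work with the pumped sample, an analyst wants to know how much of those 688 MB is padding before uploading or scanning it. The following added example (not code from the post) parses the PE section table to locate the overlay and strips a trailing run of null bytes; it assumes the pumping is null-byte padding after the last section, which the post does not state. build_sample_pe is a constructed stand-in for a real file, not one of the samples.

```python
import struct

def overlay_info(data: bytes):
    """Find the PE overlay (bytes past the end of the last section's raw data)
    and measure its trailing zero run. Returns (overlay_offset, overlay_len,
    trailing_zeros). Raises ValueError if the input is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    end = table + nsections * 40                          # never cut into the headers
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    trailing_zeros = len(overlay) - len(overlay.rstrip(b"\0"))
    return end, len(overlay), trailing_zeros

def depump(data: bytes, min_zero_run: int = 1024 * 1024) -> bytes:
    """Drop a trailing all-zero tail of at least min_zero_run bytes; anything
    shorter is left alone so a legitimate small overlay survives."""
    _, _, zeros = overlay_info(data)
    return data[:len(data) - zeros] if zeros >= min_zero_run else data

def build_sample_pe(pad: int) -> bytes:
    """Constructed minimal PE-shaped blob: one 0x200-byte section at file
    offset 0x200, then `pad` zero bytes. It parses; it does not run."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x8664, 1)          # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x80 + 20, 0xF0)           # SizeOfOptionalHeader
    sect = 0x80 + 24 + 0xF0
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + b"\x90" * 0x200 + b"\0" * pad

if __name__ == "__main__":
    import sys
    off, size, zeros = overlay_info(open(sys.argv[1], "rb").read())
    print(f"overlay at {off:#x}: {size} bytes, {zeros} trailing zero bytes")
```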

-3/7/2023 change-

The paste was edited on March 7, 2023, 09:02:48 AM CDT. It now points to


The extracted pumped executable file is the same as the commit f973a65a46e8cb0f7b491d5aca81f459eb5b7a12 on the GitHub repo. It is still a RedLine Stealer with the same configuration as above.

Detect It Easy results of pureland.exe — 3/7/2023


Pure Land Metaverse Alpha.rar can be extracted using the password “pureland2023”. It contains a folder with several files meant to deceive the user into thinking it holds the game files, plus an executable file: Pure Land Launcher v1.4.exe.

Contents of Pure Land Metaverse Alpha.rar | taken before 3/7/2023

This is the same pumped file that the dropper retrieves. And yes, it is still RedLine Stealer with the same configuration.

Detect It Easy results of pureland.exe | taken before 3/7/2023

For the 3/7/2023 rar download link, the extracted pumped executable file matches the latest change on the paste as well.


This one surprised me; I was not expecting to encounter malware designed for macOS.

PureLand Launcher.pkg is a straightforward unknown stealer. The Mach-O binary’s name is “Installer”.

Detect It Easy results for the Installer Mach-O binary

After installing and running the application, it asked for a password to access the “Chrome Safe Storage”. That alone should be a red flag for the user when trying to run it.

Prompt asking for the user’s password to access the “Chrome Safe Storage”. Ran using tria.ge: https://tria.ge/230303-j6lsmagg34/behavioral1

Based on the network requests, it sends a POST request to the following:

  1. http://193.168.141[.]107:8888/serialinfo
  2. http://193.168.141[.]107:8888/
  3. http://193.168.141[.]107:8888/lastroute

HTTP connections to 193.168.141[.]107:8888

http://193.168.141[.]107:8888/serialinfo is used to exfiltrate the user’s hardware details. The request carries an “Expect: 100-continue” header, so the client waits for the server to accept the headers before sending the request body. The response is an MD5 hash of the text file name.

Request details to http://193.168.141[.]107:8888/serialinfo

http://193.168.141[.]107:8888/ is used to send the other files that contain the target data. The hexid field now carries the MD5 hash returned by the /serialinfo request.

For some reason, the part where it exfiltrates the Chrome password doesn’t have the ‘Expect’ header.

Request details to http://193.168.141[.]107:8888/ | without the ‘Expect’ header

Then afterward, it has the ‘Expect’ header again.

Request details to http://193.168.141[.]107:8888/ | with the ‘Expect’ header

After all of the available target data is exfiltrated, http://193.168.141[.]107:8888/lastroute is used to send the stealer’s configuration, the MD5 hash (which was returned earlier by /serialinfo), and the username of the device. And for some reason again, it doesn’t have the ‘Expect’ header.

Request details to http://193.168.141[.]107:8888/lastroute

The notable details in the traffic are the following:

Expect: 100-continue

userbot = ixcozlabraham
buildname = BigSurApplication
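The three-stage exchange described above (check-in on /serialinfo, uploads to /, final report on /lastroute, with the MD5 reply reused as hexid) is distinctive enough to detect from proxy or HTTP logs. The following added example (not code from the post) runs that logic over constructed transaction records: the paths, port, Expect header behaviour and the MD5 reply follow the post, while the hexid/file/username field names, which request carries userbot and buildname, and the benign record are assumptions.

```python
import re

# Constructed transaction records shaped like the traffic the post describes
# (POST /serialinfo, POST /, POST /lastroute on port 8888); sample values only.
def tx(path, headers, body, response, host="193.168.141.107", port=8888, method="POST"):
    return {"host": host, "port": port, "method": method, "path": path,
            "headers": headers, "body": body, "response": response}

H = "d41d8cd98f00b204e9800998ecf8427e"   # sample MD5 as returned by /serialinfo
SAMPLE_TRANSACTIONS = [
    tx("/serialinfo", {"Expect": "100-continue"},
       "userbot=ixcozlabraham&buildname=BigSurApplication", H),
    tx("/", {}, f"hexid={H}&file=chrome_passwords.txt", "ok"),
    tx("/", {"Expect": "100-continue"}, f"hexid={H}&file=cookies.txt", "ok"),
    tx("/lastroute", {}, f"hexid={H}&username=alice", "ok"),
    tx("/", {}, "", "<html>", host="example.com", port=443, method="GET"),
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
C2_PATHS = ("/serialinfo", "/", "/lastroute")

def field(body: str, name: str):
    """Value of one urlencoded form field, or None if it is absent."""
    m = re.search(r"(?:^|&)" + re.escape(name) + r"=([^&]*)", body)
    return m.group(1) if m else None

def detect_stealer_session(transactions):
    """Fire when one host saw POSTs to all three paths, /serialinfo answered
    with a 32-hex MD5 and every later request reuses it as hexid; else None."""
    posts = [t for t in transactions if t["method"] == "POST" and t["port"] == 8888]
    for host in sorted({t["host"] for t in posts}):
        by_path = {}
        for t in (t for t in posts if t["host"] == host):
            by_path.setdefault(t["path"], []).append(t)
        if not all(p in by_path for p in C2_PATHS):
            continue
        checkin = by_path["/serialinfo"][0]
        hexid = checkin["response"].strip()
        if not MD5_RE.match(hexid):
            continue
        if any(field(t["body"], "hexid") != hexid
               for t in by_path["/"] + by_path["/lastroute"]):
            continue
        return {
            "host": host, "hexid": hexid,
            "userbot": field(checkin["body"], "userbot"),
            "buildname": field(checkin["body"], "buildname"),
            "uploads": len(by_path["/"]),
            # stages that carried Expect: 100-continue (the post notes it is
            # missing on the Chrome password upload and on /lastroute)
            "expect_paths": [t["path"] for t in posts if t["host"] == host
                             and t["headers"].get("Expect") == "100-continue"],
        }
    return None
```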

What’s papka? Let’s ask ChatGPT…

ChatGPT’s response to what is papka. “The word “papka” is a common noun in several Slavic languages, including Russian, Ukrainian, and Belarusian. In Russian, “papka” (папка) means a folder, binder or portfolio used to store documents or papers.”

Oh, that makes sense. The list that I shared earlier started with only one “worker” for this file, which is “На дознании 🔎” (On inquiry 🔎).

Let’s take a look at the strings to get an idea of what the “Installer” MachO does.

Detect It Easy strings results for the “Installer” MachO

These are the notable function names


And the targeted paths:

/Library/Application Support/Exodus/exodus.wallet/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/bfnaelmomeimhlpmgjnjophhpkkoljpa/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/ibnejdfjmmkpcnlpebklmnkoeoihofec/
/Library/Application Support/Google/Chrome/Default/Local Extension Settings/efbglgofoippbgcjepnhiblaibcnclgk/
/Library/Application Support/Google/Chrome/Default/Login Data
/Library/Application Support/Google/Chrome/Default/Cookies
/Library/Application Support/atomic/Session Storage/
/Library/Application Support/zoom.us/data/zoomus.enc.db

With no attribution to already named info stealers out there, I noticed something which got me wondering


Perhaps we can name this Vakksdr Stealer…

As I’ve already uploaded the sample to MalwareBazaar, Daniel Stinson (shellcromancer) took a look at the sample and created a YARA rule. It is interesting to see that:

  • “/.dkdbsqtl/vakkdsr” is an Electrum path of the malware author
  • The code used to steal Zoom and document files is unused

The PureLand GitHub repository

Since the dropper earlier retrieves the final payload from a GitHub repository, I decided to check it as well.

The “PURELANDMETAVERSE” GitHub account has only one repository, which is named “PureLand”.

Based on the commits, the first one was made on Jan 26, 2023, 12:03 PM EST.

History of commits for the PureLand repository

The past commits have the same C&C for the RedLine Stealer with different botnet IDs, except for a few…

Notable commits

  • b1b9450984be000006f0970c9fe4bf8d439d1dc7 on Jan 26, 2023, 12:06 PM EST
  • 3852dfa400842b440e5700436f2a3eb25dfbee8e on Jan 26, 2023, 3:24 PM EST

Both commits:

  • have the same file name and type, which is pureland.7z
  • can be accessed using the password “pureland”
  • contain the same pumped executable

Detect It Easy results for the pureland.exe | commit 3852dfa400842b440e5700436f2a3eb25dfbee8e
Detect It Easy results for the pureland.exe | commit b1b9450984be000006f0970c9fe4bf8d439d1dc7 | with the Herobots icon

A victim’s experience

One user who goes by the handle “Pineconebob” fell for this scheme on February 20, 2023.


Pineconebob was approached by “Satomi See” (2392847329) on Twitter via DM on the original account “bob461” (compromised and changed to “unknown22572294” — 159434882).

The Twitter activity of “Satomi See” (2392847329)

Satomi promised rewards such as “an NFT worth 0.5 ETH, a token, and special roles in the Discord server” in exchange for testing the game.

Messages of “Satomi See” (2392847329)

Based on the access code list that was given earlier, the worker behind this is “Aizik (сучка) ✨”. Pineconebob was given an archive (rar) file; hence the password “pureland2023” was mentioned.

After Pineconebob ran the file, the Twitter account was immediately taken over, along with ~3.95326666906377 ETH (~$6,127.05) worth of assets.

Graph of the on-chain activities related to Pineconebob’s stolen assets

The assets were then laundered through an exchange after a few days. The wallet responsible for the laundering has been doing this since January 25, 2023, with another exchange.


Samples related to “PureLand” can be retrieved here: https://bazaar.abuse.ch/browse/tag/PureLand/
