Chuck From Montreal

"Chuck from Montreal" is a malware, part of a criminal operation that was active on the Russian-language Exploit.in forum under the pseudonym "badbullzvenom". He is one of two key figures behind this operation, the other being an individual known as "Jack". Their activities were first brought to light by cybersecurity firm eSentire in August 2022, when they revealed the real-world identity of "Chuck from Montreal", a Moldavian national residing in Canada. This revelation followed extensive research into the activities of these individuals who had been operating on various underground forums since around 2013. The partnership between "Chuck from Montreal" and "Jack" appears to have formed sometime between late 2012 and October 4, 2013. This conclusion is based on a message posted from Chuck's badbullz account on the Lampeduza forum, which contained contact information associated with "Jack", also known as "LUCKY". The duo's operations involved the distribution of the Golden Chickens Malware-as-a-Service (MaaS), with Jack characterized as the true mastermind behind it. Both individuals used multiple aliases across different platforms to obfuscate their identities and activities. "Jack" has reportedly gone to great lengths to make the Golden Chickens malware undetectable by most antivirus companies, allowing only a small number of customers to buy access to the MaaS. This strategic move has made their operation particularly difficult to track and counter. The discovery of the Jabber ID associated with "LUCKY" eventually led Threat Response Unit (TRU) researchers to uncover the real threat actor behind both "LUCKY" and "Chuck from Montreal". Despite these revelations, both individuals have shown a high level of sophistication in disguising their identities and evading detection.