An unusual, highly sophisticated hacker crew has been stealing information from both drug dealers and government entities. The group, dubbed “MiniDuke” after the malware it uses, was initially believed to be backed by a nation state, as it targeted a range of government agencies and research institutes across the world.

However, researchers recently found an anomaly in Kaspersky Lab’s logs: the same group had targeted people involved in drug deals. After tracking one of the command and control servers used by MiniDuke, the researchers arrived at a website selling illegal substances such as steroids and hormones.

This discovery led Kaspersky experts to several guesses about the nature of the hacking group. They believe the crew could be “cyber mercenaries” with several subdivisions who sell their services to various customers: perhaps law enforcement, a competing criminal group wanting to track a rival drug dealer, or government clients.

In any case, MiniDuke members have old-school hacking skills and are very technical; they were seen tweaking encryption standards to make tracking them much harder. What makes them stand out is that the group behaves more like underground cyber criminals than a typical nation-state actor.

That being said, the main targets this year remain government bodies. Kaspersky Lab says MiniDuke was seen using open source hacking tools to scan the web for useful information on potential victims in countries such as Ukraine, Azerbaijan and Greece, gathering emails, names, nicknames and handles. According to the time stamps on their operations, they were operating from Eastern Europe or Asia; given that Cyrillic characters were used in the code, Europe is more likely.

It is also known that the group has released a fresh kind of malware dubbed CosmicDuke, which spoofs popular applications such as the Chrome and Java updaters. This malware can steal a range of information, from MP3s to Word documents to passwords and logins. Its code was also found in a highly sophisticated malware called Uroboros, which allegedly originates in Russia.

The hackers have also created many Twitter profiles that link to the domains used to control the malicious toolkits. This means that even if the hackers’ command and control servers were seized by the police, they would still retain access to infected computers. Overall, MiniDuke was responsible for at least 139 victims, most of them in Georgia (84), Russia (61) and the United States (34).
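Defenders can hunt for this fallback pattern by looking for a host that fetches a Twitter profile page and then, seconds later, contacts a domain nobody on the network has used before. The script below is an added example and not part of the Kaspersky report or the article; its proxy log format, the allowlist and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (assumed format: "timestamp host url"), not real data.
SAMPLE_LOG = """\
2014-07-01T10:00:00 ws-17 https://twitter.com/someprofile
2014-07-01T10:00:04 ws-17 http://update-mirror.example/check
2014-07-01T10:05:00 ws-03 https://twitter.com/someprofile
2014-07-01T11:30:00 ws-03 https://www.google.com/
2014-07-01T12:00:00 ws-17 https://twitter.com/anotherprofile
2014-07-01T12:00:02 ws-17 http://www.google.com/
"""

# Assumed allowlist of domains that are normal for this network.
KNOWN_GOOD = {"www.google.com", "twitter.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
# A Twitter profile path is a single handle segment (1-15 word characters).
PROFILE_RE = re.compile(r"/[A-Za-z0-9_]{1,15}")


def parse(log):
    """Yield (timestamp, host, domain, path) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        parts = m.group(3).split("/")
        domain, path = parts[2], "/" + "/".join(parts[3:])
        yield ts, m.group(2), domain, path


def find_twitter_pivot(log, window=timedelta(seconds=30)):
    """Return (host, profile_path, next_domain) whenever a host fetches a Twitter
    profile and, within `window`, contacts a domain outside the allowlist.
    This is the profile-to-C2 pivot heuristic, not a signature for MiniDuke."""
    hits = []
    last_profile = {}  # host -> (timestamp, profile path) of its latest fetch
    for ts, host, domain, path in sorted(parse(log)):
        if domain == "twitter.com" and PROFILE_RE.fullmatch(path):
            last_profile[host] = (ts, path)
            continue
        if host in last_profile:
            seen_at, profile = last_profile[host]
            if ts - seen_at <= window and domain not in KNOWN_GOOD:
                hits.append((host, profile, domain))
    return hits


if __name__ == "__main__":
    for host, profile, domain in find_twitter_pivot(SAMPLE_LOG):
        print(f"{host}: twitter.com{profile} -> {domain}")
```

Only the first workstation trips the heuristic; the other two sequences are either outside the time window or land on an allowlisted domain.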