
One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign

A solo Russian-speaking threat actor tracked as 'bandcampro' leveraged jailbroken AI models to automate a multi-year influence operation and cryptocurrency fraud campaign targeting American conservative communities. The actor utilized AI for content generation, infrastructure management, password mutation for WordPress brute-forcing, and distributed a fake crypto wallet that installed the legitimate GoToResolve RMM tool for remote access.

Confidence: high · Analyzed: 2026-05-21 · Google

Authors: Philippe Lin, Joseph C Chen, Fyodor Yarochkin, Vladimir Kropotov

Actors: bandcampro, Patriot Bait, American Patriot

Source:Trend Micro

IOCs · 8

Detection / Hunter: Google

What Happened

A single cybercriminal used artificial intelligence to run a fake 'American Patriot' social media channel for five years, tricking followers into cryptocurrency scams. The attacker used AI to write posts, manage computer servers, and guess passwords to hack into websites. They also tricked victims into downloading a fake crypto wallet that gave the attacker remote control over their computers. This shows how criminals are using AI to do the work of a whole team, making it easier to run large-scale scams. Users should be very careful about downloading unverified financial apps or sharing their crypto wallet recovery phrases.

Key Takeaways

  • A solo Russian-speaking actor (bandcampro) used a jailbroken Google Gemini to automate a 5-year MAGA-themed influence and crypto fraud campaign.
  • The actor distributed a fake crypto wallet (StellarMonSetup.exe) that installed GoToResolve for persistent remote access and credential theft.
  • AI was used to model victim passwords for brute-forcing, successfully cracking 29 WordPress admin accounts.
  • The campaign highlights how frontier-AI safety controls can be bypassed via jailbreaking and non-English prompting.

Affected Systems

  • WordPress
  • Cryptocurrency Wallets
  • Windows (via GoToResolve)

Attack Chain

The threat actor established a fake American patriot persona on Telegram to build a targeted audience. Using a jailbroken Google Gemini, the actor automated the generation of QAnon-styled content and managed backend infrastructure. To monetize the audience, the actor promoted fraudulent cryptocurrency tokens and distributed a fake wallet application (StellarMonSetup.exe) that installed GoToResolve for persistent remote access. Additionally, the actor used AI to generate mutated password lists for brute-forcing WordPress administrator accounts.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: TrendAI Vision One

The article provides a hunting query for TrendAI Vision One to detect network connections to the GoToResolve infrastructure used in this campaign.

Detection Engineering Assessment

  • EDR Visibility: High. EDR can readily detect the installation and execution of a remote access tool such as GoToResolve, especially when it is spawned by an unusual parent process (here, a wallet "installer" downloaded from an untrusted domain).
  • Network Visibility: Medium. Network monitoring can identify connections to known GoToResolve IPs, but distinguishing malicious use from legitimate administrative use requires behavioral context.
  • Detection Difficulty: Moderate. Because GoToResolve is a legitimate RMM tool, its traffic blends in with normal administrative activity; detection relies on catching the initial infection vector (StellarMonSetup.exe) or anomalous usage patterns.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • Web Proxy/Gateway Logs

Hunting Hypotheses

  • Hypothesis 1: Hunt for unexpected installations of GoToResolve (or similar RMM tools) originating from user profile directories or non-standard download locations.
    Telemetry: Process Creation, File Creation · ATT&CK stage: Execution / Persistence · FP risk: Medium
  • Hypothesis 2: Evaluate network telemetry for connections to GoToResolve infrastructure (213.165.51.115, 34.34.57.141, 34.34.81.129, 35.192.41.201) from endpoints that are not IT administrative endpoints.
    Telemetry: Network Connections · ATT&CK stage: Command and Control · FP risk: Medium
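Both hypotheses can be run as one pass over endpoint telemetry. The following is an added example (not code from the Trend Micro article or from Trend Micro) that applies them to Sysmon-style Event ID 1 and Event ID 3 records. The JSON field names, the hostnames, the IT-admin allowlist and the GoToResolve filename pattern are assumptions; only StellarMonSetup.exe and the four IPs come from the page. The sample events are constructed, not real log data.

```python
"""Hunt Sysmon-style telemetry for the two hypotheses above.

Added example, not from the source article. Events are a constructed
JSON-lines approximation of Sysmon Event ID 1 (process creation) and
Event ID 3 (network connection); the field names, hostnames, the IT-admin
allowlist and the GoToResolve filename pattern are assumptions.
"""
import json
import re

# GoToResolve infrastructure listed in the hunting hypotheses (from the article).
GOTORESOLVE_IPS = {"213.165.51.115", "34.34.57.141", "34.34.81.129", "35.192.41.201"}

# Hosts allowed to run GoToResolve (assumed allowlist; replace with your own).
IT_ADMIN_HOSTS = {"IT-ADMIN01"}

# Assumed image-name pattern: StellarMonSetup.exe is named in the article; the
# GoToResolve installer/agent naming is an assumption used only for matching.
SUSPECT_IMAGE = re.compile(r"stellarmonsetup\.exe|goto.?resolve", re.I)

# Image paths under a user profile: C:\Users\<name>\... (Downloads, AppData, ...)
USER_PROFILE_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def parse_jsonl(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return (hostname, rule, detail) findings for events matching either hypothesis."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            image = ev.get("Image", "")
            # Hypothesis 1: RMM or wallet binary executed from a user profile directory.
            if SUSPECT_IMAGE.search(image) and USER_PROFILE_PATH.match(image):
                findings.append((host, "rmm_from_user_profile",
                                 f"{image} (parent: {ev.get('ParentImage', '?')})"))
        elif ev.get("EventID") == 3:
            dst = ev.get("DestinationIp", "")
            # Hypothesis 2: GoToResolve traffic from a host that is not an IT admin endpoint.
            if dst in GOTORESOLVE_IPS and host.upper() not in IT_ADMIN_HOSTS:
                findings.append((host, "gotoresolve_c2_from_non_it_host",
                                 f"{ev.get('Image', '?')} -> {dst}:{ev.get('DestinationPort', '?')}"))
    return findings


# Constructed sample telemetry (not real log data): a workstation runs the fake
# wallet, which drops a GoToResolve installer that calls home; an IT admin host
# runs the sanctioned agent; a browser talks to an unrelated address.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WKSTN-07", "Image": "C:\\Users\\jdoe\\Downloads\\StellarMonSetup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WKSTN-07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\GoToResolveInstaller.exe", "ParentImage": "C:\\Users\\jdoe\\Downloads\\StellarMonSetup.exe"}
{"EventID": 1, "Computer": "IT-ADMIN01", "Image": "C:\\Program Files\\GoToResolve\\agent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 3, "Computer": "WKSTN-07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\GoToResolveInstaller.exe", "DestinationIp": "34.34.57.141", "DestinationPort": 443}
{"EventID": 3, "Computer": "IT-ADMIN01", "Image": "C:\\Program Files\\GoToResolve\\agent.exe", "DestinationIp": "35.192.41.201", "DestinationPort": 443}
{"EventID": 3, "Computer": "WKSTN-07", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "142.250.80.46", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for host, rule, detail in hunt(parse_jsonl(SAMPLE_EVENTS)):
        print(f"[{rule}] {host}: {detail}")
```

The allowlist is what keeps the FP risk at "Medium" rather than high: the sanctioned agent on IT-ADMIN01 talks to the same IPs as the dropped installer, and only the host context separates them. Keep the parent image in the finding; a GoToResolve installer whose parent is a wallet "setup" binary in Downloads is the discriminator the article's attack chain gives you.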

Control Gaps

  • Lack of strict application control for RMM tools
  • Insufficient monitoring of AI API key usage

Key Behavioral Indicators

  • Execution of StellarMonSetup.exe
  • Unexpected GoToResolve network connections
  • High-volume login failures on WordPress with highly specific password mutations
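The WordPress indicator is the one most teams can check without endpoint telemetry, because the web server already logs every login attempt. The following is an added example (not from the Trend Micro article) that flags brute-force bursts from ordinary Apache/nginx combined-format access logs. It relies on a WordPress behaviour: a failed POST to wp-login.php re-renders the form (HTTP 200) while a successful one redirects (HTTP 302), so a run of 200s followed by a 302 from the same client is the "brute force succeeded, valid account now in use" signal. The threshold, window and sample log lines are assumptions and the log data is constructed.

```python
"""Flag WordPress brute-force bursts, and a success after a burst, from access logs.

Added example, not from the source article. Heuristic: a failed POST to
wp-login.php returns HTTP 200 (form re-rendered), a success returns HTTP 302
(redirect to wp-admin). Threshold, window and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_wp_bruteforce(lines, threshold=10, window_seconds=300):
    """Return one alert per source IP that made >= threshold failed wp-login.php
    POSTs inside any window_seconds span, noting whether a 302 (successful
    login) followed the burst, which is the T1078 Valid Accounts signal."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        attempts[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"])))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, evs in attempts.items():
        evs.sort()
        failures = [ts for ts, status in evs if status == 200]
        burst_end = None
        j = 0
        for i, ts in enumerate(failures):      # sliding window over failure times
            while ts - failures[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                burst_end = ts
                break
        if burst_end is None:
            continue
        success_after = any(status == 302 and ts > burst_end for ts, status in evs)
        alerts.append({"ip": ip, "failures": len(failures), "success_after_burst": success_after})
    return alerts


def build_sample_log():
    """Constructed access-log lines (not real data): one client fires 12 failed
    logins in two minutes and then succeeds; one user mistypes twice and logs in."""
    base = datetime(2026, 5, 21, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3912 "-" "Mozilla/5.0"'

    lines = [entry("203.0.113.7", 10 * i, 200) for i in range(12)]
    lines.append(entry("203.0.113.7", 130, 302))
    lines += [entry("198.51.100.5", 40, 200), entry("198.51.100.5", 55, 200),
              entry("198.51.100.5", 70, 302)]
    return lines


if __name__ == "__main__":
    for alert in detect_wp_bruteforce(build_sample_log()):
        print(alert)
```

Two caveats a practitioner should keep in mind. Access logs never show the candidate passwords, so the "highly specific password mutations" the page describes are only visible in WordPress-side authentication logging (a security plugin or auth hook), not here; what the access log gives you is the volume and the success-after-failure pattern. And a per-IP threshold is defeated by an attacker who spreads attempts across many sources or uses /xmlrpc.php (which answers 200 on both success and failure), so pair this with MFA on wp-admin as the Recommendations section advises rather than relying on the counter alone.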

False Positive Assessment

  • Medium. The payload is GoToResolve, a legitimate RMM tool, so detections keyed on its binaries or traffic will also fire on sanctioned use. The listed IPs belong to the GoToResolve service itself rather than to attacker-controlled hosts, so blocking them blocks the product for everyone; scope hunts to hosts and users that have no business running it.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified GoToResolve infrastructure IPs if the tool is not authorized in your environment.
  • Evaluate whether to block access to the domains stellarmonster.com and vebrf.digital.

Infrastructure Hardening

  • Consider implementing strict application control policies to prevent the execution of unauthorized Remote Monitoring and Management (RMM) tools.
  • Evaluate API key management practices, ensuring keys for AI services (like Google Gemini) are rotated regularly and monitored for anomalous usage.

User Protection

  • If applicable, enforce multi-factor authentication (MFA) on all external-facing administrative interfaces, such as WordPress.
  • Consider restricting local administrator privileges to prevent users from installing unapproved software.

Security Awareness

  • Consider educating users on the risks of downloading financial or cryptocurrency applications from untrusted sources or social media links.
  • Evaluate incorporating examples of AI-generated social engineering and fake personas into security awareness training.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1219 - Remote Access Software
  • T1110.001 - Brute Force: Password Guessing
  • T1583.008 - Acquire Infrastructure: Malvertising (the source labels this "Malicious Bot", which is not an ATT&CK sub-technique name; T1583.005 is Botnet and T1583.006 is Web Services, so verify the intended sub-technique before reusing this mapping)
  • T1078 - Valid Accounts

Additional IOCs

  • Urls:
    • hxxps://stellarmonster[.]com/ - URL for the fake crypto wallet download.
    • t.me/americanpatriotus - Primary Telegram channel used for the influence operation and fraud distribution.
    • t.me/QFS_Terminal_Bot - Telegram bot used as a gamified QAnon-styled chatbot to engage victims.