Katz Stealer Threat Analysis

May 27, 2025, 7:50 a.m.

Description

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScript, PowerShell scripts, and .NET payloads. Key features include browser credential theft, crypto wallet exfiltration, and Discord process hijacking. The malware also gathers system information, captures screenshots, and monitors clipboards. Detection opportunities include network traffic analysis, file system monitoring, and process behavior analysis. The analysis provides YARA and Sigma rules for detection, along with a comprehensive list of IOCs.

External References

https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis
https://otx.alienvault.com/pulse/6834f67e32272e392524397b
Tags
cryptocurrency
process-hollowing
credential-stealer
2025-05-26
katz stealer
uac-bypass
browser-targeting
discord-hijacking
evasion-techniques

Date

  • Created: May 26, 2025, 11:17 p.m.
  • Published: May 26, 2025, 11:17 p.m.
  • Modified: May 27, 2025, 7:50 a.m.

Indicators

  • e73f6e1f6c28469e14a88a633aef1bc502d2dbb1d4d2dfcaaef7409b8ce6dc99
  • fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027
  • e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19
  • e345d793477abbecc2c455c8c76a925c0dfe99ec4c65b7c353e8a8c8b14da2b6
  • c601721933d11254ae329b05882337db1069f81e4d04cd4550c4b4b4fe35f9cd
  • b912f06cf65233b9767953ccf4e60a1a7c262ae54506b311c65f411db6f70128
  • b249814a74dff9316dc29b670e1d8ed80eb941b507e206ca0dfdc4ff033b1c1f
  • 96ada593d54949707437fa39628960b1c5d142a5b1cb371339acc8f86dbc7678
  • 964ec70fc2fdf23f928f78c8af63ce50aff058b05787e43c034e04ea6cbe30ef
  • 925e6375deaa38d978e00a73f9353a9d0df81f023ab85cf9a1dc046e403830a8
  • 5dd629b610aee4ed7777e81fc5135d20f59e43b5d9cc55cdad291fcf4b9d20eb
  • 2852770f459c0c6a0ecfc450b29201bd348a55fb3a7a5ecdcc9986127fdb786b
  • 2798bf4fd8e2bc591f656fa107bd871451574d543882ddec3020417964d2faa9
  • 25b1ec4d62c67bd51b43de181e0f7d1bda389345b8c290e35f93ccb444a2cf7a
  • 22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb
  • 15953e0191edaa246045dda0d7489b3832f27fdc3fcc5027f26b89692aefd6e1
  • fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789
  • fcad234dc2ad5e2d8215bcf6caac29aef62666c34564e723fa6d2eee8b6468ed
  • e1a0d6929662bcbc9e5e0827cb8b6d7818088e996cf971d2a4a1c1ca4208e533
  • d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647
  • b10796c41e1cec7c84a3c68bfcaa7b20f49b620d1c94304a6b3ed73471fa9031
  • ad76e2727469525dec7e56977589dd250ca57a29b8b0d42cd5c42e536c285241
  • 6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d
  • 5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8
  • 4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7
  • 1ac196ac6393d786618c944a7ab77fb189a6b4ba00af5c0f987c3dc65876c060
  • 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
  • 31.177.109.39
  • 185.107.74.40
  • http://twist2katz.com/
  • pub-ce02802067934e0eb072f69bf6427bf6.r2.dev
  • twist2katz.com
  • katzstealer.com
  • katz-stealer.com
Download all indicators here!

Attack Patterns

  • Katz Stealer