LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

Nov. 7, 2025, 9:33 a.m.

Description

A new two-stage malware pair, LeakyInjector and LeakyStealer, has been identified targeting cryptocurrency wallets and browser history. LeakyInjector, the first stage, performs process injection through low-level APIs to evade detection and injects the second stage, LeakyStealer, into explorer.exe. LeakyStealer implements a polymorphic engine that rewrites its own memory region at runtime, so its in-memory image does not stay constant. Both stages were signed with valid Extended Validation code-signing certificates; a valid signature should therefore not be treated as evidence that a binary is benign. Once running, the stealer performs reconnaissance on the infected machine, enumerates multiple cryptocurrency wallets including browser-extension wallets, and searches for the history files of several browsers. It establishes persistence through registry manipulation, beacons to its C2 server at regular intervals, exfiltrates the collected data, and executes additional commands received from the C2 server.

Date

  • Created: Nov. 7, 2025, 9:02 a.m.
  • Published: Nov. 7, 2025, 9:02 a.m.
  • Modified: Nov. 7, 2025, 9:33 a.m.

Indicators

  • SHA-256 file hash: dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14
  • SHA-256 file hash: 9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82
  • IPv4 address: 45.151.62.120
  • Domain: paycnex.com
  • Domain: everstead.group
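A small hunting script, added here as an example and not part of the original report, that matches the indicators listed above against log lines. The indicator values are the ones on this page; the log lines inside the script are constructed for illustration and are not real telemetry. It handles two details that bite in practice: DNS logs often record hostnames with a trailing dot, and a lookalike such as notpaycnex.com must not match paycnex.com, so only an exact match or a dot-separated suffix counts as a hit.

```python
"""Match the LeakyInjector / LeakyStealer indicators against log lines.

Added hunting example. IOC values are taken from the page; SAMPLE_LOGS are
constructed for illustration and are not real telemetry.
"""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Indicators from the page: SHA-256 file hashes, one IPv4 address, two domains.
SHA256_IOCS = {
    "dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14",
    "9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82",
}
IP_IOCS = {"45.151.62.120"}
DOMAIN_IOCS = {"paycnex.com", "everstead.group"}

_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dot-joined labels ending in an alphabetic TLD (so IPs are excluded).
_HOST = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often append."""
    return host.lower().rstrip(".")


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it.

    'notpaycnex.com' must not match 'paycnex.com': only an exact match or a
    '.'-separated suffix counts.
    """
    h = normalize_host(host)
    for ioc in DOMAIN_IOCS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def file_hash_matches(data: bytes) -> Optional[str]:
    """SHA-256 the given file contents and return the digest on an IOC hit."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in SHA256_IOCS else None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every IOC hit."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for h in _HEX64.findall(line):
            if h.lower() in SHA256_IOCS:
                hits.append((n, "sha256", h.lower()))
        for ip in _IPV4.findall(line):
            if ip in IP_IOCS:
                hits.append((n, "ip", ip))
        for host in _HOST.findall(line):
            ioc = domain_matches(host)
            if ioc:
                hits.append((n, "domain", ioc))
    return hits


# Constructed sample lines (DNS, proxy, Sysmon-style file event, firewall).
SAMPLE_LOGS = [
    "2025-11-07T09:02:11Z dns client=10.0.0.23 query=paycnex.com. type=A",
    "2025-11-07T09:02:40Z proxy src=10.0.0.23 host=cdn.everstead.group method=POST bytes=5120",
    "2025-11-07T09:03:00Z dns client=10.0.0.24 query=notpaycnex.com type=A",
    "2025-11-07T09:03:30Z sysmon event=15 image=C:\\Users\\a\\Downloads\\setup.exe "
    "Hashes=SHA256=DEA8653698CEA84E063165524C3E8C8141DE246A29B9B8DE40BE3943FD1C6F14",
    "2025-11-07T09:04:00Z fw action=allow src=10.0.0.23 dst=45.151.62.120 dport=443",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit {value}")
```

Feed real logs in through scan_log_lines and real file contents through file_hash_matches; the hash check normalizes to lower case because Sysmon and several EDR exports emit upper-case hex.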

Attack Patterns

  • LeakyStealer
  • LeakyInjector