Silent Watcher: Dissecting Cmimai Stealer's VBS Payload
Aug. 13, 2025, 3:47 p.m.
Description
Cmimai Stealer, a VBS-based infostealer, has been targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, and exfiltrates the data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, running them in a persistent loop that repeats every hour. It leverages WMI to gather system information and formats the exfiltrated data as JSON. While it lacks advanced features such as encrypted communication or credential theft, Cmimai Stealer serves both as an infostealer and as a reconnaissance tool. Defensive considerations include monitoring high-risk process combinations (the VBS host spawning PowerShell), watching for the specific PowerShell scripts and image files it drops, and detecting Discord webhook traffic carrying its unique User-Agent.
Tags
Date
- Created: Aug. 13, 2025, 11:57 a.m.
- Published: Aug. 13, 2025, 11:57 a.m.
- Modified: Aug. 13, 2025, 3:47 p.m.