Direct-Sys Loader and CGrabber Stealer Five-Stage Malware Chain
Essential information
- Published: 17/04/2026 09:21
- Modified: 17/04/2026 10:45
- Tags: 2026-04-17, anti-analysis, cgrabber stealer, cryptocurrency theft, direct-sys loader, dll sideloading, github distribution, information stealer, syscall
- Related entities: 91 observables, 19 techniques (MITRE), 2 malware, 7 others
Description
A sophisticated five-stage malware operation delivers two new malware families: Direct-Sys Loader and CGrabber Stealer. The attack begins with ZIP archives distributed via GitHub user-attachment URLs and abuses a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading. Direct-Sys Loader employs ChaCha20 encryption, direct syscall execution, and multiple anti-analysis checks, including text file verification, enumeration of 67 analysis tool processes, and hypervisor detection. CGrabber Stealer collects extensive system metadata, browser credentials, cryptocurrency wallets, password managers, VPN configurations, and application artifacts from over 150 applications and extensions. The stealer excludes systems in the CIS region and uses ChaCha20 encryption with HMAC-SHA256 authentication for data exfiltration via custom HTTP headers. Both families share identical cryptographic implementations, suggesting a common development origin and representing operationally mature infrastructure designed for larg...