Tag: information stealer

26 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Hanoi Thief: Vietnam APT

A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVES…
vietnam
spear-phishing
information-stealer
dll-sideloading
2025-11-28
it-professionals
lotusharvest
browser-credentials
recruiters
Published: November 28, 2025
Downloadable IOCs: 6

Eye of the Storm: Analyzing DarkCloud's Latest Capabilities

eSentire's Threat Response Unit detected a spear-phishing campaign targeting a manufacturing customer, attempting to deliver the DarkCloud information-stealing malware. The malware, distributed through a malicious zip archive, has undergone significant updates including a VB6 rewrite and enhanced e…
exfiltration
information stealer
evasion techniques
spear-phishing
darkcloud
2025-09-29
crypto-wallet targeting
vb6
Published: September 29, 2025
Downloadable IOCs: 0

Malicious Appsuite PDF Editor Spreads Tamperedchef Malware

A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive…
obfuscation
credential theft
information stealer
trojanized software
tamperedchef
2025-08-28
google advertising
appsuite pdf editor
Published: August 28, 2025
Downloadable IOCs: 97

UNC Cluster Targeting South Asian Countries

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login p…
phishing
credential theft
remote access
rafel rat
information stealer
android malware
2025-08-27
military targets
south asian apt
Published: August 27, 2025
Downloadable IOCs: 0

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…
malvertising
powershell
cryptocurrency
modular
in-memory execution
information stealer
multi-stage
c#
2025-08-12
ahk bot
ps1bot
skitnet
Published: August 12, 2025
Downloadable IOCs: 0

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

Back to Business: Lumma Stealer Returns with Stealthier Methods

Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lum…
social engineering
lumma stealer
malware-as-a-service
infrastructure
information stealer
evasion tactics
cracked software
2025-07-23
github abuse
Published: July 23, 2025
Downloadable IOCs: 52

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…
malware
social engineering
impersonation
windows
cryptocurrency
macos
fake companies
atomic stealer
information stealer
realst
2025-07-16
Published: July 16, 2025
Downloadable IOCs: 1

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64…
rhadamanthys
lumma stealer
malware-as-a-service
clickfix
acr stealer
information stealer
clearfake
2025-06-18
web injects
amatera stealer
ntsockets
wow64 syscalls
Published: June 18, 2025
Downloadable IOCs: 12

How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

A high-severity phishing campaign targeting old version Office Application users exploits CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email containing a malicious Excel attachment. When opened, it triggers the vulnerability, downloading and executing a malicio…
phishing
autoit
formbook
CVE-2017-0199
2025-06-05
hta
information-stealer
Published: June 5, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Lumma Stealer is Out... of business!

A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000…
lummac2
data theft
redline
malware-as-a-service
information stealer
2025-05-21
lummac
infrastructure takedown
multi-tiered c2
Published: May 21, 2025
Downloadable IOCs: 1091

I StealC You: Tracking the Rapid Changes To Steal

StealC V2, introduced in March 2025, is an enhanced version of the popular information stealer and malware downloader. Key updates include a streamlined JSON-based C2 communication protocol with RC4 encryption, expanded payload delivery options (MSI packages and PowerShell scripts), and a redesigne…
obfuscation
amadey
credential harvesting
stealc
information stealer
2025-05-02
rc4 encryption
Published: May 2, 2025
Downloadable IOCs: 0

HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware perf…
cryptocurrency
sharp stealer
data exfiltration
information stealer
browser data theft
geofencing
2025-04-26
hannibal stealer
tx stealer
vpn credentials
c2 panel
telegram channels
2025-04-30
rebranded malware
vpn credential theft
Published: April 30, 2025
Downloadable IOCs: 4

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…
obfuscation
powershell
anti-analysis
lumma stealer
autoit
information stealer
cryptocurrency theft
fake captcha
2025-04-21
Published: April 21, 2025
Downloadable IOCs: 15

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

Unveiling EncryptHub: Analysis of a multi-stage malware campaign

EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat…
rhadamanthys
kematian stealer
information stealer
2025-04-07
labinstalls
pay-per-install
encryptrat
Published: April 7, 2025
Downloadable IOCs: 69

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

Malvertising campaign leads to info stealers hosted on GitHub

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms.…
malvertising
lumma stealer
github
lumma
netsupport rat
information stealer
multi-stage attack
doenerium
2025-03-06
living-off-the-land
Published: March 6, 2025
Downloadable IOCs: 3

DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer

Between October 2024 and February 2025, LummaStealer malware was distributed via fake CAPTCHA pages, targeting users who store sensitive information in browsers and cryptocurrency wallets. The malware, available as a Malware-as-a-Service, collects data for fraud and unauthorized access. Threat acto…
lummac2
malware-as-a-service
information stealer
early detection
fake captcha
lummastealer
malicious domains
2025-02-27
dns traffic analysis
adtech
2025-02-28
dns monitoring
Published: February 28, 2025
Downloadable IOCs: 11

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

MintsLoader: StealC and BOINC Delivery

The eSentire Threat Response Unit identified a campaign involving MintsLoader, a PowerShell-based malware loader, delivering payloads like Stealc and BOINC client. MintsLoader uses a Domain Generation Algorithm and anti-VM techniques to evade detection. The infection process begins with a spam emai…
stealc
boinc
information stealer
2025-01-20
mintsloader
Published: January 20, 2025
Downloadable IOCs: 68

Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

A fake proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113) is being used to distribute information-stealing malware. The malicious repository, disguised as a fork from the original creator, contains an executable file that, when run, drops and executes a PowerShell script.…
powershell
github
information stealer
CVE-2024-49112
CVE-2024-49113
2025-01-10
ldapnightmare
poc exploit
ftp exfiltration
Published: January 10, 2025
Downloadable IOCs: 0

A Look Back: The Evolution of Latin American eCrime Malware in 2024

Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Nota…
phishing
javascript
rust
banking trojan
information stealer
2024-12-18
nirsoft
Published: December 18, 2024
Downloadable IOCs: 32

Glove Stealer bypasses Chrome's App-Bound Encryption to steal cookies

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the I…
malware
phishing
information stealer
2024-11-16
chrome
encryption bypass
glove stealer
Published: November 16, 2024
Downloadable IOCs: 0

Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer

At Cyfirma, this report offers a comprehensive analysis of Mint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint Stealer targets sensitive data and uses sophisticated techniques to evade detection. This in-depth study explores Mint Stealer's ev…
malware-as-a-service
data exfiltration
2024-07-31
information stealer
mint stealer
evasion tactics
Published: July 31, 2024
Downloadable IOCs: 10
Click here to see more Attack Reports