SecuriTricks - infostealer

Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

A large-scale operation impersonates open-source and freeware projects to capture search traffic, targeting tools such as Ghidra, dnSpy, and SpiderFoot. The professionally designed sites load CloudFront-hosted JavaScript that converts download button clicks into handoffs to a Traffic Distribution S…

infostealer

click hijacking

traffic distribution system

cryptocurrency clipper

Published: June 3, 2026

Downloadable IOCs: 25

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swi…

Published: May 26, 2026

Downloadable IOCs: 4

PureLogs: Delivery via PawsRunner Steganography

Attackers are concealing .NET infostealers within seemingly innocuous images to evade detection. A phishing campaign uses TXZ archive attachments with invoice-themed lures to initiate infection. The embedded JavaScript leverages environment variables to hide malicious commands, launching PowerShell…

cryptocurrency wallets

2026-05-21

pawsrunner

Published: May 21, 2026

Downloadable IOCs: 8

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Financially motivated eCrime actors are conducting an ongoing infostealer campaign targeting software developers through SEO poisoning techniques. The operation impersonates AI platforms including Gemini CLI and Claude Code, as well as developer tools like Node.js, Chocolatey, and KeePassXC. Attack…

ai platform impersonation

fileless powershell

supply chain risk

Published: May 21, 2026

Downloadable IOCs: 34

Infostealer Campaign Using Trading App as Lure

A sophisticated infostealer operation was discovered masquerading as a cryptocurrency trading application called Tralert FX. The malicious MSI installer achieved only 3/52 AV detections by using a valid EV code signing certificate from a likely front company, AgilusTech LLC. The campaign has been a…

Published: May 20, 2026

Downloadable IOCs: 4

The Evolution of ClickFix: From Cleartext to Server Side Polymorphism

The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The…

server-side polymorphism

Published: May 20, 2026

Downloadable IOCs: 605

Copycat hits another npm package

A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-uti…

Published: May 18, 2026

Downloadable IOCs: 1

Vidar v1.5 in Go: same family, new language, heavy sandbox checks

Vidar is a name most infostealer trackers know well -- an Arkei descendant that has been snatching browser credentials and crypto wallets since 2018. It usually ships as a .NET binary or a C++ PE. The v1.5 sample we pulled from Triage on May 13, 2026 is neither. It is a 7 MB Go 1.25.4 native PE wit…

Published: May 18, 2026

Downloadable IOCs: 4

macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

A new variant of SHub Stealer dubbed 'Reaper' targets macOS users through fake WeChat and Miro installers, employing sophisticated multi-stage delivery chains that spoof Apple, Google, and Microsoft services. The malware leverages the applescript:// URL scheme to bypass Terminal-based defenses, con…

credential harvesting

persistence mechanism

2026-05-18

shub reaper

Published: May 18, 2026

Downloadable IOCs: 5

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

This analysis examines new obfuscation techniques employed by Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a privat…

infostealer

quasar rat

credential harvesting

guloader

agent tesla

obfuscation techniques

gremlin stealer

session hijacking

telegram exfiltration

2026-05-15

cryptocurrency clipper

discord token theft

lokibot

Published: May 15, 2026

Downloadable IOCs: 12

AI-Assisted Lure Factory Targets Developers & Gamers

A large-scale malware campaign tracked as TroyDen's Lure Factory has been identified distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub. The operation uses AI-generated lure names incorporating obscure biological taxonomy and medical terminology to target dev…

prometheus obfuscator

troyden

two-component payload

Published: May 8, 2026

Downloadable IOCs: 9

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When execu…

Published: May 6, 2026

Linked vulnerabilities : CVE-2026-31431

Downloadable IOCs: 28

LofyStealer: Malware targeting Minecraft players.

A sophisticated two-stage infostealer named LofyStealer, also known as GrabBot/Slinky, targets Minecraft players through social engineering. The malware comprises a 53.5MB Node.js-based loader disguised within legitimate libraries and a 1.4MB native C++ payload that executes directly in memory. It …

Published: April 29, 2026

Downloadable IOCs: 3

GachiLoader adopts AI skill lure

Threat actors are exploiting AI agent skill formats as a novel attack vector, using convincingly packaged OpenClaw skills to distribute malicious payloads. The latest campaign employs pure social engineering, with skills containing no malicious code themselves but instead tricking users into downlo…

Published: April 29, 2026

Downloadable IOCs: 9

TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337, combining cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, ransomware module (crpx0), and Java RAT builder managed via…

Published: April 22, 2026

Downloadable IOCs: 19

StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets

StepDrainer is a Malware-as-a-Service (MaaS) platform engineered to steal digital assets from cryptocurrency wallets, including fungible tokens and high-value NFT collections. The malware supports more than 20 blockchain networks and incorporates multiple draining techniques, particularly abusing E…

Published: April 21, 2026

Downloadable IOCs: 3

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cook…

social engineering

infostealer

macos

credential harvesting

clickfix

applescript

session hijacking

cryptocurrency wallet theft

2026-04-21

browser data exfiltration

Published: April 21, 2026

Downloadable IOCs: 6

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Multiple campaigns are distributing NWHStealer through diverse delivery methods including fake VPN downloads, hardware utilities, and gaming modifications. The malware collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating …

cryptocurrency wallet theft

fake vpn

Published: April 17, 2026

Downloadable IOCs: 3

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while …

javascript obfuscation

2026-04-13

koalemos

vercel c2

Published: April 13, 2026

Downloadable IOCs: 9

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to s…

cryptocurrency wallet

2026-04-09

ledger trojanization

Published: April 9, 2026

Downloadable IOCs: 12

Canis C2 Exposed: Previously Undocumented Cross-Platform ...

On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C…

Published: April 8, 2026

Downloadable IOCs: 4

ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer

Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload — bypassing Terminal entirely.

Published: April 8, 2026

Downloadable IOCs: 4

Unmasking The 64-bit Variant of the Infamous Lumma Stealer

Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to Ether…

application-bound encryption bypass

Published: April 8, 2026

Downloadable IOCs: 56

Latest Xloader Obfuscation Methods and Network Protocol

Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader c…

Published: April 1, 2026

Downloadable IOCs: 3

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

A new macOS infostealer called Infiniti Stealer has been discovered, utilizing ClickFix delivery and Python/Nuitka compilation. The malware spreads through a fake CAPTCHA page, tricking users into running a command themselves. The final payload is a Python-based stealer compiled with Nuitka, making…

Published: March 27, 2026

Linked vulnerabilities : CVE-2026-20963 (CVSS 8.8)

Downloadable IOCs: 2

GlassWorm attack installs fake browser extension for surveillance

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, in…

Published: March 26, 2026

Downloadable IOCs: 1

Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. …

teampcp cloud stealer

trivy

typosquat

Published: March 20, 2026

Downloadable IOCs: 2

VoidStealer: Debugging Chrome to Steal Its Secrets

VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The techn…

debugger-based technique

hardware breakpoints

memory analysis

v20_master_key extraction

voidstealer

Published: March 20, 2026

Downloadable IOCs: 1

Analyzing the Current State of AI Use in Malware

Unit 42 researchers investigated the use of large language models (LLMs) in malware creation and functionality. They examined two samples: a .NET infostealer incorporating OpenAI's GPT-3.5-Turbo model via API, and a Golang-based malware dropper leveraging an LLM for environment assessment. The info…

Published: March 19, 2026

Linked vulnerabilities : CVE-2026-0628 (CVSS 8.8)

Downloadable IOCs: 4

Hacked sites deliver Vidar infostealer to Windows users

A recent cybercrime campaign uses compromised WordPress websites to distribute the Vidar infostealer malware to Windows users. The attack employs fake CAPTCHA pages that trick victims into running malicious commands. The infection chain involves an HTA script, which downloads and executes a malicio…

Published: March 17, 2026

Downloadable IOCs: 4

Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets

A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The a…

Published: March 9, 2026

Downloadable IOCs: 3

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl command…

credential harvesting

Published: February 19, 2026

Linked vulnerabilities : CVE-2026-25253 (CVSS 8.8)

Downloadable IOCs: 5

Arkanix Stealer targets a variety of data, offers a MaaS referral program

Arkanix Stealer, a newly discovered malware operating under a Malware-as-a-Service model, targets a wide range of user data including cryptocurrencies, gaming, and online banking information. The stealer, available in both Python and C++ versions, offers configurable features and employs various te…

Published: February 19, 2026

Downloadable IOCs: 10

Infostealers without borders: macOS, Python stealers, and platform abuse

Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilit…

Published: February 2, 2026

Downloadable IOCs: 23

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since Septem…

Published: January 26, 2026

Downloadable IOCs: 3

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based appro…

Published: January 21, 2026

Downloadable IOCs: 6

VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

This analysis examines the VVS stealer, a Python-based malware targeting Discord users to steal sensitive information like credentials and tokens. The stealer employs Pyarmor for obfuscation, hindering analysis and detection. Key capabilities include exfiltrating Discord data, injecting malicious c…

Published: January 20, 2026

Downloadable IOCs: 3

December 2025 Infostealer Trend Report

This analysis examines Infostealer malware trends during December 2025, focusing on distribution methods, volume, and disguising techniques. Key findings include the prevalence of ACRStealer, LummaC2, and Stealc Infostealers, with malware primarily distributed through SEO poisoning and compromised …

Published: January 16, 2026

Downloadable IOCs: 9

Guloader Malware Being Disguised as Employee Performance Reports

ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which …

Published: January 8, 2026

Downloadable IOCs: 2

EmEditor Homepage Download Button Served Malware for 4 Days

Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings…

Published: December 30, 2025

Downloadable IOCs: 1

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an…

Published: December 23, 2025

Downloadable IOCs: 11

GachiLoader: Defeating Node.js Malware with API Tracing

A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE i…

Published: December 17, 2025

Downloadable IOCs: 10

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…

Published: December 3, 2025

Downloadable IOCs: 0

Arkanix Stealer: Newly discovered short term profit malware

A new information stealer named Arkanix has emerged, likely designed for short-term financial gains. Advertised on Discord, it has rapidly evolved from a Python-based to a C++ version. The malware steals data from various browsers, crypto wallets, VPN accounts, and system information. It employs so…

Published: December 1, 2025

Downloadable IOCs: 2

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…

Published: November 27, 2025

Downloadable IOCs: 3

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a stand…

Published: November 24, 2025

Downloadable IOCs: 12

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…

Published: November 14, 2025

Downloadable IOCs: 84

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …

browser fingerprinting

2025-11-14

cybercriminal activity

Published: November 14, 2025

Downloadable IOCs: 3

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT.

Published: October 10, 2025

Downloadable IOCs: 7

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It …

Published: October 10, 2025

Downloadable IOCs: 59

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…

system reconnaissance

Published: October 8, 2025

Downloadable IOCs: 1

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code in images, w…

Published: September 16, 2025

Downloadable IOCs: 17

August 2025 Infostealer Trend Report

This analysis examines Infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable varian…

Published: September 16, 2025

Downloadable IOCs: 0

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…

Published: September 12, 2025

Downloadable IOCs: 14

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …

Published: September 10, 2025

Downloadable IOCs: 14

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers

Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeti…

Published: September 4, 2025

Downloadable IOCs: 8

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …

atomic macos stealer (amos)

lampion

2025-08-21

windows run dialog

Published: August 21, 2025

Downloadable IOCs: 10

New Variant of ACRStealer Actively Distributed with Modifications

A modified version of the ACRStealer infostealer is being actively distributed, featuring enhanced detection evasion and analysis obstruction techniques. The malware uses the Heaven's Gate technique for executing x64 code in WoW64 processes and implements low-level NT functions for C2 communication…

Published: August 21, 2025

Downloadable IOCs: 0

Behind the Curtain: How Lumma Affiliates Operate

This analysis reveals the complex operations of Lumma affiliates within a vast information-stealing ecosystem. Affiliates utilize various tools and services, including proxy networks, VPNs, anti-detect browsers, and crypting services. The investigation uncovered previously undocumented tools and sh…

Published: August 20, 2025

Downloadable IOCs: 0

Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project

A massive distribution of SmartLoader malware has been discovered through GitHub repositories masquerading as legitimate projects. These repositories focus on topics like game cheats, software cracks, and automation tools to attract users. The malware is distributed via compressed files containing …

Published: August 13, 2025

Downloadable IOCs: 11

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, runnin…

Published: August 13, 2025

Downloadable IOCs: 0

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an arch…

Published: August 8, 2025

Downloadable IOCs: 10

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

SentinelLABS and Beazley Security uncovered a series of infostealer campaigns delivering the Python-based PXA Stealer. The malware, which first appeared in late 2024, has evolved to incorporate sophisticated anti-analysis techniques and a hardened command-and-control infrastructure. Over 4,000 uniq…

python

infostealer

data theft

credential harvesting

2025-08-04

pxa stealer

Published: August 4, 2025

Downloadable IOCs: 5

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan ca…

Published: August 3, 2025

Downloadable IOCs: 0

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

Raven Stealer is a modern information-stealing malware developed in Delphi and C++, designed to extract sensitive data from victim machines. It targets Chromium-based browsers, extracting passwords, cookies, payment details, and autofill information. The malware uses a modular architecture and a bu…

Published: August 1, 2025

Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…

Published: July 31, 2025

Downloadable IOCs: 8

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…

Published: July 17, 2025

Downloadable IOCs: 31

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…

Published: July 17, 2025

Downloadable IOCs: 0

June 2025 Infostealer Trend Report

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar,…

anti-analysis techniques

Published: July 16, 2025

Downloadable IOCs: 0

NordDragonScan: Quiet Data-Harvester on Windows

A sophisticated infostealer dubbed NordDragonScan has been discovered, targeting Windows systems through weaponized HTA scripts. The malware is distributed via shortened links leading to RAR archives containing malicious LNK shortcuts. Once installed, NordDragonScan performs extensive reconnaissanc…

Published: July 14, 2025

Downloadable IOCs: 11

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…

Published: July 10, 2025

Downloadable IOCs: 65

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…

Published: June 30, 2025

Downloadable IOCs: 34

Part 2: Tracking LummaC2 Infrastructure

An investigation into domains associated with the LummaC2 infostealing-malware campaign revealed a broader network of nearly 500 domains with highly malicious risk scores. These domains share similar registration patterns, including the use of Eastern European names and the inbox[.]eu email domain.…

domain infrastructure

technical education lure

eastern european names

Published: June 19, 2025

Downloadable IOCs: 504

May 2025 Infostealer Trend Report

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts …

Published: June 18, 2025

Downloadable IOCs: 3

Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data

A multistage malware campaign targeting Minecraft users has been discovered, distributed through the Stargazers Ghost Network on GitHub. The malware impersonates popular Minecraft mods and cheats, using a Java-based downloader that evades detection. The infection chain includes multiple stages: a J…

infostealer

minecraft

stargazers ghost network

2025-06-18

java malware

minecraft mods

Published: June 18, 2025

Downloadable IOCs: 17

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…

Published: June 18, 2025

Downloadable IOCs: 47

The strange tale of ischhfd83: When cybercriminals eat their own

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leadin…

Published: June 4, 2025

Downloadable IOCs: 52

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…

Published: May 29, 2025

Downloadable IOCs: 27

Vietnam-Nexus Hackers Distribute Malware Via Fake AI Video Generators

A hacking group with alleged ties to Vietnam has been exploiting social media ads promoting AI video generators to distribute malware since mid-2024. The campaign, discovered by Mandiant, uses fake websites mimicking legitimate AI tools to deploy payloads including Python-based infostealers and bac…

Published: May 28, 2025

Downloadable IOCs: 1

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The ma…

chihuahua infostealer

browser-data-theft

.net-malware

Published: May 27, 2025

Downloadable IOCs: 10

Malicious attack method on hosted ML models now targets PyPI

A new malicious campaign has been discovered targeting the Python Package Index (PyPI) by exploiting the Pickle file format in machine learning models. Three malicious packages posing as an Alibaba AI Labs SDK were detected, containing infostealer payloads hidden inside PyTorch models. The packages…

Published: May 26, 2025

Downloadable IOCs: 2

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…

Published: May 26, 2025

Downloadable IOCs: 113

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…

Published: May 25, 2025

Downloadable IOCs: 1

Inside DanaBot's Infrastructure: In Support of Operation Endgame II

DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to it…

Published: May 23, 2025

Downloadable IOCs: 65

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …

Published: May 22, 2025

Downloadable IOCs: 10

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. Th…

Published: May 22, 2025

Downloadable IOCs: 1

The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website

A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious fi…

Published: May 21, 2025

Downloadable IOCs: 42

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…

Published: May 14, 2025

Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)

Downloadable IOCs: 4

New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware employs a multi-stage PowerShell script infection process, utilizing Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It t…

powershell

infostealer

.net

multi-stage infection

Published: May 14, 2025

Downloadable IOCs: 2

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…

Published: May 13, 2025

Downloadable IOCs: 0

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…

Published: May 13, 2025

Downloadable IOCs: 8

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promi…

Published: May 12, 2025

Downloadable IOCs: 32

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…

Published: May 6, 2025

Downloadable IOCs: 10

Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web…

Published: April 29, 2025

Downloadable IOCs: 2

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…

microsoft equation editor

Published: April 22, 2025

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 7

Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution p…

Published: April 16, 2025

Downloadable IOCs: 0

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…

Published: April 14, 2025

Downloadable IOCs: 41

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germa…

Published: April 13, 2025

Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.

Published: April 10, 2025

Downloadable IOCs: 56

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…

Published: April 3, 2025

Downloadable IOCs: 6

PJobRAT makes a comeback, takes another crack at chat apps

In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.

Published: March 27, 2025

Downloadable IOCs: 12

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).

Published: March 25, 2025

Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)

Downloadable IOCs: 58

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…

Published: March 20, 2025

Downloadable IOCs: 4

Infostealer Campaign against ISPs

A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained thr…

Published: March 11, 2025

Downloadable IOCs: 0

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…

Published: February 22, 2025

Downloadable IOCs: 0

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…

Published: February 21, 2025

Downloadable IOCs: 0

Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors

A malicious campaign is targeting Chinese-speaking users by distributing backdoored executables through fake download pages for popular apps like Signal, Line, and Gmail. The attackers use seemingly unrelated domain names and rely on search engine manipulation to lure victims. The malware follows a…

backdoor

infostealer

search engine manipulation

Published: February 18, 2025

Downloadable IOCs: 0

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…

Published: February 4, 2025

Downloadable IOCs: 26

Fileless Python InfoStealer Targeting Exodus

A new Python-based info stealer targeting the Exodus crypto wallet has been discovered. This malware employs fileless techniques, clipboard monitoring, and keylogging to capture wallet passwords and sensitive data. It checks for the existence of 'passphrase.json' and, if not found, uses a keylogger…

Published: January 28, 2025

Downloadable IOCs: 1

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…

Published: January 13, 2025

Downloadable IOCs: 4

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…

Published: January 10, 2025

Downloadable IOCs: 3

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …

Published: December 19, 2024

Downloadable IOCs: 5

VIPKeyLogger Infostealer in the Wild

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIP…

Published: December 16, 2024

Downloadable IOCs: 0

Malicious PyPI crypto pay package aiocpa implants infostealer code

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…

software supply chain

2024-11-29

threat hunting

Published: November 29, 2024

Downloadable IOCs: 0

RobotDropper Automates the Delivery of Multiple Infostealers

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through …

Published: November 26, 2024

Downloadable IOCs: 5

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…

Published: November 26, 2024

Downloadable IOCs: 11

Life on a crooked RedLine: Analyzing the infamous infostealer's backend

This article provides an in-depth analysis of RedLine Stealer, a notorious information-stealing malware. The research focuses on previously undocumented backend modules and the control panel used by affiliates. Key findings include the identification of over 1,000 unique IP addresses hosting RedLin…

windows communication framework

backend analysis

Published: November 17, 2024

Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…

Published: November 16, 2024

Downloadable IOCs: 0

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research provides a comprehensive analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year, targeting organizations in multiple countries. WezRat's capabilities include executing commands, taking…

Published: November 14, 2024

Downloadable IOCs: 0

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…

Threat actors use copyright infringement phishing lure to deploy infostealers

An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot dom…

Published: October 31, 2024

Downloadable IOCs: 0

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…

Published: October 30, 2024

Downloadable IOCs: 103

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…

software supply chain

namesquatting

Published: October 25, 2024

Downloadable IOCs: 1

The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer

This analysis examines three emerging malware threats: Divulge Stealer, DedSec Stealer, and Duck Stealer. These stealers, often promoted on platforms like GitHub and Telegram, target browser data, game information, and sensitive personal details. Divulge Stealer, a successor to Umbral Stealer, feat…

Published: October 21, 2024

Downloadable IOCs: 3

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…

Published: October 18, 2024

Downloadable IOCs: 171

Beware of phishing emails impersonating major domestic entertainment agencies

ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.

Published: October 16, 2024

Downloadable IOCs: 0

Observes Targeted Attacks Amid FBI Warnings

The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…

Published: September 17, 2024

Downloadable IOCs: 8

A SOC Team’s Guide to Detecting macOS Atomic Stealers

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …

Published: September 13, 2024

Downloadable IOCs: 3

There's Something About CryptBot: Yet Another Silly Stealer

This report provides an in-depth technical analysis of a new variant of the CryptBot infostealer, dubbed Yet Another Silly Stealer (YASS). It details the delivery chain, involving the MustardSandwich downloader, and dissects the YASS payload's functionalities, including its data gathering, encrypti…

Published: September 11, 2024

Downloadable IOCs: 13

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…

Published: September 9, 2024

Downloadable IOCs: 17

Emansrepo Stealer: Multi-Vector Attack Chains

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…

Published: September 4, 2024

Downloadable IOCs: 42

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…

cryptocurrency wallets

browser data theft

Published: September 2, 2024

Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986

Downloadable IOCs: 8

A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise

CYFIRMA's research team recently identified a sophisticated dropper binary designed to deploy an information stealer, dubbed 'Angry Stealer,' actively advertised on Telegram and other online platforms. The stealer targets sensitive data from browsers, cryptocurrency wallets, VPN credentials, and sy…

Published: August 28, 2024

Downloadable IOCs: 2

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…

Published: August 23, 2024

Downloadable IOCs: 23

Ailurophile: G DATA has sighted a new info stealer in the wild

G DATA has detected a novel information-stealing malware, dubbed 'Ailurophile Stealer'. It is a PHP-based stealer offered through a subscription model on its dedicated website. Customers utilize a web panel to generate customized malware variants, specifying features such as the malware name, icon,…

Published: August 19, 2024

Downloadable IOCs: 2

Beyond the wail: deconstructing the BANSHEE infostealer

This analysis details the BANSHEE malware, a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets. Developed by Russian threat actors, it operates across macOS x86_64 and ARM64 architectures. The malware is designed to evade detection through anti-debugg…

Published: August 16, 2024

Downloadable IOCs: 2

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…

Published: August 16, 2024

Downloadable IOCs: 68

InfoStealer Uses SwiftUI, OpenDirectory API to Capture Passwords

This report analyzes a new macOS stealer malware that leverages SwiftUI for password prompts and the OpenDirectory API for verifying captured passwords. It utilizes APIs to evade detection and carries out malicious operations in distinct stages, first executing a Swift-based dropper that displays a…

Published: August 9, 2024

Downloadable IOCs: 1

LummaC2 Malware Abusing the Game Platform 'Steam'

The report investigates LummaC2, an infostealer malware actively distributed under the guise of illegal software. It highlights LummaC2's tactics of utilizing encrypted strings and abusing legitimate websites like Steam to acquire command-and-control (C2) domains. The malware steals sensitive user …

Published: July 26, 2024

Downloadable IOCs: 21

RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS

Check Point Research has identified multiple threat actors utilizing Rafel, an open-source remote administration tool (RAT). The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profi…

Published: June 20, 2024

Downloadable IOCs: 6

Fickle Stealer Distributed via Multiple Attack Chain

In May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target.

Published: June 20, 2024

Downloadable IOCs: 53

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…

Published: June 10, 2024

Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199

Downloadable IOCs: 6

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud

An analysis by McAfee's Mobile Research Team uncovered an Android InfoStealer malware masquerading as a government service app in Bahrain. The malicious app, promoted through deceitful Facebook pages and SMS messages, tricks users into providing personal information like CPR numbers, phone numbers,…

Published: June 3, 2024

Downloadable IOCs: 14

Analysis of APT Attack Cases Using Dora RAT Against Companies

This analysis discusses an APT campaign by the Andariel threat group targeting Korean companies and educational institutions. The campaign employed various malware strains, including Nestdoor backdoor, Dora RAT, keyloggers, infostealers, and proxy tools. The attackers exploited vulnerabilities, suc…

Published: May 30, 2024

Linked vulnerabilities : CVE-2021-44228

Downloadable IOCs: 7

Unmasking AsukaStealer: The $80 Malware Threatening Digital Security

AsukaStealer, a malware offered for $80 on a Russian cybercrime forum, is designed to infiltrate popular browsers and extract sensitive data like credentials, cookies, and extension data. It also targets cryptocurrency wallets, messaging platforms, and gaming software. The malware employs customiza…

infostealer

2024-05-30

asukastealer

Published: May 30, 2024

Downloadable IOCs: 4

Threat actors ride the hype for newly released Arc browser

The release of the Arc browser for Windows sparked interest among cyber criminals who quickly launched a malvertising campaign impersonating the new software. The scheme uses Google search ads to lure potential victims with fake Arc installers. These installers employ various techniques, including …

Published: May 28, 2024

Downloadable IOCs: 9

Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies, construction firms, and educational institutions. The attackers employed backdoors, keyl…

Published: May 20, 2024

Downloadable IOCs: 10

Profiling Trafficers: Cerberus

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…

dracula stealer (samurai)

2024-05-09

2024-05-10

Published: May 10, 2024

Downloadable IOCs: 24

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…

Published: May 10, 2024

Downloadable IOCs: 4

Malware: Behaves Like Cross Between Infostealer and Spyware

On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.

Published: May 3, 2024

Downloadable IOCs: 18

Scaly Wolf’s new loader: the right tool for the wrong job

The report analyzes a recent campaign by the Scaly Wolf threat group targeting organizations in Russia and Belarus. The group employs phishing emails disguised as communications from government agencies, containing legitimate documents and password-protected archives with malicious executables. The…

Published: May 2, 2024

Downloadable IOCs: 23

Eight Arms to Hold You: The Cuttlefish Malware

The Black Lotus Labs team at Lumen Technologies is tracking a malware platform named Cuttlefish, targeting enterprise-grade small office/home office (SOHO) routers. This modular malware primarily steals authentication material from web requests transiting the router. It can also perform DNS and HTT…

Published: May 2, 2024

Downloadable IOCs: 40

Distribution of Infostealer Made With Electron

AhnLab Security Intelligence Center (ASEC) has discovered an Infostealer malware strain developed using the Electron framework, which allows the creation of applications using JavaScript, HTML, and CSS. The malware is distributed through Nullsoft Scriptable Install System (NSIS) installer format. O…

Published: April 30, 2024

Downloadable IOCs: 1

Tag: infostealer

Attack reports

Gamers beware: malicious wallpapers on Steam found stealing accounts

Fake Software Tutorials on TikTok Spread Vidar Stealer

Phishing Attacks Leverage TikTok, Instagram Reels

Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

PureLogs: Delivery via PawsRunner Steganography

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

Infostealer Campaign Using Trading App as Lure

The Evolution of ClickFix: From Cleartext to Server Side Polymorphism

Copycat hits another npm package

Vidar v1.5 in Go: same family, new language, heavy sandbox checks

macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

AI-Assisted Lure Factory Targets Developers & Gamers

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

LofyStealer: Malware targeting Minecraft players.

GachiLoader adopts AI skill lure

TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Tracking an OtterCookie Infostealer Campaign Across npm

Stealer Campaign Impacting SLTT macOS Users

Canis C2 Exposed: Previously Undocumented Cross-Platform ...

ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer

Unmasking The 64-bit Variant of the Infamous Lumma Stealer

Latest Xloader Obfuscation Methods and Network Protocol

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

GlassWorm attack installs fake browser extension for surveillance

Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

VoidStealer: Debugging Chrome to Steal Its Secrets

Analyzing the Current State of AI Use in Malware

Hacked sites deliver Vidar infostealer to Windows users

Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Arkanix Stealer targets a variety of data, offers a MaaS referral program

Infostealers without borders: macOS, Python stealers, and platform abuse

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization

VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

December 2025 Infostealer Trend Report

Guloader Malware Being Disguised as Employee Performance Reports

EmEditor Homepage Download Button Served Malware for 4 Days

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

GachiLoader: Defeating Node.js Malware with API Tracing

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

Arkanix Stealer: Newly discovered short term profit malware

Analysis of the Lumma infostealer

ClickFix Gets Creative: Malware Buried in Images

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

From infostealer to full RAT: dissecting the PureRAT attack chain

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography

August 2025 Infostealer Trend Report

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

New Variant of ACRStealer Actively Distributed with Modifications

Behind the Curtain: How Lumma Affiliates Operate

Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

MaaS Appeal: An Infostealer Rises From The Ashes

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

June 2025 Infostealer Trend Report

NordDragonScan: Quiet Data-Harvester on Windows

Fix the Click: Preventing the ClickFix Attack Vector

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

Part 2: Tracking LummaC2 Infrastructure

May 2025 Infostealer Trend Report