Hybrid Analysis identified a new two-stage Windows malware family — LeakyInjector and LeakyStealer — that injects a ChaCha20-encrypted stealer into explorer.exe, establishes persistence as an Edge update component, and exfiltrates crypto wallet data and browser history to a hard-coded C2. Both components were signed with a valid EV certificate and beacon to everstead[.]group and 45[.]151[.]62[.]120 while implementing a polymorphic engine and backdoor commands for downloading/executing files and running Windows commands. #LeakyInjector #LeakyStealer
Keypoints
- Two-stage malware: LeakyInjector decrypts and injects the ChaCha20-encrypted LeakyStealer into explorer.exe using low-level process injection APIs.
- Targets cryptocurrency wallets and browser extensions (Electrum, Exodus, MetaMask, Phantom, Coinbase Wallet, Trust Wallet, etc.) and steals browser history from Chrome, Edge, Brave, Opera, and Vivaldi.
- Establishes persistence by copying itself to %AppData%\MicrosoftEdgeUpdateCore.exe and creating a Run registry entry named EdgeUpdateCore, masquerading as an Edge update component.
- Implements a polymorphic engine that patches a hard-coded marker region in memory (replacing bytes with NOP-like sequences) and computes a Bot ID from the C: volume serial XOR 0xDEADBEEF.
- Communicates with hard-coded C2 infrastructure (everstead[.]group and IP 45[.]151[.]62[.]120) over HTTP(S), beaconing at intervals with a registration packet including Bot ID, hostname, user, domain, admin flag, and OS version.
- Supports two backdoor commands from the C2: download-and-execute arbitrary files and execute Windows commands with output returned via pipe.
- Samples were signed with an EV code-signing certificate (Signer: Hefei Nudan Jukuang Network Technology Co., Ltd.; thumbprint A8BF7554…) reused across multiple samples and later revoked; additional distribution artifacts (MSI dynatrc.php, paycnex[.]com) and related NetSupportRAT scripts were observed.
MITRE Techniques
- [T1047] Windows Management Instrumentation or system info collection – LeakyStealer retrieves hostname, username, domain, and Windows version for exfiltration (“…Extract information that will be exfiltrated…”).
- [T1055] Process Injection – LeakyInjector searches for explorer.exe and injects the decrypted LeakyStealer into that process using low-level APIs (“…The malware injects the next stage into the explorer process using the low level APIs…”).
- [T1027] Obfuscated Files or Information – The stealer is stored encrypted and decrypted with ChaCha20 using a hard-coded key/nonce (“…LeakyStealer is stored in an encrypted form in the injector and is decrypted using the ChaCha20 algorithm…”).
- [T1547.001] Registry Run Keys/Startup Folder – Establishes persistence by creating a Run key entry ‘EdgeUpdateCore’ and copying itself to %AppData%\MicrosoftEdgeUpdateCore.exe (“…creates an entry under the Run registry key… copies itself as ‘MicrosoftEdgeUpdateCore.exe’…”).
- [T1041] Exfiltration Over C2 Channel – Exfiltrates registration packets and browser history to C2 endpoints (/api/beacon and /api/beacon/history) using HTTP POST (“…The malware exfiltrates the registration packet to the ‘/api/beacon’ URI… browser history files are sent to the C2 server…”).
- [T1071.001] Web Protocols – Uses HTTP(S) POST requests to the hard-coded C2 domain and IP with a browser-like user agent for C2 communications (“…HTTP POST requests used for C2 communications… connects to 45[.]151[.]62[.]120 on port 443 using a browser-related user agent.”).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Implements a backdoor command to execute Windows commands and returns output via an anonymous pipe (“…The second command can be used to run Windows commands on the infected machine and sends the output to the C2 server…”).
- [T1105] Ingress Tool Transfer – Implements a command to download and execute arbitrary files from the C2 server (“…first command is used to download and execute a file from the C2 server… CreateProcessA API call…”).
Indicators of Compromise
- [SHA256] Sample hash – dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14 (MSI installer dropping LeakyStealer), and 9b8bd9550e8f…134efb (main reported sample).
- [Files created] Persistence and temp artifacts – %AppData%\MicrosoftEdgeUpdateCore.exe, C:\Users\<user>\AppData\Local\Temp\history_%d.db (temporary browser history copies).
- [Registry value] Persistence registry entry – EdgeUpdateCore under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or equivalent Run key.
- [Domains] C2 and infrastructure – everstead[.]group (C2 domain), paycnex[.]com (installer distribution); related domain: ip-ptr[.]tech.
- [IP address] C2 server – 45[.]151[.]62[.]120 (observed on port 443; Shodan shows open 22, 80, 443).
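The indicators above are easiest to act on as code. The following is an added hunting example (not code from the Hybrid Analysis report) that flags the C2 beacon URIs in proxy logs, spots the EdgeUpdateCore Run-key persistence from the Keypoints, and reproduces the Bot ID derivation so a beaconed ID can be mapped back to a host's volume serial; the proxy log format and the sample data are assumptions constructed for the demo.

```python
"""Added hunting helpers for the LeakyStealer tradecraft summarised above (not
code from the Hybrid Analysis report); sample data is constructed, log format assumed."""
import re
# Indicators from the report (de-fanging brackets removed so they match)
C2_HOSTS = {"everstead.group", "45.151.62.120"}
C2_PATHS = {"/api/beacon", "/api/beacon/history"}
RUN_VALUE = "EdgeUpdateCore"
# Assumed proxy log shape: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$")

def find_beacons(lines):
    """Return (client, host, path) for every POST to a known C2 host and URI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"].rsplit(":", 1)[0].lower()  # drop an explicit port
        if m["method"] == "POST" and host in C2_HOSTS and m["path"] in C2_PATHS:
            hits.append((m["client"], host, m["path"]))
    return hits

def suspicious_run_entries(run_values):
    """Flag Run values (name -> command, as read from HKCU\\...\\Run) named like
    the persistence entry or launching EdgeUpdateCore.exe from a user profile."""
    flagged = []
    for name, cmd in run_values.items():
        target = cmd.lower()
        if name.lower() == RUN_VALUE.lower() or (
                "edgeupdatecore.exe" in target and "appdata" in target):
            flagged.append(name)
    return flagged

def bot_id(volume_serial):
    """C: volume serial XOR 0xDEADBEEF, as the report describes the Bot ID. XOR is
    self-inverse, so the same call maps a beaconed ID back to a volume serial."""
    return (volume_serial & 0xFFFFFFFF) ^ 0xDEADBEEF
# Constructed sample data
SAMPLE_LOG = [
    "2025-11-03T10:01:02Z 10.0.0.15 POST https://everstead.group/api/beacon 200",
    "2025-11-03T10:01:05Z 10.0.0.15 GET https://www.microsoft.com/ 200",
    "2025-11-03T10:06:02Z 10.0.0.15 POST https://45.151.62.120:443/api/beacon/history 200",
    "2025-11-03T10:07:00Z 10.0.0.22 POST https://example.org/api/beacon 200",
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "EdgeUpdateCore": r"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdateCore.exe",
}
```

On a live host, feed `suspicious_run_entries` the name/command pairs enumerated from the Run key with `winreg`; the last log line shows why the host match matters, since the /api/beacon path alone is not unique to this family.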
Read more: https://hybrid-analysis.blogspot.com/2025/11/leakyinjector-and-leakystealer-duo.html