Cyber Stealer is a sophisticated and actively developed infostealer and botnet malware discovered in May 2025. It targets a wide range of applications, including browsers, cryptocurrency wallets, and communication platforms, offers extensive data theft capabilities plus modular functions such as cryptocurrency mining and DDoS, and communicates with its C2 server to receive updates and commands.
Keypoints
- Cyber Stealer was first identified by eSentire’s Threat Response Unit (TRU) in May 2025 and is continuously updated based on hacker forum feedback.
- The malware steals a comprehensive range of data including passwords, credit cards, cookies, and information from cryptocurrency wallets and messaging apps.
- It operates under a tiered subscription model offering features such as remote shell, reverse proxy, DDoS capabilities, and crypto mining.
- The malware evades detection by adding Windows Defender exclusions, modifies the hosts file for DNS poisoning, and employs keylogging and screenshot capture for monitoring.
- Cyber Stealer communicates with its Command & Control (C2) server via HTTP to exfiltrate data, retrieve tasks, and update configurations dynamically.
- An administration panel allows threat actors to manage victim systems, configure DNS poisoning, control crypto clipper operations, launch DDoS attacks, and run remote commands.
- eSentire’s TRU continuously monitors and develops detection and prevention measures to combat Cyber Stealer and its evolving variants.
MITRE Techniques
- [T1083] File and Directory Discovery – Cyber Stealer enumerates running processes and installed programs by retrieving process lists and registry uninstall keys (‘…getprosess and getprogramlist methods…’).
- [T1119] Automated Collection – The malware harvests credentials and data from browsers, crypto wallets, VPN clients, and various applications (‘…stealing passwords from browsers, FileZilla, NordVPN, Outlook…’).
- [T1140] Deobfuscate/Decode Files or Information – Uses AES-GCM and DPAPI-based decryption to access encrypted Chromium and Firefox stored passwords (‘…DecryptWithKey method uses AES-GCM…’).
- [T1059] Command and Scripting Interpreter – Executes PowerShell commands to add Windows Defender exclusions (‘…powershell.exe -Command Add-MpPreference -ExclusionPath C:’).
- [T1071] Application Layer Protocol – Uses HTTP POST and GET requests for C2 communication and data exfiltration (‘…POST hxxps://paxrobot.digital/webpanel//logs.php…’).
- [T1565] Data Manipulation – Performs DNS poisoning by modifying the hosts file to redirect traffic to attacker-controlled IPs (‘…initializes DNS Poisoning feature and edits hosts file…’).
- [T1218] Signed Binary Proxy Execution – The VIP full package includes an EV code-signed certificate to bypass Windows SmartScreen (‘…comes with an EV code-signed certificate to bypass Windows SmartScreen…’).
- [T1027] Obfuscated Files or Information – Compresses stolen data into encrypted zip archives using an embedded .NET executable, Zip.exe (‘…All harvested data is compressed into a zip archive using embedded Zip.exe…’).
- [T1056] Input Capture – Implements keylogging by calling Windows API GetAsyncKeyState to capture keystrokes (‘…keylogging achieved through calls to GetAsyncKeyState…’).
- [T1105] Ingress Tool Transfer – Supports tasks to download and execute arbitrary payloads via the C2 server (‘…DownloadAndRun handler downloads and executes arbitrary executables…’).
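Two of the behaviours in the list above leave artifacts a defender can check for directly: the Defender-exclusion command shows up in process-creation telemetry, and DNS poisoning shows up as non-loopback entries in the hosts file. The script below is an added example (not eSentire's code) that runs both checks over constructed data; the Sysmon-style events, the dropper path and the hosts-file entries are made up for the example.

```python
"""Host-side checks for two Cyber Stealer behaviours: the PowerShell
Windows Defender exclusion command (T1059) and hosts-file DNS poisoning
(T1565). Added example, not eSentire's code; all input data is constructed."""
import ipaddress
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # hypothetical dropper location, chosen for the example
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": "powershell.exe -Command Add-MpPreference -ExclusionPath C:"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-MpPreference"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Add-MpPreference followed by any exclusion parameter. PowerShell also accepts
# en and em dashes as the parameter prefix, so the character class covers those
# spellings too; matching only "-ExclusionPath" would miss them.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?[-\u2013\u2014]exclusion(?:path|process|extension|ipaddress)",
    re.IGNORECASE | re.DOTALL)


def find_defender_exclusions(events):
    """Return the events whose command line adds a Windows Defender exclusion."""
    return [e for e in events if EXCLUSION_RE.search(e.get("CommandLine", ""))]


# Constructed hosts file. The last two lines imitate what a DNS-poisoning
# feature writes; 203.0.113.0/24 is a documentation range, not a real address.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test
203.0.113.10    login.example-bank.test
203.0.113.10    www.example-bank.test
"""


def suspicious_hosts_entries(text):
    """Return (ip, [names]) for hosts entries that point a name at a routable
    address. Loopback and unspecified (blackhole) targets are the normal case
    on a workstation; anything else, or a malformed line, is returned for review."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, names))          # malformed entry: flag rather than skip
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((ip, names))
    return hits


if __name__ == "__main__":
    for e in find_defender_exclusions(SAMPLE_PROCESS_EVENTS):
        print("Defender exclusion added by", e["ParentImage"], "->", e["CommandLine"])
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts entry", ip, "->", ", ".join(names))
```

The parent process is the useful pivot for the first check: an exclusion added by an administrator's console or a management agent looks very different from one added by an executable in a temp directory.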
Indicators of Compromise
- [File Hashes] Malicious payload – Zip.exe file identified with SHA256: 41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82.
- [Domains] Command & Control (C2) servers – paxrobot.digital used for C2 communication and data exfiltration.
- [File Names] Stolen logs and credential files – Examples include ProsessList.txt, ProgramList.txt, Cards.txt, Chrome_autofill.txt, and zip archives named from the victim's HWID (e.g., USAAEADBC1001109C1DESKTOP-ABCDEFG.zip).
- [Registry Keys] Targeted for installed program enumeration – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and HKCU\Software\Valve\Steam for Steam data.
- [Process Names] Use of powershell.exe for exclusion command and embedded Zip.exe for archiving stolen data.
- [URLs] Pastebin URLs used for dynamic C2 URL retrieval and API endpoints such as /webpanel//logs.php, /panel/crypto_clipper_api.php, and /panel/dns_check.php.
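The indicators above split naturally into network ones (the C2 domain and panel paths, the Pastebin fetch used to retrieve the C2 URL) and file ones (the Zip.exe hash and the stolen-log file names). The script below is an added example, not eSentire's code, that sweeps constructed proxy log lines and a constructed file listing for them, with a confidence tier per match. The log lines, client addresses, paste id and file hashes other than the Zip.exe one are made up; the HWID archive name pattern is inferred from the single example above and is an assumption.

```python
"""IoC sweep for the Cyber Stealer indicators listed above. Added example,
not eSentire's code; proxy log lines, client IPs, the paste id and the
non-Zip.exe hashes are constructed."""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"paxrobot.digital"}
C2_PATHS = {"/webpanel//logs.php", "/panel/crypto_clipper_api.php", "/panel/dns_check.php"}
ZIP_EXE_SHA256 = "41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82"
LOG_FILENAMES = {"ProsessList.txt", "ProgramList.txt", "Cards.txt", "Chrome_autofill.txt"}
# Heuristic inferred from the one sample name (country code + hex HWID +
# hostname + .zip); this is an assumption, not a documented format.
HWID_ZIP_RE = re.compile(r"^[A-Z]{2,3}[0-9A-F]{8,}[A-Za-z0-9-]+\.zip$")

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2025-05-12T10:01:02Z 10.0.0.5 POST https://paxrobot.digital/webpanel//logs.php 200",
    "2025-05-12T10:01:05Z 10.0.0.5 GET https://paxrobot.digital/panel/dns_check.php 200",
    "2025-05-12T10:02:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2025-05-12T10:03:00Z 10.0.0.9 GET https://pastebin.com/raw/PLACEHOLDER 200",
    "2025-05-12T10:04:00Z 10.0.0.9 GET https://cdn.example.net/panel/dns_check.php 404",
]


def classify_request(line):
    """Return a list of (confidence, reason) tags for one proxy log line."""
    _, _, _, url, _ = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = []
    if host in C2_DOMAINS:
        tags.append(("high", f"known C2 domain {host}"))
    if parts.path in C2_PATHS:
        # The double slash in /webpanel//logs.php is kept by urlsplit, so the
        # exact path matches. On an unknown host the path alone is only medium.
        tags.append(("high" if host in C2_DOMAINS else "medium",
                     f"C2 panel path {parts.path}"))
    if host == "pastebin.com" and parts.path.startswith("/raw/"):
        # Legitimate traffic fetches raw pastes too, so this is a weak signal
        # on its own; it matters when the same client then contacts the C2.
        tags.append(("low", "raw paste fetch (used for dynamic C2 URL retrieval)"))
    return tags


def sweep_proxy_log(lines):
    """Return (client, tags) for every line that matched at least one indicator."""
    results = []
    for line in lines:
        tags = classify_request(line)
        if tags:
            results.append((line.split()[1], tags))
    return results


# Constructed file listing: (file name, SHA256). Only the Zip.exe hash is real.
SAMPLE_FILES = [
    ("Zip.exe", ZIP_EXE_SHA256),
    ("ProgramList.txt", "0" * 64),
    ("USAAEADBC1001109C1DESKTOP-ABCDEFG.zip", "1" * 64),
    ("notes.txt", "2" * 64),
]


def sweep_files(entries):
    """Return (name, reason) for listing entries that match a file indicator."""
    hits = []
    for name, sha256 in entries:
        if sha256.lower() == ZIP_EXE_SHA256:
            hits.append((name, "SHA256 matches the embedded Zip.exe"))
        elif name in LOG_FILENAMES:
            hits.append((name, "stolen-log file name"))
        elif HWID_ZIP_RE.match(name):
            hits.append((name, "HWID-style archive name (heuristic)"))
    return hits


if __name__ == "__main__":
    for client, tags in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(client, tags)
    for name, reason in sweep_files(SAMPLE_FILES):
        print(name, "-", reason)
```

The hash match is the only exact indicator in the file sweep; the log file names are generic enough to collide with benign files, and the archive-name regex is a heuristic, so both are better used to corroborate a network hit from the same host than as stand-alone alerts.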