Venture Wolf Aims to Disrupt Russian Enterprises with MetaStealer

Venture Wolf uses obfuscated PE loaders (commonly with .com and occasionally .exe extensions) and decoy documents to deliver RC4-encrypted MetaStealer payloads that are injected into dummy .NET files or the RegAsm.exe process. The campaign employs fake protector section names and .NET Reactor obfuscation to evade detection while harvesting browser, email, app, and crypto-wallet data. #VentureWolf #MetaStealer #RedLine

Keypoints

  • Loaders are distributed inside archives and use .com (and sometimes .exe) extensions to execute on victims’ systems.
  • After launch, loaders inject an RC4-encrypted malicious payload into either a randomly named dummy .NET file or the RegAsm.exe process.
  • Loaders obfuscate code and encrypt WinAPI function names to hide injection behavior and evade detection.
  • MetaStealer (a C# fork of RedLine) is the payload and steals data from many browsers, email clients, crypto wallets, and apps like Steam and FileZilla.
  • Adversaries use image and document decoys (JPG, PNG, PDF, DOC/DOCX, ODT) to trick users into running the archive contents.
  • Loaders include fake protector section names (Enigma, VMProtect, Themida) to mislead signature analysis tools and AV engines.

MITRE Techniques

  • [T1203] Execution – Used to run malicious code via the delivered loaders and injected payloads (‘Exploits vulnerabilities in applications to execute malicious code.’)
  • [T1003] Credential Dumping – Harvests credentials from browsers and other local stores (‘Collects credentials from various sources, including browsers and email clients.’)
  • [T1213] Data from Information Repositories – Retrieves sensitive application data from targets like Steam and FileZilla (‘Retrieves sensitive information from applications like Steam and FileZilla.’)
  • [T1071] Command and Control – Maintains communication channels using multiple C2 domains for exfiltration and control (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1027] Obfuscated Files or Information – Employs code obfuscation and encrypted function/section names to hide malicious behavior (‘Employs obfuscation techniques to hide the presence of malicious code.’)

Indicators of Compromise

  • [File extension] Loader files – .com, .exe
  • [File names / Decoys] Phishing decoy files observed in archives – Company record.pdf, Company bank details.jpg (also examples like Individual entrepreneur record.png)
  • [Process name] Injection target – RegAsm.exe (used as an alternative to dummy .NET process)
  • [File path / Artifact] Dummy payload placement – %TEMP% (randomly named dummy .NET file created by the loader)
  • [PE section names] Fake protector sections used to mislead analysis – .enigma1, .vmp0 (and other sections like .enigma2, .vmp1, .themida)

Venture Wolf campaigns deliver obfuscated portable executables—often disguised with .com extensions—inside archived packages alongside convincing decoy documents and images. Once executed, the loader either creates a randomly named dummy .NET file in %TEMP% (the file has an empty Main method) or targets the legitimate RegAsm.exe process; in both cases the loader allocates memory in a suspended process, writes an RC4-encrypted payload, adjusts the thread context, and resumes execution to run the injected code.

The payload observed is MetaStealer, a C# stealer forked from RedLine. MetaStealer is obfuscated (the operators use .NET Reactor) and is designed to harvest system details, saved browser credentials and cookies from numerous Chromium- and Firefox-based browsers, email client data (e.g., Thunderbird), crypto-wallet information (Electrum, Exodus, etc.), and application data from programs like Steam and FileZilla. To further evade detection, loaders sometimes include PE section names associated with commercial protectors (Enigma, VMProtect, Themida) even when those protectors are not actually present—intended to confuse signature-based tools and antivirus engines.

Defenders should look for the distribution pattern (archives with .com/.exe loaders and decoy documents), suspicious activity creating and running randomly named .NET files from %TEMP%, and injection behavior into RegAsm.exe. Monitoring for the described WinAPI injection sequence and unusual exfiltration to unknown domains can help detect and disrupt these campaigns.
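One concrete triage check for the fake-protector trick described above, as an added example that is not code from BI.ZONE or from the report: a small PE section-table parser (standard library only, no pefile) that flags files carrying a .com extension despite being PE images and files whose section names imitate Enigma, VMProtect or Themida. The sample PE header it parses is constructed inline purely to exercise the parser; the section-name list is taken from the indicators above.

```python
import struct

# Section names the campaign uses to imitate commercial protectors (from the report's IoCs)
FAKE_PROTECTOR_SECTIONS = {b".enigma1", b".enigma2", b".vmp0", b".vmp1", b".themida"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image; raise ValueError if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    num_sections, opt_size = coff[1], coff[5]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(filename: str, data: bytes) -> list[str]:
    """Return findings matching the loader traits from the report (empty list if none)."""
    findings = []
    try:
        names = pe_section_names(data)
    except ValueError:
        return findings  # not a PE image, nothing to say
    if filename.lower().endswith(".com"):
        findings.append("PE image with .com extension")
    fake = [n for n in names if n.encode("ascii", "replace") in FAKE_PROTECTOR_SECTIONS]
    if fake:
        findings.append("fake protector section(s): " + ", ".join(fake))
    return findings


def build_sample_pe(section_names: list[bytes]) -> bytes:
    """Constructed, non-executable PE header used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections
```

A protector-style section name alone is a triage signal, not proof: genuinely protected binaries carry the same names, so hits should be reviewed alongside the archive-with-decoy delivery pattern and the %TEMP%/RegAsm.exe injection behaviour.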

Read more: https://bi.zone/eng/expertise/blog/venture-wolf-ispolzuet-metastealer-v-atakakh-na-rossiyskie-kompanii/