Stealc

Malware updated 23 days ago (2024-08-16T03:17:42.425Z)
StealC is a prominent malware, specifically an information stealer, that targets browser extensions and password managers. It rose to infamy following an attack on the Solana blockchain in 2023, which resulted in a $7 million heist. That heist was orchestrated using Luca Stealer, another malware that targets crypto wallets and password managers; StealC sets itself apart by focusing on browser extensions and the authenticators provided by password managers. The malware operates by injecting itself into explorer.exe, leading to the execution of multiple info stealers from the Danabot and StealC families. StealC communicates with several Command and Control (C2) servers, such as 46.8.238.240 and 23.94.225.177, and uses this channel to download additional malicious samples onto the victim's machine, primarily info stealers (Danabot and StealC) and clippers. The injection chain ends with the final stage, a variant of the StealC info stealer family, executing in the context of the explorer.exe process. Vortax, masquerading as virtual meeting software, has been identified as a delivery mechanism for three potent info stealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). On Windows, Vortax delivers Rhadamanthys and Stealc; on macOS it loads the Atomic stealer. The deceptive branding of Vortax and its ability to spread these info stealers across platforms make it a significant threat.
Description last updated: 2024-08-16T03:15:44.127Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Risepro | 4 | RisePro is a type of malware, specifically an info-stealer, designed to infiltrate and damage computer systems. It operates by exploiting vulnerabilities in a device, often through suspicious downloads, emails, or websites, typically without the user's knowledge. Once inside, RisePro can disrupt ope
Rhadamanthys | 2 | Rhadamanthys is a type of malware, specifically an information stealer, that has been used in cyber attacks against various organizations. It was initially disseminated through phishing and spam emails before the authors switched to using malicious advertisements as the primary infection vector. Thi
Lumma | 2 | Lumma is a malicious software, or malware, known for its hard-to-detect nature. It primarily targets cryptocurrency wallets, two-factor authentication browser extensions, and other sensitive information on a victim's device. Lumma operates by exploiting vulnerabilities in systems, such as the Micros
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Exploit
Maas
Infostealer
Infostealers
Macos
Trojan
Credentials
Cybercrime
Windows
Associated Malware
ID | Type | Votes | Profile Description
Redline | Unspecified | 2 | RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf
Vidar | Unspecified | 2 | Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli
Mars | Unspecified | 2 | Mars is a malicious software (malware) that has been discovered by Trend Micro's Mobile Application Reputation Service (MARS) team. This malware is particularly damaging as it involves two new Android malware families related to cryptocurrency mining and financially-motivated scam campaigns, targeti
Associated Threat Actors
ID | Type | Votes | Profile Description
White Snake | Unspecified | 2 | White Snake, a threat actor in the cybersecurity landscape, has been identified as an evolving and substantial threat to both Windows and Linux systems. Originating in February 2023, this malicious entity introduced the White Snake Stealer into the cybercrime scene, a formidable malware distributed
Source Document References
Information about the Stealc malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Securelist | 23 days ago | Tusk campaign uses infostealers and clippers for financial gain
Recorded Future | 2 months ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
DARKReading | 3 months ago | 'Vortax' Meeting App Builds Elaborate Branding, Spreads Infostealers
Recorded Future | 3 months ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | 3 months ago | Fake AV websites used to distribute info-stealer malware
CERT-EU | 8 months ago | Malware Leveraging Google Cookie Exploit via OAuth2 Functionality
DARKReading | 5 months ago | Web3 Game Developers Targeted in Crypto Theft Scheme
CERT-EU | 2 years ago | Hackers Advertising New Info-Stealing Malware on Dark Web | IT Security News
Trend Micro | 10 months ago | Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing
CERT-EU | 2 years ago | Cyber Security Today, Week in Review for Friday, February 24, 20223 | IT World Canada News
CERT-EU | a year ago | Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware
CERT-EU | 8 months ago | Infostealers Abuse Google OAuth Endpoint to ‘Revive’ Cookies, Hijack Accounts
CERT-EU | 8 months ago | Google Accounts Hacked Without Need for Passwords | National Cyber Security Consulting
Securityaffairs | 8 months ago | Malware exploits undocumented Google OAuth endpoint to regenerate Google cookies
Securityaffairs | 8 months ago | Multiple organizations in Iran breached by a mysterious hacker
CERT-EU | 8 months ago | Google: Malware abusing API is standard token theft, not an API issue
CERT-EU | 8 months ago | Hackers Can Access Your Google Account Without a Password | National Cyber Security Consulting
Flashpoint | 8 months ago | CEO Forecast: Navigating the 2024 Cyber Threat Landscape
CERT-EU | 8 months ago | Google Whistles While OAuth Burns — ‘MultiLogin’ 0-Day is 70+ Days Old
CERT-EU | 8 months ago | Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts