SYS01, also tracked as Album Stealer and S1deload Stealer, is an infostealer that has been active since 2022. It began as a C# stealer and has since been rewritten as a PHP stealer. It is spread through Meta's advertising platform as part of an increasingly prominent campaign, and in a newer twist the SYS01 payload is now delivered inside an ElectronJs application, which broadens its reach and complicates detection and response.
The campaign's distribution relies on malicious ads that point to a MediaFire link or a similar file-hosting service, from which the malware is downloaded directly. Indicators of Compromise (IoCs) have been identified across numerous delivery domains, including krouki.com, kimiclass.com and goodsuccessmedia.com, among others. Command-and-Control (C2) domains such as musament.top, enorgutic.top and untratem.top, along with several others, are also attributed to the SYS01 campaign. The named domains are only part of the infrastructure, so they should be treated as a starting point for hunting rather than a complete blocklist.
The operators' ability to adapt and rotate infrastructure is what makes the SYS01 Infostealer campaign especially dangerous. Analysis of a memory dump of the php.exe process running index.php shows the string 'SYS01' multiple times, a usable indicator of the malware's presence. The malware can draw on a large pool of C2 domains, and can obtain further ones via Telegram bots or Google pages, so a static blocklist of the domains above will not keep pace on its own. The same process memory also contains SQL queries consistent with credential theft, such as 'SELECT * FROM moz_cookies', which reads the cookie table of Firefox's cookies.sqlite database.
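As an added example that is not part of the original page (nor code from the analysts whose findings it summarises), the script below turns the indicators quoted in the two paragraphs above into a small hunting routine: it scans a memory dump for the 'SYS01' tag and the moz_cookies query in both narrow and UTF-16LE encodings, and matches hostnames from DNS log lines against the delivery and C2 domains named on the page. SAMPLE_DUMP and SAMPLE_DNS_LOG are constructed for the demonstration, and the log line format is an assumption, not any particular resolver's output; only the indicator strings and domains come from the text.

```python
"""Hunting for the SYS01 indicators quoted above (memory strings and domains).

Added example, not code from the original page. SAMPLE_DUMP and
SAMPLE_DNS_LOG are constructed for this demonstration; only the indicator
strings and domains come from the text.
"""
from __future__ import annotations

import re

# Strings the text reports in the memory of the php.exe index.php process:
# the family tag and the query against Firefox's cookies.sqlite table.
MEMORY_INDICATORS = ("SYS01", "SELECT * FROM moz_cookies")

# Domains the text names as delivery IoCs and as C2 (its lists are longer;
# these are the ones quoted).
DELIVERY_DOMAINS = frozenset({"krouki.com", "kimiclass.com", "goodsuccessmedia.com"})
C2_DOMAINS = frozenset({"musament.top", "enorgutic.top", "untratem.top"})


def scan_memory(dump: bytes) -> dict[str, list[int]]:
    """Return every indicator present in `dump` with the byte offset of each hit.

    Windows process memory holds both narrow and UTF-16LE strings, so each
    indicator is searched in both encodings; offsets are merged and sorted.
    """
    hits: dict[str, list[int]] = {}
    for indicator in MEMORY_INDICATORS:
        offsets: list[int] = []
        for needle in (indicator.encode("ascii"), indicator.encode("utf-16-le")):
            offsets.extend(m.start() for m in re.finditer(re.escape(needle), dump))
        if offsets:
            hits[indicator] = sorted(offsets)
    return hits


def classify_host(host: str) -> str | None:
    """Label a hostname as 'c2', 'delivery' or None.

    A hit is an exact match or a subdomain. A plain substring test would also
    flag unrelated names such as notmusament.top, so the suffix is checked on
    a label boundary (leading dot).
    """
    host = host.lower().rstrip(".")
    for category, domains in (("c2", C2_DOMAINS), ("delivery", DELIVERY_DOMAINS)):
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return category
    return None


def match_dns_log(lines) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, host, category) for each line that hits an IoC.

    Assumed line format (constructed for this example, not a real resolver's):
    '<timestamp> <client-ip> <qtype> <qname>'.
    """
    matches = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        timestamp, client, _qtype, qname = parts
        category = classify_host(qname)
        if category:
            matches.append((timestamp, client, qname.lower().rstrip("."), category))
    return matches


# Constructed sample data (not captured from a real infection).
SAMPLE_DUMP = (
    b"\x00\x00php.exe index.php\x00"
    + b"SYS01\x00"
    + b"SELECT * FROM moz_cookies\x00"
    + "SYS01".encode("utf-16-le")
    + b"\x00\x00"
)

SAMPLE_DNS_LOG = [
    "2024-10-30T09:12:01Z 10.0.0.7 A musament.top",
    "2024-10-30T09:12:05Z 10.0.0.7 A cdn.kimiclass.com",
    "2024-10-30T09:13:44Z 10.0.0.9 A example.org",
    "2024-10-30T09:14:02Z 10.0.0.9 A notmusament.top",  # must not match
    "garbage line",
]

if __name__ == "__main__":
    for indicator, offsets in scan_memory(SAMPLE_DUMP).items():
        print(f"memory: {indicator!r} at offsets {offsets}")
    for timestamp, client, host, category in match_dns_log(SAMPLE_DNS_LOG):
        print(f"dns: {timestamp} {client} -> {host} ({category})")
```

Running the script against the constructed data reports the 'SYS01' tag twice (once narrow, once UTF-16LE) and the moz_cookies query once, and flags musament.top as C2 and cdn.kimiclass.com as a delivery subdomain while leaving the look-alike notmusament.top alone. In a real investigation the dump would come from a process-memory acquisition of php.exe and the log lines from the resolver or proxy, and the domain sets should be extended as new infrastructure is attributed.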
Description last updated: 2024-10-31T12:01:56.372Z