
"The malware is written in Node.js and packaged as an Inno Setup installer. It uses Run registry keys and scheduled tasks to establish persistence, hides its payloads as system and hidden attributes, conducts detailed host reconnaissance, and extracts sensitive information such as credentials, cookies, and cryptocurrency wallet data through reflective DLL injection into browsers to bypass protections like Chrome's AppBound encryption."
"Once executed, the malware hides in a directory named 'Microsoft Updater' under %localappdata%\Programs. It creates Run registry keys and a scheduled task to gain persistence before launching updater.exe, its main component. 'From this point, the malware conducts extensive system reconnaissance, screen capturing, and credential theft, with a particular focus on web browsers and cryptocurrency wallets,' the researchers wrote. The password-decrypting functionality is embedded in infoprocess.exe, written in Go and obfuscated for stealth."
Maranhão Stealer spreads through social-engineering websites offering pirated software, cracked game launchers and cheats, delivered as malicious installer packages such as DerelictSetup.zip and Fnaf Doom.zip from domains such as derelictsgame[.]in. The malware is written in Node.js and packaged as an Inno Setup installer. It uses Run registry keys and scheduled tasks for persistence, marks its payloads with the system and hidden file attributes, performs host reconnaissance and screen capture, and extracts credentials, cookies, and cryptocurrency wallet data via reflective DLL injection into browsers. It stages itself under %localappdata%\Programs\Microsoft Updater and includes an obfuscated, Go-based password-decrypting component. The stealer has been active since May 2025 and is under ongoing development; a successful infection can lead to credential compromise, account hijacking, digital asset theft, and deployment of further malware.
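The persistence and staging details above translate directly into a host triage check. The script below is an added example written for this page; it is not code from the article or from the researchers it cites. It assumes only what the summary states (the %LOCALAPPDATA%\Programs\Microsoft Updater directory, hidden/system attributes on dropped files, Run keys, a scheduled task, and the component names updater.exe and infoprocess.exe) and uses standard Windows PowerShell cmdlets. A hit is a lead, not a verdict: legitimate software uses the same mechanisms, so anything it reports has to be confirmed by hand.

```powershell
# Added triage script for the indicators described in the article (not the article's code).
# Checks: staging directory and file attributes, HKCU/HKLM Run keys, scheduled task actions,
# and running processes launched from the staging directory.

$stagingDir = Join-Path $env:LOCALAPPDATA 'Programs\Microsoft Updater'   # path from the article
$marker     = '*Microsoft Updater*'                                        # substring matched in commands
$findings   = @()

# 1. Staging directory: list every file, including those flagged Hidden and/or System.
if (Test-Path -LiteralPath $stagingDir) {
    Get-ChildItem -LiteralPath $stagingDir -Force -Recurse -File | ForEach-Object {
        $hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        $system = [bool]($_.Attributes -band [IO.FileAttributes]::System)
        $findings += [pscustomobject]@{
            Source = 'File'
            Item   = $_.FullName
            Detail = "Attributes=$($_.Attributes); Hidden=$hidden; System=$system"
        }
    }
}

# 2. Run keys in both hives: any value whose command line points at the staging directory.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
        if ("$($p.Value)" -like $marker) {
            $findings += [pscustomobject]@{
                Source = 'RunKey'
                Item   = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

# 3. Scheduled tasks whose action executes something from the staging directory.
#    Only exec actions carry Execute/Arguments; other action types yield an empty command string.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -like $marker) {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd
            }
        }
    }
}

# 4. Running processes whose image lives in the staging directory
#    (the article names updater.exe and infoprocess.exe as components).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$stagingDir*" } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'Process'
            Item   = "$($_.ProcessName) (PID $($_.Id))"
            Detail = $_.Path
        }
    }

if ($findings.Count -eq 0) {
    'No indicators matching the article were found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated session so the HKLM Run key and tasks registered by other users are readable; on a live incident, prefer collecting the output to a file over a network share rather than interacting with the host further, since the stealer also captures the screen.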
Read at The Cyber Express