All things infostealers. Week 44, 2024


A brief look at all things infostealers for the week 44, 2024 (28.10.2024–03.11.2024). Oh boy, what a crazy start of the week! Yes, you guessed it right, I mean the dropping the bombshell with the Operation Magnus. On Monday, the Dutch National Police, alongside with a bunch of other LEAs, announced taking over the servers used by RedLine and META infostealers. See the Articles/News section for the links on Operation Magnus.

Speaking of Articles/News, I have included 3 interesting articles:

  1. A report from Cisco’s Talos Intelligence where they observed a phishing lure in the form of copyright infringements are used to deploy Lumma and Rhadamanthys infostealers.
  2. BitDefender Labs were tracking a malvertising campaign targeting facebook business pages with aim of deploying SYS01 stealer.
  3. Elastic Security Labs done a superb job (I just love their research) on how various infostealer families are bypassing implementations of Chrome 127’s Application-Bound Encryption.

On the infostealer updates front, I have spotted developments realted to Lumma, Vidar and Ailurophile stealers. Oh, and XFiles stealer has a rough time with the Telegram.

Lumma Update

Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English)

Update 2.11 EN

  1. Uploads are now in zip archives
  2. Added delay between sending messages in Telegram
  3. Stabilized processing of data from the build
  4. Fixed bug (+added notification) when pads were unavailable for purchase
  5. Fixed a bug where Edge cookies were not always collected
  6. Fixed incognito cookie detection in Edge
  7. Increased processing speed, build now collects faster
  8. Cleaned WD 10/11 + Cloud

Screenshot from XSS forum

Vidar Update

Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English)

Upgrades 11.4

Made an important update that greatly reduces the chance of getting blanks, if you have encountered it.

  1. Fixed the reception of blanks
  2. changed the proxies
  3. Cleaned up the build

Update if possible!

Screenshot from XSS forum

XFiles Update

Well, seems that XFiles folks are having a bad day with the Telegram.

Screenshot from XSS forum

Ailurophile Update

Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English)

Version 3.0 Released!

We’re excited to announce the release of Version 3.0 with powerful new features and enhancements designed to give you more control and privacy:

Main Features

  • Comprehensive Cookie Extraction: Retrieve cookies from all major browsers based on Gecko and Chromium, including support for the latest Chrome version (v.130).
  • Full Password Access: Extract saved passwords from all supported browsers (Gecko-based and Chromium-based).
  • Enhanced Wallet Extension Support:Seamlessly retrieve data from popular wallet extensions. Supported wallets include: Copy code
    Metamask, Coinbase, Cara, BinanceChain, Phantom, TronLink, Ronin, Exodus, Coin98,
    Authenticator, MathWallet, YoroiWallet, GuardaWallet, JaxxxLiberty, Wombat, EVERWallet,
    KardiaChain, XDEFI, Nami, TerraStation, MartianAptos, TON, Keplr, CryptoCom,
    PetraAptos, OKX, Sollet, Sender, Sui, SuietSui, Braavos, FewchaMove, EthosSui,
    ArgentX, NiftyWallet, BraveWallet, EqualWallet, BitAppWallet, iWallet, AtomicWallet,
    MewCx, GuildWallet, SaturnWallet, HarmonyWallet, PaliWallet, BoltX, LiqualityWallet,
    MaiarDeFiWallet, TempleWallet, Metamask_E, Ronin_E, Yoroi_E, Authenticator_E, MetaMask_O
  • Private Telegram Logging: Logs are sent securely to your Telegram account – we no longer store your logs.
  • Facebook ADS Account Check: Retrieve detailed information from Facebook ADS accounts, including balance, page details, subscriptions, and admin access. Additional Enhancements
  • Updated Interface: A fresh look with an added stats feature for better tracking and insights.
  • File Scanning with Antivirus: Files are now scanned with antivirus (non-destructive) before release to ensure security.

Upgrade to Version 3.0 to explore these powerful new features!

Screenshot from XSS forum

Articles/News

Threat actors use copyright infringement phishing lure to deploy infostealers

  • https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/

Unmasking the SYS01 Infostealer Threat: Bitdefender Labs Tracks Global Malvertising Campaign Targeting Meta Business Pages

  • https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

  • https://www.elastic.co/security-labs/katz-and-mouse-game

Operation Magnus

  • https://www.operation-magnus.com/
  • Malware targeting millions of people taken down by international coalition
    • https://www.eurojust.europa.eu/news/malware-targeting-millions-people-taken-down-international-coalition
  • U.S. Joins International Action Against RedLine and META Infostealers
    • https://www.justice.gov/usao-wdtx/pr/us-joins-international-action-against-redline-and-meta-infostealers
  • US names and charges Maxim Rudometov with developing the Redline infostealer
    • https://therecord.media/redline-infostealer-malware-criminal-complaint-maxim-rudometov