Full Report
Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that's being propagated via fraudulent gaming websites. "Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background," Trellix security researchers Niranjan Hegde, Vasantha Lakshmanan
Analysis Summary
# Tool/Technique: Myth Stealer
## Overview
Myth Stealer is a previously undocumented information stealer written in Rust that is being actively distributed, often leveraging lures related to gaming (such as fake game testing websites or cracked cheating software). It operates on a Malware-as-a-Service (MaaS) model and targets credentials and sensitive data from major web browsers.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Inferred from browser targets and DLL execution)
- Capabilities: Steals browser data (passwords, cookies, autofill), employs anti-analysis techniques, exfiltrates data via a remote server or Discord webhook, and includes screen capture and clipboard hijacking capabilities.
- First Seen: Marketed in beta in late December 2024.
## MITRE ATT&CK Mapping
*Note: Specific T-IDs are inferred based on described functionalities.*
- TA0009 - Collection
  - T1056 - Input Capture
  - T1056.001 - Keylogging (inferred from general credential theft; not described as a dedicated feature)
  - T1119 - Automated Collection
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
  - T1070 - Indicator Removal (implied by process termination)
## Functionality
### Core Capabilities
- **Data Theft:** Steals saved passwords, cookies, and autofill information from Chromium-based (Chrome, Edge, Brave, Opera, Vivaldi) and Gecko-based (Firefox) browsers.
- **Execution Concealment:** Executes its malicious code in the background after displaying a fake setup window to deceive the user into believing a legitimate application is running.
- **Data Exfiltration:** Sends stolen data to a remote server or utilizes a Discord webhook.
### Advanced Features
- **Anti-Analysis:** Implements string obfuscation and system checks based on filenames and usernames to resist analysis.
- **Evasion:** Constantly updated by operators to evade Anti-Virus (AV) detection.
- **Expanded Functionality:** Includes capabilities for screen capture and clipboard hijacking.
- **Browser Process Termination:** Attempts to terminate running processes associated with the targeted web browsers via a 64-bit DLL component before data extraction.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context, though distributed disguised as game installers or DDrace cheat software]
- Registry Keys: [Not specified in the context]
- Network Indicators: [Remote server destinations, Discord webhooks (defanged/unspecified)]
- Behavioral Indicators: Displaying a fake application setup window upon execution; termination of browser processes via DLL execution; suspected fileless execution; outbound network connections for data exfiltration.
## Associated Threat Actors
- Unnamed threat actor(s) operating the Myth Stealer Malware-as-a-Service (MaaS).
## Detection Methods
- Signature-based detection: Traditional AV detection based on known malware signatures for Rust-based downloaders/stealers.
- Behavioral detection: Monitoring for unexpected process termination targeting browser processes following the execution of a downloaded file, checks for system artifacts indicative of anti-analysis routines, and monitoring outbound connections to known exfiltration points (Discord webhooks/C2).
- YARA rules: [Not specified in the context]
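The behavioral detection above chains three observations: a binary launched from a download location, termination of browser processes by that binary, and an outbound connection to a Discord webhook host. The correlation logic below is an added example written for this summary, not Trellix's or the malware's code; the EDR-style event schema, the untrusted-directory list and the sample trace are constructed assumptions, and the browser image names and webhook hosts come from the capabilities described in the profile.

```python
"""Correlate untrusted launch -> browser kill -> Discord webhook egress.

Added example, not Trellix's or the malware's code. The event schema and
the SAMPLE_EVENTS trace are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Browser images the profile names (Chromium family plus Firefox).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}
# Launch locations treated as untrusted (assumption: where downloaded installers usually land).
UNTRUSTED_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
# Hosts that serve Discord webhooks (the profile's exfiltration channel).
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


@dataclass
class Event:
    ts: float         # seconds since the start of the trace
    kind: str         # "process_create" | "process_terminate" | "network_connect"
    pid: int          # the created process (process_create) or the acting process otherwise
    image: str        # image path of that process
    target: str = ""  # terminated image (process_terminate) or destination host (network_connect)


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def _is_webhook_host(host: str) -> bool:
    h = host.lower()
    return any(h == w or h.endswith("." + w) for w in WEBHOOK_HOSTS)


def correlate(events: List[Event], window: float = 120.0) -> List[dict]:
    """Alert on every PID that, within `window` seconds of starting from an
    untrusted directory, both terminated a browser and reached a webhook host."""
    launched: Dict[int, float] = {}
    killed: Dict[int, Set[str]] = defaultdict(set)
    egress: Dict[int, Set[str]] = defaultdict(set)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_create":
            if any(d in ev.image.lower() for d in UNTRUSTED_DIRS):
                launched[ev.pid] = ev.ts
            continue
        # Only follow processes we already consider suspect, and only inside the window.
        if ev.pid not in launched or ev.ts - launched[ev.pid] > window:
            continue
        if ev.kind == "process_terminate" and _basename(ev.target) in BROWSER_IMAGES:
            killed[ev.pid].add(_basename(ev.target))
        elif ev.kind == "network_connect" and _is_webhook_host(ev.target):
            egress[ev.pid].add(ev.target.lower())

    alerts = []
    for pid, start in launched.items():
        if killed[pid] and egress[pid]:
            alerts.append({
                "pid": pid,
                "started_at": start,
                "browsers_terminated": sorted(killed[pid]),
                "webhook_hosts": sorted(egress[pid]),
                "rule": "untrusted-launch -> browser-kill -> discord-webhook-egress",
            })
    return alerts


# Constructed trace: one stealer-like chain, one benign installer, one legitimate Discord client.
SAMPLE_EVENTS = [
    Event(0.0, "process_create", 4120, r"C:\Users\alice\Downloads\GameTester_Setup.exe"),
    Event(1.0, "process_create", 5200, r"C:\Users\alice\Downloads\vendor-installer.exe"),
    Event(4.5, "process_terminate", 4120, r"C:\Users\alice\Downloads\GameTester_Setup.exe",
          r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(4.7, "process_terminate", 4120, r"C:\Users\alice\Downloads\GameTester_Setup.exe",
          r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event(9.0, "network_connect", 5200, r"C:\Users\alice\Downloads\vendor-installer.exe", "updates.example.com"),
    Event(12.0, "network_connect", 4120, r"C:\Users\alice\Downloads\GameTester_Setup.exe", "discord.com"),
    # The real Discord client also talks to discord.com, but it was not launched from an untrusted dir.
    Event(15.0, "process_create", 6100, r"C:\Users\alice\AppData\Local\Discord\app-1.0\Discord.exe"),
    Event(16.0, "network_connect", 6100, r"C:\Users\alice\AppData\Local\Discord\app-1.0\Discord.exe", "discord.com"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three observations on the same PID keeps the legitimate Discord client and an ordinary installer that phones home out of the alert set; on a real host the events would come from an EDR or Sysmon feed rather than the constructed list.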
## Mitigation Strategies
- **User Education:** Strongly caution users against downloading software, especially game cheats or cracked applications, from untrusted sources (including fraudulent gaming websites or online forums).
- **Application Control:** Restrict execution permissions for non-standard binaries, particularly those disguised as installers.
- **Network Monitoring:** Monitor for suspicious outbound traffic directed towards unusual remote servers or Discord webhooks originating from end-user machines.
## Related Tools/Techniques
- **AgeoStealer:** Shared distribution vector (fraudulent Blogger pages promoting "game testing").
- Other Information Stealers distributed via game/cheat lures (e.g., Blitz).
***
# Tool/Technique: Blitz Malware
## Overview
Blitz is a two-stage Windows malware distributed through backdoored game cheats and cracked installers advertised on Telegram channels. The infection chain involves a downloader that retrieves a bot payload capable of keystroke logging, screenshotting, file manipulation, and cryptocurrency mining, alongside DoS functionality.
## Technical Details
- Type: Malware family (Downloader/Bot/Miner)
- Platform: Windows
- Capabilities: Keylogging, screen capturing, file download/upload, code injection, DoS against web servers, XMRig cryptocurrency mining, and anti-sandbox checks.
- First Seen: Active as of late April 2025.
## MITRE ATT&CK Mapping
*Note: Specific T-IDs are inferred based on described functionalities.*
- TA0001 - Initial Access (via compromised game cheats)
- TA0002 - Execution
  - T1204.002 - User Execution: Malicious File
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (implied by general bot capabilities)
- TA0005 - Defense Evasion
  - T1497 - Virtualization/Sandbox Evasion
- TA0008 - Lateral Movement (not described in the source; listed as a common bot capability)
- TA0011 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (C2 hosted on a Hugging Face Space)
- TA0006 - Credential Access / TA0007 - Discovery (via keylogging/file activity)
- TA0040 - Impact (via the DoS capability and the miner)
## Functionality
### Core Capabilities
- **Staged Infection:** Uses a downloader payload that retrieves the main bot payload.
- **Bot Functionality:** Includes keylogging to capture user inputs, screenshotting capabilities, and file management (download/upload).
- **Active Evasion:** Performs anti-sandbox checks before dropping the bot payload and before execution.
- **Delayed Execution:** The downloader only runs the bot payload at a subsequent user login, that is, after the user logs out or reboots.
### Advanced Features
- **Cryptocurrency Mining:** Drops an XMRig miner component.
- **Denial of Service (DoS):** Contains a DoS function specifically targeting web servers.
- **Infrastructure Hosting:** C2 components and payloads were hosted on a Hugging Face Space, leveraging a non-traditional hosting platform for initial distribution.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Related to cracked game cheats or legitimate software installers]
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 infrastructure hosted on Hugging Face Spaces (account subsequently locked).
- Behavioral Indicators: Execution of code retrieved from Hugging Face; delayed execution contingent upon user re-login; evidence of XMRig activity; suspicious file transfers.
## Associated Threat Actors
- **sw1zzx:** Appears to be the developer and operator of Blitz, identified as a Russian speaker.
## Detection Methods
- Signature-based detection: Detection of the XMRig miner components or known file hashes of the downloader/bot.
- Behavioral detection: Monitoring for suspicious resource utilization (CPU spikes from mining), process injection, and network connections to known malicious Hugging Face Spaces; detection of anti-sandbox environment checks.
- YARA rules: [Not specified in the context]
## Mitigation Strategies
- **Distribution Source Control:** Strict policy enforcement regarding the use of third-party software, especially cracked applications and game cheats from forums or Telegram.
- **Endpoint Security:** Robust endpoint protection capable of detecting cryptocurrency mining software and common code injection techniques.
- **Network Monitoring:** Monitoring egress traffic for unusual connections following suspicious software installation.
## Related Tools/Techniques
- **XMRig Miner:** Used as a secondary payload for resource hijacking.
- Other malware leveraging game cheat distribution vectors.
***
# Tool/Technique: DuplexSpy RAT
## Overview
DuplexSpy RAT is a C#-based Remote Access Trojan (RAT) made publicly available on GitHub in April 2025, marketed for "educational and ethical demonstration only." It provides attackers with extensive remote control, surveillance capabilities, and stealth persistence mechanisms.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows
- Capabilities: Keylogging, screen capture, webcam/audio spying, remote shell access, system power control, file exfiltration (implied), anti-analysis functions, and persistence via startup replication/registry modification.
- First Seen: Published on GitHub in April 2025.
## MITRE ATT&CK Mapping
*Note: Specific T-IDs are inferred based on described functionalities.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (implied by general RAT tradecraft)
  - T1562.001 - Impair Defenses: Disable or Modify Tools (implied by anti-analysis functions)
- TA0009 - Collection
  - T1056.001 - Keylogging
  - T1123 - Audio Capture
  - T1125 - Video Capture (webcam)
- TA0004 - Privilege Escalation
  - T1055 - Process Injection (implied by fileless execution)
## Functionality
### Core Capabilities
- **Surveillance:** Keylogging, screen capture, and remote spying via webcam and microphone (audio).
- **System Control:** Remote shell functionality, allowing execution of remote commands, including system power actions (shutdown, restart, logout, sleep).
- **Stealth:** Employs fileless execution techniques.
### Advanced Features
- **Persistence Mechanism:** Establishes persistence by replicating to the startup folder and modifying the Windows registry.
- **Deception/Manipulation:** Enforces a fake lock screen by displaying an attacker-supplied, Base64-encoded image full-screen, disabling user interaction to simulate a system freeze or potential ransom event.
- **Anti-Analysis:** Includes specific functions designed to hinder security analysis.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: Modified keys related to startup execution.
- Network Indicators: Command and control servers used for remote shell/surveillance (unspecified).
- Behavioral Indicators: Fileless execution; addition of entries to startup folders/registry intended to run the RAT upon user login; suspicious execution leading to remote system power controls.
## Associated Threat Actors
- Open-source developers/individuals sharing malware publicly on GitHub (claimed educational intent).
## Detection Methods
- Signature-based detection: Signatures targeting the C# binary structure or known components if they become public.
- Behavioral detection: Monitoring for process injection, unusual registry modifications related to startup, and attempts to capture audio/video streams. Detection of the fake lock screen enforcement mechanism.
- YARA rules: [Not specified in the context]
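The profile names two persistence locations, Run keys in the registry and the Startup folder, and the detection guidance is to watch for unusual startup entries. The audit below is an added example written for this summary, not DuplexSpy's or any vendor's code. It parses text in the layout that `reg query` prints and a plain Startup-folder listing, so it runs offline on the constructed input embedded here; the heuristics (user-writable locations, script-host launches, system binary names outside the Windows directory, loose executables in the Startup folder) are the editor's assumptions about what deserves review, not indicators taken from the page.

```python
"""Audit Run-key values and Startup-folder contents for suspicious entries.

Added example, not DuplexSpy's or any vendor's code. SAMPLE_REG_QUERY and
SAMPLE_STARTUP are constructed; on a live host feed in real command output."""
import re
from typing import Dict, List

# Locations a standard user can write to (assumption); startup entries here deserve review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Script hosts and proxies that a Run value should rarely launch directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Windows system binary names; a copy outside \Windows\ is a masquerade.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "services.exe"}
# File types that should not sit directly in a Startup folder (shortcuts are the norm).
EXEC_EXT = (".exe", ".dll", ".vbs", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta", ".scr")

# `reg query` prints values as: <4 spaces><name><4 spaces><REG_type><4 spaces><data>
_VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def executable_from_command(data: str) -> str:
    """Return the program path from a Run value's command line (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1|hta|scr))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def parse_reg_query(text: str) -> Dict[str, List[dict]]:
    """Parse `reg query <key>` output into {key: [{name, type, data}, ...]}."""
    keys: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = []
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append(m.groupdict())
    return keys


def assess_run_value(name: str, data: str) -> dict:
    """Score one Run value; severity is 'none', 'review' or 'high'."""
    exe = executable_from_command(data)
    exe_low = exe.lower().replace("/", "\\")
    base = exe_low.rsplit("\\", 1)[-1]
    flags = []
    if any(d in data.lower() for d in USER_WRITABLE):   # program or its argument lives in user space
        flags.append("user-writable-location")
    if base in SCRIPT_HOSTS:
        flags.append("script-host-launch")
    if base in SYSTEM_NAMES and "\\windows\\" not in exe_low:
        flags.append("system-name-outside-windows-dir")
    if "system-name-outside-windows-dir" in flags or len(flags) >= 2:
        severity = "high"
    else:
        severity = "review" if flags else "none"
    return {"name": name, "executable": exe, "flags": flags, "severity": severity}


def assess_startup_folder(listing: List[str]) -> List[dict]:
    """Flag executables and scripts dropped directly into a Startup folder."""
    return [{"name": entry, "executable": entry, "flags": ["executable-in-startup-folder"], "severity": "high"}
            for entry in listing if entry.lower().endswith(EXEC_EXT)]


def audit(reg_text: str, startup_listing: List[str]) -> List[dict]:
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        for v in values:
            f = assess_run_value(v["name"], v["data"])
            if f["severity"] != "none":
                f["location"] = key
                findings.append(f)
    for f in assess_startup_folder(startup_listing):
        f["location"] = "Startup folder"
        findings.append(f)
    return findings


# Constructed input: a normal OneDrive entry, a masquerading binary, a hidden PowerShell
# launcher, a genuine system tray helper, and a loose .exe in the Startup folder.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Updater    REG_SZ    powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\update.ps1
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""
SAMPLE_STARTUP = ["desktop.ini", "Slack.lnk", "WindowsDefender.exe"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_STARTUP):
        print(finding["severity"], finding["location"], finding["name"], finding["flags"])
```

Legitimate per-user software such as OneDrive also installs under AppData, which is why a single user-writable hit only yields "review"; the combination of a user-writable path with a script host or a system-binary name is what raises an entry to "high".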
## Mitigation Strategies
- **Source Control:** Restrict execution of unverified binaries downloaded from public repositories like GitHub.
- **Endpoint Hardening:** Implement strict privilege management to limit fileless execution and registry modification rights for standard applications.
- **Input Monitoring:** Monitor for unexplained suppression of user input or unexpected full-screen overlays.
## Related Tools/Techniques
- Other C#-based RATs and surveillance tools.
***
# Tool/Technique: Crypters And Tools
## Overview
Crypters And Tools is a malware obfuscation service offered as a crypter-as-a-service (CaaS) platform, sold on platforms like nitrosoftwares[.]com. It is used by various threat actors to obfuscate malicious files, such as Ande Loader, to evade detection.
## Technical Details
- Type: Tool/Service (Crypter/Obfuscator)
- Platform: Cross-platform (used to obfuscate files targeting Windows environments)
- Capabilities: File obfuscation, evasion of AV detection mechanisms.
- First Seen: In use in the period leading up to late April 2025.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
  - T1070.004 - File Deletion (implied if the crypter leaves no trace)
## Functionality
### Core Capabilities
- **Obfuscation:** Renders malicious payloads (like Ande Loader) unrecognizable to signature-based security products.
- **Service Delivery:** Sold on cybercrime marketplaces offering various malicious tools (exploits, loggers, clippers).
### Advanced Features
- **Wide Applicability:** Used successfully across multiple, diverse threat actor groups.
## Indicators of Compromise
- File Hashes: [Not applicable to the service itself, but results in heavily obfuscated files.]
- File Names: [Varies, depends on the underlying payload, e.g., obfuscated Ande Loader.]
- Registry Keys: [Not applicable]
- Network Indicators: Sales platform nitrosoftwares[.]com.
- Behavioral Indicators: Detection of known payload hallmarks *after* de-obfuscation; execution of files showing high entropy or other characteristics of packer/crypter wrappers.
## Associated Threat Actors
- TA558
- Blind Eagle
- Aggah (Hagga)
- PhaseShifters (Angry Likho, Sticky Werewolf, UAC-0050)
- UAC-0050
- PhantomControl
## Detection Methods
- Signature-based detection: Detection of the specific crypter wrapper signature, though this is inherently difficult as the service evolves.
- Behavioral detection: Dynamic analysis environment that executes the file and monitors for unpacking behavior characteristic of known crypters.
- YARA rules: Rules targeting invariant sections of common crypter wrappers associated with this service.
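High entropy is the one static hallmark of crypter output that this profile lists, and it is cheap to measure before a sample goes to the sandbox. The triage routine below is an added example written for this summary, not the service's or any vendor's code. It computes Shannon entropy over the whole file and over fixed-size windows, since a crypter typically leaves a small plaintext loader stub in front of an encrypted payload. The two sample buffers and the thresholds are constructed assumptions: one buffer imitates text-heavy content from an unpacked binary, the other a stub followed by an encrypted payload simulated with deterministic SHA-256 chaining so the example runs offline and reproducibly.

```python
"""Entropy triage for packer/crypter-wrapped files.

Added example, not the service's or any vendor's code. The samples and
thresholds below are constructed for illustration."""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

WINDOW = 1024          # bytes per non-overlapping window
PACKED_WINDOW = 7.0    # bits/byte above which a window looks encrypted or compressed (assumption)
PACKED_FRACTION = 0.5  # share of such windows that makes the file suspicious (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = WINDOW) -> List[Tuple[int, float]]:
    """(offset, entropy) per window; a file shorter than one window is a single window."""
    if len(data) <= window:
        return [(0, shannon_entropy(data))]
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, window)]


def packed_fraction(data: bytes, window: int = WINDOW, threshold: float = PACKED_WINDOW) -> float:
    """Fraction of windows whose entropy reaches the packed threshold."""
    wins = windowed_entropy(data, window)
    return sum(1 for _, e in wins if e >= threshold) / len(wins)


def triage(data: bytes) -> dict:
    """Whole-file and windowed verdict; windowed scoring catches a stub plus encrypted body."""
    frac = packed_fraction(data)
    verdict = "likely-packed" if frac >= PACKED_FRACTION else "low-entropy"
    return {"overall_entropy": round(shannon_entropy(data), 3),
            "packed_fraction": round(frac, 3), "verdict": verdict}


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: text-heavy "unpacked" content versus a short stub and an encrypted body.
CLEAN_SAMPLE = (b"This program cannot be run in DOS mode.\r\n"
                b"kernel32.dll GetProcAddress LoadLibraryA ExitProcess\r\n") * 100
PACKED_SAMPLE = b"stub: tiny loader that decrypts the payload below\r\n" * 8 + _pseudo_random(8192)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

Entropy alone does not distinguish a crypter from legitimate compression or an embedded certificate, so the verdict is a routing decision (send to dynamic analysis, as the mitigation section recommends) rather than a detection in itself.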
## Mitigation Strategies
- **Behavioral Analysis:** Rely heavily on dynamic analysis and automated sandbox execution to unpack and inspect code behavior rather than static signatures.
- **Threat Intelligence:** Monitor cybercrime forums for new crypter services and their associated sales platforms.
## Related Tools/Techniques
- Ande Loader (a file frequently obfuscated by this service).
- General Crypter/Packer Tools.