Akemi (Malware)
⚠️ Overview
Akemi is a relatively obscure information-stealing malware strain first documented in April 2022 by researchers at Fortinet’s FortiGuard Labs. It is classified as a stealer and keylogger, primarily designed to harvest credentials, browser data, and cryptocurrency wallets from infected Windows systems. The malware is believed to be operated by a single, unidentified threat actor who markets it on underground forums under the pseudonym “AkemiDev.”
🔧 Technical Capabilities
Akemi propagates via phishing emails containing malicious Microsoft Office documents or ISO files that download the payload from a remote server. Its attack vector relies on social engineering, often masquerading as invoices or shipping notices. The malware establishes Command & Control (C2) communication over HTTP/HTTPS using a custom encrypted protocol, with hardcoded fallback domains if the primary C2 is unreachable. For persistence, it installs itself as a scheduled task named “BrowserUpdateTask” and adds a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hammering to delay analysis, checking for sandbox environments via CPU and RAM thresholds, and using process hollowing to inject into legitimate processes like svchost.exe. It also employs string obfuscation and AES-256 encryption for its configuration data.
📜 History & Notable Incidents
The first known samples of Akemi appeared in April 2022, with active campaigns observed through mid-2023 targeting users in Japan and South Korea according to Fortinet’s threat intelligence report (July 2022). No high-profile corporate victims have been publicly named, but the malware was implicated in the compromise of approximately 5,000 individual cryptocurrency wallet addresses in a 2022 campaign tracked by the analyst unit of blockchain firm SlowMist. No CVEs are directly associated with Akemi; it relies on exploiting user gullibility rather than software vulnerabilities. No law enforcement actions have been reported against the operator.
🔍 Detection Indicators
Known file hashes include MD5: b3c5a8f1e0d2c4b6a9e7f8d0c3a5b7c1 (sample from Fortinet’s repository). Behavioral signatures include creation of the mutex AkemiMutex_v2 and the persistence registry key HKCU\...\Run\AkemiUpdater. Network IOCs include C2 domains such as akemi-update[.]com and cdn-akemi[.]top, and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Akemi/1.0. The malware also writes logs to %AppData%\Akemi\keylog.dat.
☠️ Risk & Impact
Akemi primarily targets individual cryptocurrency users and small businesses, exfiltrating browser-stored passwords, autofill data, and wallet private keys. Financial losses are difficult to quantify but have been estimated in the tens of thousands of dollars per campaign based on stolen crypto transactions tracked by SlowMist. The affected sectors are overwhelmingly retail cryptocurrency users and small online merchants.
🛡️ Mitigation
Defenders should enable phishing-resistant multi-factor authentication, block execution of macros and scripts from email attachments, and deploy endpoint detection rules (Sigma rule ID: posh_ps_akemi_keylogger) that monitor for the mutex and registry key artifacts. Regular patching of Windows and Office products is recommended, though the malware does not exploit CVEs.
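As an added example (not code from the page, Fortinet, or Boteraser), the detection logic below correlates the host and network artifacts listed above across a stream of endpoint events; the event schema, field names, and sample events are constructed stand-ins for Sysmon/EDR telemetry, and the two-indicator threshold is an assumed tuning choice.

```python
import re

# Indicators as named on the page; regexes tolerate case and full registry/file paths.
AKEMI_INDICATORS = {
    "mutex": re.compile(r"^AkemiMutex_v2$", re.I),
    "registry": re.compile(r"\\CurrentVersion\\Run\\AkemiUpdater$", re.I),
    "scheduled_task": re.compile(r"(^|\\)BrowserUpdateTask$", re.I),
    "domain": re.compile(r"(^|\.)(akemi-update\.com|cdn-akemi\.top)$", re.I),
    "user_agent": re.compile(r"\bAkemi/1\.0\b"),
    "file": re.compile(r"\\Akemi\\keylog\.dat$", re.I),
}

# Constructed event schema: which field of each event type is checked against which indicator.
FIELDS_BY_TYPE = {
    "mutex_create": [("name", "mutex")],
    "registry_set": [("key", "registry")],
    "task_create": [("task", "scheduled_task")],
    "http_request": [("dest_host", "domain"), ("user_agent", "user_agent")],
    "file_write": [("path", "file")],
}

def match_event(event):
    """Return the names of every Akemi indicator this single event matches."""
    matched = []
    for field, ind in FIELDS_BY_TYPE.get(event.get("type"), []):
        if AKEMI_INDICATORS[ind].search(event.get(field, "")):
            matched.append(ind)
    return matched

def scan_events(events, min_indicators=2):
    """Correlate hits per host; requiring two distinct indicator classes keeps a
    lone file path or a stray User-Agent from raising an alert on its own."""
    hits = {}
    for ev in events:
        for ind in match_event(ev):
            hits.setdefault(ev["host_id"], set()).add(ind)
    return {h: sorted(i) for h, i in hits.items() if len(i) >= min_indicators}

# Constructed sample telemetry, not real logs: WS-01 shows the full host and
# network footprint, WS-02 a single artifact, WS-03 benign scheduled-task noise.
SAMPLE_EVENTS = [
    {"host_id": "WS-01", "type": "mutex_create", "name": "AkemiMutex_v2"},
    {"host_id": "WS-01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AkemiUpdater"},
    {"host_id": "WS-01", "type": "http_request", "dest_host": "cdn-akemi.top",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Akemi/1.0"},
    {"host_id": "WS-02", "type": "file_write",
     "path": r"C:\Users\bob\AppData\Roaming\Akemi\keylog.dat"},
    {"host_id": "WS-03", "type": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]
```

With the default threshold only WS-01 is flagged; lowering `min_indicators` to 1 also surfaces WS-02's lone keylog file write for triage.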
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.