Aveo

Malware description

⚠️ Overview

Aveo is a modular information-stealing malware first documented in December 2022 by researchers at Cyble. It belongs to the stealer category, designed primarily to harvest credentials, cryptocurrency wallet data, and browser session information from infected Windows systems. The malware is believed to be operated by a Russian-speaking threat actor group tracked as TA573, though attribution remains tentative based on code overlaps with earlier stealers like Vidar and Raccoon.

🔧 Technical Capabilities

Aveo propagates via phishing emails carrying malicious Microsoft Office documents or ISO archives that drop the payload through VBScript or PowerShell stagers. Its initial-access vectors include CVE-2022-30190 (Follina), the Microsoft Support Diagnostic Tool flaw reachable from Office documents on unpatched systems, and malvertising campaigns that redirect victims to drive-by download sites. The malware talks to its command-and-control (C2) infrastructure over HTTPS, exfiltrating stolen data in encrypted JSON payloads. For persistence, Aveo writes a value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and creates a scheduled task named "AveoUpdater", so it survives reboots even if one of the two mechanisms is removed. Evasion techniques include unhooking ntdll.dll APIs, sandbox checks via WMI queries for disk size and RAM, and process hollowing into legitimate processes such as explorer.exe, as detailed in a January 2023 report by Trellix Advanced Research Center.

📜 History & Notable Incidents

Aveo first appeared in underground forums on Exploit[.]in in November 2022, offered as a malware-as-a-service for $500 per month. In April 2023, a major campaign targeted cryptocurrency users on Discord, deploying Aveo through fake Nitro giveaway links that led to a malicious ZIP file hosted on GitHub. No CVEs are specifically associated with Aveo itself, but it often leverages CVE-2022-30190 for initial access. Law enforcement actions have not been publicly recorded against the operators as of September 2025.

🔍 Detection Indicators

The SHA256 hash given for an August 2023 VirusTotal sample, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 digest of zero-length input: it identifies an empty file, not a malware sample, and must not be loaded as an indicator. Behavioral signatures include creation of the mutex "Global\Aveo_Mutex" and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Aveo. Network indicators include the C2 domains aveo-update[.]com and api-aveo[.]net, and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Aveo/1.0" used in HTTP requests, as noted in a December 2022 Cyble advisory.
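The indicators above, together with the Run-key, scheduled-task and mutex persistence artefacts described under Technical Capabilities, can be turned into a small hunt over endpoint telemetry. The following is an example added for this page by the editor; it is not detection content from Cyble, Trellix or any vendor. The event layout is a constructed Sysmon-style approximation (registry value set, process create, network connection) plus an EDR-style mutex event, the two hosts and their events are made up for the demonstration, and the strong/weak labelling is the editor's choice. It also carries the sanity check a practitioner would want before loading hashes into a blocklist: rejecting the empty-input digest.

```python
"""Hunt for the Aveo indicators listed on this page in endpoint telemetry.

Added example (editor's code, not Cyble/Trellix/vendor content). Event field
names are a constructed Sysmon-style approximation; adapt them to your schema.
"""
import hashlib
from typing import Dict, List

# Indicators as printed on the page (backslashes restored).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AVEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Aveo"
TASK_NAME = "AveoUpdater"
MUTEX = r"Global\Aveo_Mutex"
C2_DOMAINS = {"aveo-update.com", "api-aveo.net"}
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Aveo/1.0"

# Digests of zero-length input. A "sample hash" equal to one of these names an
# empty file, not malware, and must be rejected before it enters a blocklist.
EMPTY_INPUT_DIGESTS = {hashlib.new(a, b"").hexdigest() for a in ("md5", "sha1", "sha256")}


def is_usable_hash_ioc(digest: str) -> bool:
    """True only for a well-formed MD5/SHA-1/SHA-256 hex digest that is not an empty-input digest."""
    d = digest.strip().lower()
    if len(d) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in d):
        return False
    return d not in EMPTY_INPUT_DIGESTS


def normalize_key(key: str) -> str:
    """Sysmon logs per-user hives as HKU\\<SID>\\...; fold that onto HKCU\\... so the page's path matches."""
    parts = key.split("\\")
    if len(parts) > 2 and parts[0].upper() == "HKU" and parts[1].upper().startswith("S-1-"):
        return "HKCU\\" + "\\".join(parts[2:])
    return key


def _under(key: str, base: str) -> bool:
    """Case-insensitive 'key is base or lies beneath base'."""
    k, b = key.lower(), base.lower()
    return k == b or k.startswith(b + "\\")


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches, prefixed strong:/weak:."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry_set":
        key = normalize_key(event.get("key", ""))
        if _under(key, AVEO_KEY):
            hits.append("strong:aveo_registry_key")
        elif _under(key, RUN_KEY):
            # Run-key persistence is shared by many families: a weak signal
            # that needs a strong one on the same host before escalation.
            hits.append("weak:hkcu_run_key_persistence")
    elif kind == "process_create":
        cmd = event.get("cmdline", "").lower()
        if "schtasks" in cmd and TASK_NAME.lower() in cmd:
            hits.append("strong:scheduled_task_aveoupdater")
    elif kind == "mutex_create":  # EDR-style event; Sysmon does not log mutexes
        if event.get("name") == MUTEX:
            hits.append("strong:mutex_aveo")
    elif kind == "network":
        host = event.get("dest_host", "").lower().rstrip(".")
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("strong:c2_domain")
        if event.get("user_agent") == USER_AGENT:
            hits.append("strong:aveo_user_agent")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect indicator hits per host."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev.get("host", "unknown"), []).append(hit)
    return per_host


def confirmed_hosts(per_host: Dict[str, List[str]]) -> List[str]:
    """Hosts with at least one Aveo-specific (strong) indicator."""
    return sorted(h for h, hits in per_host.items() if any(x.startswith("strong:") for x in hits))


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a benign Run-key write.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "AveoUpdater" /tr C:\Users\victim\AppData\Roaming\svc.exe /sc onlogon'},
    {"host": "WS01", "type": "mutex_create", "name": r"Global\Aveo_Mutex"},
    {"host": "WS01", "type": "network", "dest_host": "api-aveo.net", "dest_port": "443", "user_agent": USER_AGENT},
    {"host": "WS02", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "WS02", "type": "network", "dest_host": "update.microsoft.com", "dest_port": "443",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    print("listed hash usable:", is_usable_hash_ioc("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
    print("confirmed:", confirmed_hosts(hunt(SAMPLE_EVENTS)))
```

Two points the page's indicator list does not make explicit: Sysmon records the current user's hive as HKU\<SID>, so an HKCU path has to be folded before comparison, and a Run-key write on its own is not an Aveo signal (WS02 above is flagged weak only). Escalate on the family-specific artefacts, the AveoUpdater task, the Aveo registry key, the mutex, the C2 domains and the User-Agent string, and treat the hash as unusable until a real digest replaces the empty-input value.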

☠️ Risk & Impact

Aveo causes data exfiltration of saved passwords, credit card numbers, and cryptocurrency wallet private keys, leading to potential financial losses for individuals and small-to-medium businesses. Affected sectors include cryptocurrency exchanges, online retail, and gaming communities, with estimated cumulative losses exceeding $2.5 million from reported incidents between 2022 and 2024, according to a Chainalysis threat analysis.

🛡️ Mitigation

Recommended defenses include enforcing Microsoft Office macro-blocking policies, applying the June 2022 Microsoft security update that addresses CVE-2022-30190, and deploying endpoint detection rules for the mutex "Global\Aveo_Mutex", the scheduled task "AveoUpdater" and the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Aveo registry key. Vendors such as CrowdStrike and SentinelOne have published YARA rules for Aveo detection, and network administrators should block the C2 domains listed in threat intelligence feeds from Cyble and Trellix.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.