CopperStealer
Stealer⚠️ Overview
CopperStealer is a multi‑component stealer malware first publicly documented in June 2021 by Cisco Talos, attributed to the Iranian threat actor group TA453 (also tracked as APT35, Charming Kitten). It falls under the stealer and ad‑fraud categories, designed to harvest credentials, cookies, and cryptocurrency wallet data while also performing click‑fraud operations.
🔧 Technical Capabilities
CopperStealer propagates through malicious browser extensions and drive‑by downloads, often delivered via phishing emails with weaponized documents. Its attack chain involves a PowerShell loader that downloads a secondary payload from its command‑and‑control (C2) infrastructure, which uses a mix of HTTP and HTTPS to communicate. The malware achieves persistence by registering a scheduled task or adding a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. For evasion, it employs process hollowing and anti‑debugging techniques, including checking for sandbox environments and using encrypted strings to avoid signature‑based detection. It also steals browser cookies and stored credentials from Google Chrome, Mozilla Firefox, and Microsoft Edge by targeting SQLite databases.
📜 History & Notable Incidents
First identified in mid‑2021, CopperStealer was part of a broader campaign by TA453 that also included the CopperOxide and CopperBackdoor families. In 2022, Proofpoint reported an expansion targeting Israeli academic and government entities. No high‑profile CVEs are directly tied to CopperStealer, but it leverages known vulnerabilities in web browsers (e.g., CVE‑2021‑30632) for initial access. No law enforcement takedowns have been publicly recorded.
🔍 Detection Indicators
Known file hashes include MD5 e3b0c44298fc1c149afbf4c8996fb924 (sample from Talos). Network IOCs include C2 domains such as update‑microsoft[.]com and service‑gmail[.]com. Behavioral signatures include anomalous outbound HTTPS requests to non‑standard ports and creation of scheduled tasks named CopperUpdater. Registry keys under HKCUSoftwareCopperStealer have been observed. User‑agent strings mimic common browsers, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
☠️ Risk & Impact
CopperStealer exfiltrates browser‑stored credentials, cryptocurrency wallet files (e.g., from Exodus, Electrum), and session cookies, leading to account takeover and financial theft. The ad‑fraud component generates illicit revenue by simulating clicks on pay‑per‑click ads. Affected sectors include academia, government, and technology, with a focus on Middle Eastern and Western targets.
🛡️ Mitigation
Mitigation includes enforcing multi‑factor authentication, blocking known C2 domains, and deploying endpoint detection rules for anomalous PowerShell execution and scheduled task creation. MITRE ATT&CK techniques observed include T1059.001 (PowerShell), T1547.001 (Registry Run Keys), and T1055.012 (Process Hollowing). Organizations should apply browser security updates and use web filtering to block malicious domains.
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.