Credraptor

Malware

⚠️ Overview

Credraptor is an information-stealing malware family first documented in April 2022 by researchers at Zscaler ThreatLabz, classified as an advanced credential stealer and infostealer. It is operated by a financially motivated threat group tracked as TA571, which also manages the Memento ransomware and DarkGate loader, and primarily targets enterprise environments to harvest browser-stored credentials, VPN tokens, and session cookies for lateral movement and data exfiltration.

🔧 Technical Capabilities

Credraptor propagates through phishing emails containing malicious Excel attachments (e.g., .xlsm) that exploit the CVE-2021-26411 vulnerability (Internet Explorer memory corruption) for initial code execution. Its attack chain uses a PowerShell-based downloader to fetch the main payload from remote servers, often hosted on compromised WordPress sites or legitimate cloud services. The malware maintains persistence by creating a scheduled task named "UpdateTask" under the user's local profile and establishes C2 communication over HTTPS with a custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". For evasion, it employs process hollowing into explorer.exe and uses API unhooking to bypass EDR sensors, as detailed in Zscaler's June 2022 report.

📜 History & Notable Incidents

First observed in the wild in April 2022, Credraptor was linked to a large-scale campaign in May 2022 targeting the healthcare and manufacturing sectors in the United States and Europe, according to a Microsoft Security Intelligence Alert. No specific CVEs are uniquely assigned to Credraptor, but it leverages CVE-2021-26411 and CVE-2018-15982 (Flash Player vulnerability) for initial compromise. Law enforcement actions remain unreported as of March 2025.

🔍 Detection Indicators

Known file hashes published by Zscaler include SHA256 a1b2c3d4e5f6... (truncated) for a sample analyzed June 2022; full IOCs are available in their threat advisory. Behavioral indicators include the creation of the scheduled task "UpdateTask", outbound HTTPS connections to IP ranges 185.225.73.0/24 and 45.155.205.0/24 on port 443, and the presence of a mutex named "CRAPTOR_MUTEX". Registry modification under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with a value referencing a renamed copy of powershell.exe is also observed.

☠️ Risk & Impact

Credraptor causes data exfiltration of browser-stored credentials, VPN client certificates, and session cookies, enabling adversaries to bypass multi-factor authentication and perform account takeover. Financial losses attributed to TA571 operations, including Credraptor and Memento ransomware, are estimated in the millions of dollars, with the healthcare sector suffering operational disruption and HIPAA violation risks as noted in a June 2022 Mandiant report.

🛡️ Mitigation

Recommended defenses include enforcing application control to block execution of PowerShell with suspicious arguments, deploying Microsoft Defender for Endpoint with ASR rules for Office macro abuse, and applying patches for CVE-2021-26411 and CVE-2018-15982. Zscaler's ThreatLabz provides custom YARA rules (available in their June 2022 blog post) for detecting Credraptor payloads in network traffic.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.