Cutlet

Malware

⚠️ Overview

Cutlet is a Python‑based information‑stealing malware first documented by Zscaler ThreatLabz researchers in December 2022. It has not been attributed to a known threat actor. It is an infostealer that targets credentials, browser cookies and cryptocurrency wallets on compromised hosts, and it is distributed mainly through phishing emails whose attachments or links deliver a Python script disguised as a legitimate document.

🔧 Technical Capabilities

Cutlet's reported initial‑access vector is weaponized Microsoft Office documents whose macros fetch the Python payload from a remote server. It communicates with its command‑and‑control (C2) servers over HTTPS to domains registered through privacy services, base64‑encoding the exfiltrated data and encrypting it with AES‑256 before transmission. For persistence it adds a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points to the dropped Python interpreter. Evasion consists of packaging the script as a stand‑alone executable with PyInstaller (which hinders casual inspection but does not hide the embedded bytecode from standard PyInstaller extraction tools) and sandbox checks on system uptime, RAM size and disk space. Cutlet also disables Windows Defender through PowerShell commands and clears browser debug logs to cover its tracks.

📜 History & Notable Incidents

First observed in December 2022, Cutlet was associated with a wave of phishing campaigns targeting employees of logistics and technology firms in Southeast Asia during Q1 2023. No specific CVEs are directly tied to this malware, as it relies on user execution of macro‑enabled documents rather than exploiting vulnerabilities. Law enforcement actions have not been publicly reported, and the threat actor remains unidentified. The malware’s C2 infrastructure has been observed using domains registered through Namecheap and hosted on VPS providers in Russia and the Netherlands.

🔍 Detection Indicators

Only truncated SHA‑256 prefixes are reproduced here for Cutlet samples: a3c9e1f2b4d5... (Zscaler report, 2022) and 7d8e9f0a1b2c... (MalwareBazaar, 2023). A prefix cannot be used for hash matching, so take the full values from the cited sources. Behavioral indicators include creation of a scheduled task named “BrowserDataSync”, outbound HTTPS traffic to domains matching *.cutlet‑update[.]com, and a file named “syshelper.py” dropped in the %TEMP% directory. C2 requests carry the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0”; this is a stock Chrome 107 string that legitimate browsers also send, so it is only meaningful in combination with the other indicators.
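The indicators above, together with the Run‑key persistence described under Technical Capabilities, can be turned into a small triage sweep. The Python below is an added example written for this page, not code from Zscaler ThreatLabz or from the malware: it matches the listed domain pattern, User‑Agent, task name, dropped file and Run‑key location against proxy log lines and host inventory records. The proxy log layout, the endpoint identifiers, the scoring weights and every sample record are assumptions constructed for the example.

```python
# Added example for this page: a triage sweep over the Cutlet indicators listed
# above. Editor's illustrative code, not from Zscaler ThreatLabz or the malware.
# Proxy log layout, endpoint ids, weights and all sample records are assumptions.
import re
from pathlib import PureWindowsPath

# Indicators as given on the page (domain re-fanged to an ASCII hostname).
C2_DOMAIN = re.compile(r"(?:^|\.)cutlet-update\.com$", re.IGNORECASE)
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/107.0.0.0")
TASK_NAME = "BrowserDataSync"
DROPPED_FILE = "syshelper.py"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumed weights: the User-Agent is a stock Chrome 107 string that real
# browsers send too, so alone it is weak evidence; the others are specific.
WEIGHTS = {"c2_domain": 10, "c2_user_agent": 1, "scheduled_task": 8,
           "dropped_file": 6, "run_key_python_in_temp": 6}

# Hypothetical proxy log layout:  ts src dest_host METHOD status "user-agent"
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) '
                        r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def parse_proxy_line(line):
    """Parse one proxy log line into a dict, or None if it does not fit the layout."""
    m = PROXY_LINE.match(line.strip())
    return m.groupdict() if m else None

def match_proxy(rec):
    """Indicator names hit by one parsed proxy record."""
    hits = []
    # Anchored on a label boundary, so a look-alike such as
    # notcutlet-update.com does not match while cdn7.cutlet-update.com does.
    if C2_DOMAIN.search(rec["host"]):
        hits.append("c2_domain")
    if rec["ua"] == C2_USER_AGENT:
        hits.append("c2_user_agent")
    return hits

def match_host_artifact(art):
    """Indicator names hit by one host inventory record (task, file or Run value)."""
    kind = art["type"]
    if kind == "scheduled_task":
        # schtasks lists names with a folder prefix, e.g. "\BrowserDataSync".
        if PureWindowsPath(art["name"]).name.lower() == TASK_NAME.lower():
            return ["scheduled_task"]
    elif kind == "file":
        p = PureWindowsPath(art["path"])
        # %TEMP% normally resolves to ...\AppData\Local\Temp; check the leaf directory.
        if p.name.lower() == DROPPED_FILE and p.parent.name.lower() == "temp":
            return ["dropped_file"]
    elif kind == "run_key":
        # The page reports a Run value pointing at the dropped Python interpreter.
        data = art["data"].lower()
        if (art["key"].lower() == RUN_KEY.lower() and "\\temp\\" in data
                and re.search(r"python\w*\.exe", data)):
            return ["run_key_python_in_temp"]
    return []

def triage(proxy_lines, host_artifacts):
    """Aggregate hits per endpoint -> {endpoint: (score, sorted indicator names)}."""
    findings = {}
    for line in proxy_lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the sweep
        for ind in match_proxy(rec):
            findings.setdefault(rec["src"], set()).add(ind)
    for art in host_artifacts:
        for ind in match_host_artifact(art):
            findings.setdefault(art["endpoint"], set()).add(ind)
    return {ep: (sum(WEIGHTS[i] for i in inds), sorted(inds))
            for ep, inds in findings.items()}

# Constructed sample data (not real logs or hosts).
OTHER_UA = C2_USER_AGENT.replace("Chrome/107.0.0.0", "Chrome/109.0.0.0")
SAMPLE_PROXY = [
    f'2023-01-17T09:12:03Z 10.0.4.21 www.microsoft.com GET 200 "{OTHER_UA}"',
    f'2023-01-17T09:12:44Z 10.0.4.21 cdn7.cutlet-update.com POST 200 "{C2_USER_AGENT}"',
    '2023-01-17T09:13:02Z 10.0.4.21 notcutlet-update.com GET 200 "curl/7.86.0"',
    f'2023-01-17T09:13:10Z 10.0.4.33 update.example.net GET 200 "{C2_USER_AGENT}"',
    "garbage line that does not parse",
]
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_HOST = [
    {"endpoint": "10.0.4.21", "type": "scheduled_task",
     "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"endpoint": "10.0.4.21", "type": "scheduled_task", "name": r"\BrowserDataSync"},
    {"endpoint": "10.0.4.21", "type": "file", "path": TEMP + r"\syshelper.py"},
    {"endpoint": "10.0.4.21", "type": "run_key", "key": RUN_KEY,
     "data": TEMP + r"\py\pythonw.exe " + TEMP + r"\syshelper.py"},
    {"endpoint": "10.0.4.40", "type": "file", "path": r"C:\Tools\syshelper.py.bak"},
]

if __name__ == "__main__":
    for ep, (score, inds) in sorted(triage(SAMPLE_PROXY, SAMPLE_HOST).items()):
        print(f"{ep}: score={score} indicators={inds}")
```

Two points the code makes that the bare indicator list does not: the domain match is anchored at a label boundary so a look‑alike such as notcutlet-update.com is not flagged, and the User‑Agent is weighted low because it is an ordinary Chrome 107 string; on its own it puts an endpoint at a score of 1, whereas the task, file and Run‑key artifacts together with the domain hit take the constructed endpoint to 31.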

☠️ Risk & Impact

Cutlet primarily exfiltrates browser‑stored credentials from Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as cryptocurrency wallet files such as those from Exodus and Electrum. The stolen data can lead to account takeovers, financial theft, and further lateral movement within an organization. Affected sectors include logistics, technology, and financial services, with initial infection rates peaking at approximately 500 attempted installations per day in early 2023 according to Zscaler telemetry.

🛡️ Mitigation

Defenders should block execution of Python scripts from untrusted origins and, because Cutlet is also delivered as a PyInstaller‑built executable, apply application control to unsigned executables launched from %TEMP% and other user‑writable paths. Macro security controls in Microsoft Office should be enforced, and endpoint detection rules should alert on creation of a scheduled task named “BrowserDataSync” and on Run‑key entries that point to a Python interpreter in %TEMP%. Network‑level blocks for *.cutlet‑update[.]com and YARA rules matching the malware’s PE‑embedded Python bytecode are recommended. Zscaler ThreatLabz published a detailed analysis with IOCs in its January 2023 report.
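Because Cutlet ships as a PyInstaller‑built executable, a first triage step before any bytecode‑level YARA matching is to confirm that a suspect PE actually carries a PyInstaller archive. The Python below is an added example written for this page (editor's code, not from Zscaler ThreatLabz or from the malware): it locates the PyInstaller CArchive cookie in a file's overlay and parses it. It assumes the 88‑byte cookie layout used by PyInstaller 2.1 and later, and the blob it parses is constructed inline as a stand‑in, not a real Cutlet binary.

```python
# Added example for this page: locating and parsing the PyInstaller archive
# cookie in a suspect executable's overlay. Editor's illustrative code, not from
# Zscaler ThreatLabz or the malware. It assumes the 88-byte cookie layout used by
# PyInstaller 2.1 and later; the sample blob is constructed, not a real binary.
import struct

# CArchive cookie: magic, package length, TOC offset, TOC length, Python
# version, bundled Python DLL name (64 bytes, NUL padded); big-endian.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88


def find_pyinstaller_cookie(data):
    """Return the parsed cookie as a dict, or None if no PyInstaller archive is present.

    The search runs backwards from the end of the file: an Authenticode
    signature or other appended data can sit after the cookie, so reading
    only the final 88 bytes would miss it.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # The package length counts the cookie itself, so the package (overlay)
    # starts pkg_len bytes before the end of the cookie.
    package_start = pos + COOKIE_SIZE - pkg_len
    if package_start < 0 or toc_off + toc_len > pkg_len:
        return None  # inconsistent header: not a usable archive
    # Recent releases encode the interpreter version as major*100+minor
    # (311 -> 3.11); old ones used major*10+minor (27 -> 2.7).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "package_start": package_start,
        "toc_offset": package_start + toc_off,  # absolute file offset of the TOC
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "trailing_bytes": len(data) - (pos + COOKIE_SIZE),
    }


def is_pyinstaller_packed(data):
    """True when the blob carries a parseable PyInstaller cookie."""
    return find_pyinstaller_cookie(data) is not None


def build_constructed_sample():
    """Constructed stand-in for a PyInstaller-packed PE (assumption, not a real sample)."""
    stub = b"MZ" + b"\x90" * 200                 # 202 bytes standing in for the PE image
    package = b"PYZ-00.pyz" + b"\xaa" * 290      # 300 bytes standing in for the archive body
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                         len(package) + COOKIE_SIZE,  # package length includes the cookie
                         250, 40, 311, b"python311.dll")
    return stub + package + cookie + b"\x00" * 16  # 16 trailing bytes after the cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_constructed_sample()))
```

The cookie identifies any PyInstaller binary, including legitimate software, so a hit selects a sample for further work (extracting the archive and scanning the embedded .pyc files) rather than being a Cutlet detection by itself. The trailing_bytes field is worth recording: a signature or other appended data pushes the cookie away from the end of the file, which is why the search runs backwards instead of reading the last 88 bytes.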


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.