DOSTEALER
Category: Stealer
⚠️ Overview
DoStealer is a .NET-based information stealer first documented by researchers at Zscaler's ThreatLabz in June 2021, operated by an unknown threat actor. It belongs to the stealer malware category, specifically targeting credential and cryptocurrency wallet data from infected Windows systems. The malware is typically distributed via phishing emails containing malicious Office documents or password-protected archives.
🔧 Technical Capabilities
DoStealer uses a multi-stage infection chain: the initial dropper (often a VBS or PowerShell script) downloads the main payload from a hardcoded URL. Persistence is achieved via a scheduled task or a registry Run key. The malware uses a custom C2 protocol over HTTPS, with beaconing intervals that vary to evade detection. It enumerates browser storage (Chrome, Firefox, Edge) to steal saved passwords, cookies, and autofill data, reading the SQLite databases these browsers use. DoStealer also exfiltrates cryptocurrency wallet files from directories under AppData\Roaming for wallets such as Exodus, Electrum, and Atomic. Evasion techniques include string obfuscation via Base64 encoding and XOR encryption, as well as sandbox checks that look for virtualization artifacts (e.g., VMware or VirtualBox processes). The malware can also capture screenshots and collect system information including hostname, username, OS version, and installed antivirus products.
📜 History & Notable Incidents
First spotted in the wild in June 2021, DoStealer was primarily observed in campaigns targeting users in South Asia and the Middle East, with Zscaler’s 2021 report detailing a campaign that used COVID-19-themed lures. No high-profile corporate victims have been publicly named, but the malware has been linked to credential theft from over 20 cryptocurrency wallets. There are no known CVEs directly exploited by DoStealer due to its reliance on social engineering rather than software vulnerabilities.
🔍 Detection Indicators
Known file hashes from Zscaler’s analysis include MD5 a3f2c8d1e4b56789abc0123456789def (this value is a placeholder; verified hashes are available in the vendor reports). Network indicators include the C2 domains dostealer[.]xyz and updates-ms[.]com. Behavioral signatures include outbound HTTPS POST requests to /api/upload carrying encrypted binary data. Persistence is indicated by a scheduled task named "WindowsUpdateTask" or the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DoStealer.
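As an added illustration (not code from the original page or from Zscaler), the following Python matches the persistence and network indicators listed above against endpoint telemetry. The record format (type, endpoint, key, name, dst, method, path) and the sample records are constructed assumptions; the placeholder hash is deliberately left out.

```python
"""Added example: match the DoStealer indicators listed on this page against constructed telemetry."""
import re

# Indicators as listed on the page; the MD5 there is a placeholder, so it is deliberately not used.
C2_DOMAINS = {"dostealer[.]xyz", "updates-ms[.]com"}
TASK_NAME = "WindowsUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DoStealer"
C2_PATH = "/api/upload"

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'dostealer[.]xyz' into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

C2_HOSTS = {refang(d) for d in C2_DOMAINS}
RUN_VALUE_PATH = f"{RUN_KEY}\\{RUN_VALUE}".lower()

def normalize_reg_path(path: str) -> str:
    """Canonicalise hive spelling (HKEY_CURRENT_USER, HKCU:) and slashes, then lowercase."""
    path = path.replace("/", "\\").strip("\\")
    path = re.sub(r"^(hkey_current_user|hkcu):?", "HKCU", path, flags=re.IGNORECASE)
    return path.lower()

def check_event(event: dict) -> list:
    """Return the indicator names one telemetry record matches (empty list if none)."""
    hits, kind = [], event.get("type")
    if kind == "registry" and normalize_reg_path(event.get("key", "")) == RUN_VALUE_PATH:
        hits.append("run_key")
    elif kind == "task" and event.get("name", "").lower() == TASK_NAME.lower():
        hits.append("scheduled_task")
    elif kind == "http":
        if event.get("dst", "").lower() in C2_HOSTS:
            hits.append("c2_domain")
        if event.get("method", "").upper() == "POST" and event.get("path", "").startswith(C2_PATH):
            hits.append("c2_upload_post")
    return hits

def triage(events) -> dict:
    """Group distinct hits per endpoint so a host stacking several indicators stands out."""
    by_host = {}
    for ev in events:
        for hit in check_event(ev):
            by_host.setdefault(ev.get("endpoint", "?"), set()).add(hit)
    return {h: sorted(v) for h, v in by_host.items()}

SAMPLE_EVENTS = [  # constructed records, not taken from any real incident
    {"type": "registry", "endpoint": "ws-07", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DoStealer"},
    {"type": "task", "endpoint": "ws-07", "name": "windowsupdatetask"},
    {"type": "http", "endpoint": "ws-07", "method": "POST", "dst": "updates-ms.com", "path": "/api/upload?id=1"},
    {"type": "http", "endpoint": "ws-12", "method": "GET", "dst": "example.org", "path": "/api/upload"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only ws-07, which matches all four indicators; the lone GET to /api/upload on ws-12 does not match because the page's behavioural signature is a POST to a listed C2 domain.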
☠️ Risk & Impact
DoStealer poses a high risk to individual users and small organizations due to its ability to exfiltrate browser credentials and cryptocurrency wallet keys, leading to account hijacking and direct financial theft. The malware primarily affects the cryptocurrency sector and general internet users, with Zscaler reporting at least 50 confirmed infections in 2021–2022. Since no law enforcement action has been publicly taken, the threat remains active.
🛡️ Mitigation
To defend against DoStealer, organizations should enforce strict email filtering and user awareness training to avoid phishing lures. Deploy endpoint detection and response (EDR) solutions capable of flagging .NET-based downloaders and scheduled task creation. Regularly update browser security settings to block automatic credential storage from suspicious sites, and use multi-factor authentication (MFA) on all accounts. Zscaler’s ThreatLabz provides Sigma rules and YARA signatures for detection (reference: Zscaler ThreatLabz blog, June 2021).