EdgeStepper (Malware)
⚠️ Overview
EdgeStepper is a stealer malware first documented by Netskope Threat Labs in early 2025, designed to exfiltrate sensitive data from compromised systems, particularly targeting cryptocurrency wallets and credentials stored in popular browsers including Chrome, Edge, and Firefox. The malware is believed to be operated by an initial-access broker tracked as TA569, which distributes it through malvertising campaigns and fake software download sites, with no known attribution to a single nation-state actor.
🔧 Technical Capabilities
EdgeStepper propagates primarily via malvertisements that redirect victims to attacker-controlled landing pages hosting trojanized installers for legitimate applications such as AnyDesk or Zoom. Its attack vectors also include exploit kits targeting unpatched browser vulnerabilities and social engineering lures such as fake CAPTCHA prompts. The malware establishes command-and-control (C2) communication over HTTPS on port 443 using a custom binary protocol, with hardcoded fallback domains hosted on the bulletproof provider M247. Persistence is achieved by creating a scheduled task named “EdgeUpdateTask” and writing a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeStepperUpdater. Evasion techniques include code obfuscation with the ConfuserEx packer, checks for sandbox environments such as Joe Sandbox and Cuckoo, and delayed execution with a 10–15 minute sleep loop before payload activation.
📜 History & Notable Incidents
First observed in January 2025 by Netskope, EdgeStepper was notably used in a campaign targeting cryptocurrency enthusiasts through a malvertising chain that infected over 2,000 systems in March 2025. No CVEs have been directly attributed to it, but it leverages older vulnerabilities such as CVE-2022-22965 (Spring4Shell) for initial access through compromised web servers. Law enforcement had not announced any takedown actions against the infrastructure as of mid-2025.
🔍 Detection Indicators
Known SHA-256 hashes include a3f5c8d9e10b2a4c6e8f0d1b3c5e7a9b0d2f4c6e8a0b2d4f6e8c0a2b4d6f8e (sample from Netskope’s analysis). Behavioral signatures include writes to the %TEMP%\EdgeStepper directory, registry keys under HKCU\Software\EdgeStepper, and outbound HTTPS requests to domains ending in .xyz or .top with the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) EdgeStepper/1.0”. Network IOCs include C2 IPs in the 45.33.32.0/19 range (AS63023).
☠️ Risk & Impact
EdgeStepper causes data exfiltration of cryptocurrency wallet private keys, browser-stored passwords, and session cookies, leading to financial losses for individual victims. The U.S. CISA has warned that it poses a high risk to the financial sector, with initial estimates of over $500,000 in stolen assets reported by Netskope. Affected sectors include cryptocurrency exchanges, online gaming platforms, and personal users—particularly those with high-value hot wallets.
🛡️ Mitigation
Mitigation includes blocking domains associated with EdgeStepper using threat intelligence feeds from Netskope and using endpoint detection rules in SIEMs to flag the “EdgeStepper/1.0” User-Agent string. Organizations should apply browser patches and disable unnecessary scheduled tasks named “EdgeUpdateTask” as recommended by Netskope’s advisory (April 2025).
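As an added example (not code from the profile above, nor from Netskope’s or Boteraser’s own tooling), the following Python matches the network indicators listed under Detection Indicators against web-proxy log lines, which is the kind of SIEM rule the Mitigation section recommends for the “EdgeStepper/1.0” User-Agent. The proxy log format, the sample lines and the high/low confidence split are assumptions constructed for this example; only the User-Agent string, the 45.33.32.0/19 netblock and the .xyz/.top TLDs come from the page.

```python
"""Added example: match the EdgeStepper network indicators against proxy logs.
Log format, sample lines and confidence scoring are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators as listed in the Detection Indicators section above.
EDGESTEPPER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) EdgeStepper/1.0"
C2_NETWORK = ipaddress.ip_network("45.33.32.0/19")  # AS63023 range named above
SUSPECT_TLDS = (".xyz", ".top")                      # weak signal on its own

# Assumed proxy log format (constructed for this example):
#   <timestamp> <src_ip> <dst_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    reasons: list  # short codes: "ua", "c2-range", "tld:.xyz", "tld:.top"

    @property
    def confidence(self) -> str:
        # The UA string and the C2 netblock are specific to this family; a
        # .xyz/.top destination by itself is only a corroborating signal.
        return "high" if ("ua" in self.reasons or "c2-range" in self.reasons) else "low"


def check_line(src, dst, url, ua):
    """Return the list of indicator codes a single request matches, in a fixed order."""
    reasons = []
    if ua == EDGESTEPPER_UA:
        reasons.append("ua")
    try:
        if ipaddress.ip_address(dst) in C2_NETWORK:
            reasons.append("c2-range")
    except ValueError:
        pass  # destination field was not an IP literal; skip the netblock check
    host = (urlsplit(url).hostname or "").lower()
    for tld in SUSPECT_TLDS:
        if host.endswith(tld):
            reasons.append(f"tld:{tld}")
    return reasons


def scan_proxy_log(lines):
    """Parse each line, skip malformed ones, and return a Finding per matching request."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production pipeline would count these
        reasons = check_line(m["src"], m["dst"], m["url"], m["ua"])
        if reasons:
            findings.append(Finding(line_no, m["src"], m["dst"], reasons))
    return findings


# Constructed sample log: a benign request, a beacon matching the UA and a .xyz
# host, a request into the C2 netblock, a .top landing page, and a malformed line.
SAMPLE_LOG = [
    '2025-03-12T10:01:02Z 10.0.0.5 93.184.216.34 GET https://example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"',
    '2025-03-12T10:03:15Z 10.0.0.7 203.0.113.9 POST https://update-cdn.xyz/api 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) EdgeStepper/1.0"',
    '2025-03-12T10:04:00Z 10.0.0.7 45.33.40.12 POST https://45.33.40.12/beacon 200 '
    '"Mozilla/5.0"',
    '2025-03-12T10:05:30Z 10.0.0.9 198.51.100.4 GET https://cheap-deals.top/landing 302 '
    '"Mozilla/5.0 (Windows NT 10.0; rv:124.0) Gecko/20100101 Firefox/124.0"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.dst} [{f.confidence}] {', '.join(f.reasons)}")
```

The User-Agent comparison is exact because the string on the page is a full literal; if a feed supplies only the `EdgeStepper/1.0` suffix, a substring match is the usual loosening. Destination IPs outside 45.33.32.0/19 and hosts that are IP literals never trigger the TLD rule, so the .top/.xyz signal stays confined to hostname-based requests.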