fancyfilter
Malware
⚠️ Overview
FancyFilter is a sophisticated information-stealing malware first publicly documented in October 2024 by researchers at Trellix, identified as a modular .NET-based stealer targeting credential databases, cryptocurrency wallets, and browser-stored data. It is attributed to a financially motivated threat cluster tracked as TA578, operating as a malware-as-a-service (MaaS) model with underground advertisements on Russian-language forums. The malware falls under the Stealer category, specifically classified as an infostealer with additional capabilities for keylogging and clipboard hijacking.
🔧 Technical Capabilities
FancyFilter propagates primarily through phishing campaigns delivering malicious Microsoft Word documents or ZIP archives containing .NET payloads, often leveraging CVE-2023-38831 (WinRAR flaw) or CVE-2022-30190 (Follina) as initial access vectors. Its C2 infrastructure relies on HTTPS-based communication with domains registered via Namecheap or Njalla, using JSON-encoded POST requests to exfiltrate stolen data. Persistence is achieved via registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or scheduled tasks created through schtasks.exe. Evasion techniques include anti-debugging checks (IsDebuggerPresent), string obfuscation via base64 and XOR encryption, and the use of legitimate Windows binaries like certutil.exe for download stagers to bypass application whitelisting. The malware dynamically resolves C2 domains using a DGA (Domain Generation Algorithm) seeded with the current date, and employs process hollowing to inject into Explorer.exe.
📜 History & Notable Incidents
First operational samples of FancyFilter were detected in August 2024, with active campaigns targeting energy, legal, and healthcare sectors in North America and Europe. A notable incident in November 2024 involved the compromise of a U.S. regional healthcare provider, resulting in the exfiltration of over 100 GB of patient records. No CVEs are directly associated with the malware itself, but it exploits publicly known vulnerabilities including CVE-2023-34362 (MOVEit Transfer) for lateral movement in some campaigns. No law enforcement actions have been publicly reported as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include d3b0a1c2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (PE loader) and b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (config extractor). Behavioral signatures include creation of a mutex named Global\FancyFilter_Mutex and the registry key HKCU\Software\FancyFilter\Config. Network IOCs include C2 domains such as fancyfilter-update[.]com and stat-results[.]net, with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0. The malware also writes temporary files to %TEMP%\FancyLogs with a .dat extension.
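As an added example (not code from this page or from Trellix), the indicators above turned into a small Python triage routine run over constructed endpoint and proxy events. The event schema, the pairing of a Run-key write with the FancyLogs directory, and every sample event are assumptions made here for illustration.

```python
"""Match the FancyFilter indicators listed above against endpoint and proxy events.

Added example; the dict-based event schema and all sample events are constructed.
"""
import fnmatch

# Indicators from the page; the defanged C2 domains are restored for matching.
CONFIG_KEY = r"hkcu\software\fancyfilter"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
MUTEX = r"global\fancyfilter_mutex"
C2_DOMAINS = {"fancyfilter-update.com", "stat-results.net"}
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
              "Gecko/20100101 Firefox/115.0")
TEMP_GLOB = r"*\fancylogs\*.dat"          # %TEMP%\FancyLogs\*.dat, case-folded


def match_event(ev: dict) -> list[str]:
    """Return the indicator names an event matches; an empty list means no hit."""
    hits = []
    kind = ev.get("type")
    if kind == "registry":
        key = ev.get("key", "").lower()
        if key.startswith(CONFIG_KEY):
            hits.append("registry_config_key")
        # Run-key writes are routine on any host; only count one whose data points
        # at the FancyLogs staging directory (an assumed pairing, not stated on the page).
        elif key.startswith(RUN_KEY) and fnmatch.fnmatch(ev.get("data", "").lower(), TEMP_GLOB):
            hits.append("run_key_to_fancylogs")
    elif kind == "mutex" and ev.get("name", "").lower() == MUTEX:
        hits.append("mutex")
    elif kind == "file" and fnmatch.fnmatch(ev.get("path", "").lower(), TEMP_GLOB):
        hits.append("temp_dat_file")
    elif kind == "http":
        host = ev.get("host", "").lower().rstrip(".")
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_domain")
            # The User-Agent is an ordinary Firefox 115 string, so it only corroborates
            # a domain hit and is never treated as a hit on its own.
            if ev.get("user_agent") == USER_AGENT:
                hits.append("c2_user_agent")
    return hits


# Constructed sample telemetry: two benign events followed by four FancyFilter-like ones.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "http", "host": "addons.mozilla.org", "user_agent": USER_AGENT},
    {"type": "registry", "key": r"HKCU\Software\FancyFilter\Config", "value": "id", "data": "x"},
    {"type": "mutex", "name": r"Global\FancyFilter_Mutex"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\FancyLogs\clip.dat"},
    {"type": "http", "host": "fancyfilter-update.com", "method": "POST", "user_agent": USER_AGENT},
]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched indicators) for every event with at least one hit."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]
```

Running `triage(SAMPLE_EVENTS)` flags only the last four events; the benign Run-key write and the Firefox request to a legitimate host stay silent.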
☠️ Risk & Impact
FancyFilter poses high risk due to its ability to exfiltrate browser credentials, saved passwords from Chrome and Firefox, cryptocurrency wallet files (e.g., Bitcoin Core, Electrum), and clipboard contents for crypto-address replacement attacks. Affected sectors include finance, healthcare, and legal services, with financial losses estimated in the millions due to credential theft and subsequent ransomware deployment in some incidents. The malware also enables follow-on attacks by selling stolen access on underground markets, amplifying the downstream impact.
🛡️ Mitigation
Defenders should implement application allowlisting to block untrusted .NET executables, enable Attack Surface Reduction (ASR) rules to prevent process hollowing, and deploy YARA rules targeting the unique XOR-encrypted string patterns identified in FancyFilter payloads (e.g., rule FancyFilter_Loader). Regular patching of CVE-2023-38831 and CVE-2022-30190 is critical, along with enforcing multi-factor authentication and blocking outbound HTTPS connections to known malicious domains listed in threat intelligence feeds from Trellix and Proofpoint.