FFDroider (malware)
⚠️ Overview
FFDroider is a Windows information stealer first documented publicly by Zscaler ThreatLabz in April 2022. It harvests saved credentials and session cookies from web browsers and then uses the stolen cookies to log in to the victim's social-media and e-commerce accounts; Facebook, Instagram, Twitter, Amazon, eBay and Etsy were the targets named in the original report. Zscaler did not attribute it to a named threat actor: "TA569" is Proofpoint's designation for the SocGholish (fake browser update) operators, and no public reporting ties FFDroider to that group. The documented distribution vector is cracked software, freeware and torrent download sites, with the installer disguised as the Telegram Desktop client.
🔧 Technical Capabilities
FFDroider reads the browsers' own credential stores rather than exploiting any flaw: saved logins from the SQLite file `Login Data` (table `logins`) and cookies from the `Cookies` file (table `cookies`) of Chrome, Chromium and Edge (other Chromium-based browsers such as Brave and Opera use the same on-disk format), plus the Firefox (`logins.json`, `cookies.sqlite`) and Internet Explorer equivalents. On Windows the sensitive columns are protected with DPAPI, or with an AES-GCM key that is itself DPAPI-wrapped in the profile's `Local State` file; either is recoverable by any process running as the logged-in user, so the stealer decrypts them with CryptUnprotectData and replays the cookies against Facebook, Instagram, Twitter, Amazon, eBay and Etsy to collect account, ads-manager and payment details. Some write-ups also describe theft of Telegram Desktop and Discord session data from %APPDATA%\Telegram Desktop and %APPDATA%\discord; in the Zscaler analysis Telegram figures only as the installer's disguise. Persistence is achieved through a scheduled task created with schtasks or a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Reported evasion includes checks for analysis-tool processes (Wireshark, Procmon, OllyDbg) and API unhooking to bypass user-mode hooks placed by security products. The malware talks to its C2 over HTTP POST; the claim that exfiltrated data is JSON encrypted with AES-256 is not corroborated by the original report and should be treated as unconfirmed.
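To make concrete what "reading the SQLite stores" exposes, the Python script below is an added illustration; it is not FFDroider code and not from Zscaler. It builds a constructed Chromium profile using the real `logins` and `cookies` table layout (a subset of the columns), fills it with invented hosts and dummy encrypted blobs, and then performs the triage a responder does after a stealer infection: classify each protected value by Chromium's prefix (legacy DPAPI blob header, `v10` AES-GCM keyed from `Local State`, `v20` app-bound encryption) and list which still-live sessions and saved logins a user-context process could have decrypted, so those can be revoked server-side. Nothing is decrypted; every host, username and blob in it is made up.

```python
"""Post-infection triage of a Chromium profile (added example, not FFDroider code).

'Login Data' holds table 'logins'; 'Cookies' (under Network\ since Chrome 96) holds
table 'cookies'. On Windows the secret columns are either a per-user DPAPI blob or,
since Chrome 80, AES-256-GCM under a key stored DPAPI-wrapped in 'Local State'
('v10' prefix). Both unwrap for any code running as the logged-in user. 'v20' marks
app-bound encryption (Chrome 127+), which a plain user process cannot unwrap.
"""
import os
import sqlite3
import tempfile
from collections import Counter

DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")  # version 1 + provider GUID
EPOCH_DELTA_US = 11_644_473_600 * 1_000_000   # Chromium timestamps: microseconds since 1601-01-01
USER_RECOVERABLE = ("aes-gcm-v10", "dpapi")

# Column subsets of the real schemas, enough for triage.
LOGINS_DDL = ("CREATE TABLE logins (origin_url TEXT NOT NULL, username_value TEXT, "
              "password_value BLOB, date_created INTEGER NOT NULL, "
              "date_last_used INTEGER NOT NULL DEFAULT 0)")
COOKIES_DDL = ("CREATE TABLE cookies (host_key TEXT NOT NULL, name TEXT NOT NULL, "
               "value TEXT NOT NULL, encrypted_value BLOB, path TEXT NOT NULL, "
               "expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, "
               "is_httponly INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1)")


def classify_blob(blob):
    """Name the protection Chromium applied to an encrypted column value."""
    if not blob:
        return "empty"
    if blob[:3] == b"v10":
        return "aes-gcm-v10"    # key in Local State, DPAPI-wrapped: user-recoverable
    if blob[:3] == b"v20":
        return "app-bound-v20"  # key released only to the browser via an elevated service
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"          # legacy per-user DPAPI blob: user-recoverable
    return "unknown"


def chromium_time_to_unix(us):
    return (us - EPOCH_DELTA_US) / 1_000_000


def build_sample_profile(profile_dir):
    """Write a constructed profile: real table layout, invented hosts, dummy blobs."""
    fake_gcm = b"v10" + bytes(12) + bytes(32)   # nonce || ciphertext+tag shape, no real secret
    fake_dpapi = DPAPI_HEADER + bytes(64)
    db = sqlite3.connect(os.path.join(profile_dir, "Login Data"))
    db.execute(LOGINS_DDL)
    db.executemany("INSERT INTO logins VALUES (?,?,?,?,?)", [
        ("https://www.facebook.com/", "alice@example.com", fake_gcm, 13300000000000000, 0),
        ("https://www.etsy.com/", "alice", fake_dpapi, 13200000000000000, 0),
        ("https://old.example.net/", "bob", b"", 13100000000000000, 0),
    ])
    db.commit()
    db.close()
    os.makedirs(os.path.join(profile_dir, "Network"), exist_ok=True)
    db = sqlite3.connect(os.path.join(profile_dir, "Network", "Cookies"))
    db.execute(COOKIES_DDL)
    db.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", [
        ("www.facebook.com", "c_user", "", fake_gcm, "/", 13400000000000000, 1, 1, 1),
        (".instagram.com", "sessionid", "", fake_gcm, "/", 13400000000000000, 1, 1, 1),
        (".example.org", "_ga", "", fake_gcm, "/", 12000000000000000, 0, 0, 1),  # long expired
        ("shop.example", "cart", "", fake_gcm, "/", 0, 1, 0, 0),                  # session cookie
    ])
    db.commit()
    db.close()
    return profile_dir


def triage_profile(profile_dir, now_unix):
    """What a user-context stealer could have taken: saved logins and still-live cookies."""
    report = {"logins": [], "live_cookies": [], "schemes": Counter()}
    db = sqlite3.connect(os.path.join(profile_dir, "Login Data"))
    for origin, user, blob in db.execute(
            "SELECT origin_url, username_value, password_value FROM logins"):
        scheme = classify_blob(blob)
        report["schemes"][scheme] += 1
        report["logins"].append((origin, user, scheme))
    db.close()
    db = sqlite3.connect(os.path.join(profile_dir, "Network", "Cookies"))
    rows = db.execute("SELECT host_key, name, encrypted_value, expires_utc, is_secure, "
                      "is_httponly, has_expires FROM cookies")
    for host, name, blob, exp, secure, httponly, has_exp in rows:
        scheme = classify_blob(blob)
        report["schemes"][scheme] += 1
        # Session cookies (has_expires = 0) stay valid until the browser exits; a stolen
        # copy is usable meanwhile. Persistent cookies are valid until expires_utc.
        if not has_exp or chromium_time_to_unix(exp) > now_unix:
            report["live_cookies"].append((host, name, scheme, bool(secure), bool(httponly)))
    db.close()
    return report


def hosts_to_revoke(report):
    """Hosts whose sessions and saved passwords to invalidate server-side."""
    hosts = {h.lstrip(".") for h, _, s, _, _ in report["live_cookies"] if s in USER_RECOVERABLE}
    hosts |= {o.split("/")[2] for o, _, s in report["logins"] if s in USER_RECOVERABLE}
    return sorted(hosts)


def demo(now_unix):
    """Build the constructed profile in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        report = triage_profile(build_sample_profile(d), now_unix)
    return report, hosts_to_revoke(report)


if __name__ == "__main__":
    import time
    report, revoke = demo(time.time())
    print(report["schemes"], "\nrevoke:", revoke)
```

The `v20` branch is the one that matters for the risk picture: a stealer running as the user can unwrap `v10` and DPAPI values but not app-bound ones, which is why keeping browsers current is listed under mitigation. On a real host you would point `triage_profile` at a copy of the user's profile directory rather than at the constructed one.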
📜 History & Notable Incidents
Samples date from early 2022 and Zscaler ThreatLabz published its analysis in April 2022. The stealer reportedly gained prominence in a mid-2022 campaign that generated on the order of 30,000 detections a day, mostly against users in the United States, India and Brazil. No high-profile corporate victim has been publicly named, but the malware was linked to credential theft leading to account takeovers on social-media and gaming platforms. No CVE applies: FFDroider exploits no software vulnerability, it relies on browser credential stores being decryptable by any code running as the user.
🔍 Detection Indicators
Sample hashes should be taken from the Zscaler ThreatLabz report or from VirusTotal directly. Two values that circulate for FFDroider are filler, not indicators: MD5 1a2b3c4d5e6f7890abcdef1234567890 is a hex sequence, and SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the digest of an empty file, so it matches no malware sample. Behavioural indicators attributed to the stealer include scheduled tasks named "UpdaterTask" or "ChromiumUpdate" and HTTP POST traffic to addresses in 185.234.72.0/24 (per Sectrio); task names and infrastructure change between builds, so alert on a task or Run-key target that points into a user-writable directory rather than on the name. A mutex Global\FFDR_Installer_Mutex has been reported. The User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" is the stock Chrome 96 string and is not distinctive on its own; it becomes useful only when emitted by a process that is not a browser.
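Because task names, mutexes and user-agents are trivially changed between builds, the added Python example below (not from any vendor report) detects the persistence pattern instead: a Run-key value or a `schtasks /create` action that points into a user-writable directory, especially when the process setting it also runs from one. Field names follow Sysmon's (EventID 13 = registry value set, EventID 1 = process creation); the events themselves, including paths, SIDs and task names, are constructed for the example.

```python
"""Persistence-pattern detection for Run keys and scheduled tasks (added example).

Input events are dicts with Sysmon field names. All sample events are constructed.
"""
import re

RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories a process running as a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|LocalLow|Roaming)|Users\\[^\\]+\\Downloads|Users\\Public"
    r"|Windows\\Temp|ProgramData)\\", re.I)


def launched_image(command):
    """Executable a Run-key value launches: the quoted path, else the first token.

    An unquoted path containing spaces is ambiguous here exactly as it is to
    CreateProcess, so the heuristic takes the first token.
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def schtasks_target(command_line):
    """Action (/tr value) of a schtasks command line, with nested \\" unescaped."""
    m = re.search(r'/tr\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', command_line, re.I)
    if not m:
        return None
    value = (m.group(1) if m.group(1) is not None else m.group(2)).replace('\\"', '"')
    return launched_image(value) if value.startswith('"') else value


def evaluate(event):
    """Return a finding for one event, or None."""
    if event["EventID"] == 13 and RUN_KEY_RE.search(event["TargetObject"]):
        target = launched_image(event["Details"])
        if USER_WRITABLE_RE.search(target):
            return {"rule": "run-key-persistence-user-writable",
                    "key": event["TargetObject"], "target": target, "actor": event["Image"]}
    if (event["EventID"] == 1
            and event["Image"].lower().endswith("\\schtasks.exe")
            and re.search(r"/create\b", event["CommandLine"], re.I)):
        target = schtasks_target(event["CommandLine"])
        if target and USER_WRITABLE_RE.search(target):
            return {"rule": "schtasks-persistence-user-writable",
                    "target": target, "actor": event["ParentImage"]}
    return None


def scan(events):
    return [f for f in map(evaluate, events) if f is not None]


# Constructed events: a dropper in %TEMP% persists twice, followed by benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\TelegramSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\Updater\upd.exe" --silent'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\TelegramSetup.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Sync '
                    r'/tr "C:\Users\alice\AppData\Roaming\Updater\upd.exe" /f'},
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /query /fo list"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Windows Security event 4698 ("A scheduled task was created") carries the task XML and can feed the same `USER_WRITABLE_RE` check on its `<Command>` element; the Sysmon form is used here because it also names the creating process, which is what separates a dropper from an administrator.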
☠️ Risk & Impact
FFDroider enables session hijacking and credential theft. Because a stolen session cookie is presented after authentication has already happened, it bypasses MFA entirely and grants whatever the victim's logged-in session could reach: social-media accounts (Facebook Ads Manager and its stored payment methods were an explicit target in the original report), e-commerce accounts, and any web console the user was signed in to, such as a WordPress dashboard, Google Workspace, Discord or Telegram. Affected parties are mainly individual consumers and small-to-medium businesses; losses come from fraudulent ad spend and purchases and, where wallet extensions or exchange sessions were present, cryptocurrency theft. Compromised accounts were reportedly sold on criminal forums for $50–$200 each.
🛡️ Mitigation
Organizations should enforce multi-factor authentication (MFA) on all internet-facing services, while recognising that MFA does not protect a session whose cookie has already been stolen: after an infection, revoke all active sessions and rotate every password the browser had saved. Deploy EDR with behavioural rules for Run-key writes and scheduled-task creation from user-writable paths (Windows Security event 4698 and Sysmon event IDs 1 and 13 carry the needed fields, and the public Sigma rule repository has rules for both patterns), and use AppLocker or WDAC to keep unsigned binaries in %APPDATA% and %TEMP% from executing, which stops the installer before it can persist. Users should obtain software only from vendor sites, avoid cracked installers, keep browsers current (Chrome 127+ app-bound encryption puts cookie keys out of reach of a plain user-context process), and prefer a dedicated password manager to browser-saved passwords.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.