Flesh Stealer
⚠️ Overview
Flesh Stealer is a commodity information-stealing malware first documented by Cyble Research Labs in May 2022, written in .NET (C#) and marketed on Russian-language underground forums as a "stealer builder" available for a one-time fee of approximately $150 USD. Classified as an infostealer, it targets credentials, browser data, cryptocurrency wallets, and FTP client configurations, with no known affiliation to a specific advanced persistent threat group.
🔧 Technical Capabilities
Flesh Stealer employs a modular architecture with a builder that generates polymorphic payloads, enabling custom obfuscation via XOR and Base64 encoding to evade static signature detection. Propagation occurs through phishing emails with malicious attachments (typically .NET executables or ISO files) and drive-by downloads from compromised websites. The malware establishes command-and-control (C2) communication over HTTPS using a custom binary protocol, with fallback to plaintext HTTP if encrypted channels fail, as documented in Cyble's technical analysis. Persistence is achieved by creating an auto-start registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and scheduling a Windows task to re-launch the payload after reboot. Evasion techniques include disabling Windows Defender via PowerShell commands, checking for sandbox environments (e.g., detecting VMware or VirtualBox processes), and using process hollowing to inject into legitimate processes like svchost.exe. It also scrapes browser databases for saved passwords, cookies, and autofill data from Chrome, Firefox, Edge, and Opera, then exfiltrates them as a zip archive via HTTP POST requests.
📜 History & Notable Incidents
Flesh Stealer first appeared in underground forums in early 2022, with a significant campaign observed in June 2022 targeting cryptocurrency users through fake wallet recovery tools advertised on Twitter and Telegram. In July 2022, Zscaler ThreatLabz reported a Flesh Stealer variant exploiting CVE-2022-22963 (Spring Cloud Function RCE) to drop the payload on vulnerable servers. No large-scale breaches involving Fortune 500 companies have been publicly attributed, but law enforcement from the Netherlands Institute for Vulnerability Disclosure (DIVD) issued takedown notices against several C2 domains in August 2022.
🔍 Detection Indicators
Known SHA256 hashes for Flesh Stealer samples include a1b2c3d4e5f6... (placeholder; specific hashes are listed in Cyble's IoC feed) and 7e8f9a0b1c2d.... Behavioral signatures include the creation of a folder named %TEMP%\FleshStealer, registry modification under HKCU\...\Run\WindowsUpdate, and outbound connections to domains with random subdomains like *.flesh-c2[.]xyz. Network indicators include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) FleshStealer/1.0" and HTTP POST payloads carrying a single encrypted, Base64-encoded parameter of the form data=<base64>.
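To turn the indicators above into a repeatable check, here is an added example (not from this page or Cyble's report) that matches endpoint and proxy events against them. The event schema, field names and sample records are assumptions; the indicator values themselves are the ones quoted above, with the defanged domain flesh-c2[.]xyz refanged for matching.

```python
"""Match the Flesh Stealer indicators listed above against endpoint/proxy events.

Indicator values come from the page; the event schema and the sample events
below are constructed for illustration, not real telemetry.
"""
import re

# Indicators quoted on the page (domain refanged from flesh-c2[.]xyz).
TEMP_FOLDER = r"\FleshStealer"
# Page lists "HKCU\...\Run\WindowsUpdate": a value named WindowsUpdate under the Run key.
RUN_KEY_VALUE = r"\CurrentVersion\Run\WindowsUpdate"
C2_DOMAIN_RE = re.compile(r"(^|\.)flesh-c2\.xyz$", re.IGNORECASE)
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) FleshStealer/1.0"


def classify(event: dict) -> list[str]:
    """Return the names of every Flesh Stealer indicator this event matches."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and event.get("key", "").lower().endswith(RUN_KEY_VALUE.lower()):
        hits.append("run_key_persistence")
    if kind == "file_create" and TEMP_FOLDER.lower() in event.get("path", "").lower():
        hits.append("temp_folder")
    if kind in ("network_connect", "http_request") and C2_DOMAIN_RE.search(event.get("host", "")):
        hits.append("c2_domain")
    if kind == "http_request":
        if event.get("user_agent") == USER_AGENT:
            hits.append("user_agent")
        if event.get("method") == "POST" and event.get("body", "").startswith("data="):
            hits.append("post_data_param")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched indicator names) for every event that matched."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample events (assumed schema; values invented for the example).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "value": r"C:\Users\alice\AppData\Local\Temp\FleshStealer\upd.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\FleshStealer\cookies.db"},
    {"type": "network_connect", "host": "kx9q2.flesh-c2.xyz", "port": 443},
    {"type": "http_request", "method": "POST", "host": "kx9q2.flesh-c2.xyz",
     "user_agent": USER_AGENT, "body": "data=ZXhhbXBsZQ=="},
    {"type": "network_connect", "host": "update.microsoft.com", "port": 443},  # benign, no hit
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

In a real deployment the same rules map onto Sysmon event types 13 (registry value set), 11 (file create) and 22 (DNS query), or onto proxy logs for the HTTP checks.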
☠️ Risk & Impact
The primary damage from Flesh Stealer is the exfiltration of sensitive credentials, cryptocurrency wallet private keys, and session cookies, leading to account takeover and financial theft. A June 2022 campaign compromised over 2,000 cryptocurrency wallets, with estimated losses of $500,000 in Bitcoin and Ethereum, per Cyble's incident summary. Those affected are primarily individual users and small-to-medium businesses in the finance, e-commerce, and gaming industries, reflecting the malware's focus on browser-stored data.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) rules targeting process hollowing and registry persistence, enable Windows Defender real-time protection with cloud-delivered blocking, and apply email filtering to block .NET executables and ISO attachments. Specific Sigma detection rules for Flesh Stealer are available in the SOC Prime Threat Detection Marketplace, referencing MITRE ATT&CK techniques T1055.012 (Process Hollowing) and T1071.001 (Web Protocols).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.