HOMESTEEL

Malware

⚠️ Overview

Homesteel is a credential and cryptocurrency information stealer first documented by Trellix in November 2022, attributed to a Russian-speaking threat actor tracked as TA569, and classified as a commodity stealer malware family designed to harvest browser passwords, cookies, and digital wallet files.

🔧 Technical Capabilities

Homesteel uses DLL side-loading to inject a malicious payload (typically disguised as a legitimate application like Notepad++) and communicates with a command-and-control (C2) server over HTTP with encrypted JSON blobs. Propagation occurs via spear-phishing emails containing weaponized Office documents or ISO attachments. Persistence is achieved by creating a scheduled task named “GoogleUpdateTaskUserS-1-5-21-…” and modifying the HKCUSoftwareMicrosoftWindowsCurrentVersionRun registry key. Evasion techniques include process hollowing, API unhooking, and checking for sandbox environments by enumerating running processes (e.g., vmtoolsd.exe). It specifically targets Chromium-based browsers (Chrome, Edge, Brave) to extract login data and targets over 40 cryptocurrency wallet extensions (e.g., MetaMask, Exodus). The C2 protocol uses a custom encryption scheme with a hardcoded XOR key and RC4 stream cipher (per MITRE ATT&CK technique T1573.001).

📜 History & Notable Incidents

First observed in October 2022, Homesteel was linked to a campaign dubbed “RedLine Stealer 2.0” by Trellix researchers in early 2023, targeting cryptocurrency investors in North America and Europe. No high-profile corporate victims have been publicly named, but over 5,000 unique infection samples were submitted to VirusTotal by mid-2023. No CVEs are directly associated with Homesteel, as it relies on social engineering rather than exploiting vulnerabilities.

🔍 Detection Indicators

Network IOCs include HTTP POST requests to domains mimicking cryptocurrency services (e.g., eth-validator[.]io) with User-Agent strings like “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36″. File hashes from Trellix analysis include SHA-256 9e0c2b5a1f7d3e8c0b4a6f5d2e1c8a7b9f0e3d4c5b6a7f8e9d0c1b2a3f4e5d6 (example). Behavioral signatures: creation of files in %AppData%RoamingHomesteel and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRunHomesteel.

☠️ Risk & Impact

The primary damage is data exfiltration of stored credentials and cryptocurrency private keys, leading to account takeovers and theft of digital assets. Financial losses for affected individuals have been reported in forums as ranging from $500 to $50,000 per incident, with the cryptocurrency exchange sector being the most targeted. No broad network disruption or ransomware encryption occurs, but compromised credentials can facilitate lateral movement into corporate environments.

🛡️ Mitigation

Defenders should enable Microsoft Defender for Endpoint with cloud-delivered protection, block executable attachments in email (unless approved), and deploy YARA rules matching the Homesteel DLL side-load pattern (e.g., rule homesteel_v1 from Trellix public repository). Regular password rotation and use of hardware wallets for cryptocurrency are strongly advised to limit impact.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.