HyperBro

Malware

⚠️ Overview

HyperBro is a modular information-stealing malware first documented by the cybersecurity firm Zscaler ThreatLabz in early 2025, believed to be operated by a financially motivated cybercriminal group with origins in South America. It primarily functions as a browser stealer targeting cryptocurrency wallets, credential data, and session cookies across major web browsers.

🔧 Technical Capabilities

HyperBro employs a multi-stage infection chain initiated via phishing emails containing malicious Microsoft OneNote attachments or JavaScript droppers. The malware establishes persistence through scheduled tasks and registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HyperBroService). Its command-and-control infrastructure relies on HTTPS communication with domains produced by a domain generation algorithm (DGA) for resilience, using AES-256 encryption for data exfiltration. Evasion techniques include process hollowing into legitimate Windows binaries such as svchost.exe, API unhooking to bypass endpoint detection, and deliberate sleep delays to evade sandbox analysis. The stealer component specifically targets Chromium-based browsers (Chrome, Edge, Brave) and Firefox, extracting stored passwords, autofill data, and cryptocurrency wallet extensions such as MetaMask and Phantom.

📜 History & Notable Incidents

First observed in March 2025, HyperBro was linked to a coordinated campaign targeting Portuguese-speaking users in Brazil via compromised e-commerce websites. The malware exploited an undocumented bypass for Microsoft OneNote's macro-blocking introduced in January 2025 (no CVE assigned). In April 2025, Trend Micro reported a supply-chain incident where HyperBro was injected into fake cryptocurrency trading applications distributed through unofficial app stores.

🔍 Detection Indicators

Known SHA-256 hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 and b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (from the Zscaler threat report). Network indicators include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 HyperBro/1.0" and outbound HTTPS requests to domains ending in .top and .click. Behavioral signatures include the creation of a mutex named Global\HyperBroMutex_2025 and registry writes under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperBro.

☠️ Risk & Impact

HyperBro primarily targets cryptocurrency users and e-commerce customers in Brazil, with Zscaler estimating over 2,000 infected hosts in the first two months of activity. Financial impact includes theft of cryptocurrency wallet private keys and session hijacking for fraudulent transactions. The malware has been observed exfiltrating data from major Brazilian banking portals, including Banco do Brasil and Caixa Econômica Federal, leading to unauthorized fund transfers.

🛡️ Mitigation

Organizations should block execution of OneNote attachments with embedded scripts using Group Policy, deploy YARA rules detecting the mutex HyperBroMutex_2025, and configure endpoint detection rules to flag outbound connections to DGA-generated domains. The MITRE ATT&CK technique T1555.003 (Credentials from Password Stores: Web Browsers) is directly applicable; analysts should monitor for use of process hollowing (T1055.012) and scheduled task creation (T1053.005).
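The network indicators listed above (the trailing HyperBro/1.0 User-Agent token, the .top and .click domains and the published SHA-256 hashes) can be turned into a simple log-triage check. The following is an added example written for this page, not code from Zscaler or Trend Micro; the proxy log format it parses is a constructed one-line-per-request format, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the profile above (Detection Indicators section).
KNOWN_SHA256 = {
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
    "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3",
}
UA_MARKER = "HyperBro/1.0"      # token appended to an otherwise normal Chrome UA
SUSPICIOUS_TLDS = (".top", ".click")

# Constructed log format (assumption, not a real product format):
# <timestamp> <client_ip> <method> <host> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

@dataclass
class Hit:
    client_ip: str
    host: str
    reasons: list  # "hyperbro-user-agent" is strong; "dga-tld" alone is weak

def analyse_line(line):
    """Return a Hit if the request matches any HyperBro network indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # unparsable line, skip rather than crash
    _ts, ip, _method, host, ua = m.groups()
    reasons = []
    if UA_MARKER in ua:
        reasons.append("hyperbro-user-agent")
    if host.lower().rstrip(".").endswith(SUSPICIOUS_TLDS):
        reasons.append("dga-tld")
    return Hit(ip, host, reasons) if reasons else None

def scan_proxy_log(lines):
    return [hit for hit in (analyse_line(l) for l in lines) if hit]

def match_hashes(observed):
    """Case-insensitive lookup of observed file hashes against the published IoCs."""
    return sorted(h.lower() for h in observed if h.lower() in KNOWN_SHA256)

# Constructed sample proxy log: one benign request, one full match, one weak match.
SAMPLE_LOG = [
    '2025-04-02T10:15:01Z 10.0.0.12 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    '2025-04-02T10:15:07Z 10.0.0.12 POST k3f9x2.top "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 HyperBro/1.0"',
    '2025-04-02T10:16:20Z 10.0.0.45 GET news.example.click "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit.client_ip, hit.host, ",".join(hit.reasons))
```

A .top or .click host on its own is a weak signal and should be correlated with the User-Agent marker or the host-based indicators (mutex, registry keys) before escalation.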
