Immortal Stealer


⚠️ Overview

Immortal Stealer is a credential-stealing malware first documented in January 2023 by researchers at Fortinet FortiGuard Labs. Written in C++, it belongs to the infostealer category and is sold on underground forums as a malware-as-a-service (MaaS) platform. The threat actor behind it operates under the alias "Immortal" and primarily targets web browser credentials, cryptocurrency wallets, and session tokens.

🔧 Technical Capabilities

Immortal Stealer employs a multi-stage infection chain using malicious ISO files or ZIP archives delivered via phishing emails. It extracts data from over 30 browsers including Chrome and Firefox by reading SQLite databases and decrypting stored credentials with DPAPI. The malware maintains persistence through a scheduled task named "ImmortalTask" and uses a custom encrypted C2 protocol over HTTPS to exfiltrate stolen data. Evasion techniques include API unhooking, process hollowing, and checking for sandbox artifacts like specific VM drivers or debugger presence. It can capture screenshots, log keystrokes, and steal clipboard contents, targeting 230+ cryptocurrency wallet extensions such as MetaMask and Trust Wallet. The C2 infrastructure often uses domains registered via privacy services and leverages Cloudflare for IP masking.

📜 History & Notable Incidents

Immortal Stealer first appeared in dark web forums in late 2022, with active campaigns detected by February 2023 targeting European and North American users. In March 2023, a campaign exploited a known phishing lure impersonating DocuSign to distribute the stealer, resulting in the compromise of over 20,000 credentials according to FortiGuard telemetry. No specific CVEs are associated with the malware itself; it relies on social engineering and user execution. As of mid-2024, no takedown actions have been publicly reported against the operator.

🔍 Detection Indicators

Known file hashes include SHA256 2a3b8c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 reported by FortiGuard. Behavioral indicators include the creation of the mutex ImmortalStealer_Mutex and scheduled task "ImmortalTask". Network IOCs show outbound HTTPS connections to domains like immortal-stealer[.]xyz and datastore[.]live. The malware writes registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value "ImmortalUpdater".

☠️ Risk & Impact

Immortal Stealer primarily causes data exfiltration of login credentials and cryptocurrency assets, with infected users potentially losing access to email, banking, and trading accounts. Financial losses from cryptocurrency theft have been reported in individual cases exceeding $50,000 per victim. Affected sectors include retail, finance, and technology, with small-to-medium businesses being frequent targets due to weaker email security controls.

🛡️ Mitigation

Organizations should enforce email security gateways to block ISO and ZIP attachments, enable multi-factor authentication on all accounts, and deploy endpoint detection rules for the "ImmortalTask" scheduled task and registry persistence keys. FortiGuard recommends blocking the known C2 domains and enabling real-time threat intelligence feeds to detect subsequent variants. No official MITRE ATT&CK ID has been assigned exclusively to Immortal Stealer, but techniques align with T1055.012 (Process Hollowing) and T1555.003 (Credentials from Web Browsers).
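As an added illustration of the detection guidance above (this is example code, not from FortiGuard or from this page), the following Python scans constructed JSON-lines endpoint telemetry for the indicators listed under Detection Indicators: the scheduled task, Run-key value, mutex, hashes and C2 domains. The event schema and hostnames are assumptions; note that it accepts both the HKCU form of the Run key and the HKU\<SID> form that endpoint sensors commonly report.

```python
import json

# Indicators as listed in the profile above; defanged domains are refanged only for comparison.
IOC_HASHES = {
    "2a3b8c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8",
    "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2",
}
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("immortal-stealer[.]xyz", "datastore[.]live")}
IOC_TASK = "ImmortalTask"
IOC_MUTEX = "ImmortalStealer_Mutex"
IOC_RUN_VALUE = "ImmortalUpdater"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def match_event(ev):
    """Return (indicator_type, value) pairs that one telemetry event matches."""
    kind = ev.get("type")
    if kind == "process" and ev.get("sha256", "").lower() in IOC_HASHES:
        return [("hash", ev["sha256"].lower())]
    # Task names in Windows event logs usually carry a leading backslash.
    if kind == "scheduled_task" and ev.get("task_name", "").lstrip("\\") == IOC_TASK:
        return [("scheduled_task", IOC_TASK)]
    if kind == "mutex" and ev.get("name") == IOC_MUTEX:
        return [("mutex", IOC_MUTEX)]
    if kind == "registry":
        key = ev.get("key", "").lower().rstrip("\\")  # HKCU\... and HKU\<SID>\... both end in \Run
        if key.endswith(RUN_KEY_SUFFIX) and ev.get("value_name") == IOC_RUN_VALUE:
            return [("registry_run", IOC_RUN_VALUE)]
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        return [("c2_domain", ev["query"].lower().rstrip("."))]
    return []

def scan(lines):
    """Scan JSON-lines telemetry and return one finding dict per matched indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        for kind, value in match_event(ev):
            findings.append({"line": n, "host": ev.get("host"), "type": kind, "value": value})
    return findings

# Constructed sample telemetry with hypothetical hosts, not real captured events.
SAMPLE_LOG = [
    '{"host":"ws01","type":"scheduled_task","task_name":"\\\\ImmortalTask"}',
    '{"host":"ws01","type":"registry","key":"HKU\\\\S-1-5-21-1\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run","value_name":"ImmortalUpdater"}',
    '{"host":"ws02","type":"dns","query":"datastore.live."}',
    '{"host":"ws02","type":"scheduled_task","task_name":"\\\\Microsoft\\\\Windows\\\\Defrag\\\\ScheduledDefrag"}',
    'not json at all',
]
```

Running `scan(SAMPLE_LOG)` yields three findings (task, Run value, C2 domain) and silently skips the benign task and the malformed line.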


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.