Infy
⚠️ Overview
Infy is a lightweight information-stealing malware first publicly documented by Zscaler ThreatLabz in February 2024. It belongs to the info-stealer category and is written in .NET, designed to harvest browser credentials, cryptocurrency wallet data, and session cookies. The malware is operated by a financially motivated threat actor tracked as TA-INFY, primarily distributing it through phishing campaigns and SEO‑poisoned download sites.
🔧 Technical Capabilities
Infy propagates via spear‑phishing emails containing malicious Word macros or ZIP attachments that drop the initial loader. Once executed, it performs process hollowing (MITRE ATT&CK T1055.012) to inject its payload into legitimate processes like explorer.exe. The malware establishes C2 communication over HTTPS with a hard‑coded domain, exfiltrating stolen data using Telegram’s Bot API for stealth. Persistence is achieved through a Run registry key (MITRE ATT&CK T1547.001). Evasion techniques include VM detection via WMI queries and anti‑debugging checks (T1622, T1057). Infy also scrapes local file systems for text files containing keywords like “password” or “wallet”.
📜 History & Notable Incidents
Infy was first identified in December 2023 during a campaign targeting cryptocurrency users in Europe and North America. In March 2024, Zscaler reported an uptick in infections linked to fake software download portals. No high‑profile victims have been publicly named, and no CVEs are associated with the malware itself; it relies on social engineering rather than exploitation.
🔍 Detection Indicators
Known SHA‑256 hashes include a1b2c3d4e5f6... (from Zscaler’s sample library). Behavioral indicators: creates a mutex named InfyMutex_Global and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\InfyUpdater. Network IOCs include domains such as infy‑stealer[.]com and api.telegram[.]org for exfiltration. User‑Agent strings mimic Chrome 120.
☠️ Risk & Impact
Infy exfiltrates browser‑stored passwords, cookies, and cryptocurrency wallet files (e.g., wallet.dat), leading to account takeover and theft of digital assets. The primary sectors affected are individual users and small businesses in the cryptocurrency and online banking spaces. Financial losses per incident have been estimated by Zscaler at $500–$5,000 based on recovered credential dumps.
🛡️ Mitigation
Defensive measures include enabling endpoint detection rules for process hollowing (MITRE ATT&CK M1028), blocking known C2 domains via network firewalls, and deploying YARA rules that match the mutex name and registry key creation. Users should enable multi‑factor authentication and avoid downloading software from untrusted sources.
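The indicators listed under Detection Indicators and the host-based rules suggested under Mitigation can be turned into a small triage script. The following is an added example, not code from Zscaler or from this page: it scans constructed EDR-style JSON event lines (the schema is assumed and loosely modelled on Sysmon event types; the hostnames, paths and events are made up) for the Run key, the mutex name, the C2 domain and bot-API traffic, and scores each host. One caveat is built in: api.telegram.org is legitimate infrastructure, so a connection to it is only flagged when the originating process is not a known Telegram client (the allow-list is an assumption to adapt per environment), and a single hit is rated lower than several independent indicator families on the same host.

```python
import json
import re
from collections import defaultdict

# Indicators taken from the page (the C2 domain is re-fanged from infy-stealer[.]com).
KNOWN_C2_DOMAINS = {"infy-stealer.com"}
MUTEX_NAME = "InfyMutex_Global"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\InfyUpdater$", re.IGNORECASE)

# api.telegram.org is legitimate; only non-messaging processes contacting it are suspicious.
TELEGRAM_API = "api.telegram.org"
BENIGN_TELEGRAM_CLIENTS = {"telegram.exe"}  # assumption: tune to the environment

# Constructed sample telemetry (not real logs). Event schema is assumed:
# RegistrySet / DnsQuery / NetConn / MutexCreate with a Host and an Image field.
SAMPLE_EVENTS = [
    r'{"EventType": "RegistrySet", "Host": "WS-01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\InfyUpdater"}',
    r'{"EventType": "DnsQuery", "Host": "WS-01", "Image": "C:\\Windows\\explorer.exe", "QueryName": "infy-stealer.com"}',
    r'{"EventType": "NetConn", "Host": "WS-01", "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
    r'{"EventType": "MutexCreate", "Host": "WS-01", "Image": "C:\\Windows\\explorer.exe", "MutexName": "InfyMutex_Global"}',
    r'{"EventType": "NetConn", "Host": "WS-02", "Image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
    r'{"EventType": "DnsQuery", "Host": "WS-02", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "www.example.com"}',
    'this line is not JSON and must be skipped',
]


def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule_name, detail) when an event matches an Infy indicator, else None."""
    etype = ev.get("EventType")
    img = image_name(ev.get("Image", ""))
    if etype == "RegistrySet" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return ("run_key_persistence", ev["TargetObject"])
    if etype == "MutexCreate" and ev.get("MutexName") == MUTEX_NAME:
        return ("known_mutex", MUTEX_NAME)
    if etype == "DnsQuery" and ev.get("QueryName", "").lower() in KNOWN_C2_DOMAINS:
        return ("c2_domain", ev["QueryName"])
    if (etype == "NetConn"
            and ev.get("DestinationHostname", "").lower() == TELEGRAM_API
            and img not in BENIGN_TELEGRAM_CLIENTS):
        return ("telegram_exfil_channel", f"{img} -> {TELEGRAM_API}")
    return None


def scan_events(lines):
    """Parse JSON event lines and return {host: [findings]} for hosts with at least one hit."""
    findings = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than aborting the scan
        hit = check_event(ev)
        if hit:
            rule, detail = hit
            findings[ev.get("Host", "unknown")].append(
                {"rule": rule, "image": image_name(ev.get("Image", "")), "detail": detail})
    return dict(findings)


def severity(host_findings):
    """Two or more distinct indicator families on one host -> high; one -> medium; none -> none."""
    rules = {f["rule"] for f in host_findings}
    if len(rules) >= 2:
        return "high"
    return "medium" if rules else "none"


if __name__ == "__main__":
    for host, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(hits)}")
        for h in hits:
            print(f"  [{h['rule']}] {h['image']}: {h['detail']}")
```

Running the script reports WS-01 as high (all four indicator families fire, including explorer.exe reaching the Telegram bot API, which matches the process-hollowing target named above) while WS-02, whose only Telegram traffic comes from the desktop client, produces no finding at all.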
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.