ISR Stealer

Stealer

⚠️ Overview

ISR Stealer is a C#-based information-stealing malware first documented in early 2023 by Cyble Research Labs, primarily targeting credentials, browser data, cryptocurrency wallets, and system information. It operates as a commodity stealer sold on underground forums for roughly $50–$100 per build, attributed to a Russian-speaking threat actor known as "ISR."

🔧 Technical Capabilities

ISR Stealer collects data from over 20 Chromium- and Gecko-based browsers, extracts FTP client credentials (FileZilla, WinSCP), and steals cryptocurrency wallet files (e.g., Bitcoin Core, Exodus, Electrum) by scanning a hard-coded list of directory paths. It uses the Telegram Bot API for command-and-control (C2): the collected data is packed into a ZIP archive and sent to the operator's Telegram channel with an HTTP POST to api.telegram.org. Persistence is a registry Run value named "ISRStealer" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion consists of an IsDebuggerPresent check, sandbox detection based on hardware and software artifacts (low RAM, small disk), and a delay of up to 15 seconds before the main routine runs. The malware also exits when it detects a Russian or Belarusian keyboard layout, to avoid infecting victims in the operator's own region. It spreads primarily through spear-phishing emails carrying malicious attachments (VBA macros or ISO files) and through cracked software offered on torrent sites.
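The C2 channel described above is the one network behaviour a defender can pin down: every push of stolen data is an HTTPS request to api.telegram.org whose path has the documented Bot API shape https://api.telegram.org/bot<token>/<method>, where <token> is "<numeric bot id>:<secret>". The following detector is an added example, not code from the original page or from any ISR Stealer sample. It runs over constructed proxy log lines; the key=value log format, the process allowlist (alertbot.exe) and the bot tokens are all hypothetical.

```python
"""Flag Telegram Bot API traffic that matches the stealer's C2 pattern.

Added example for this page, not code from the original page or from any
ISR Stealer sample. Log lines, tokens and the process allowlist are
constructed/hypothetical. The URL shape is the documented Bot API format.
"""
import re

# bot<id>:<secret>/<method>; real secrets are longer than 20 chars, so a
# short value is treated as noise rather than a token.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
# Methods that push data out of the host; sendDocument carries the ZIP.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Hypothetical: the one internal tool permitted to use the Bot API.
ALLOWED_PROCESSES = {"alertbot.exe"}

# Constructed proxy log lines. url is "-" when TLS was not inspected and
# only the SNI host was visible to the proxy.
LOGS = [
    "ts=2023-03-28T10:01:02Z proc=outlook.exe method=GET host=outlook.office365.com url=https://outlook.office365.com/owa/",
    "ts=2023-03-28T10:01:09Z proc=svchost.exe method=POST host=api.telegram.org url=https://api.telegram.org/bot5123456789:AAHx7_ZQm4kLpN1RsT9vWxY2cDeFgHiJkLm/sendDocument",
    "ts=2023-03-28T10:01:15Z proc=alertbot.exe method=POST host=api.telegram.org url=https://api.telegram.org/bot6123456789:AAGa1bC2dE3fG4hI5jK6lM7nO8pQ9rS0tUv/sendMessage",
    "ts=2023-03-28T10:01:40Z proc=svchost.exe method=GET host=api.telegram.org url=https://api.telegram.org/bot5123456789:AAHx7_ZQm4kLpN1RsT9vWxY2cDeFgHiJkLm/getUpdates",
    "ts=2023-03-28T10:02:00Z proc=photo.exe method=POST host=api.telegram.org url=-",
]


def parse_bot_api_url(url):
    """Return {'bot_id', 'secret', 'method'} for a Bot API URL, else None."""
    m = BOT_API_RE.match(url)
    return None if m is None else m.groupdict()


def parse_log_line(line):
    """Split a constructed 'k=v k=v' line into a dict (URLs contain no spaces)."""
    return dict(part.split("=", 1) for part in line.split() if "=" in part)


def find_c2_hits(lines):
    """Two tiers: 'high' when a non-allowlisted process POSTs to a data-pushing
    Bot API method; 'medium' when such a process reaches api.telegram.org but
    the request could not be classified (no TLS inspection, or a polling call)."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        proc = f.get("proc", "").lower()
        if proc in ALLOWED_PROCESSES or f.get("host") != "api.telegram.org":
            continue
        parsed = parse_bot_api_url(f.get("url", ""))
        if parsed is not None and parsed["method"] in EXFIL_METHODS and f.get("method") == "POST":
            hits.append({
                "confidence": "high",
                "process": proc,
                "bot_id": parsed["bot_id"],
                "method": parsed["method"],
                # Report only a prefix: the full token is the operator's C2
                # credential and should live in the case file, not in alerts.
                "token_prefix": parsed["bot_id"] + ":" + parsed["secret"][:4],
            })
        else:
            hits.append({"confidence": "medium", "process": proc,
                         "bot_id": None, "method": None, "token_prefix": None})
    return hits


if __name__ == "__main__":
    for h in find_c2_hits(LOGS):
        print(h)
```

The medium tier exists because most proxies only see the SNI unless TLS inspection is on; a non-allowlisted process talking to api.telegram.org at all is still worth an alert, but the bot id and method only become available with the full URL. The bot id recovered from a high-confidence hit is the same across every victim of one build, so it is a better pivot than the file hash.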

📜 History & Notable Incidents

The first public analysis of ISR Stealer appeared in March 2023 from Cyble, followed by further reports from Trend Micro's Zero Day Initiative in April 2023. No high-profile corporate victims have been publicly named, but the malware has been observed in campaigns that also distributed RedLine Stealer, and bundled with Lumma Stealer so that both families exfiltrate from the same host. No specific CVEs are exploited; the malware depends on the victim opening the lure rather than on a software vulnerability.

🔍 Detection Indicators

The source lists one file hash for the Cyble-reported variant, SHA256: 3a9b8c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a. As printed, that value is 62 hex characters rather than 64 and follows a sequential pattern, so it is not a valid SHA-256 and should be checked against the original report before it is loaded as an indicator. Behavioral signatures are more dependable: creation of %TEMP%\ISR_Stealer.zip, outbound HTTPS connections to api.telegram.org from a process that has no business talking to Telegram, and the mutex name ISRStealerMutex. The User-Agent reported for the C2 requests, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36, is a stock Chrome 110 string and only discriminates in combination with the destination and the originating process.
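The host-side indicators above (the Run value, the staging archive, the mutex, and the hash) map onto endpoint telemetry in a way that is easy to get wrong: Sysmon records HKCU keys as HKU\<SID>\..., the archive path is only meaningful relative to the user's Temp directory, and a malformed hash silently matches nothing. The following triage routine is an added example, not code from the original page or from any sample. The events are constructed in a Sysmon-like shape (EventID 1 process create, 11 file create, 13 registry value set); the mutex names come from a constructed handle listing, because Sysmon does not log mutex creation; the SID, user name and file names are made up.

```python
"""Match ISR Stealer host indicators against endpoint telemetry.

Added example for this page, not code from the original page or from any
sample. Events, mutex list, SID and file names are constructed.
"""
import hashlib
import re

# Indicators from the page. HKCU appears as HKU\<SID> in Sysmon's
# TargetObject, so the key path is matched relative to the hive root.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ISRStealer$", re.IGNORECASE)
STAGING_ZIP_RE = re.compile(r"\\Temp\\ISR_Stealer\.zip$", re.IGNORECASE)
MUTEX_NAME = "ISRStealerMutex"

# The hash exactly as printed on the page (62 hex characters, so invalid),
# and a stand-in 64-character value used only so the demo has a hit.
PAGE_HASH = "3a9b8c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a"
SAMPLE_SHA256 = hashlib.sha256(b"constructed stand-in sample").hexdigest()

EVENTS = [  # constructed Sysmon-like events
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Invoice_0328.exe",
     "Hashes": "MD5=00000000000000000000000000000000,SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\Invoice_0328.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ISRStealer",
     "Details": r"C:\Users\alice\AppData\Roaming\Invoice_0328.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Invoice_0328.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\ISR_Stealer.zip"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.zip"},
]
MUTEXES = [  # constructed handle listing from the suspect process
    r"\Sessions\1\BaseNamedObjects\ISRStealerMutex",
    r"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex",
]


def is_valid_sha256(value):
    """True only for exactly 64 hex digits; rejects truncated or placeholder values."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def load_hash_iocs(candidates):
    """Return (valid set, rejected list) so bad indicators are reported, not dropped silently."""
    good, bad = set(), []
    for c in candidates:
        if is_valid_sha256(c):
            good.add(c.lower())
        else:
            bad.append((c, f"expected 64 hex chars, got {len(c)}"))
    return good, bad


def sha256_from_hashes_field(field):
    """Sysmon's Hashes field is 'ALG=value,ALG=value' in configured order."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_events(events, mutexes, hash_iocs):
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and sha256_from_hashes_field(ev.get("Hashes", "")) in hash_iocs:
            hits.append({"rule": "known_hash", "image": ev["Image"], "detail": ev["Hashes"]})
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append({"rule": "persistence_run_key", "image": ev["Image"],
                         "detail": ev["TargetObject"], "payload": ev.get("Details")})
        elif eid == 11 and STAGING_ZIP_RE.search(ev.get("TargetFilename", "")):
            hits.append({"rule": "staging_archive", "image": ev["Image"], "detail": ev["TargetFilename"]})
    for m in mutexes:
        if m.rsplit("\\", 1)[-1] == MUTEX_NAME:
            hits.append({"rule": "mutex", "image": None, "detail": m})
    return hits


def triage():
    """Validate the hash list first, then sweep the telemetry."""
    good, bad = load_hash_iocs([PAGE_HASH, SAMPLE_SHA256])
    return {"rejected_iocs": bad, "hits": match_events(EVENTS, MUTEXES, good)}


if __name__ == "__main__":
    print(triage())
```

Run against these constructed inputs, the page's hash is rejected with its length, and the four remaining indicators each produce one hit; the OneDrive Run value and the unrelated Temp archive do not. The Details field of the Run-key hit is the path the malware will be relaunched from, which is usually the copy worth acquiring.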

☠️ Risk & Impact

ISR Stealer poses a moderate risk to individual users and small-to-medium businesses: its main consequences are credential and cryptocurrency theft, followed by account takeover and financial loss. Affected groups include users of online services, cryptocurrency holders, and remote workers; no large-scale data breach has been attributed to it to date. Its low price and easy customization put it within reach of unskilled operators, which raises the number of campaigns rather than the sophistication of any one of them.

🛡️ Mitigation

Defenders should block outbound connections to api.telegram.org except from explicitly allowlisted processes, deploy YARA rules that match the ISR_Stealer string and the ISRStealerMutex name, and give sandboxes enough run time (or hook Sleep) so that the malware's 15-second delay elapses and its real behaviour is recorded. The IsDebuggerPresent check and the RAM/disk heuristics mean analysis machines should be provisioned with realistic resources. Regular user education on phishing attachments and cracked software remains essential. Sources: Cyble Research (2023-03-28), Trend Micro ZDI (2023-04-12), MITRE ATT&CK T1055.012 for the process-hollowing technique used by similar stealers.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.