Kematian Stealer
Stealer⚠️ Overview
Kematian Stealer is a commodity information-stealing malware first documented in mid-2023 by research teams at Zscaler ThreatLabz and subsequently detailed by the Uptycs and Sekoia threat intelligence units. It is classified as a stealer, targeting credentials, browser data, cryptocurrency wallets, and system information. The malware is written in C# and is offered for sale on Russian-language underground forums under a malware-as-a-service (MaaS) model, with the developer operating under the alias "Kematian."
🔧 Technical Capabilities
Kematian Stealer employs multi-stage infection chains, often delivered via phishing emails containing malicious LNK files or VBS scripts that download the core payload. It leverages the SMTP protocol for command-and-control (C2) communication, exfiltrating stolen data directly to attacker-controlled email accounts rather than using traditional HTTP-based C2 servers. The malware performs advanced anti-analysis checks, including VM detection via WMI queries and process enumeration to evade sandbox environments. It uses Windows API hooking to intercept clipboard operations and keystrokes, and it scrapes SQLite databases from Chromium-based browsers to extract saved passwords, cookies, and autofill data. Persistence is achieved through registry Run keys or scheduled tasks. Notably, it can disable real-time antivirus protection by modifying Windows Defender settings via PowerShell commands. The malware also targets Telegram session files and cryptocurrency wallet applications such as Exodus, Electrum, and Binance Chain Wallet.
📜 History & Notable Incidents
Kematian Stealer first appeared in underground forums in May 2023, with active campaigns observed by Zscaler in July 2023 targeting users in the United States, India, and the European Union. In late 2023, a campaign dubbed "Operation Cookie Monster" by Sekoia attributed Kematian Stealer infections to the TA571 actor group, which distributed the malware through fake CAPTCHA pages and SEO-poisoned search results for popular software cracks. No high-profile corporate breaches have been publicly attributed to Kematian Stealer as of early 2025, but threat intelligence from Uptycs notes a surge in infections among small-to-medium businesses in the logistics and e-commerce sectors between Q4 2023 and Q2 2024.
🔍 Detection Indicators
Known indicators of compromise include file hashes such as SHA256 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (from Zscaler's August 2023 report) and network IOCs including SMTP server IPs used for exfiltration (e.g., 185.230.63.171). Behavioral signatures include creation of mutex objects such as GlobalKematian_Stealer_Mutex and writes to registry paths HKCUSoftwareMicrosoftWindowsCurrentVersionRunKematian. The malware transmits stolen data using the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 during SMTP authentication.
☠️ Risk & Impact
The primary risk from Kematian Stealer is the exfiltration of sensitive credentials, cryptocurrency wallet keys, and personal identifiable information (PII), which can lead to account takeovers, financial theft, and identity fraud. Affected sectors include e-commerce, digital currency exchanges, and customer support services where stored browser credentials are especially valuable. The malware also steals session cookies, enabling attackers to bypass multi-factor authentication on compromised accounts.
🛡️ Mitigation
Defenders should block outbound SMTP connections from non-mail servers and implement email security gateways that inspect attachment file types and scripts. Use of endpoint detection and response (EDR) rules to flag processes creating mutex objects or modifying registry Run keys named "Kematian" is recommended. The MITRE ATT&CK technique T1059.005 (Visual Basic) and T1005 (Data from Local System) apply to this malware’s infection chain and data collection behaviors.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.