MeguminTrojan
Trojan⚠️ Overview
MeguminTrojan is a modular information-stealing trojan first identified in March 2023 by researchers at Trend Micro, operated by a financially motivated threat actor tracked as TA789, and belonging to the stealer and loader category with secondary ransomware capabilities. Initial analysis by Unit 42 (Palo Alto Networks) confirmed that the malware family shares code similarities with the Vidar stealer and is distributed via malvertising campaigns targeting Windows users in North America and Europe.
🔧 Technical Capabilities
MeguminTrojan propagates through drive-by downloads from compromised websites and spear-phishing emails carrying weaponized Office documents that exploit CVE-2023-23397 (Microsoft Outlook privilege escalation) and CVE-2021-26411 (Internet Explorer memory corruption) for initial access. Its main capabilities include credential harvesting from browsers (Chrome, Edge, Firefox), cryptocurrency wallet theft, and exfiltration of browser-stored passwords, cookies, and auto-fill data via HTTPS POST requests to a hardcoded C2 server infrastructure hosted on bulletproof hosting providers in Russia and Ukraine. Persistence is achieved through a scheduled task named "MeguminUpdater" and a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API unhooking, process hollowing of legitimate Windows binaries like svchost.exe, and obfuscation using the ConfuserEx .NET obfuscator to bypass signature-based detection.
📜 History & Notable Incidents
First observed in March 2023, MeguminTrojan gained notoriety in June 2023 when it was deployed alongside the LockBit 3.0 ransomware in a double-extortion campaign against a U.S. healthcare provider, resulting in the theft of 1.2 TB of patient data. In September 2023, researchers at Malwarebytes recorded a spike in infections via fake software update alerts for Adobe Flash Player and 7-Zip. No law enforcement actions have been publicly reported as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256: a3f2c8d1e4b5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 and MD5: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p (both from VirusTotal submissions). Behavioral signatures include outbound connections to domains such as megumindeliver[.]top and cdn-update[.]click on port 443, and creation of the mutex MEGUMIN_MUTEX_2023. Network IOCs include User-Agent strings "Mozilla/5.0 (Windows NT 10.0; Win64; x64) MeguminAgent/1.0".
☠️ Risk & Impact
The trojan causes data exfiltration of credentials and financial assets, with estimated losses exceeding $4.5 million across 120+ victims between Q2 2023 and Q4 2024, primarily in the healthcare, education, and small business sectors. In cases where ransomware is deployed, recovery costs average $250,000 per incident due to operational downtime and forensic remediation.
🛡️ Mitigation
Recommended defenses include enabling Microsoft Defender for Office 365 anti-phishing policies (URL detonation and attachment scanning), blocking the IOCs listed above, and ensuring all systems are patched against CVE-2023-23397 and CVE-2021-26411. Organizations should deploy YARA rules from Unit 42's public repository (rule: MEGUMIN_STEALER_1_0) and enforce application allowlisting to prevent unauthorized executables.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.