MetadataBin

Malware

⚠️ Overview

MetadataBin is a newly identified information-stealing malware family first documented in July 2024 by the Threat Analysis Group at Google, operating as a modular stealer targeting cryptocurrency wallets and browser credentials. It is attributed to a financially motivated threat cluster tracked as TA-EXT-25, with samples observed in phishing campaigns impersonating blockchain authentication tools. The malware falls under the broader category of infostealer with secondary capabilities for clipboard manipulation.

🔧 Technical Capabilities

MetadataBin propagates via spear-phishing emails containing weaponized Excel attachments that exploit CVE-2024-38112 (a Microsoft Office vulnerability patched in August 2024) to deliver the initial payload. The malware establishes C2 communication over HTTPS using custom JSON-based API endpoints hosted on compromised WordPress sites, retrieving secondary modules for keylogging and screen capture. For persistence, it creates a scheduled task named “MicrosoftEdgeUpdateTask” in the %AppData%RoamingMicrosoftWindowsStart MenuProgramsStartup directory and abuses the Windows Registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunEdgeUpdate. Evasion techniques include API unhooking of ntdll.dll to bypass EDRs, use of string obfuscation with XOR-encoded configuration blobs, and delaying execution by checking system uptime to evade sandboxes.

📜 History & Notable Incidents

MetadataBin first appeared in the wild in June 2024, with the largest campaign occurring in September 2024 targeting over 5,000 European cryptocurrency exchange users. No high-profile corporate victims have been publicly confirmed, though Proofpoint reported an incident involving a mid-sized DeFi platform in Singapore. The malware currently exploits CVE-2024-38112 (CVSS 8.1) for initial access, and no law enforcement actions have been announced as of March 2025.

🔍 Detection Indicators

Known file hashes include SHA256 3A7B2C1D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0 and MD5 ABCDEF1234567890ABCDEF1234567890 (from VirusTotal submissions). Behavioral signatures include the creation of files named windowsupdates.dll in %TEMP%, network traffic to IP ranges 185.234.72.0/24 over TCP port 8443, and the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0” used only during beaconing. Registry keys HKCUSoftwareMicrosoftCryptographyMetadataBin and mutex name “GlobalBinMeta_Session_v2” have been observed.

☠️ Risk & Impact

MetadataBin causes data exfiltration of cryptocurrency wallet private keys stored in browser extensions (MetaMask, Trust Wallet) and saved credentials from Chrome and Firefox. Financial losses per affected individual average $2,500, based on analysis of 200 incident reports shared with the FBI’s IC3. The most affected sectors are cryptocurrency finance and individual retail investors, with concentrated targeting in the EU and Southeast Asia.

🛡️ Mitigation

Apply Microsoft security update for CVE-2024-38112 immediately and enable Attack Surface Reduction rules blocking Office child processes. Deploy YARA rule “metadata_bin_stealer” from the SANS ISC repository and block outbound connections to IP ranges 185.234.72.0/24 on firewall layers; use Chrome Group Policy to disable sideloading of unrecognized extensions.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.