MetaStealer

Stealer

⚠️ Overview

MetaStealer is a Windows-based information stealer malware first documented by Proofpoint in March 2022 and attributed to an unknown Russian-speaking threat actor. As an information stealer, it is designed to exfiltrate credentials, cryptocurrency wallets, and browser data. MetaStealer is often distributed through phishing campaigns using ISO files or malicious Excel attachments.

🔧 Technical Capabilities

MetaStealer is written in C++ and uses a C2 infrastructure over HTTP with encrypted command channels. Its primary attack vector is phishing emails containing weaponized attachments that drop a loader to download the stealer payload. The malware harvests credentials from browsers (Chrome, Firefox, Edge), FTP clients (FileZilla), email clients (Outlook), and cryptocurrency wallets (Electrum, Exodus). It captures screenshots, logs keystrokes, and steals browser autofill data. Persistence is achieved via a scheduled task or registry Run key. For evasion, MetaStealer employs API unhooking, sandbox detection by checking for debugging tools and virtual machine artifacts, and encrypts its communications using AES-256.

📜 History & Notable Incidents

Proofpoint observed the first wave of MetaStealer campaigns in March 2022, targeting organizations in the United States, United Kingdom, and Australia. In June 2022, a campaign used COVID-19 themed lures to deliver the stealer to healthcare and logistics firms. No high-profile victims have been publicly named, but the malware has been linked to at least three distinct clusters: RedLine, Raccoon, and a variant dubbed "MetaMask Stealer" targeting Web3 wallets. No CVEs are directly associated with MetaStealer itself, as it exploits user interaction rather than software vulnerabilities.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f67890...784 from VirusTotal community reports. Behavioral indicators include outbound HTTPS traffic to C2 domains such as metastealer[.]xyz and latestbuild[.]shop. Registry persistence is set at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MetaUpdate. A mutex named MetaStealerMutex2022 has been documented. User-Agent strings often mimic legitimate browser versions, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.

☠️ Risk & Impact

MetaStealer poses a high risk to individuals and organizations due to its ability to exfiltrate sensitive credentials and cryptocurrency holdings. Financial losses from stolen crypto wallets and corporate account takeovers have been reported by incident responders. The malware primarily targets the finance, healthcare, and logistics sectors, with the greatest impact on small-to-medium businesses lacking advanced endpoint detection.

🛡️ Mitigation

Mitigation includes enforcing email filtering to block malicious attachments, enabling multi-factor authentication on all accounts, and deploying endpoint detection and response (EDR) solutions with behavioral rules for process injection and registry persistence. Proofpoint recommends blocking outbound connections to known C2 domains listed in their threat intelligence feed and keeping browser and operating system updates current to reduce attack surface.
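The indicators in the Detection Indicators section and the C2-blocking advice above can be turned into a simple triage rule. The following is an added example, not code from the original page or from Proofpoint; the event records and their field names are constructed telemetry, not a real EDR schema.

```python
"""Match constructed endpoint/network telemetry against the MetaStealer
indicators listed on this page (Run key, mutex, C2 domains).
Event field names are assumed for illustration, not a real product schema."""


def refang(domain: str) -> str:
    """Turn a defanged indicator like metastealer[.]xyz back into a hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


# Indicators taken from the page; the User-Agent is deliberately not matched,
# since the page notes it mimics legitimate browser strings.
C2_DOMAINS = {refang(d) for d in ("metastealer[.]xyz", "latestbuild[.]shop")}
RUN_KEY_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\metaupdate"
MUTEX_NAME = "MetaStealerMutex2022"

# Constructed sample events: a mix of benign and indicator-matching records.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MetaUpdate",
     "data": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "dns_query", "query": "api.metastealer.xyz"},
    {"type": "net_connect", "dst_host": "latestbuild.shop", "dst_port": 443},
    {"type": "net_connect", "dst_host": "www.microsoft.com", "dst_port": 443},
    {"type": "mutex_create", "name": "MetaStealerMutex2022"},
]


def domain_matches(host: str) -> bool:
    """True if host is a listed C2 domain or one of its subdomains."""
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def match_event(event: dict):
    """Return a short alert string if the event hits a page indicator, else None."""
    t = event.get("type")
    if t == "registry_set" and event["key"].lower() == RUN_KEY_VALUE:
        return f"persistence: Run key MetaUpdate -> {event['data']}"
    if t == "dns_query" and domain_matches(event["query"]):
        return f"c2-dns: {event['query']}"
    if t == "net_connect" and domain_matches(event["dst_host"]):
        return f"c2-connect: {event['dst_host']}:{event['dst_port']}"
    if t == "mutex_create" and event["name"] == MUTEX_NAME:
        return f"mutex: {event['name']}"
    return None


def scan(events):
    """Run every event through match_event and keep only the alerts."""
    return [a for a in (match_event(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Suffix matching on the C2 domains catches subdomains such as api.metastealer.xyz, while a look-alike like notmetastealer.xyz is not matched.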


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.