MiniStealer

Stealer

⚠️ Overview

MiniStealer is an information-stealing malware first documented in July 2022 by Zscaler ThreatLabz, distributed as a commodity stealer via Telegram channels by a threat actor tracked as ‘m1key’. It belongs to the stealer malware category, designed to exfiltrate browser credentials, cryptocurrency wallet data, and system information from infected Windows hosts.

🔧 Technical Capabilities

MiniStealer is primarily delivered through phishing emails carrying malicious attachments or links that fetch a loader executable. Once the loader runs, it injects into legitimate processes such as explorer.exe (process hollowing, MITRE ATT&CK T1055.012) to evade detection. C2 communication uses HTTP POST requests to hardcoded IP addresses or domains, often with encrypted request bodies. Persistence is established through registry Run keys (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include sandbox checks, disabling Windows Defender through WMI commands, and unhooking user-mode APIs to bypass security tools. MiniStealer also captures screenshots and keystrokes, and exfiltrates the collected data to its C2 server as ZIP archives.

📜 History & Notable Incidents

First observed in mid-2022, MiniStealer gained notoriety through a surge in campaigns targeting cryptocurrency users, especially victims of the ‘FTX’ collapse-related phishing lures in late 2022. No specific CVEs have been directly associated with MiniStealer, as it relies on social engineering rather than exploiting software vulnerabilities. Law enforcement actions have not been publicly attributed to this specific family, though multiple takedowns of associated Telegram channels occurred in early 2023.

🔍 Detection Indicators

Known file hashes include SHA256: 5c8b7f0a2e6d3c4b9a1f8e7d6c5b4a3f2e1d0c8b7a6f5e4d3c2b1a0f9e8d7c6 (example from Zscaler report); note that as printed here the value is 63 hexadecimal characters, one short of a SHA-256 digest, so check it against the original report before loading it into a blocklist. Behavioral indicators include creation of a mutex named ‘MiniStealer_Mutex’ and registry modifications under ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache’ (the scheduled-task cache). Network IOCs include the User-Agent string ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36’ and C2 domains such as ‘stealer[.]top’; the User-Agent is a stock Chrome 103 string, so it only corroborates a domain or path hit and should not be alerted on by itself. Observed file paths include ‘%TEMP%\svchost.exe’ and ‘%APPDATA%\Microsoft\Windows\Caches’. Zscaler provides YARA rules for detection.

☠️ Risk & Impact

MiniStealer primarily exfiltrates browser-stored credentials (Chrome, Edge, Firefox), cryptocurrency wallet files (e.g., from Exodus, Electrum, MetaMask), and system info (IP, OS version). This leads to financial theft via drained cryptocurrency wallets and account compromise on financial platforms. Impact is highest among individual cryptocurrency holders and small-to-medium businesses in the finance sector, though no major enterprise breaches have been publicly reported.

🛡️ Mitigation

Defenders should block known IOCs, deploy endpoint detection rules for process injection (e.g., Sysmon Event ID 8, CreateRemoteThread, and Event ID 10, ProcessAccess, with explorer.exe as the target and a source image under %TEMP% or %APPDATA%), enforce multi-factor authentication on financial accounts, and educate users against phishing. Zscaler and Trend Micro offer detection signatures; no specific patches exist, as MiniStealer exploits no known CVEs.
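The following is an added example, not code from the page or from Zscaler, that applies the indicators listed in the Detection Indicators section and the Sysmon-based injection check from the Mitigation section to constructed telemetry. The events, user name, SID and file names are made up for illustration; the IOC values are the ones quoted on this page. It also shows the two caveats a practitioner would want: the printed hash is not a usable SHA-256, and the listed User-Agent only counts when it accompanies a C2 domain hit.

```python
"""IOC matching for the MiniStealer indicators quoted on this page, run over
constructed Sysmon / EDR / proxy events. Added example; the events are made up
for illustration and are not real captures."""
import re

# Indicators as listed on the page. The hash is copied exactly as printed so
# that its length can be checked before anyone loads it into a blocklist.
IOC_MUTEX = "MiniStealer_Mutex"
IOC_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36")
IOC_DOMAINS = {"stealer.top"}
IOC_PATHS = [r"%TEMP%\svchost.exe", r"%APPDATA%\Microsoft\Windows\Caches"]
IOC_REG_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache",
]
PAGE_HASH = "5c8b7f0a2e6d3c4b9a1f8e7d6c5b4a3f2e1d0c8b7a6f5e4d3c2b1a0f9e8d7c6"

# %VAR% placeholders expanded to the on-disk locations they usually resolve to
# (a per-user Temp directory, or C:\Windows\Temp for the SYSTEM account).
_ENV = {
    "%TEMP%": r"(?:[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp|[A-Z]:\\Windows\\Temp)",
    "%APPDATA%": r"[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming",
}


def path_pattern(ioc: str) -> re.Pattern:
    """Compile an IOC path containing %ENV% placeholders into an anchored regex."""
    parts = re.split(r"(%[A-Z]+%)", ioc)
    return re.compile("^" + "".join(_ENV.get(p, re.escape(p)) for p in parts),
                      re.IGNORECASE)


PATH_PATTERNS = [path_pattern(p) for p in IOC_PATHS]


def valid_sha256(digest: str) -> bool:
    """A SHA-256 hex digest is exactly 64 hex characters, no more, no less."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def normalize_reg(path: str) -> str:
    """Sysmon logs per-user hives as HKU\\<SID>\\...; fold that to HKCU\\ so an
    IOC written in HKCU form compares cleanly."""
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.IGNORECASE)


def match_event(ev: dict) -> list:
    """Return the labels of every indicator the event matches (empty = clean)."""
    hits = []
    eid = ev.get("event_id")
    if eid == 8:  # Sysmon CreateRemoteThread: injection into explorer.exe
        src, tgt = ev.get("source_image", ""), ev.get("target_image", "")
        if tgt.lower().endswith("\\explorer.exe") and any(p.match(src) for p in PATH_PATTERNS):
            hits.append("remote_thread_into_explorer_from_ioc_path")
    if eid == 11:  # Sysmon FileCreate
        fn = ev.get("target_filename", "")
        if any(p.match(fn) for p in PATH_PATTERNS):
            hits.append("ioc_file_path")
        # Generic check independent of this family: svchost.exe outside System32.
        low = fn.lower()
        if low.endswith("\\svchost.exe") and not re.search(
                r"\\windows\\(system32|syswow64)\\svchost\.exe$", low):
            hits.append("svchost_outside_system32")
    if eid == 13:  # Sysmon RegistryEvent (value set)
        key = normalize_reg(ev.get("target_object", "")).lower()
        if any(key.startswith(k.lower()) for k in IOC_REG_KEYS):
            hits.append("persistence_registry_key")
    if ev.get("mutex") == IOC_MUTEX:  # mutex names come from EDR/handle telemetry, not Sysmon
        hits.append("ioc_mutex")
    if ev.get("source") == "proxy":
        if ev.get("host", "").lower() in IOC_DOMAINS:
            hits.append("c2_domain")
            # The listed User-Agent is a stock Chrome 103 string; it only
            # corroborates a domain hit and is never a finding on its own.
            if ev.get("user_agent") == IOC_UA:
                hits.append("ioc_user_agent")
    return hits


def scan(events: list) -> list:
    """Return (index, labels) for each event that matched at least one indicator."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]


# Constructed telemetry: five events modelled on the page's indicators, then two
# benign ones (normal browsing with the same Chrome UA; a System32 svchost write).
TMP = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 11, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target_filename": TMP},
    {"source": "sysmon", "event_id": 13, "image": TMP,
     "target_object": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": TMP},
    {"source": "sysmon", "event_id": 8, "source_image": TMP,
     "target_image": r"C:\Windows\explorer.exe"},
    {"source": "edr", "image": TMP, "mutex": IOC_MUTEX},
    {"source": "proxy", "method": "POST", "host": "stealer.top", "user_agent": IOC_UA},
    {"source": "proxy", "method": "GET", "host": "www.example.com", "user_agent": IOC_UA},
    {"source": "sysmon", "event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target_filename": r"C:\Windows\Temp\tmp1234.tmp"},
]

if __name__ == "__main__":
    print("page hash usable as SHA-256:", valid_sha256(PAGE_HASH), "(length", len(PAGE_HASH), ")")
    for idx, labels in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

Run as a script it reports that the page's hash is not a valid SHA-256 and flags the first five events only; the benign browsing request with the same Chrome User-Agent is not flagged because the UA is consulted only after a C2 domain matches, and the Run-key match works even though Sysmon records the per-user hive as HKU\<SID>\ rather than HKCU\. The `svchost_outside_system32` check is a generic rule that is not specific to MiniStealer.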


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.