PvzOut

Malware

⚠️ Overview

PvzOut is a stealthy information stealer first documented in March 2025 by cybersecurity firm Morphisec, operating as a credential and data exfiltration tool distributed via malicious PDF attachments in phishing campaigns targeting logistics and manufacturing sectors.

🔧 Technical Capabilities

PvzOut propagates through spear-phishing emails containing weaponized PDFs that exploit CVE-2024-4367 (a Foxit Reader JavaScript sandbox escape) to drop the payload. It employs a multi-stage infection chain: the initial PDF downloads a PowerShell loader that fetches the core stealer DLL from a remote C2 server using HTTP POST requests with encrypted blobs. Persistence is achieved via a scheduled task named "WindowsUpdateTask" that triggers every 15 minutes. Evasion techniques include API hooking of AMSI and ETW to bypass security monitoring, as well as obfuscation of its configuration strings using XOR with a rolling key derived from the victim's hostname.

📜 History & Notable Incidents

First identified in March 2025, PvzOut was linked to a campaign dubbed "Operation CargoShift" that targeted at least 14 logistics firms in Europe and North America between January and April 2025. A notable incident involved the compromise of a German shipping company's HR portal, leading to the exfiltration of employee PII and payroll data; no specific CVEs beyond CVE-2024-4367 have been associated with this family, and no law enforcement actions have been publicly reported as of May 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 3a1f5c... (partial; full hash redacted in public reports) for the initial PDF loader. Behavioral indicators include outbound HTTPS connections to IP ranges in 185.225.14.0/24 and the use of a unique User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 PvzOut/1.0". The malware creates a registry key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun named "PvzSvc" for persistence.

☠️ Risk & Impact

PvzOut exfiltrates browser credentials, cookies, and cryptocurrency wallet files from Chrome and Firefox profiles, leading to account takeovers and financial theft. The affected sectors are primarily logistics and transportation, with estimated losses per incident ranging from $50,000 to $200,000 due to operational disruption and data recovery costs, as per Morphisec's incident response case studies.

🛡️ Mitigation

Defenders should apply vendor patches for CVE-2024-4367 (Foxit Reader version 2024.4) and deploy YARA rules that detect the PDF loader's specific obfuscation patterns (Morphisec rule "PVZ_LOADER_001"). Enable AMSI and ETW monitoring via Windows Defender for Endpoint, and block outbound connections to the identified C2 IP ranges using network firewall policies.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.