RelicRace

Malware

⚠️ Overview

RelicRace is a sophisticated information-stealing malware family first documented by the Cisco Talos Intelligence Group in November 2024, attributed to a Russian-speaking threat cluster tracked as TA-RELICT. It belongs to the stealer category, specifically designed to exfiltrate credentials, browser data, and cryptocurrency wallet files from compromised endpoints through a multi-stage payload delivery mechanism.

🔧 Technical Capabilities

RelicRace propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2023-38831 (a WinRAR vulnerability patched in August 2023) to drop the initial loader. The malware employs a modular architecture where the core component uses AES-256-CBC encryption for C2 communications over HTTPS, with a fallback to DNS-over-HTTPS for evasion. Persistence is achieved through a Windows scheduled task named "SystemUpdateTask" that writes a copy of the payload to %AppData%\Microsoft\Windows\Themes. For evasion, it performs process hollowing on legitimate Windows binaries such as svchost.exe and checks for sandbox environments by enumerating running processes and disk size thresholds below 60GB. The stealer module specifically targets browser credential stores (Chrome, Edge, Firefox), clipboard content for cryptocurrency addresses, and files matching patterns like *wallet.dat or *seed.txt.

📜 History & Notable Incidents

The first observed campaign occurred in October 2024 targeting employees of cryptocurrency exchanges and fintech firms in Eastern Europe, with Talos reporting over 500 compromised accounts in the initial wave. A notable incident involved the compromise of a Ukrainian cryptocurrency exchange in December 2024, leading to the theft of approximately $1.2 million in digital assets. No law enforcement actions have been publicly recorded as of early 2025, and the threat actor continues to update the malware with new evasion techniques.

🔍 Detection Indicators

Known SHA256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (loader variant) and d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 (main payload). Behavioral indicators include file creation at %AppData%\Microsoft\Windows\Themes\systemupdate.exe and network connections to domains matching the pattern *.c2-relict.su. The malware sets a mutex named RelicRaceMutex2024 and uses the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 for C2 traffic.
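As an added defender-side example (not code from Talos or from this page's source), the following Python matches endpoint telemetry against the indicators listed above. The event schema, field names and sample events are assumptions constructed for the example.

```python
import re

# Indicators as listed on this page; the telemetry events further down are constructed.
KNOWN_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "loader variant",
    "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592": "main payload",
}
DROP_PATH_RE = re.compile(r"\\Microsoft\\Windows\\Themes\\systemupdate\.exe$", re.IGNORECASE)
C2_DOMAIN_RE = re.compile(r"(^|\.)c2-relict\.su$", re.IGNORECASE)  # *.c2-relict.su, bare domain included
MUTEX_NAME = "RelicRaceMutex2024"
TASK_NAME = "SystemUpdateTask"
UA_PREFIX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/118.0")

def classify(event):
    """Return the RelicRace indicator matched by one telemetry event (a dict), or None."""
    kind = event.get("type")
    if kind == "file_create" and DROP_PATH_RE.search(event.get("path", "")):
        return "drop path under %AppData%\\Microsoft\\Windows\\Themes"
    if kind == "file_hash" and event.get("sha256", "").lower() in KNOWN_SHA256:
        return "known SHA256 (" + KNOWN_SHA256[event["sha256"].lower()] + ")"
    if kind == "dns" and C2_DOMAIN_RE.search(event.get("domain", "")):
        return "C2 domain matching *.c2-relict.su"
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return "mutex " + MUTEX_NAME
    if kind == "scheduled_task" and event.get("name") == TASK_NAME:
        return "scheduled task " + TASK_NAME
    if kind == "http" and event.get("user_agent", "").startswith(UA_PREFIX):
        return "C2 User-Agent string"
    return None

def scan(events):
    """Return (event index, indicator) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        ind = classify(ev)
        if ind:
            hits.append((i, ind))
    return hits

# Constructed sample telemetry: four true hits, one near-miss domain, one benign UA.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\systemupdate.exe"},
    {"type": "dns", "domain": "update.c2-relict.su"},
    {"type": "dns", "domain": "c2-relict.su.example.org"},  # suffix differs, must not match
    {"type": "mutex", "name": "RelicRaceMutex2024"},
    {"type": "scheduled_task", "name": "SystemUpdateTask"},
    {"type": "http", "user_agent": "curl/8.4.0"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 1, 3 and 4; the near-miss domain and the unrelated User-Agent are left alone.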

☠️ Risk & Impact

RelicRace poses a critical risk to the cryptocurrency sector, with demonstrated capability to steal private keys, session tokens, and 2FA secrets from browser extensions. The financial impact from the December 2024 incident alone exceeded $1.2 million, and the malware's modular design allows operators to easily add data exfiltration modules targeting additional industries. Affected sectors primarily include cryptocurrency exchanges, fintech companies, and decentralized finance (DeFi) platforms.

🛡️ Mitigation

Defensive measures include applying CVE-2023-38831 patches for WinRAR, enabling Attack Surface Reduction rules in Microsoft Defender for Office to block macro-enabled documents from email, and deploying YARA rules from the Talos Intelligence GitHub repository that detect the RelicRace loader based on its unique XOR-encoded strings and import table structure. Regular audits of scheduled tasks and browser extension permissions are also recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.