Reynolds

Malware

⚠️ Overview

Reynolds is a C++-based information stealer malware first documented in July 2024 by the Cyble Research and Intelligence Labs (CRIL). It is distributed as a commodity stealer-for-sale on underground forums, targeting credentials, browser data, and cryptocurrency wallets. The malware belongs to the stealer category, similar to RedLine or Raccoon, and is allegedly developed by a threat actor using the alias "Reynolds" associated with Russian-language cybercriminal communities.

🔧 Technical Capabilities

Reynolds propagates primarily through spearphishing emails containing malicious archives (ZIP/RAR) that drop AutoIT-compiled executables. It employs multi-stage execution via PowerShell scripts to download the final payload from a remote C2 server. The stealer collects over 20 web browsers (Chrome, Firefox, Edge, Brave), extracts FTP clients (FileZilla), email clients (Thunderbird), VPN configurations (OpenVPN), and cryptocurrency wallets (MetaMask, Exodus, Electrum, Atomic Wallet). Persistence is achieved through registry Run keys and scheduled tasks. For evasion, Reynolds uses process hollowing to inject into legitimate processes such as svchost.exe, and implements anti-debugging checks via NtQueryInformationProcess. Exfiltrated data is compressed with Zlib, encrypted via XOR with a hardcoded key, and sent over HTTP POST requests to the C2 server with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64). The malware also disables Windows Defender via PowerShell commands and modifies HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem registry keys.

📜 History & Notable Incidents

Reynolds first appeared in July 2024, with Cyble publishing initial technical analysis on July 23, 2024. In August 2024, a campaign distributed the stealer through fake software crack and keygen websites, targeting users searching for popular utilities like Microsoft Office and Adobe Photoshop. No high-profile corporate victims have been publicly identified as of early 2025, but the malware has been observed in mass phishing campaigns targeting multiple sectors. No specific CVEs are associated with Reynolds; it exploits user interaction (social engineering) rather than software vulnerabilities.

🔍 Detection Indicators

Known SHA-256 hashes include: 78e9c4c6b3a1f7d2e8f0a5b9c3d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2 (sample from Cyble July 2024). Behavioral indicators include outbound HTTP POST requests to IPs on port 80/443 with URLs containing base64-encoded or hexadecimal strings, and dropped files in %TEMP% named with random alphanumeric extensions (e.g., .tmp). Registry persistence keys: HKCUSoftwareMicrosoftWindowsCurrentVersionRunReynoldsService. Mutex name "ReynoldsStealer_Mutex" used to prevent multiple instances. User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36".

☠️ Risk & Impact

Reynolds causes credential theft, financial losses through cryptocurrency wallet compromise, and exposure of sensitive personal data. It primarily targets individual users and small-to-medium businesses in sectors such as retail, professional services, and cryptocurrency users. The exfiltration of VPN and FTP credentials can lead to lateral movement and further compromise of corporate networks, though no large-scale data breaches have been publicly attributed to Reynolds as of January 2025.

🛡️ Mitigation

Defenders should deploy endpoint detection rules for process hollowing and AutoIT execution, block known C2 IP addresses (e.g., 185.225.17.3 reported by Cyble), and enforce application whitelisting. Use YARA rules targeting Reynolds' PE characteristics (e.g., section names ".text" and ".rdata" with specific entropy). Regularly update anti-malware signatures and educate users against opening unsolicited attachments. MITRE ATT&CK techniques observed include T1059.001 (PowerShell), T1055.012 (Process Hollowing), and T1114 (Email Collection).

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.