RisePro

Malware

⚠️ Overview

RisePro is an information-stealing malware classified as a stealer, first publicly documented in December 2022 by cybersecurity firm Recorded Future. It is distributed through the malware-as-a-service ecosystem, primarily via pay-per-install (PPI) networks such as PrivateLoader, and is attributed to Russian-speaking threat actors. The malware belongs to the broader category of credential and data stealers, often targeting browser-stored passwords, cryptocurrency wallets, and system information.

🔧 Technical Capabilities

RisePro employs multiple attack vectors, including phishing campaigns and malvertising that deliver the payload via fake download sites or cracked software. Once executed, it performs initial reconnaissance by collecting system metadata, installed applications, and network configuration. Its C2 infrastructure uses encrypted HTTP POST requests to exfiltrate stolen data, often leveraging JSON-encoded communications. Persistence is achieved through registry run keys or scheduled tasks. Evasion techniques include obfuscation of strings, API hashing, and anti-debugging checks to avoid sandbox detection. The malware targets popular browsers (Chrome, Firefox, Edge) to harvest saved credentials and cookies, and also extracts data from cryptocurrency wallet extensions like MetaMask and Exodus.

📜 History & Notable Incidents

RisePro first appeared in the wild in late 2022, with initial samples observed on underground forums. A significant campaign in early 2023 saw the malware bundled with fake cracks for software such as Adobe Photoshop and Microsoft Office, distributed through torrent sites. No specific high-profile victims or law enforcement actions have been publicly documented as of 2025. The malware does not exploit any known CVEs directly; instead, it relies on social engineering and third-party droppers. MITRE ATT&CK techniques include T1055.012 (Process Hollowing) and T1555.003 (Credentials from Web Browsers).

🔍 Detection Indicators

RisePro samples have known SHA-256 hashes documented in open-source threat intelligence feeds, such as b98e3c8a7f3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d. Behavioral signatures include spawning multiple processes to enumerate browser data and writing temporary files to %TEMP% with random names. Network indicators consist of POST requests to IP addresses associated with bulletproof hosting providers, often using User-Agent strings mimicking legitimate browsers like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Registry modifications create entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with pseudo-random value names.

☠️ Risk & Impact

RisePro primarily causes data exfiltration, leading to credential theft, financial account compromise, and cryptocurrency wallet theft. The resulting impact includes unauthorized access to corporate or personal accounts, potential financial losses from drained wallets or fraudulent transactions, and follow-on attacks using stolen credentials. The malware predominantly targets individual users and small businesses, with the highest risk observed in sectors reliant on browser-based authentication and digital assets.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) solutions with rules blocking execution from %TEMP% and suspicious registry run key modifications. Network filtering should block known C2 IP addresses and monitor for anomalous HTTP POST traffic containing JSON-encoded data. Regular patching of software and user awareness training against cracking sites and phishing remain critical. No specific CVEs or patches apply; mitigation focuses on behavioral detection and blocking the PrivateLoader distribution channel.
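The detection indicators and the behavioral-detection approach recommended above can be turned into concrete checks. The Python below is an added example, not code from the page or from Boteraser: it parses a constructed proxy-log format and flags POST requests that combine a JSON body, a bare-IP destination and the browser-mimicking User-Agent family cited in the indicators, and it scores Run-key entries for pseudo-random value names or a launch path under %TEMP%. The log layout, the IP addresses (taken from the RFC 5737 documentation ranges), the file paths and the value names are all constructed for the example; only the User-Agent string and the registry key come from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed proxy-log format for this example: timestamp, method, URL,
# quoted User-Agent, content type and request body size. A real proxy has
# its own format; only parse_log_line() would need to change.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'ua="(?P<ua>[^"]*)" ct=(?P<ct>\S+) bytes=(?P<bytes>\d+)$'
)
# User-Agent family the indicators section cites as mimicked by the stealer.
BROWSER_UA = re.compile(r"Mozilla/5\.0 \(Windows NT [\d.]+; Win64; x64\) AppleWebKit/537\.36")
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Request:
    ts: str
    method: str
    url: str
    ua: str
    content_type: str
    size: int


def parse_log_line(line: str) -> Optional[Request]:
    """Parse one constructed proxy-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ts"], m["method"], m["url"], m["ua"], m["ct"], int(m["bytes"]))


def is_suspicious_post(req: Request) -> bool:
    """Require every listed trait together: POST, JSON body, bare-IP host, browser-like UA.
    Any one trait alone is common in benign traffic; the combination is the signal."""
    host = urlparse(req.url).hostname or ""
    return (
        req.method == "POST"
        and "json" in req.content_type.lower()
        and IPV4_LITERAL.match(host) is not None
        and BROWSER_UA.search(req.ua) is not None
    )


def flag_network(lines: List[str]) -> List[str]:
    """Return the URLs of requests matching the exfiltration pattern."""
    return [r.url for r in map(parse_log_line, lines) if r and is_suspicious_post(r)]


def looks_random(value_name: str) -> bool:
    """Heuristic for pseudo-random Run value names: at least 8 characters, purely
    alphanumeric, and either nearly vowel-free or digit-heavy. Product names such as
    'OneDrive' or 'SecurityHealth' are not flagged; 'xk7q2pvm9dzt' is."""
    s = value_name.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in s)
    digits = sum(c.isdigit() for c in s)
    return vowels / len(s) < 0.2 or digits / len(s) > 0.3


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """entries: (value_name, command) pairs as read from the Run key.
    Returns (value_name, reasons) for entries that deserve analyst attention."""
    flagged = []
    for name, command in entries:
        reasons = []
        cmd = command.lower()
        if "\\temp\\" in cmd or "%temp%" in cmd:
            reasons.append("launches from a Temp directory")
        if looks_random(name):
            reasons.append("pseudo-random value name")
        if reasons:
            flagged.append((name, reasons))
    return flagged


# Constructed sample data (documentation-range IPs, invented paths and names).
SAMPLE_PROXY_LOG = [
    '2025-03-01T10:00:00Z POST http://203.0.113.10/gate ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" ct=application/json bytes=48213',
    '2025-03-01T10:00:05Z POST https://api.example.com/v1/events ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" ct=application/json bytes=512',
    '2025-03-01T10:00:09Z GET http://203.0.113.10/favicon.ico ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" ct=- bytes=0',
    '2025-03-01T10:00:12Z POST http://198.51.100.7/api ua="curl/8.4.0" ct=application/json bytes=120',
]
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("xk7q2pvm9dzt", r"C:\Users\alice\AppData\Local\Temp\svcupd.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Updater", r"%TEMP%\upd.exe"),
]

if __name__ == "__main__":
    for url in flag_network(SAMPLE_PROXY_LOG):
        print("suspicious POST:", url)
    for name, reasons in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run value {name!r}: {'; '.join(reasons)}")
```

On the sample data only the POST to 203.0.113.10 is reported: the JSON POST to a hostname and the GET to the same IP each lack one trait, and the curl request has no browser-like User-Agent, so the rule stays quiet on them. Two Run values are reported, one for both reasons and one for its Temp-directory path alone. In production the network check belongs in the proxy or EDR rule engine and the registry check in a periodic collection of HKCU\Software\Microsoft\Windows\CurrentVersion\Run across endpoints; the thresholds in looks_random are tuning knobs, not a fixed signature.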


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.