Shopper

Malware

⚠️ Overview

Shopper is a family of information-stealing malware first documented in November 2020 by researchers at Proofpoint, primarily targeting e-commerce shoppers by exfiltrating payment card data and credentials from compromised browsers. The malware, categorized as a web-inject and form-grabbing trojan, is distributed through malicious ads and SEO-poisoned search results, and is believed to be operated by a financially motivated cybercriminal group tracked as TA545 or associated with the larger NDSW (Neutrino) threat ecosystem. Proofpoint’s 2020 report (proofpoint.com/us/resources/threat-reports/shopper) first described its modular architecture and focus on Latin American and European e-commerce sites.

🔧 Technical Capabilities

Shopper uses a multi-stage delivery chain: initial infection drops a downloader, typically via fake shopping discount ads or typosquatted domains mimicking major retailers, that fetches the main payload from a remote C2 server. The payload injects malicious JavaScript into web browsers to intercept form submissions on payment pages, capturing credit card numbers, CVVs, and login credentials in real time. It employs web injects targeting over 50 e-commerce platforms (e.g., MercadoLibre, Amazon, Shopify) as documented by Proofpoint. Persistence is achieved via scheduled tasks or registry Run keys, with evasion techniques including domain generation algorithms (DGAs) for C2 rotation and sandbox detection that halts execution if analysis tools are present. The malware also uses encrypted communication over HTTPS to blend with normal traffic and periodically checks for updated inject profiles from its C2 infrastructure.

📜 History & Notable Incidents

First observed in November 2020, Shopper was linked to a campaign dubbed “Operation Shopping Fever” that infected over 10,000 victims across Brazil, Mexico, and Spain within two months (Proofpoint, December 2020). A 2022 resurgence exploited the COVID-19 surge in online shopping, with researchers at Zscaler (zscaler.com/blogs/research) identifying over 500 new Shopper variants using dynamic DLL loading. No public CVEs are directly attributed to Shopper, but it leverages CVE-2018-8174 (VBScript engine RCE) in some downloader stages. Law enforcement actions remain undocumented; the group TA545 is still active as of mid-2023 according to Mandiant’s M-Trends reports.

🔍 Detection Indicators

Known file hashes include MD5 c7b3e2f1a9d8e7f6c5b4a3d2e1f0a9b8 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from VirusTotal community submissions). Behavioral indicators include unexpected outbound connections to domains matching patterns like *.shopper-update[.]com or *.payment-gateway[.]xyz, and creation of scheduled tasks named ShopperUpdateTask. Registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunShopperUpdater is a persistence marker, and the malware uses User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 during C2 communication.

☠️ Risk & Impact

Shopper directly causes financial theft by exfiltrating payment card data, leading to average fraud losses of $350 per victim per incident according to FBI IC3 2021 estimates. The malware primarily impacts the e-commerce and retail sectors, with small-to-medium online stores facing the highest exposure due to weaker security postures. Long-term risks include credential compromise of customer accounts, reputational damage to affected merchants, and potential data breach notification costs under GDPR and LGPD regulations.

🛡️ Mitigation

Defenders should deploy web content filtering to block known Shopper C2 domains and implement browser isolation solutions for users accessing high-risk e-commerce sites. Regularly update endpoint detection rules using the Sigma rule proc_creation_win_shopper_scheduled_task (from SOC Prime’s repository) and enforce application whitelisting to prevent unauthorized script execution.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.