Skuld

Malware

⚠️ Overview

Skuld is an information-stealing malware written in Go (Golang), first documented in detail by Trellix in June 2023. It belongs to the stealer category and is built to extract credentials, cryptocurrency wallets, Discord tokens and browser-saved data from infected Windows systems. Reported distribution vectors are phishing campaigns and fake software download sites. Skuld's operators remain unidentified; much of its code is reused from open-source Go stealer projects rather than written from scratch.

🔧 Technical Capabilities

Skuld targets over 60 applications, including Chromium-based browsers, Gecko-based browsers such as Firefox, and cryptocurrency wallets such as Electrum and Exodus. From browsers it steals saved logins, cookies, autofill data and credit card information; from the host it collects the username, CPU, GPU, RAM and installed antivirus products. Persistence is achieved by copying itself to the Startup folder or creating a registry Run key. Evasion techniques include checking for sandbox, virtual-machine and analysis tooling (for example, bailing out when processes such as ProcessHacker are running) and delaying execution to outlast short sandbox runs. Skuld communicates over HTTP to a hardcoded command-and-control (C2) endpoint and exfiltrates stolen data as a ZIP archive protected with a hardcoded password. During C2 communication it sends the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"; because this is a stock Chrome 105 User-Agent, it is not useful as a standalone indicator and should only be used in combination with destination or URL-path matching.

📜 History & Notable Incidents

Skuld was publicly documented by Trellix in June 2023. It was reportedly spread via fake "crack" or "keygen" websites for popular software such as Adobe Photoshop and Microsoft Office, and via search-engine malvertising aimed at users looking for free software. No high-profile corporate victims have been publicly named; reported infections are concentrated among individual users worldwide. No CVEs are associated with Skuld, since it relies on social engineering rather than exploitation of vulnerabilities. No law enforcement action against its operators has been documented as of early 2025.

🔍 Detection Indicators

Sample hashes vary per build and are not reproduced here; obtain current SHA256 values from a vendor report or a sandbox submission rather than relying on a single static value. Behavioral indicators include writing to the directory %APPDATA%\SkuldData and creating a mutex named "Global\SkuldMutex". Network indicators include HTTP POST requests to the C2 path "/gate.php" carrying base64-encoded data. The malware drops files named "Skuld.exe" or "SystemHelper.exe" in the %TEMP% folder and creates persistence values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Treat the file, mutex and path names as sample-specific: they are trivial for the developer to change, so pair them with behavioral detections (a newly dropped executable in %TEMP% that immediately writes a Run key and opens outbound HTTP connections) rather than relying on string matches alone.

☠️ Risk & Impact

Skuld poses a moderate risk to individual users: it exfiltrates login credentials, cryptocurrency wallet data and personal information. Financial losses arise from theft of cryptocurrency funds and from credential reuse leading to account takeovers. The most affected groups are individual consumers and small businesses that rely on cracked software; no large enterprise breaches have been reported. The malware does not encrypt files or perform destructive actions, so the damage is the loss of confidentiality of whatever was on the host, and that damage persists after the infection is removed until the stolen secrets are rotated.

🛡️ Mitigation

Defenders should block known Skuld C2 domains via DNS and web proxy rules, and deploy endpoint detection rules for the mutex name "Global\SkuldMutex" and for HKCU Run key values pointing to "Skuld.exe" or "SystemHelper.exe" in %TEMP%. Users should avoid downloading cracked software and run antivirus with real-time scanning enabled. Published YARA rules for Skuld should be tested against current builds before deployment, since the stealer's code is reused across several open-source stealer projects and rule coverage may be broader or narrower than intended. Because stolen credentials and cookies have already left the host by the time an infection is detected, resetting passwords, invalidating active sessions and enabling multi-factor authentication on affected accounts is the most important containment step.
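As an added example, not taken from the page's sources or from any vendor report, the following Python script turns the indicators listed in the Detection Indicators section and the endpoint rules suggested above into a small correlation check. It assumes Sysmon-style events flattened into `Key=Value` text (EventID 11 file create, 13 registry value set, 3 network connect) and a web-proxy access log; every log line below is constructed for the example, and the indicator values are the page's, which should be validated against current samples before use.

```python
"""Editor-written example: correlate Sysmon-style events and proxy log lines
against the Skuld indicators listed on this page. All log lines are constructed."""
import re

# Indicators taken from the page. They are sample-specific; validate before deploying.
DROP_NAMES = {"skuld.exe", "systemhelper.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)                   # %TEMP%
DATA_DIR_RE = re.compile(r"\\AppData\\Roaming\\SkuldData(\\|$)", re.I)   # %APPDATA%\SkuldData
RUN_KEY_RE = re.compile(                                                  # HKCU Run, as Sysmon logs it
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
C2_PATH = "/gate.php"

# Constructed Sysmon-style events: a fake "crack" drops SystemHelper.exe into %TEMP%,
# which then persists via a Run key, stages data under SkuldData and calls out.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\bob\\Downloads\\photoshop_crack.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\SystemHelper.exe",
    "EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\SystemHelper.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemHelper Details=C:\\Users\\bob\\AppData\\Local\\Temp\\SystemHelper.exe",
    "EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\SystemHelper.exe TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\SkuldData\\browsers.zip",
    "EventID=3 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\SystemHelper.exe DestinationIp=203.0.113.10 DestinationPort=80",
    "EventID=11 Image=C:\\Program Files\\Git\\bin\\git.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\git-123.tmp",
]
# Constructed proxy log: one POST to the C2 path, one ordinary GET.
PROXY_LOG = [
    '203.0.113.10 - - "POST /gate.php HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"',
    '198.51.100.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0.0.0 Safari/537.36"',
]

# Lazy value match up to the next " Key=" token, so values may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn 'Key=Value Key2=Value with spaces' into a dict."""
    return dict(KV_RE.findall(line))


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def match_event(ev: dict) -> list:
    """Return the names of the page's indicators satisfied by one event."""
    hits = []
    target = ev.get("TargetFilename", "")
    if ev.get("EventID") == "11":
        if _basename(target) in DROP_NAMES and TEMP_RE.search(target):
            hits.append("temp_drop")
        if DATA_DIR_RE.search(target):
            hits.append("skulddata_write")
    if (ev.get("EventID") == "13" and RUN_KEY_RE.match(ev.get("TargetObject", ""))
            and _basename(ev.get("Details", "")) in DROP_NAMES):
        hits.append("run_key_persistence")
    return hits


def correlate(lines) -> dict:
    """Group indicator hits by suspected stealer binary. For a %TEMP% drop the actor is
    the dropped file rather than the dropper, so the dropper's write and the dropped
    binary's later persistence and staging land under one key."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        names = match_event(ev)
        if not names:
            continue
        actor = ev["TargetFilename"] if "temp_drop" in names else ev["Image"]
        hits.setdefault(actor.lower(), set()).update(names)
    return hits


def flagged(lines, min_indicators: int = 2) -> list:
    """Binaries with at least min_indicators distinct hits; a lone %TEMP% write is too noisy alone."""
    return sorted(k for k, v in correlate(lines).items() if len(v) >= min_indicators)


PROXY_RE = re.compile(r'"POST (\S+) HTTP/')


def match_proxy(line: str) -> list:
    """Flag POSTs to the C2 path. The Chrome/105 User-Agent from the page is a stock
    browser string and is deliberately not scored: it matches far too much benign traffic."""
    m = PROXY_RE.search(line)
    return ["c2_post"] if m and m.group(1) == C2_PATH else []


if __name__ == "__main__":
    for actor, names in correlate(SAMPLE_EVENTS).items():
        print(actor, sorted(names))
    print("flagged:", flagged(SAMPLE_EVENTS))
    print("c2 posts:", [l for l in PROXY_LOG if match_proxy(l)])
```

Keying the correlation on the dropped file path (not on the process that wrote it) is the design point worth keeping when porting this to a SIEM: the first event comes from the fake installer and every later one from the stealer itself, and only the dropped path links them. Requiring two distinct indicators keeps a legitimate installer that merely writes to %TEMP% from paging anyone.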


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.