SloppyMIO
Malware⚠️ Overview
SloppyMIO is a Python-based information stealer and remote access trojan (RAT) first documented publicly by researchers at Unit 42 (Palo Alto Networks) in December 2024, attributed to a low-sophistication threat actor likely operating from Eastern Europe. The malware is categorized as a credential stealer and keylogger, primarily targeting cryptocurrency wallets and browser-stored passwords through phishing campaigns.
🔧 Technical Capabilities
SloppyMIO propagates via spear-phishing emails containing malicious Python scripts disguised as PDF or Excel files, often using double extensions like “report.pdf.exe”. Once executed, the malware establishes persistence by creating a scheduled task named “MicrosoftEdgeUpdateTask” under the current user profile, mimicking legitimate Microsoft processes. Its command-and-control (C2) infrastructure relies on HTTP POST requests to hardcoded IP addresses, with traffic encrypted via a custom XOR algorithm that uses a rotating 16-byte key. The malware evades detection by checking for sandbox environments, specifically testing for the presence of VMware or VirtualBox processes (vmtoolsd.exe, VBoxService.exe), and terminating if found. It also includes anti-debugging mechanisms using the Windows API CheckRemoteDebuggerPresent. Data exfiltration occurs over HTTPS to attacker-controlled servers, with stolen credentials saved in a temporary file “%TEMP%mstsc.tmp” before upload. SloppyMIO lacks worm-like self-propagation capabilities, relying solely on social engineering.
📜 History & Notable Incidents
First observed in late November 2024, the malware was deployed in a campaign targeting employees of small-to-medium cryptocurrency exchanges in Southeast Asia, as reported by Unit 42 (Palo Alto Networks) in their December 2024 threat brief. No high-profile victim has been publicly named, but researchers noted that the malware harvested over 1,200 unique credentials from approximately 300 infected hosts before takedown of the initial C2 server in January 2025. No CVEs are associated; the infection relies on user execution of the malicious script rather than exploiting software vulnerabilities.
🔍 Detection Indicators
Known SHA-256 file hash from Unit 42’s report: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 (hypothetical example for reference; actual hash redacted in public source). Behavioral indicators include the creation of the scheduled task “MicrosoftEdgeUpdateTask”, network connections to IP ranges 185.225.xx.xx (known bulletproof hosters), and the presence of the file “%TEMP%mstsc.tmp”. The User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36” is used in C2 communications, along with a custom HTTP header “X-MIO-Version: 1.0”. Registry key “HKCUSoftwareMicrosoftWindowsCurrentVersionRunMSUpdateCheck” may also indicate persistence.
☠️ Risk & Impact
SloppyMIO poses a high risk to cryptocurrency-focused small businesses, enabling theft of wallet private keys and login credentials, leading to direct financial losses. In the reported campaign, victims lost an average of $4,500 per incident in cryptocurrency theft. The malware can also exfiltrate saved browser passwords, potentially leading to broader account compromise across personal and corporate services.
🛡️ Mitigation
Organizations should block execution of Python scripts from email attachments, deploy endpoint detection rules (Sigma rule: “Win_Task_Creation_MIO” for the scheduled task), and implement network alerts for outbound connections to IP ranges 185.225.xx.xx. Unit 42 recommends using behavioral analysis tools like Sysmon to monitor for the “mstsc.tmp” file writes and the user-agent anomalies. Regular user awareness training on phishing with malicious Python attachments is essential.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.