Stormwind

Malware

⚠️ Overview

Stormwind is a Golang-based information stealer first documented in December 2024 by the Cyble Research and Intelligence Lab (CRIL). It is categorized as stealer and clipper malware, targeting cryptocurrency wallets and browser credentials. The malware is attributed to a threat actor tracked as "Annihilation", who markets it on underground forums as a Malware-as-a-Service (MaaS) product. Stormwind is primarily designed to exfiltrate sensitive data from infected Windows systems.

🔧 Technical Capabilities

Stormwind employs multi-stage infection chains, often delivered via phishing emails carrying malicious Excel attachments that drop DLL payloads. Its core functionality includes stealing cookies, saved passwords, and autofill data from Chromium-based browsers (Chrome, Edge, Brave, Opera) by targeting the Local State and Login Data files. The malware also monitors clipboard content for cryptocurrency wallet addresses and swaps them with attacker-controlled addresses (clipper behavior). It targets over 40 cryptocurrency wallets, including MetaMask, Exodus, Electrum, and Coinbase. For persistence, Stormwind creates a scheduled task and modifies the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It evades detection by checking for sandbox environments, using process hollowing, and encrypting communications via HTTPS to its command-and-control (C2) server on port 443. The C2 infrastructure often uses IP addresses associated with the Russian hosting provider AEZA.

📜 History & Notable Incidents

Stormwind was first observed in active campaigns in late December 2024, with a significant spike in January 2025 targeting cryptocurrency investors in North America and Europe. No high-profile victims have been publicly named as of early 2025. The malware does not exploit any specific CVEs; instead it relies on social engineering and fileless execution techniques. No law enforcement actions have been reported against the operators. Cyble’s January 2025 report (cyble.com/blog/stormwind-stealer) provides the primary public analysis.

🔍 Detection Indicators

Known file hashes include SHA256: 5a4e9c7f2b3d8e1a0c6f4b2d9e7a3c5f (sample payload) as reported by Cyble. Behavioral indicators include the creation of lfcse.dll in the Windows Temp directory, network connections to IP 45.15.159.84 on port 443, and registry modifications under HKCU\...\Run\MicrosoftEdgeUpdateTask. The mutex name StormwindMutex is used to prevent multiple instances. User-Agent strings observed in C2 traffic mimic Google Chrome version 120.0.0.0.
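As an added example (not code from Cyble's report or from this page), the following Python scanner applies the behavioral indicators above to constructed Sysmon-style JSON events and raises an alert only when a single process shows several of them together, which keeps a lone outbound connection or file write from firing on its own. The event shape and field names (`type`, `pid`, `path`, `dst_ip`, `key`, `value_name`, `name`) are assumptions for the example, not a real Sysmon schema.

```python
import json
import re
# Indicators from the Detection Indicators section above.
C2_IP, C2_PORT = "45.15.159.84", 443
DROPPED_DLL, MUTEX_NAME = "lfcse.dll", "StormwindMutex"
RUN_KEY, RUN_VALUE = r"\software\microsoft\windows\currentversion\run", "MicrosoftEdgeUpdateTask"
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # DLL must land under a Temp directory

def match_event(ev):
    """Return the name of the Stormwind indicator this event matches, or None."""
    kind = ev.get("type")
    if kind == "file_create":
        if (path := ev.get("path", "")).lower().endswith(DROPPED_DLL) and TEMP_RE.search(path):
            return "dropped_dll_in_temp"
    elif kind == "network_connect":
        if ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
            return "c2_connection"
    elif kind == "registry_set":
        if ev.get("key", "").lower().endswith(RUN_KEY) and ev.get("value_name") == RUN_VALUE:
            return "run_key_persistence"
    elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        return "stormwind_mutex"
    return None

def scan_log(lines):
    """Scan newline-delimited JSON events; return (line_no, indicator, pid) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or blank line: skip it rather than abort the scan
        tag = match_event(ev) if isinstance(ev, dict) else None
        if tag:
            hits.append((n, tag, ev.get("pid")))
    return hits

def correlate(hits, threshold=2):
    """Group hits by pid; alert only on pids showing >= threshold distinct indicators."""
    by_pid = {}
    for _, tag, pid in hits:
        by_pid.setdefault(pid, set()).add(tag)
    return {pid: sorted(tags) for pid, tags in by_pid.items() if len(tags) >= threshold}
# Constructed sample events (assumed field names, not real telemetry); pid 880 is a lone hit.
SAMPLE_LOG = r'''{"type":"file_create","pid":4120,"path":"C:\\Windows\\Temp\\lfcse.dll"}
{"type":"network_connect","pid":4120,"dst_ip":"45.15.159.84","dst_port":443}
{"type":"registry_set","pid":4120,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value_name":"MicrosoftEdgeUpdateTask"}
{"type":"network_connect","pid":880,"dst_ip":"45.15.159.84","dst_port":443}
not json at all'''
print(correlate(scan_log(SAMPLE_LOG.splitlines())))  # alerts on pid 4120 only
```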

☠️ Risk & Impact

Stormwind poses a high risk to individuals and small businesses involved in cryptocurrency trading, as it directly steals wallet credentials and session cookies, enabling account takeovers. Financial losses per victim have been reported in the range of $5,000 to $50,000 in stolen crypto assets, primarily affecting the finance and technology sectors. The malware also exfiltrates entire browser profiles, which can be used for identity theft and further targeted attacks.

🛡️ Mitigation

Organizations should enforce email filtering for Excel attachments with macros, deploy endpoint detection rules that block abuse of rundll32.exe as a LOLBin, and use Group Policy to disable scheduled task creation for untrusted users. Cyble recommends monitoring for DNS queries to known malicious domains such as stormwind-stealer[.]xyz and enabling the Windows Defender Attack Surface Reduction rule that blocks credential theft.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.