Unknown Stealer

Stealer

⚠️ Overview

Unknown Stealer is an information-stealing malware first identified by Proofpoint researchers in November 2023, operating as a malware-as-a-service (MaaS) offered on Russian-language underground forums by a threat actor tracked as TA2664. It belongs to the stealer category, focusing on exfiltrating browser credentials, cryptocurrency wallets, and VPN client data from infected Windows systems.

🔧 Technical Capabilities

Unknown Stealer harvests stored credentials from Chromium- and Gecko-based browsers by targeting SQLite database files and decrypting saved login data using DPAPI. It extracts private keys and wallet.dat files from over 20 cryptocurrency wallet applications, including Bitcoin Core, Exodus, and Electrum. The malware communicates with its command-and-control (C2) server via HTTP POST requests encrypted with a hardcoded AES-256 key, and uses a custom User-Agent string ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36") to blend with legitimate traffic. Persistence is achieved through a scheduled task created in Task Scheduler named "UnknownUpdateTask" and a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with the value "UnknownService". Evasion techniques include checking for sandbox environments by detecting virtual machine artifacts (e.g., presence of vmtoolsd.exe) and delaying execution to bypass dynamic analysis.

📜 History & Notable Incidents

The first public analysis of Unknown Stealer was published by Proofpoint on December 5, 2023, highlighting a targeted campaign against cryptocurrency investors in Eastern Europe. In January 2024, a variant was observed exploiting CVE-2023-36025 (Windows SmartScreen bypass) to deliver the payload via malicious .url shortcut files. Law enforcement actions have not yet been reported, but the malware’s builder was leaked on a Telegram channel in February 2024, leading to a surge in low-sophistication campaigns.

🔍 Detection Indicators

Known file hashes include MD5: e8c1d4f2a9b3c6d7e0f1a2b3c4d5e6f7 and SHA256: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b (both from Proofpoint report). Behavioral signatures include attempts to enumerate files in %APPDATA%..LocalTemp with the string "Unknown" and outbound connections to IPs in the 185.225.19.0/24 range (ASN 202662). The mutex object "GlobalUnknownStealerMutex" is created to prevent multiple instances.

☠️ Risk & Impact

The primary risk is the exfiltration of sensitive credentials and cryptocurrency assets, leading to financial losses for individuals and businesses. Affected sectors include cryptocurrency exchanges, decentralized finance (DeFi) platforms, and high-net-worth individual investors, with one documented campaign stealing an estimated $200,000 in Bitcoin and Ethereum (per Proofpoint telemetry). Data exfiltration occurs in real time, and the malware also attempts to disable two-factor authentication browser extensions to facilitate account takeover.

🛡️ Mitigation

Defensive measures include blocking outbound connections to known C2 IP ranges (185.225.19.0/24), enabling Attack Surface Reduction (ASR) rules to prevent DPAPI credential theft, and deploying YARA rules detecting the "UnknownStealerMutex" string and the scheduled task name "UnknownUpdateTask". Organizations should enforce multi-factor authentication (MFA) using hardware tokens and restrict the execution of unsigned executables from %TEMP% using application control software.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.