Katz Stealer Malware Targets Browsers Wallets and Messaging Platforms

Threat Group: Unknown (operates via MaaS model)
Threat Type: Credential and information-stealing malware (Infostealer)
Exploited Vulnerabilities: Chrome ABE Bypass, UAC Bypass via cmstp.exe, Process Hollowing via MSBuild.exe
Malware Used: Katz Stealer
Threat Score: 🔴 High (8.2/10)
Last Observed Activity: May 278 2025


Overview

This report delivers a detailed threat assessment on Katz Stealer, an emerging credential stealer operating as a Malware-as-a-Service (MaaS). Since its appearance in May 2025, Katz Stealer has leveraged a sophisticated infection chain, targeting browsers, cryptocurrency wallets, communications platforms, and gaming services.

Its effectiveness stems from bypassing Chrome's App-Bound Encryption (ABE), bypassing User Account Control (UAC) via cmstp.exe, and running its stealer through stealthy process hollowing. The attack typically starts with phishing emails distributing GZIP archives containing obfuscated JavaScript.

Microsoft classifies the malware as "Trojan:Win64/KatzStealer.RH!MTB" with a Severe rating. Indicators include the use of domains such as katz-stealer.com, payloads like received_dll.dll, and unique User-Agent strings. Security vendors like Nextron have released detection signatures and behavioral rules to aid defenses.


Threat Actor and MaaS Operation

Threat Group Attribution

There is no direct attribution to a known APT group. Development in C/ASM, presence of enterprise-grade C2 panels, and build customizability point to a professional criminal operation.

Malware-as-a-Service Model

Katz Stealer is sold via underground forums, offering subscription-based access to payload builders and web C2 interfaces. These include:

  • Payload customization (anti-VM, geofence, modules)
  • Encrypted logs and searchable dashboards
  • Cryptocurrency payment integration
  • Built-in support and updates

This model reduces the barrier to advanced TTPs for financially motivated cybercriminals.


Malware Analysis

Overview and Capabilities

  • Harvests browser credentials, cookies, session tokens
  • Extracts private keys/seed phrases from 154+ crypto wallet extensions
  • Steals chat tokens from Discord, Telegram, and Teams
  • Gathers Steam, Outlook, VPN, FTP, Ngrok, and system data
  • Executes BitBlt screenshots and clipboard monitoring
  • Uses .NET reflection, base64 obfuscation, and memory-only payloads

Obfuscation and Evasion Techniques

  • GZIP + JavaScript > PowerShell > obfuscated .NET payload
  • Uses archive.org image downloads to smuggle code
  • VM checks via BIOS, resolution, uptime
  • Geofencing by locale and keyboard layout

Delivery Method and Infection Chain

Delivered via phishing or trojanized software:

  1. GZIP archive (JavaScript)
  2. Obfuscated PowerShell > image payload
  3. .NET loader via reflection
  4. Loader uses cmstp.exe for UAC bypass
  5. Injects stealer DLL into MSBuild.exe
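Detection logic for steps 4 and 5 of the chain above, written as an added example rather than code from the report: it runs over constructed Sysmon-style process-creation records (field names are an assumption) and flags cmstp.exe loading an INF file from outside C:\Windows, and MSBuild.exe being spawned by a script interpreter.

```python
import re

# Added example (not the report's code): detection logic over constructed
# Sysmon-style process-creation events; field names are assumptions.
SYSTEM_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
INF_ARG = re.compile(r"\S+\.inf\b", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def check_event(ev):
    """Return alert strings for one process-creation event (empty if benign)."""
    alerts = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    # Step 4 of the chain: cmstp.exe handed an INF file outside C:\Windows
    if image == "cmstp.exe":
        for m in INF_ARG.finditer(ev["CommandLine"]):
            path = m.group(0).strip('"')
            if not SYSTEM_DIR.match(path):
                alerts.append(f"cmstp.exe loading non-system INF: {path}")
    # Step 5: MSBuild.exe (the hollowing host) spawned by a script interpreter
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS:
        alerts.append(f"MSBuild.exe spawned by {parent}")
    return alerts


def scan(events):
    """Run check_event over a batch and tag each alert with its ProcessId."""
    return [(ev["ProcessId"], a) for ev in events for a in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": PS,
     "CommandLine": r'cmstp.exe "C:\Users\alice\AppData\Local\Temp\x.inf"'},
    {"ProcessId": 4188, "Image": MSBUILD, "ParentImage": PS, "CommandLine": "MSBuild.exe"},
    {"ProcessId": 5001, "Image": MSBUILD, "ParentImage": r"C:\Tools\devenv.exe",
     "CommandLine": "MSBuild.exe build.proj"},
    {"ProcessId": 5100, "Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmstp.exe C:\Windows\System32\sample.inf"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```

The last two sample events are benign controls (a developer build and an INF under the system directory) and produce no alert.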

Persistence Mechanisms

Modifies Discord's index.js to connect to twist2katz.com over HTTPS, using a spoofed Chrome UA (katz-ontop). This enables remote JavaScript payload execution within the Discord process.
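A host check for this persistence mechanism, added here as an example and not taken from the report: it walks a Discord install tree and reports every index.js that contains the twist2katz.com domain or the katz-ontop User-Agent string. The module layout and the sample file contents are constructed for the demo.

```python
import os
import sys
import tempfile

# Added example (not the report's code): scan a Discord install tree for
# index.js files carrying the markers named above. The tree layout and
# sample contents are constructed; the marker list comes from the report's IoCs.
MARKERS = (b"twist2katz.com", b"katz-ontop")


def scan_index_js(root):
    """Return [(path, [markers found])] for every index.js under root that matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != "index.js":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            found = [m.decode() for m in MARKERS if m in data]
            if found:
                hits.append((path, found))
    return hits


def build_sample_tree():
    """Constructed Discord-like module tree: one clean module, one tampered."""
    root = tempfile.mkdtemp(prefix="discord_demo_")
    clean = os.path.join(root, "modules", "discord_desktop_core-1", "discord_desktop_core")
    bad = os.path.join(root, "modules", "discord_voice-1", "discord_voice")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "index.js"), "wb") as f:
        f.write(b"module.exports = require('./core.asar');\n")
    with open(os.path.join(bad, "index.js"), "wb") as f:
        f.write(b"module.exports = require('./core.asar');\n"
                b"// constructed stand-in for the injected loader: it would reach\n"
                b"// twist2katz.com with User-Agent katz-ontop\n")
    return root


if __name__ == "__main__":
    # Real installs live under %LOCALAPPDATA%\Discord on Windows; pass that path
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, found in scan_index_js(target):
        print(f"TAMPERED {path}: {', '.join(found)}")
```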


Exploited Techniques

  • ABE Bypass: Extracts decryption key from browser Local State
  • Process Hollowing: Uses CreateRemoteThread in MSBuild.exe
  • UAC Bypass: cmstp.exe + malicious INF script
  • Persistence: Discord app.asar hijacking with backdoor JavaScript
  • Other Vectors: SEO poisoning, malvertising, phishing, payload hosting via R2.dev

Indicators of Compromise


IPv4

  • 185[.]107[.]74[.]40
  • 31[.]177[.]109[.]39

URL

  • hxxp://twist2katz[.]com/

Domain

  • katz-stealer[.]com
  • katzstealer[.]com
  • twist2katz[.]com

Hostname

  • pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev

Detection Rules

YARA Rules

import "hash"

rule Detect_Katz_Stealer_IoCs
{
    meta:
        description = "Detects known file hashes related to Katz Stealer malware"
        author = "Cybersec Sentinel"
        date = "2025-05-26"
        version = "1.0"

    condition:
        // The hash module functions take (offset, size) and return the hex
        // digest, so each indicator is compared against the whole-file hash
        hash.md5(0, filesize) == "470f0db6a56a879985c62cd71c5a98a4" or
        hash.md5(0, filesize) == "8e7ded0089b6adfdd951b5d8175078f7" or
        hash.md5(0, filesize) == "97f1414fc38589e3f6897b2a7a3de9bc" or
        hash.md5(0, filesize) == "07a7f829677af65f778369a3fc4e1f86" or
        hash.md5(0, filesize) == "38331f134a3f5ee9a945c2d1d4f0768a" or
        hash.md5(0, filesize) == "3f3ada874a48e48d72ac26d12f8c7e60" or
        hash.md5(0, filesize) == "f0220f5d1f935f09d58e869247cfdb5d" or

        hash.sha1(0, filesize) == "501e5cc4cb65d55cff934e7447528fef5243578d" or
        hash.sha1(0, filesize) == "b5326b0946e59f91a39d51975b9f6e33a60d309b" or
        hash.sha1(0, filesize) == "ceaec46f7d65706ffc639e75c515d0a35a21338d" or
        hash.sha1(0, filesize) == "02af00adcf0c8655e16c5a4d936ece2b10d77c2e" or
        hash.sha1(0, filesize) == "091e8340ce21785d49f6827e75a13e810efeccce" or
        hash.sha1(0, filesize) == "0a68170a7b1d45bb800496e801dcef77be62bfd6" or

        hash.sha256(0, filesize) == "0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7" or
        hash.sha256(0, filesize) == "1ac196ac6393d786618c944a7ab77fb189a6b4ba00af5c0f987c3dc65876c060" or
        hash.sha256(0, filesize) == "4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7" or
        hash.sha256(0, filesize) == "5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8" or
        hash.sha256(0, filesize) == "6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d"
}

Threat Score and Risk Assessment

Threat Score: 🔴 8.2/10

Justification:

  • Advanced evasions (ABE/UAC bypass)
  • Modular MaaS distribution
  • Extensive data targeting (154+ wallets, browsers, chat apps)
  • Active development and dark web promotion

Impacts:

  • Financial theft (crypto, banking, Steam)
  • Identity theft (email, chat tokens, autofill data)
  • Data loss (corporate credentials, IP leakage)
  • Persistent access via Discord, enabling long-term espionage

Mitigation and Prevention

Control             Recommendation                           Priority
------------------  ---------------------------------------  --------
EDR/XDR             Detect process hollowing, ABE bypass     High
DNS Filtering       Block C2 domains/IPs                     High
PowerShell Logging  Script block + Module logging            High
App Whitelisting    Block cmstp.exe misuse                   High
MFA                 Prevent credential reuse                 High
User Training       Phishing, drive-by download awareness    High
Patch Browsers      Stay ahead of exploit adaptations        High
SIEM                Ingest Sigma/YARA/IoCs                   High

Conclusion

Katz Stealer is a dynamic and actively maintained MaaS threat with dangerous capabilities. It blends advanced evasion with modular payloads targeting a wide spectrum of applications and users. Organizations must proactively adopt layered defenses, continually monitor emerging IoCs and detection rules, and treat this malware with the same seriousness afforded to precursor threats to ransomware.
