Malware

Katz Stealer Malware Targets Browsers Wallets and Messaging Platforms

Cybersec Sentinel

May 27, 2025 • 3 min read

Threat Group: Unknown (operates via MaaS model)
Threat Type: Credential and information-stealing malware (Infostealer)
Exploited Vulnerabilities: Chrome ABE Bypass, UAC Bypass via cmstp.exe, Process Hollowing via MSBuild.exe
Malware Used: Katz Stealer
Threat Score: 🔴 High (8.2/10)
Last Observed Activity: May 278 2025

Overview

This report delivers a detailed threat assessment on Katz Stealer, an emerging credential stealer operating as a Malware-as-a-Service (MaaS). Since its appearance in May 2025, Katz Stealer has leveraged a sophisticated infection chain, targeting browsers, cryptocurrency wallets, communications platforms, and gaming services.

Its effectiveness stems from its bypassing of Chrome's App-Bound Encryption (ABE), User Account Control (UAC) via cmstp.exe, and stealthy process hollowing techniques. The attack typically starts with phishing emails distributing GZIP archives containing obfuscated JavaScript.

Microsoft classifies the malware as "Trojan:Win64/KatzStealer.RH!MTB" with a Severe rating. Indicators include the use of domains such as katz-stealer.com, payloads like received_dll.dll, and unique User-Agent strings. Security vendors like Nextron have released detection signatures and behavioral rules to aid defenses.

Threat Actor and MaaS Operation

Threat Group Attribution

There is no direct attribution to a known APT group. Development in C/ASM, presence of enterprise-grade C2 panels, and build customizability point to a professional criminal operation.

Malware-as-a-Service Model

Katz Stealer is sold via underground forums, offering subscription-based access to payload builders and web C2 interfaces. These include:

Payload customization (anti-VM, geofence, modules)
Encrypted logs and searchable dashboards
Cryptocurrency payment integration
Built-in support and updates

This model reduces the barrier to advanced TTPs for financially motivated cybercriminals.

Malware Analysis

Overview and Capabilities

Harvests browser credentials, cookies, session tokens
Extracts private keys/seed phrases from 154+ crypto wallet extensions
Steals chat tokens from Discord, Telegram, and Teams
Gathers Steam, Outlook, VPN, FTP, Ngrok, and system data
Executes BitBlt screenshots and clipboard monitoring
Uses .NET reflection, base64 obfuscation, and memory-only payloads

Obfuscation and Evasion Techniques

GZIP + JavaScript > PowerShell > Obfuscated.NET payload
Uses archive.org image downloads to smuggle code
VM checks via BIOS, resolution, uptime
Geofencing by locale and keyboard layout

Delivery Method and Infection Chain

Delivered via phishing or trojanized software:

GZIP archive (JavaScript)
Obfuscated PowerShell > image payload
.NET loader via reflection
Loader uses cmstp.exe for UAC bypass
Injects stealer DLL into MSBuild.exe

Persistence Mechanisms

Modifies Discord's index.js to connect to twist2katz.com over HTTPS, using a spoofed Chrome UA (katz-ontop). This enables remote JavaScript payload execution within the Discord process.

Exploited Techniques

ABE Bypass: Extracts decryption key from browser Local State
Process Hollowing: Uses CreateRemoteThread in MSBuild.exe
UAC Bypass: cmstp.exe + malicious INF script
Persistence: Discord app.asar hijacking with backdoor JavaScript
Other Vectors: SEO poisoning, malvertising, phishing, payload hosting via R2.dev

Indicators of Compromise

FileHash-MD5

470f0db6a56a879985c62cd71c5a98a4
8e7ded0089b6adfdd951b5d8175078f7
97f1414fc38589e3f6897b2a7a3de9bc
07a7f829677af65f778369a3fc4e1f86
38331f134a3f5ee9a945c2d1d4f0768a
3f3ada874a48e48d72ac26d12f8c7e60
f0220f5d1f935f09d58e869247cfdb5d

FileHash-SHA1

501e5cc4cb65d55cff934e7447528fef5243578d
b5326b0946e59f91a39d51975b9f6e33a60d309b
ceaec46f7d65706ffc639e75c515d0a35a21338d
02af00adcf0c8655e16c5a4d936ece2b10d77c2e
091e8340ce21785d49f6827e75a13e810efeccce
0a68170a7b1d45bb800496e801dcef77be62bfd6
611c9da09ce3948b2094d8552d2e41d8388cf93f
6b0c20ca100b0b8fc8b6dac17a68a34fb1fe5dac
1d5ef46357eb2298b1c3c4faccbaafa729137613
2f2ced67e87101f4d1275456f0861209809492fc
3cf4f3ababa912e0e6bb71ab5abb43681d8e7ecc
5492947d2b85a57f40201cd7d1351c3d4b92ae88

FileHash-SHA256

0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
1ac196ac6393d786618c944a7ab77fb189a6b4ba00af5c0f987c3dc65876c060
4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7
5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8
6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d
ad76e2727469525dec7e56977589dd250ca57a29b8b0d42cd5c42e536c285241
b10796c41e1cec7c84a3c68bfcaa7b20f49b620d1c94304a6b3ed73471fa9031
d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647
e1a0d6929662bcbc9e5e0827cb8b6d7818088e996cf971d2a4a1c1ca4208e533
fcad234dc2ad5e2d8215bcf6caac29aef62666c34564e723fa6d2eee8b6468ed
fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789
15953e0191edaa246045dda0d7489b3832f27fdc3fcc5027f26b89692aefd6e1
22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb
25b1ec4d62c67bd51b43de181e0f7d1bda389345b8c290e35f93ccb444a2cf7a
2798bf4fd8e2bc591f656fa107bd871451574d543882ddec3020417964d2faa9
2852770f459c0c6a0ecfc450b29201bd348a55fb3a7a5ecdcc9986127fdb786b
5dd629b610aee4ed7777e81fc5135d20f59e43b5d9cc55cdad291fcf4b9d20eb
925e6375deaa38d978e00a73f9353a9d0df81f023ab85cf9a1dc046e403830a8
964ec70fc2fdf23f928f78c8af63ce50aff058b05787e43c034e04ea6cbe30ef
96ada593d54949707437fa39628960b1c5d142a5b1cb371339acc8f86dbc7678
b249814a74dff9316dc29b670e1d8ed80eb941b507e206ca0dfdc4ff033b1c1f
b912f06cf65233b9767953ccf4e60a1a7c262ae54506b311c65f411db6f70128
c601721933d11254ae329b05882337db1069f81e4d04cd4550c4b4b4fe35f9cd
e345d793477abbecc2c455c8c76a925c0dfe99ec4c65b7c353e8a8c8b14da2b6
e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19
e73f6e1f6c28469e14a88a633aef1bc502d2dbb1d4d2dfcaaef7409b8ce6dc99
fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027

IPv4

185[.]107[.]74[.]40
31[.]177[.]109[.]39

URL

hxxp://twist2katz[.]com/

Domain

katz-stealer[.]com
katzstealer[.]com
twist2katz[.]com

Hostname

pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev

Detection Rules

YARA Rules

import "hash"

rule Detect_Katz_Stealer_IoCs
{
    meta:
        description = "Detects known file hashes related to Katz Stealer malware"
        author = "Cybersec Sentinel"
        date = "2025-05-26"
        version = "1.0"

    condition:
        hash.md5("470f0db6a56a879985c62cd71c5a98a4") or
        hash.md5("8e7ded0089b6adfdd951b5d8175078f7") or
        hash.md5("97f1414fc38589e3f6897b2a7a3de9bc") or
        hash.md5("07a7f829677af65f778369a3fc4e1f86") or
        hash.md5("38331f134a3f5ee9a945c2d1d4f0768a") or
        hash.md5("3f3ada874a48e48d72ac26d12f8c7e60") or
        hash.md5("f0220f5d1f935f09d58e869247cfdb5d") or

        hash.sha1("501e5cc4cb65d55cff934e7447528fef5243578d") or
        hash.sha1("b5326b0946e59f91a39d51975b9f6e33a60d309b") or
        hash.sha1("ceaec46f7d65706ffc639e75c515d0a35a21338d") or
        hash.sha1("02af00adcf0c8655e16c5a4d936ece2b10d77c2e") or
        hash.sha1("091e8340ce21785d49f6827e75a13e810efeccce") or
        hash.sha1("0a68170a7b1d45bb800496e801dcef77be62bfd6") or

        hash.sha256("0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7") or
        hash.sha256("1ac196ac6393d786618c944a7ab77fb189a6b4ba00af5c0f987c3dc65876c060") or
        hash.sha256("4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7") or
        hash.sha256("5a984e2e308fe84e4e2071dd877772361719ba0217c2c23da79dbb82dc15eac8") or
        hash.sha256("6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d")
}

Threat Score and Risk Assessment

Threat Score: 🔴 8.2/10

Justification:

Advanced evasions (ABE/UAC bypass)
Modular MaaS distribution
Extensive data targeting (154+ wallets, browsers, chat apps)
Active development and dark web promotion

Impacts:

Financial theft (crypto, banking, Steam)
Identity theft (email, chat tokens, autofill data)
Data loss (corporate credentials, IP leakage)
Persistent access via Discord, enabling long-term espionage

Mitigation and Prevention

Control	Recommendation	Priority
EDR/XDR	Detect process hollowing, ABE bypass	High
DNS Filtering	Block C2 domains/IPs	High
PowerShell Logging	Script block + Module logging	High
App Whitelisting	Block cmstp.exe misuse	High
MFA	Prevent credential reuse	High
User Training	Phishing, drive-by download awareness	High
Patch Browsers	Stay ahead of exploit adaptations	High
SIEM	Ingest Sigma/YARA/IoCs	High

Conclusion

Katz Stealer is a dynamic and actively maintained MaaS threat with dangerous capabilities. It blends advanced evasion with modular payloads targeting a wide spectrum of applications and users. Organizations must proactively adopt layered defenses, continually monitor emerging IoCs and detection rules, and treat this malware with the same seriousness afforded to precursor threats to ransomware.

References

Nextron Systems - Katz Stealer Threat Analysis
Cybersecurity News - Katz Stealer Attacking Chrome, Edge, Brave & Firefox to Steal Login Details
GBHackers - Katz Stealer Malware Hits 78+ Chromium and Gecko-Based Browsers
OTX AlienVault - Indicators of Compromise (IoCs)