
StealeriumPy: A Stealerium variant delivered through ClickFix

Written by Cristina Aldea | Jun 23, 2025 1:10:54 PM

Malware Overview

In the first quarter of 2025, Cegeka CSIRT observed ‘StealeriumPy’ being distributed through ClickFix. ‘ClickFix’ is a popular social engineering technique that was first observed by security researchers in August 2024. Users accessing a suspicious or compromised website are prompted with pop-up messages that resemble ‘CAPTCHA’ or ‘IT support notifications’. These pop-up messages commonly request the users to follow instructions in order to ‘fix’ a non-existent issue or ‘prove’ that they ‘are not a robot’.

Accessing such a website and following the instructions provided in a fake ‘CAPTCHA’ message results in the execution of ‘StealeriumPy’.

Once executed, the malware injects itself into a legitimate executable and collects:

  • System information: public IP address, operating system version, antivirus, country code, Windows key.
  • Wireless network profiles and credentials.
  • Browser data: saved credentials, cookies, credit card information, cryptocurrency wallets, history, bookmarks, extensions.
  • Documents and sensitive files that reside in User folders.
  • Configuration files, sessions, account metadata of gaming applications.
  • Configuration files and credentials from VPN Clients.
  • Session data and login credentials from messaging applications.

The collected data is then exfiltrated via HTTP to a public IP address. 

Below, a high-level overview of the infection chain can be found:

Recommendations

Cegeka CSIRT encourages organizations to:

  • Use Endpoint Detection and Response (EDR) tools to continuously monitor endpoint activity and to detect and respond to threats.
  • Conduct frequent user awareness training and raise awareness of new attacks and techniques employed by threat actors.
  • Encourage users to report any suspicious activity.
  • Encourage browser hygiene by avoiding saving sensitive information (credentials, credit card data or personal information) within the browser.
  • Consider disabling the ‘Win + R’ shortcut (which opens the Windows Run dialog), as the ‘ClickFix’ technique appears to rely on this shortcut to coerce users into running malicious commands.
  • Establish an internal Security Operations Center / Cybersecurity Incident Response team or partner with a Managed Security Services Provider to ensure continuous threat detection and prompt incident response.
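The two recommendations that touch the Run dialog (disabling ‘Win + R’ and detecting its misuse) can be put into practice with the following PowerShell, written here as an added example and not taken from the Cegeka CSIRT report. It assumes a Windows host, the standard Explorer policy value `NoRun` (the "Remove Run menu from Start Menu" policy, which also blocks ‘Win + R’) and the standard `RunMRU` registry key that records what a user typed into the Run dialog; the sample commands and the keyword heuristic are constructed for illustration, not indicators from the report.

```powershell
# Added example (not Cegeka CSIRT code): harden against Win+R abuse and audit Run-dialog history.
# Assumptions: Windows host; per-user policy under HKCU (use the HKLM equivalent for machine-wide);
# RunMRU entries are stored as '<command>\1' in values named 'a','b',... ordered by the MRUList value.

$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Disable-RunDialog {
    # Sets the "Remove Run menu from Start Menu" policy (NoRun = 1), which also disables Win+R.
    # Takes effect when Explorer restarts or at the next logon.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RunDialogHistory {
    # Returns the current user's Run-dialog history, most recent first, with the '\1' marker stripped.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key   = Get-ItemProperty -Path $RunMruPath
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($slot in $order) {
        $name = [string]$slot
        $prop = $key.PSObject.Properties[$name]
        if ($prop -and $prop.Value) {
            [pscustomobject]@{ Slot = $name; Command = ($prop.Value -replace '\\1$', '') }
        }
    }
}

function Find-SuspiciousRunEntry {
    param([string[]]$Commands)
    # Constructed heuristic: script interpreters or download-capable system binaries typed into the
    # Run dialog, encoded/obfuscated arguments, or unusually long one-liners. Tune to your environment.
    $interpreter = '^(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin|rundll32)(\.exe)?\b'
    $obfuscation = '(\s-(e|ec|enc|encodedcommand)\s|frombase64string|\biex\b|invoke-expression|downloadstring|https?://)'
    foreach ($c in $Commands) {
        $flags = @()
        if ($c -match $interpreter) { $flags += 'interpreter-or-lolbin' }
        if ($c -match $obfuscation) { $flags += 'download-or-obfuscation' }
        if ($c.Length -gt 120)      { $flags += 'unusually-long' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Command = $c; Flags = ($flags -join ',') }
        }
    }
}

# Constructed sample entries (placeholders, not real indicators) to exercise the heuristic offline.
$sample = @(
    'notepad',
    'powershell -w hidden -enc PLACEHOLDER_BASE64',
    'mshta https://example.invalid/verify',
    'calc'
)
Find-SuspiciousRunEntry -Commands $sample | Format-Table -AutoSize
# Expected: the 'powershell' and 'mshta' entries are flagged; 'notepad' and 'calc' are not.

# Live audit of the current user's Run history:
#   Find-SuspiciousRunEntry -Commands ((Get-RunDialogHistory).Command)
# Apply the hardening (after confirming with IT that the Run dialog is not needed):
#   Disable-RunDialog
```

The audit covers only the profile the script runs under; for a fleet-wide check, run it from the EDR or management agent in each user context, or enumerate the `HKEY_USERS` hives. The `NoRun` policy is better deployed through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu") so that it is enforced consistently and cannot be undone by the user.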

Malware Analysis Report

Please find the full Cegeka CSIRT malware analysis report along with a YARA rule for the detection/identification of StealeriumPy here:

Cegeka Modern SOC

Our Cegeka Modern SOC, staffed with experienced security professionals, is able to detect these types of attacks and adequately respond to them in a timely manner, minimizing or even fully preventing impact on your organization.