Security Affairs
Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram. Security researchers at the Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is actively distributed. The malware could steals files, browser information, and cryptocurrency wallet data and send them […]

Masad Stealer

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at the Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is actively distributed. The malware could steals files, browser information, and cryptocurrency wallet data and send them to the botmasters using a Telegram.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

Masad Stealer sends all of the information it collects – and receive commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

The Masad Stealer is written in Autoit scripts and is compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but experts revealed that it is possible to find larger executables bundled into other applications. 

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper, the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed masquerading it as a legitimate tool or bundling it into third party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected installing tainted versions of popular software and game cracks, and cheats.

Once infected a machine, Masad Stealer will collect a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, Cryptocurrency Wallets, browser cookies, usernames, passwords, and Credit Card Browser Data.

Masad Stealer is also able to automatically replaces MoneroBitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallets from the clipboard with its own.

The malware achieves persistence by creating a scheduled task on all Windows devices it manages. 

Once the malware has collected the information from the victims’ computers will zip them using a 7zip executable bundled within its binary, then it will exfiltrat the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of unique Telegram bot IDs and usernames associated to the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]