In 2025, cybersecurity analysts witnessed the emergence of a sophisticated and highly evasive info-stealer known as Katz Stealer, a malware-as-a-service (MaaS).
According to a detailed report by Picus, Katz Stealer is engineered for "maximum stealth, modular payload delivery, and rapid data exfiltration." This threat is not only technically impressive but also commercially accessible, allowing even novice threat actors to unleash highly effective data-theft campaigns.
The attack begins like many others: phishing emails or fake cracked-software downloads deliver a malicious GZIP archive.
"Within this archive lies a JavaScript dropper, intentionally obfuscated to evade detection and analysis… using deceptive variable names and convoluted JavaScript tricks," the report notes.
The dropper leverages tricks like +[] coercion and polymorphic string building to confuse analysts. Once executed, it launches a PowerShell command with the -WindowStyle Hidden flag and decodes a Base64 blob entirely in memory, leaving nothing on disk for file-based detection to catch.
"The script scans the image's content for markers <<base64_start>> and <<base64_end>>, extracting a chunk of hidden code embedded within the image file," Picus reveals, showcasing its creative use of steganography.
Katz Stealer escalates its privileges using a known UAC bypass via cmstp.exe, executing with admin rights through a malicious INF file. It then creates a Scheduled Task to ensure persistence across reboots.

The next step is process hollowing, where the malware spawns a legitimate binary, MSBuild.exe, and injects itself into it. This allows the malware to blend into the system, appearing as a trusted Microsoft process.
"By running inside MSBuild… the malware hopes to blend in and bypass security tools," the report states.
Katz Stealer lives up to its name by aggressively exfiltrating data from virtually every user application that holds sensitive information:
- Browsers: Passwords, cookies, autofill data, session tokens, even credit card CVVs.
- VPNs and Email Clients: Credentials from Outlook, Foxmail, Windows Live Mail, and more.
- Messaging Platforms: Discord and Telegram tokens and session hijacks.
- Crypto Wallets: Exodus, Electrum, MetaMask, Brave Wallet, and 150+ others.
"Put simply, it collects nearly everything of value that resides on a compromised system."
The malware even injects itself into browsers like Chrome and Firefox using DLL injection, accessing encrypted password stores by replicating the browser's own decryption logic.
One of Katz Stealer's most devious features is how it hijacks the Discord app to establish a persistent backdoor:
"It modifies the index.js file inside [Discord's] app.asar archive… to fetch and execute attacker-supplied JavaScript," explains Picus.
Because Discord runs at startup and is trusted by users and firewalls alike, this technique allows attackers to reinfect systems silently every time Discord launches.
Communication with the malware’s C2 infrastructure is stealthy and persistent. Katz Stealer maintains a TCP beacon to servers like 185.107.74[.]40, identifies itself with an implant ID (e.g., al3rbi), and downloads modules on demand.
"The string is nearly identical to a legitimate Chrome browser agent, with the addition of katz-ontop at the end," researchers observe, highlighting a unique IOC for defenders.
Stolen data (passwords, screenshots, crypto keys) is exfiltrated immediately, minimizing on-disk presence and maximizing attacker success.
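As an added defensive example (not code from the Picus report or from this article), the following Python flags the two artefacts described above: the <<base64_start>>/<<base64_end>> markers wrapping a payload hidden in an image file, and the katz-ontop suffix on an otherwise Chrome-like User-Agent string. The proxy log layout and all sample data are constructed assumptions.

```python
"""Detection helpers for two Katz Stealer artefacts from the Picus report: the
<<base64_start>>/<<base64_end>> markers wrapping a payload hidden in an image, and
the 'katz-ontop' suffix on an otherwise Chrome-like User-Agent. Samples are constructed."""
import base64
import binascii
import re
from typing import Optional

START, END = b"<<base64_start>>", b"<<base64_end>>"
# A Chrome-style UA whose final token is the marker reported by Picus.
KATZ_UA = re.compile(r"Chrome/[\d.]+ Safari/[\d.]+ katz-ontop$")

def extract_stego_payload(data: bytes) -> Optional[bytes]:
    """Decode the base64 chunk between the markers; None if absent or malformed."""
    start = data.find(START)
    if start == -1:
        return None
    end = data.find(END, start + len(START))
    if end == -1:
        return None
    try:
        return base64.b64decode(data[start + len(START):end].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None

def is_katz_user_agent(user_agent: str) -> bool:
    return KATZ_UA.search(user_agent.strip()) is not None

def flag_proxy_lines(lines: list) -> list:
    """Return lines whose trailing quoted field (assumed to be the User-Agent,
    as in a '<ts> <client> <method> <url> "<ua>"' layout) carries the marker."""
    flagged = []
    for line in lines:
        m = re.search(r'"([^"]*)"\s*$', line)
        if m and is_katz_user_agent(m.group(1)):
            flagged.append(line)
    return flagged

# Constructed sample image: PNG signature, filler, then a marker-wrapped blob.
SAMPLE_IMAGE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + START
                + base64.b64encode(b"constructed hidden stage") + END + b"\x00" * 8)
# Constructed proxy log lines; only the second carries the katz-ontop suffix.
BASE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
SAMPLE_LOG = [
    f'2025-05-30T12:00:00Z 10.0.0.5 GET https://example.invalid/ "{BASE_UA}"',
    f'2025-05-30T12:00:07Z 10.0.0.5 GET https://example.invalid/ "{BASE_UA} katz-ontop"',
]
```

The marker scan is deliberately byte-based so it can run over any file type the dropper might hide a stage in, not just PNGs.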