Katz Stealer: The $100/Month MaaS Threat Plundering Digital Identities Undetected

In the crowded arena of information-stealing malware, Katz Stealer is quickly establishing itself as one of the most dangerous and accessible threats of 2025. First observed in early 2025, this Malware-as-a-Service (MaaS) offering combines stealthy delivery, deep credential theft capabilities, and broad application targeting into one turnkey package for cybercriminals.

“Katz Stealer is a feature-rich infostealer marketed and operated as Malware-as-a-Service… and quickly garnered attention within the infostealer landscape,” according to SentinelOne’s recent threat analysis.

Katz Stealer doesn’t just swipe credentials—it plunders entire digital identities.

• Extracts passwords, cookies, session tokens, autofill data
• Steals cryptocurrency wallet keys, VPN configs, WiFi credentials
• Logs browser history, private messaging data, and even Steam and Discord sessions
• Captures screenshots, audio, and clipboard content
• Injects into browser processes to bypass encryption barriers like Chrome’s ABE

“Katz also has the ability to decode encrypted browser data in some cases… by programmatically masquerading as the browser once injected,” the report explains.

What makes Katz Stealer especially dangerous is its accessibility. For as little as $100/month, attackers gain access to a web-based control panel that manages:

• Payload generation
• Campaign tracking
• Stolen data browsing and exporting

“The turnkey nature of the Katz Stealer service, along with accessible pricing, have led to rapid adoption by threat actors across the spectrum of capability,” the report warns.

It’s not just limited to the dark web. Katz is advertised on Telegram, Discord, and public forums like BreachForums, broadening its reach.

Katz Stealer uses a multi-stage infection chain starting with:

• Phishing or trojanized downloads deliver .gz archives.
• These contain an obfuscated JavaScript dropper, which runs hidden PowerShell.
• PowerShell pulls a weaponized image file using steganography.
• A base64-encoded payload hidden between <<INICIO>> and <<FIM>> markers is extracted and executed entirely in memory.

“The image contains a base64-encoded string embedded between specific markers… decoded entirely in memory, ensuring that no malicious payload is written to disk,” the report details.

Once decoded, Katz abuses cmstp.exe (a legit Windows utility) to bypass User Account Control and gain elevated privileges. It then persists by creating scheduled tasks and injecting its final payload via process hollowing into MSBuild.exe—a stealthy tactic to remain undetected.

“Running in this context, elevated and within the privileged memory space of MSBuild.exe, the malware is able to operate with SYSTEM-level access,” the report warns.

Katz Stealer is heavily optimized for crypto theft. It targets wallets such as Exodus, MetaMask, Coinomi, Phantom, and over 150 crypto browser extensions.

“The malware scans the browser’s extension data for these IDs, and when found, gathers all relevant files and data such as extension logs, wallet vault files, and any cached seed phrases,” the report notes.

Katz also bypasses modern browser security by decrypting encrypted credentials using the Windows Cryptography API and the browser’s “Local State” file.

Katz Stealer maintains a persistent connection with hardcoded C2 servers, using HTTP/HTTPS for exfiltration.

• Sends harvested data line-by-line
• Breaks up larger files (screenshots, wallets) into transferable chunks
• Deletes all temporary files once exfiltration is complete to cover tracks

“Katz Stealer is not a ‘one-shot’ infostealer; it is designed to continually exfiltrate the victim’s data,” the report concludes.

Related Posts:

• Katz Stealer: New Stealthy MaaS Steals Everything, Hides in Images, and Hijacks Discord
• Beware Katz Stealer: Sophisticated Malware-as-a-Service Steals Everything
• AMOS Stealer Reloaded: Inside a Fully Undetected macOS Data Heist
• Rhadamanthys Stealer: MaaS Malware Hits Oil & Gas
• Lumma Stealer MaaS: Clipboard Hijacking and LOLBins Used in Latest Campaign