The Cyble Research and Intelligence Labs (CRIL) has uncovered an active campaign distributing a new information-stealing malware known as Maranhão Stealer. First detected in May 2025, the malware has rapidly evolved, leveraging social engineering, cloud hosting, and modern development stacks to infiltrate victims’ systems.
According to CRIL, “Maranhão Stealer is actively spreading through social engineering websites that distribute pirated software, cracked game launchers, and cheats, leveraging cloud-hosted platforms for delivery.”
The attackers focus heavily on the gaming community, luring victims with trojanized installers for cracked or modified games. CRIL observed links such as hxxps://derelictsgame.in/DerelictSetup.zip used to trick users into downloading infected installers. The malware is packaged in Inno Setup modules, which run silently to minimize suspicion.
As the report details, “The threat actors primarily target gaming users by distributing gaming-related links, cheats, and pirated software downloads.”
Notable malicious filenames include Fnafdoomlauncher.exe, Silent Client.exe, and RootedTheGameSetup.zip—all designed to appear legitimate to unsuspecting gamers.

Once executed, the stealer disguises itself in a directory named Microsoft Updater under %localappdata%\Programs. It establishes persistence via Run registry keys and scheduled tasks, ensuring execution at every startup.
To hide its presence, files are marked with System and Hidden attributes. CRIL notes: “It establishes persistence through Run registry keys and scheduled tasks, hides its payloads as system and hidden attributes, and performs detailed host reconnaissance, including hardware, network, and geolocation profiling.”
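As an added example (not code from CRIL or from the report), the following PowerShell triage function checks a Windows host for the persistence artefacts described above: the `Microsoft Updater` folder under each profile's `%localappdata%\Programs`, Hidden/System files inside it, and Run keys or scheduled tasks that reference it. The folder name comes from the article; the registry paths are the standard autostart locations, and the output format is an assumption of this example.

```powershell
# Added host-triage helper (not from CRIL or the Maranhão Stealer report). It looks for the
# persistence artefacts the article describes: a 'Microsoft Updater' folder under each user's
# %LOCALAPPDATA%\Programs, Hidden/System files inside it, and Run keys or scheduled tasks
# that reference it. The folder name is taken from the report; everything else is assumed.
function Find-MaranhaoPersistence {
    $marker   = 'Microsoft Updater'
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Staging directory under every local profile, not only the current user
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $userDir.FullName "AppData\Local\Programs\$marker"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        $findings.Add("Directory present: $dir (attributes: $attrs)")
        # -Force is required; without it Hidden/System files are silently skipped
        Get-ChildItem -LiteralPath $dir -Force -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
                           $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
            ForEach-Object { $findings.Add("Hidden/System file: $($_.FullName)") }
    }

    # 2. Run keys (HKCU for the current user, HKLM for machine-wide autostarts)
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata
            if ("$($p.Value)" -like "*$marker*") {
                $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
            }
        }
    }

    # 3. Scheduled tasks whose action launches something from the staging folder
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -like "*$marker*") {
                $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs $($a.Execute) $($a.Arguments)")
            }
        }
    }
    return $findings
}

$hits = Find-MaranhaoPersistence
if ($hits.Count -eq 0) { 'No Maranhão Stealer persistence artefacts found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so that other users' profiles and HKLM are readable; treat each hit as a lead to verify (file hashes, task creation time, signing) rather than as a confirmed infection on its own.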
Maranhão Stealer is built to harvest an extensive set of sensitive data. This includes:
- Stored credentials and cookies
- Browsing history and session tokens
- Cryptocurrency wallet information (Electrum, Exodus, Atomic Wallet, Coinomi, and more)
The malware uses reflective DLL injection to bypass security controls such as Chrome’s AppBound encryption, embedding its payload directly into browser processes. As CRIL describes, “Sensitive information such as credentials, cookies, browsing history, and wallet data is harvested through reflective DLL injection into browsers, bypassing protections like AppBound encryption.”
Additionally, it can perform screen captures to visually monitor victim activity.
The stolen data is exfiltrated to attacker-controlled infrastructure, primarily tied to the malicious domain maranhaogang[.]fun. CRIL analysts identified endpoints such as:
- api.maranhaogang[.]fun/infect
- api.maranhaogang[.]fun/victim
- api.maranhaogang[.]fun/upload
These APIs allow the threat actors to track infections, monitor victims, and collect stolen information in bulk.
Interestingly, Maranhão Stealer has shown clear evolution since its initial appearance. Early variants used PsExec and plaintext password recovery utilities, while newer builds obfuscate their code, embed password recovery functions directly, and rely on Win32 API calls instead of easily detected tools.
The report highlights this transition: “The newer versions removed traces of these clear artifacts and have shifted to dropping their components under ‘C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater.’ The password-decrypting functionality is now embedded in infoprocess.exe, written in Go but obfuscated for stealth.”
The Maranhão Stealer campaign exemplifies how cybercriminals exploit the gaming community’s appetite for pirated software to deliver sophisticated credential-harvesting malware. Its use of Node.js, DLL injection, and cloud-hosted delivery reflects a growing trend of hybrid malware campaigns combining commodity tools with advanced stealth techniques.
As CRIL warns, “If successful, infections could lead to widespread credential compromise, account hijacking, theft of digital assets, and further malware deployment within victim environments.”