A new information-stealing malware has entered the chat, and it is aggressively targeting the digital wallets and cloud storage of victims worldwide. Zscaler ThreatLabz has released a technical analysis of “Marco Stealer,” a sophisticated new threat first observed in June 2025 that is designed to harvest sensitive data from browsers, cryptocurrency extensions, and local files.
Despite recent law enforcement crackdowns on major malware families like Rhadamanthys and Lumma, the cybercrime market remains resilient. Marco Stealer is the latest proof that when one head is cut off, another grows in its place.
Marco Stealer doesn’t just grab everything and run; it methodically builds a dossier on its victim. Upon infection, the malware collects a wide range of system information, including the operating system version, hardware ID, IP address, and even the victim’s geographical location.
This profiling allows attackers to sort their victims by value, prioritizing those with high-end hardware or specific geographic locations that might yield better financial returns.

The malware’s primary goal is financial gain. It specifically targets browser data and “cryptocurrency wallet information from browser extensions”. By copying the local storage of popular wallet extensions, attackers obtain the stored wallet data (typically a password-encrypted vault that can then be cracked offline) they need to drain victims’ funds.
But Marco Stealer goes further than crypto. It also hunts for “sensitive files (both locally and from cloud services)”, specifically targeting files associated with Dropbox and Google Drive. Because the desktop clients of both services mirror cloud content into local folders, a stealer that reads those synced directories obtains cloud-hosted documents without ever authenticating to the cloud service. That makes it a significant threat to corporate environments, where sensitive documents are routinely synced to endpoints.
To stay hidden, the malware authors have implemented several anti-analysis techniques.
- String Encryption: The malware “relies on encrypted strings that are decrypted only at runtime to avoid static analysis”. Indicators that would normally show up in a strings dump of the file on disk (C2 addresses, targeted process names) only appear once the sample is executed or emulated, so signature-based and string-based triage sees little.
- Security Tool Termination: It actively scans running processes for analysis tools such as Wireshark, x64dbg, and Process Hacker and attempts to terminate them. This is noisy behaviour: an unprivileged user-land process requesting terminate rights on a debugger or packet-capture tool is itself a usable detection signal.
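The tool-killing behaviour described above can be hunted for in endpoint telemetry. The following is an added example, not code from the Zscaler analysis or from the malware: it parses constructed Sysmon Event ID 10 (ProcessAccess) records, which log one process opening a handle to another together with the requested access mask, and flags any source image that asks for PROCESS_TERMINATE (mask bit 0x1) on two or more of the analysis tools the report names. The tab-separated line format, the file paths and the process names in the sample are all invented for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to one
// tab-separated line each. Written for this example; not telemetry from the report.
var sampleEvents = []string{
	"EventID=10\tSourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe\tTargetImage=C:\\Program Files\\Wireshark\\Wireshark.exe\tGrantedAccess=0x1",
	"EventID=10\tSourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe\tTargetImage=C:\\Tools\\x64dbg\\release\\x64\\x64dbg.exe\tGrantedAccess=0x1",
	"EventID=10\tSourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe\tTargetImage=C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\tGrantedAccess=0x1001",
	"EventID=10\tSourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe\tTargetImage=C:\\Windows\\System32\\notepad.exe\tGrantedAccess=0x1",
	"EventID=10\tSourceImage=C:\\Windows\\System32\\Taskmgr.exe\tTargetImage=C:\\Program Files\\Wireshark\\Wireshark.exe\tGrantedAccess=0x1000",
	"EventID=1\tImage=C:\\Program Files\\Wireshark\\Wireshark.exe\tCommandLine=Wireshark.exe",
}

// PROCESS_TERMINATE bit of the Win32 process access mask.
const processTerminate = 0x0001

// Image names the report says Marco Stealer looks for; extend as needed.
var analysisTools = map[string]bool{
	"wireshark.exe":     true,
	"x64dbg.exe":        true,
	"processhacker.exe": true,
}

type accessEvent struct {
	source, target string
	granted        uint64
}

// parseEvent reads one flattened record and rejects anything that is not Event ID 10.
func parseEvent(line string) (accessEvent, error) {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, "\t") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return accessEvent{}, fmt.Errorf("malformed field %q", kv)
		}
		fields[k] = v
	}
	if fields["EventID"] != "10" {
		return accessEvent{}, fmt.Errorf("not a ProcessAccess event")
	}
	mask := strings.TrimPrefix(strings.ToLower(fields["GrantedAccess"]), "0x")
	granted, err := strconv.ParseUint(mask, 16, 32)
	if err != nil {
		return accessEvent{}, err
	}
	return accessEvent{source: fields["SourceImage"], target: fields["TargetImage"], granted: granted}, nil
}

// baseName lower-cases the file name so path and case differences do not matter.
func baseName(path string) string {
	return strings.ToLower(path[strings.LastIndexAny(path, `\/`)+1:])
}

// FindToolKillers returns, per source image, the sorted list of analysis tools it
// requested PROCESS_TERMINATE on, keeping only sources that hit at least minTools
// distinct tools (a single tool is too easy to trigger benignly).
func FindToolKillers(lines []string, minTools int) map[string][]string {
	hits := map[string]map[string]bool{}
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil {
			continue // other event types and malformed lines are ignored
		}
		tool := baseName(ev.target)
		if !analysisTools[tool] || ev.granted&processTerminate == 0 {
			continue
		}
		if hits[ev.source] == nil {
			hits[ev.source] = map[string]bool{}
		}
		hits[ev.source][tool] = true
	}
	out := map[string][]string{}
	for src, tools := range hits {
		if len(tools) < minTools {
			continue
		}
		names := make([]string, 0, len(tools))
		for t := range tools {
			names = append(names, t)
		}
		sort.Strings(names)
		out[src] = names
	}
	return out
}

func main() {
	for src, tools := range FindToolKillers(sampleEvents, 2) {
		fmt.Printf("ALERT: %s requested PROCESS_TERMINATE on %s\n", src, strings.Join(tools, ", "))
	}
}
```

Two caveats for deploying something like this: Sysmon only emits Event ID 10 for target images that the Sysmon configuration includes, so the analysis tools have to be listed in the ProcessAccess rules, and a stealer can also kill tools indirectly (for example by spawning taskkill), which shows up in process-creation events rather than handle requests and needs a separate rule.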
When it comes time to send the stolen data back to the attacker, Marco Stealer uses “AES-256 CBC encryption to protect stolen data that is sent to its C2 server”.
The malware derives the encryption key by hashing a hardcoded value, so the exfiltrated data cannot be read by simply inspecting a packet capture. The protection is weaker than it looks, however: the key is computed deterministically from a constant embedded in the sample, so an analyst who recovers that constant (for example from a memory dump taken after the strings have been decrypted) can decrypt every capture produced by that build. The encrypted bundle, containing the victim’s client ID, hardware ID, and stolen files, is then posted to a command-and-control (C2) server via HTTP.
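The following is an added example, not code from the Zscaler analysis or from the malware, showing both sides of that exchange: the stealer-side AES-256-CBC encryption of a bundle under a key hashed from an embedded constant, and the defender-side decryption of a captured POST body once that constant has been recovered from the sample. The report specifies only AES-256 CBC and a hashed hardcoded value; the hash function (SHA-256), the IV being prepended to the ciphertext, PKCS#7 padding, the key=value bundle layout, and every value in the sample are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeriveKey turns the embedded constant into a 32-byte AES-256 key.
// ASSUMPTION: the hash is SHA-256. The report only says the key is derived by
// hashing a hardcoded value; the algorithm is chosen here for illustration.
func DeriveKey(hardcoded string) []byte {
	sum := sha256.Sum256([]byte(hardcoded))
	return sum[:]
}

// pkcs7Pad pads to a whole number of AES blocks (always adds at least one byte).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding (wrong key?)")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding (wrong key?)")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptBundle models the stealer side: AES-256-CBC over the PKCS#7-padded bundle.
// ASSUMPTION: the IV is transmitted prepended to the ciphertext. The IV is a
// parameter only so the example is deterministic; real code draws it from crypto/rand.
func EncryptBundle(hardcoded string, iv, bundle []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one block")
	}
	block, err := aes.NewCipher(DeriveKey(hardcoded))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(bundle)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// DecryptBundle is the defender side: with the constant recovered from the sample,
// a captured POST body decrypts directly. A wrong constant yields garbage, which
// the padding check catches most (not all) of the time.
func DecryptBundle(hardcoded string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block-aligned")
	}
	block, err := aes.NewCipher(DeriveKey(hardcoded))
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed values: the hardcoded constant, IV and bundle are all invented here.
	const recoveredConstant = "constructed-hardcoded-value"
	iv := []byte("0123456789abcdef")
	bundle := []byte("client_id=constructed-client&hwid=constructed-hwid&file=example.txt")

	blob, err := EncryptBundle(recoveredConstant, iv, bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("captured POST body:", hex.EncodeToString(blob))

	pt, err := DecryptBundle(recoveredConstant, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted bundle:", string(pt))
}
```

The design point to take away is that the key never leaves the binary and never changes: there is no per-session key exchange, so there is no forward secrecy, and one recovered constant unlocks the entire corpus of traffic from that build. CBC also gives no integrity protection, which is why a wrong key is only detected through the padding check rather than an authentication tag.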
“Despite recent law enforcement actions… the market for these malware tools remains significant,” Zscaler researchers conclude. As Marco Stealer demonstrates, the demand for stolen data is as high as ever.