Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • SquirtDanger malware steals cryptocurrency, passwords/files & takes screenshots
  • Malware

SquirtDanger malware steals cryptocurrency, passwords/files & takes screenshots

Do Son April 23, 2018 3 minutes read
Add Daily CyberSecurity as a preferred source on Google

In a new study released on Tuesday (April 17th), the Unit 42 threat research team of Palo Alto Networks revealed that cybercriminals are using a new type of malware to conduct cyber attacks on a global scale. Based on the dynamic link library file (SquirtDanger.dll) detected during the attack activity, Unit 42 calls this malware “SquirtDanger.”

Unit 42 stated that SquirtDanger was written using C# (C Sharp, an object-oriented, high-level programming language running on the .NET Framework, released by Microsoft Corporation). Allows attackers to achieve a variety of malicious purposes, such as taking screenshots and stealing passwords stored in browsers, and even stealing cryptocurrencies.

For stolen browser passwords, SquirtDanger supports a variety of browsers, including Chrome, Firefox, Yandex Browser, Kometa, Amigo, Torch, and Opera.

For cryptocurrencies, SquirtDanger supports multiple currencies, including Litecoin, Bitcoin, Bytecoin, Dash, Bitcoin Lightweight Electrum, and Ethereum. Ethereum and Monero.

SquirtDanger’s strategy for stealing cryptocurrencies is similar to that used by another malware named “ComboJack,” which detects when the victim of the target has copied the cryptocurrency wallet address to the Windows clipboard and sets the address. Replaced by the address of the wallet held by the attacker to steal funds.

SquirtDange is mainly distributed through malicious advertisements that promote illegal pirated software. So far, Unit 42 has discovered a total of nearly 1277 malicious software samples related to 119 unique commands and control (C&C) servers in various activities. The victims are mainly located in France, the Netherlands, French Guinea and Russia.

In addition to the above-mentioned features, SquirtDanger also has many other malicious features, including delete itself, send files, clear browser cookies, list processes, kill processes, list drives, get directory information, download files, upload files, delete files and execute files.

When SquirtDanger successfully infects the device, it creates and executes a scheduled task called CheckUpdate. This scheduled task is configured to execute automatically every minute to get as much information as possible. When it communicates with the C&C server for the first time, it will try to get an additional module list to install to achieve all the functions mentioned above.

Unit 42 points out that SquirtDange was developed by a Russian hacker codenamed “TheBottle”. TheBottle has been active in various cybercrime forums around the world for many years and its purpose is to promote various malware developed by him.

During the investigation of SquirtDanger, Unit 42 found a self-promotional blog post written by TheBottle. In this article, TheBottle claims to be responsible for the development of multiple malware families, including the Odysseus Project, Evrial, and Ovidi Stealer.

Unit 42 emphasizes that since SquirtDanger is sold, its target of the attack is not limited to a specific industry or a specific region. Global individuals or organizations may be attacked by SquirtDanger. In Unit 42’s investigation, an African telecom company, a Turkish university, and an Internet service provider in Singapore have all become victims of SquirtDanger.

Related coverage

  • North Korea’s Cyber Shadow War: Unmasking RustBucket and KandyKorn
  • WordPress Supply Chain Attack: Gravity Forms Plugin Backdoored Through Official Downloads
  • XMRig Cryptojacking Surges: New Campaign Uses LOLBAS, Steals Monero Undetected
  • Hidden LG Monitor Adware: Stop Unwanted Pop-ups Now
  • CISA Warns of Malicious Listener Malware Exploiting Ivanti Endpoint Manager Mobile
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: SquirtDanger

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.