Skip to content
July 13, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • New Vega Stealer malware used Microsoft Word as an attack vector
  • Malware

New Vega Stealer malware used Microsoft Word as an attack vector

Do Son May 15, 2018 3 minutes read
Vega Stealer malware
Add Daily CyberSecurity as a preferred source on Google

Recently, cybersecurity firm Proofpoint observed a spear phishing campaign targeting marketing, advertising, public relations, and retail and manufacturing industries. The attacker’s goal was to spread a new type of malware called “Vega Stealer.”

As one of the features of this malware, it can steal victim login credentials and credit card vouchers from Chrome and Firefox browsers. In addition to its ability to steal credentials, it can also steal sensitive documents from infected computers.

Vega Stealer is considered to be a variant of the malware August Stealer. It includes some of the latter’s features, but it also adds some important new features. Originally discovered in December 2016, August Stealer was able to steal passwords stored in Skype, Opera, Chrome, and Firefox browsers as well as steal sensitive documents and other sensitive data from infected computers.

Proofpoint said that they discovered and blocked a small batch of malicious email distribution activities on Tuesday (May 8th), including topics such as “Need Online Store Developers”. The email contains a malicious attachment called “brief.doc”, which embeds malicious macros for spreading Vega Stealer.

It is worth noting that on the previous day (May 7th), Proofpoint found similar e-mail topics in another event. A malicious attachment named “engagement letter.doc” will download the previously mentioned August Stealer malware from the same IP address, which makes the two activities related to each other.

Let’s return to the analysis of the Vega Stealer malware. Once it infects the target computer, it will begin to steal data and search for a variety of different formats, including .doc, .docx, .txt, .rtf, .xls, and so on. Xlsx and .pdf. After that, these stolen data will be sent to the remote command and control (C&C) server.

Vega Stealer, like August Stealer, is written in .NET. But it seems to be just a lite version of the latter because it is not able to steal data from Skype and Opera browsers, but it has the ability to steal data from the new Firefox browser.

Proofpoint’s researchers also emphasized that the malicious macro used in this event was a commodity macro that he had used in various attacks by different cybercriminal groups, including a group that spread Emotet Bank Trojans.

Although Vega Stealer is not considered to be the most sophisticated or secretive malware currently popular, it demonstrates the flexibility of malware, developers, and operators to commit crimes. Because the propagation mechanism (based on phishing emails and the use of Word documents) is relatively mature, it may evolve as a popular data theft tool for cybercriminals.

For general computer users, our usual advice is still to use relatively complex passwords and to use at least one trusted anti-virus software. And the most important thing is not to open any e-mails from unknown sources, let alone click on links and attachments.

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • North Korean Threat Group “Jumpy Pisces” Linked to Play Ransomware Attack
  • Vietnam’s economic losses due to computer viruses in 2017 amounted to $540 million
  • Gootloader Returns with Fake Legal Document Lure via Google Ads
  • Zyxel Firewalls Under Attack via Critical CVE-2023-28771
  • Windows Crypto Clipper Malware Exposed
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Vega Stealer malware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-59518CVSS 9.8
    Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This...
  • CVE-2026-59515CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57813CVSS 9.8
    Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue...
  • CVE-2026-57811CVSS 10.0
    Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna...
  • CVE-2026-57770CVSS 9.8
    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object...
  • CVE-2026-57744CVSS 9.8
    Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions...
  • CVE-2026-57739CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57738CVSS 9.8
    Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This...
  • CVE-2026-57726CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57724CVSS 9.8
    Deserialization of Untrusted Data vulnerability in Themeum Kirki kirki allows Object Injection.This...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.