New MrAnon Stealer malware targets German users via booking-themed scam

MrAnon Stealer

A phishing campaign has been observed delivering information-stealing malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures.

“This malware is a Python-based information stealer compressed with cx-Freeze to evade detection,” said Fortinet FortiGuard Labs researcher Cara Lin. “MrAnon Stealer steals its victims’ login credentials, system information, browser sessions, and cryptocurrency extensions.”

There are indications that Germany was the main target of the attack as of November 2023, based on the number of requests made to the downloader URL hosting the payload.

The phishing email, which purports to come from a company looking to book hotel rooms, contains a PDF file that, when opened, triggers the infection by prompting the recipient to download an updated version of Adobe Flash.

Doing so runs .NET executables and PowerShell scripts that eventually execute a malicious Python script, which is capable of collecting data from various applications and exfiltrating it to a public file-sharing website and the threat actor’s Telegram channel.

It is also capable of capturing information from instant messaging apps, VPN clients, and files that match a desired list of extensions.

MrAnon Stealer is offered by the authors for $500 per month (or $750 for two months), in addition to a crypter ($250 per month) and a stealthy loader ($250 per month).

“The campaign initially distributed Cstealer in July and August, but transitioned to distributing MrAnon Stealer in October and November,” Lin said. “This pattern suggests a strategic approach that continually uses phishing emails to spread a variety of Python-based stealers.”

The revelation comes as the China-linked Mustang Panda is running a spear-phishing email campaign targeting the Taiwanese government and diplomats with the aim of deploying SmugX, a new variant of the PlugX backdoor previously discovered by Check Point in July 2023.

