Cyber Web Spider Blog – News

New Maranhão Stealer Via Pirated Software Leveraging Cloud-Hosted Platforms to Steal Login Credentials

Posted on September 16, 2025 By CWS

Since May 2025, a novel credential stealer dubbed Maranhão Stealer has emerged as a significant threat to users of pirated gaming software. Distributed through deceptive websites hosting cracked launchers and cheats, the malware leverages cloud-hosted platforms to deliver trojanized installers that appear innocuous.

Upon execution, the installer unpacks a Node.js-compiled binary encapsulated in an Inno Setup executable, initiating a silent infection process that avoids user detection while harvesting sensitive data.

In its initial campaigns, threat actors lured victims with enticing download links such as DerelictSetup.zip, promising modified game content.

Behind the scenes, however, the Inno Setup wrapper drops several components, including updater.exe, crypto.key, and infoprocess.exe, into a hidden "Microsoft Updater" directory under %LOCALAPPDATA%\Programs.

Infection chain (Source – Cyble)

Cyble analysts noted that the malware establishes persistence through Run registry keys and scheduled tasks immediately after deployment.

The impact of Maranhão Stealer extends beyond simple credential theft. By reflectively injecting a DLL into browser processes, it bypasses protections such as Chromium's App-Bound Encryption to exfiltrate saved passwords, cookies, and browsing history from Chrome, Edge, Brave, Opera, and other Chromium-based browsers.

Cyble researchers identified that the malware also targets cryptocurrency wallets, including Electrum, Exodus, and Coinomi, among others, making it a dual threat to both traditional account credentials and digital assets.

In addition to credential harvesting, Maranhão Stealer conducts extensive system reconnaissance. It gathers hardware and network information via WMI queries such as wmic os get Caption and external API calls to ip-api.com/json, profiling the operating system, CPU, disk space, and geographic location of the infected host.

Screenshots captured by inline C# in PowerShell further augment the stolen intelligence, enabling threat actors to monitor user activity in real time.

Infection Mechanism

A closer examination of the infection mechanism reveals a multi-stage process designed for stealth and reliability.

Upon execution of the Inno Setup installer, the main payload (updater.exe) is launched in /VERYSILENT mode, an Inno Setup switch that suppresses all installation dialogs and progress windows.

Persistence is immediately secured with a registry modification:

reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\Users\<username>\AppData\Local\Programs\Microsoft Updater\Updater.exe" /f

Persistence via registry (Source – Cyble)

Once the Run key is in place, the malware marks its directory and files with hidden and system attributes via attrib +h +s, ensuring they remain obscured from casual inspection (Explorer hides such files by default, and a plain dir listing omits them).

The next phase involves spawning a helper process, infoprocess.exe, which injects a payload DLL directly into running browser processes.

Using low-level Windows native APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx), the malicious module is mapped into the target's memory space without ever being written to disk as a separate file.

This reflective injection technique not only evades file-based antivirus scans but also executes within the context of legitimate browser executables, making detection considerably more challenging.
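The persistence chain above (Run key under a user-writable path, attrib +h +s on the dropped directory, scheduled tasks), the WMI and ip-api.com reconnaissance, and the cross-process thread creation into a browser are each individually noisy but together form a distinctive pattern. The following is an added example, not Cyble's or the malware's code, showing how a triage script could score those behaviours per host over Sysmon-style telemetry. The event field names (Computer, EventID, CommandLine, SourceImage, TargetImage, QueryName) follow Sysmon Event IDs 1, 8 and 22 but are assumptions to adapt to your pipeline; the sample events are constructed, not captured from a real infection.

```python
"""Score Maranhão-style stealer tradecraft per host over Sysmon-like events.

Added example (not Cyble's or the malware's code). Event shapes mimic Sysmon
Event IDs 1 (process create), 8 (CreateRemoteThread) and 22 (DNS query);
field names are assumptions, and the sample telemetry below is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
GEO_LOOKUP_DOMAINS = {"ip-api.com"}

# Locations a standard user can write to; a Run key pointing here is suspect.
USER_WRITABLE_RE = re.compile(
    r"(?:\\appdata\\(?:local|roaming)\\|%(?:local)?appdata%|\\users\\public\\|\\temp\\)",
    re.IGNORECASE,
)
# reg.exe ADD ...\CurrentVersion\Run ... /d "<path>" [/f]: capture the /d value.
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?(?:hkcu|hkey_current_user)\\software\\microsoft\\windows"
    r"\\currentversion\\run\"?.*?/d\s+\"?([^\"]+?)\"?(?:\s+/f)?\s*$",
    re.IGNORECASE,
)
ATTRIB_HIDE_RE = re.compile(r"\battrib(?:\.exe)?\s+(?=.*\+h)(?=.*\+s)", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
WMIC_RECON_RE = re.compile(
    r"\bwmic(?:\.exe)?\s+(?:os|cpu|diskdrive|logicaldisk|computersystem)\s+get\b",
    re.IGNORECASE,
)


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def classify(event: dict) -> list[str]:
    """Map one event to the technique tags it matches (possibly none)."""
    tags: list[str] = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        cmd = event.get("CommandLine", "")
        m = RUN_KEY_RE.search(cmd)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            tags.append("run_key_to_user_writable_path")
        if ATTRIB_HIDE_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            tags.append("hidden_system_attrs_on_user_dir")
        if SCHTASKS_RE.search(cmd):
            tags.append("scheduled_task_created")
        if WMIC_RECON_RE.search(cmd):
            tags.append("wmi_host_recon")
    elif eid == 8:  # CreateRemoteThread
        src = _basename(event.get("SourceImage", ""))
        dst = _basename(event.get("TargetImage", ""))
        # Chromium creates threads in its own processes; only cross-image threads count.
        if dst in CHROMIUM_BROWSERS and src not in CHROMIUM_BROWSERS:
            tags.append("remote_thread_into_browser")
    elif eid == 22:  # DNS query
        if event.get("QueryName", "").lower() in GEO_LOOKUP_DOMAINS:
            tags.append("geoip_lookup")
    return tags


def triage(events: list[dict], min_techniques: int = 2) -> dict[str, list[str]]:
    """Collect distinct tags per host; flag hosts where several techniques co-occur."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]].update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


# Constructed sample telemetry (hypothetical hosts and user; not real captures).
MU = r"C:\Users\alice\AppData\Local\Programs\Microsoft Updater"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v updater /t REG_SZ /d "' + MU + r'\Updater.exe" /f'},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": 'attrib +h +s "' + MU + '" /s /d'},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption"},
    {"Computer": "WS01", "EventID": 22, "Image": MU + r"\infoprocess.exe",
     "QueryName": "ip-api.com"},
    {"Computer": "WS01", "EventID": 8, "SourceImage": MU + r"\infoprocess.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Benign noise on a second host: a vendor Run key under Program Files and
    # Chrome creating a thread in another Chrome process.
    {"Computer": "WS02", "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Agent /t REG_SZ /d "C:\Program Files\Vendor\Agent.exe" /f'},
    {"Computer": "WS02", "EventID": 8,
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(host, tags)
```

The per-host threshold is what keeps this usable: a single Run key under AppData is common for legitimate per-user installers, and Chromium's own remote threads are excluded by comparing source and target image names, so WS02 is never flagged while WS01 accumulates all five tags.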

By combining social engineering, cloud-based distribution, and advanced injection tactics, Maranhão Stealer exemplifies the evolving sophistication of modern credential stealers.

Security teams should prioritize application control policies, endpoint monitoring for anomalous registry edits (in particular Run keys pointing into user-writable directories), and behavioral analysis to detect and block such stealthy threats in their early stages.

