Chrome, Firefox, and Edge: How Flesh Stealer Became a Browser Nightmare

A secret weapon of cybercriminals that affects even the most secure systems.


A new entrant has appeared on the cybercrime scene: Flesh Stealer, an infostealer that bypasses browser credential protection and steals user data. The malware is actively advertised on underground forums and in Telegram channels, and was earlier promoted through YouTube.

Flesh Stealer is a malicious .NET executable written in C#. It ships with several evasion features, including a bypass for Chrome's App-Bound Encryption, anti-debugging checks, and detection of virtual-machine environments. First seen in August 2024, it continues to receive updates; the most recent significant release added support for Chrome 131.

The stealer collects data from the Chrome, Firefox, Edge, and Opera browsers: saved passwords, cookies, and browsing history. It can also extract chats and databases from the Signal and Telegram desktop applications and send them to the attackers' server. A region check inspects the system language: if a language of one of the CIS (Commonwealth of Independent States) countries is installed, the malicious code does not run.

One of the program's key protective mechanisms is virtual-machine detection. Flesh Stealer inspects the amount of physical memory, the BIOS version, and system speed; if it finds indicators of VMware, VirtualBox, Hyper-V, or a similar hypervisor, execution stops. It also scans the running processes for analysis tools such as Wireshark or HttpDebuggerUI and terminates them if detected.
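The following is an added example, not Flesh Stealer's code: the class of host-fingerprint checks described above, written as a sandbox self-test that an analyst can run inside an analysis VM to see which indicators it still exposes. The hardware facts are passed in as a dict so the logic runs offline on constructed records; collect_facts_windows() reads the same fields from WMI and assumes Windows with the wmic tool available. The marker list, the 4 GiB and 2-CPU thresholds, and the reading of "system speed" as a sleep-timing test are assumptions; the stealer's exact heuristics are not public.

```python
"""Sandbox self-test: hypervisor indicators of the kind an infostealer checks.
Added example, not the malware's code.  Thresholds and markers are assumptions."""
import subprocess
import time

# Vendor strings that hypervisors expose through SMBIOS and WMI.
VM_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
    "hyper-v", "virtual machine", "vrtual", "bochs", "parallels",
)
MIN_PHYSICAL_RAM = 4 * 1024 ** 3   # assumption: under 4 GiB looks like a sandbox
MIN_LOGICAL_CPUS = 2               # assumption: a single vCPU looks like a sandbox


def vm_indicators(facts: dict) -> list:
    """Return the virtualisation indicators found in `facts`.

    Keys: manufacturer, model, bios_vendor, bios_version,
          total_ram (bytes), cpu_count.  An empty list means "looks physical".
    """
    hits = []
    for key in ("manufacturer", "model", "bios_vendor", "bios_version"):
        value = str(facts.get(key, "")).lower()
        for marker in VM_MARKERS:
            if marker in value:
                hits.append(f"{key} contains '{marker}'")
                break                      # one hit per field is enough
    if int(facts.get("total_ram", 0)) < MIN_PHYSICAL_RAM:
        hits.append("physical memory below 4 GiB")
    if int(facts.get("cpu_count", 0)) < MIN_LOGICAL_CPUS:
        hits.append("fewer than 2 logical CPUs")
    return hits


def sleep_skew(seconds: float = 0.5) -> float:
    """Elapsed wall time divided by the requested sleep.

    Sandboxes that fast-forward Sleep() to shorten analysis return well under
    1.0.  Assumption: the article's "system speed" check is this kind of test.
    """
    start = time.perf_counter()
    time.sleep(seconds)
    return (time.perf_counter() - start) / seconds


def collect_facts_windows() -> dict:
    """Read the same fields via `wmic <class> get <property> /value` (Windows only)."""
    def wmic(cls, prop):
        out = subprocess.run(["wmic", cls, "get", prop, "/value"],
                             capture_output=True, text=True, check=True).stdout
        return out.split("=", 1)[1].strip() if "=" in out else ""
    return {
        "manufacturer": wmic("computersystem", "Manufacturer"),
        "model":        wmic("computersystem", "Model"),
        "bios_vendor":  wmic("bios", "Manufacturer"),
        "bios_version": wmic("bios", "SMBIOSBIOSVersion"),
        "total_ram":    wmic("computersystem", "TotalPhysicalMemory"),
        "cpu_count":    wmic("computersystem", "NumberOfLogicalProcessors"),
    }


# Constructed records for offline use: a default VirtualBox guest and a laptop.
VIRTUALBOX_GUEST = {
    "manufacturer": "innotek GmbH", "model": "VirtualBox",
    "bios_vendor": "innotek GmbH", "bios_version": "VirtualBox",
    "total_ram": 2 * 1024 ** 3, "cpu_count": 1,
}
PHYSICAL_LAPTOP = {
    "manufacturer": "LENOVO", "model": "20XW004QUS",
    "bios_vendor": "LENOVO", "bios_version": "N32ET70W (1.46 )",
    "total_ram": 16 * 1024 ** 3, "cpu_count": 8,
}

if __name__ == "__main__":
    for name, facts in (("virtualbox", VIRTUALBOX_GUEST), ("laptop", PHYSICAL_LAPTOP)):
        print(f"{name}: {vm_indicators(facts) or 'no indicators'}")
    print(f"sleep skew: {sleep_skew(0.2):.2f}")
```

Every indicator the script reports for your analysis VM is one the sample can use to refuse to run; spoofing SMBIOS strings, giving the guest 4 GiB or more and at least two vCPUs, and not accelerating sleeps removes the cheap checks.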

To increase stealth, Flesh Stealer uses code obfuscation and encrypts the data it handles. It enumerates the devices attached to the system through Windows Management Instrumentation (WMI) and writes the results to a separate file. It also extracts Wi-Fi credentials with the Windows command line, recovering the encryption settings and passwords of saved networks.
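The following is an added example, not code from the article or the malware: two defender-side routines for the Wi-Fi and WMI collection described above. parse_netsh_profile() extracts what `netsh wlan show profile name=<SSID> key=clear` hands an attacker (SSID, authentication, cipher, plaintext key), so a responder knows which networks to re-key; find_credential_dumps() scans process-creation records for that command and for wmic-style hardware enumeration, and rank_parents() groups the hits by parent process. The netsh output and the log records are constructed (the netsh layout follows an English-language Windows install), and the rule patterns are assumptions. One caveat: a .NET stealer normally queries WMI in-process through System.Management, which spawns no child process, so only the command-line path the article mentions is visible this way.

```python
"""Wi-Fi profile parser and process-creation hunt.  Added example, not the
malware's code; sample data below is constructed."""
import re

# Constructed, following the layout of `netsh wlan show profile ... key=clear`.
NETSH_OUTPUT = """\
Profile CorpWiFi on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Name                   : CorpWiFi

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "CorpWiFi"

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : hunter2-not-a-real-key
"""

# Indented "Name   : value" lines; section headers are not indented.
FIELD_RE = re.compile(r"^ {4}(?P<name>[A-Za-z ]+?) *: (?P<value>.*)$", re.M)


def parse_netsh_profile(text: str) -> dict:
    """Return the fields a stealer exfiltrates from one profile dump."""
    fields = {m.group("name").strip(): m.group("value").strip()
              for m in FIELD_RE.finditer(text)}
    return {
        "ssid": fields.get("SSID name", "").strip('"'),
        "authentication": fields.get("Authentication", ""),
        "cipher": fields.get("Cipher", ""),
        "key": fields.get("Key Content"),   # None unless key=clear was used
    }


# Constructed process-creation records, "image|parent|commandline"
# (the three fields a Sysmon Event ID 1 rule would key on).
STAGER = r"C:\Users\u\AppData\Local\Temp\update.exe"   # hypothetical dropper path
PROCESS_EVENTS = [
    rf"C:\Windows\System32\netsh.exe|{STAGER}|netsh wlan show profiles",
    rf'C:\Windows\System32\netsh.exe|{STAGER}|netsh wlan show profile name="CorpWiFi" key=clear',
    rf"C:\Windows\System32\wbem\WMIC.exe|{STAGER}|wmic bios get smbiosbiosversion",
    r"C:\Windows\System32\netsh.exe|C:\Windows\explorer.exe|netsh interface show interface",
    r"C:\Program Files\Mozilla Firefox\firefox.exe|C:\Windows\explorer.exe|firefox.exe",
]

# Assumed rule set; tune the WMI class list to what your stealers actually query.
RULES = (
    ("wifi-key-dump",      re.compile(r"\bnetsh\b.*\bwlan\b.*\bkey=clear\b", re.I)),
    ("wifi-profile-enum",  re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\s+profiles\b", re.I)),
    ("wmi-hw-fingerprint", re.compile(r"\bwmic\b.*\b(bios|computersystem|diskdrive|pnpentity)\b", re.I)),
)


def find_credential_dumps(events) -> list:
    """Return (rule, parent, commandline) for every matching record."""
    hits = []
    for record in events:
        _image, parent, cmdline = record.split("|", 2)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, parent, cmdline))
    return hits


def rank_parents(hits) -> dict:
    """Map each parent process to the set of rules its children triggered.

    One unsigned binary behind several rules is the signal worth alerting on;
    a lone `netsh wlan show profiles` from an admin shell usually is not.
    """
    by_parent = {}
    for name, parent, _cmd in hits:
        by_parent.setdefault(parent, set()).add(name)
    return by_parent


if __name__ == "__main__":
    print(parse_netsh_profile(NETSH_OUTPUT))
    for parent, rules in rank_parents(find_credential_dumps(PROCESS_EVENTS)).items():
        print(parent, sorted(rules))
```

In the constructed data only the dropper under Temp triggers all three rules; explorer.exe launching `netsh interface show interface` matches nothing, which is the false-positive case the parent grouping is there to suppress.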

The developer of Flesh Stealer actively promoted the software on specialized forums and in chats, and also ran a dedicated website used to distribute it. That website was taken down in October 2024; the Telegram channel associated with the project is still active at the time of writing.

Flesh Stealer continues to evolve and receives positive reviews from cybercriminals. Despite Telegram's new moderation rules, attackers still use the platform to control infected devices and receive stolen data.

Experts warn that new malware built on existing techniques is becoming more and more common. Flesh Stealer shows how modern attack methods have evolved and why organizations need to pay closer attention to data protection.

Experts recommend enabling multi-factor authentication, limiting the use of browser extensions, monitoring network traffic, and using endpoint protection tools to identify and block such threats. Note that MFA does not protect a session that is already authenticated: stolen browser cookies let an attacker reuse it until it expires or is revoked, so after a suspected infection revoking active sessions matters as much as resetting passwords.