
Rust-based Myth Stealer malware spreads through fake gaming sites and targets Chrome and Firefox users

By user, June 10, 2025

Cybersecurity researchers are shedding light on a previously undocumented Rust-based information stealer called Myth Stealer, which is being propagated through fraudulent gaming websites.

“When executed, the malware decrypts and executes malicious code in the background and displays fake windows that appear legitimate,” said Niranjan Hegde, Vasantha Lakshmanan Ambasankar and Adarsh S, security researchers at Trellix.

The stealer, which was first offered for free in beta on Telegram in late December 2024, has since moved to a malware-as-a-service (MaaS) model. It is equipped to steal passwords, cookies and autofill information from both Chromium- and Gecko-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox.

The malware's operators have been found to maintain many Telegram channels to advertise the sale of compromised accounts and to post testimonials for the service. These channels have been shut down by Telegram.

Evidence shows that Myth Stealer is distributed through fake websites, including ones hosted on Google's Blogger, that offer a variety of video games under the pretext of testing them. It is worth noting that a nearly identical Blogger page has been used to deliver another stealer malware known as AgeoStealer, as revealed by Flashpoint in April 2025.

Trellix said it had found the malware being distributed on an online forum as a cracked version of a game cheating software called DDRACE, highlighting the many distribution vehicles in use.


Regardless of the initial access vector, the downloaded loader displays a fake setup window to the user, to make it appear that a legitimate application is running. In the background, the loader decrypts and launches the stealer component.

The stealer, a 64-bit DLL file, attempts to terminate running processes associated with various web browsers before stealing the data and exfiltrating it to a remote server.

“It also includes anti-analysis techniques such as string obfuscation and system checks using filenames and usernames,” the researchers said. “Malware authors regularly update their stealer code to avoid AV detection and introduce additional features such as screen capture and clipboard hijacking.”
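The sequence described above (a non-browser process terminates browser processes and then reads browser data) can be expressed as a simple correlation rule. The following is an added example, not code from Trellix or from the original article; the event schema, field names, process names and the 60-second window are assumptions, and the sample events are constructed.

```python
# Constructed sample events in an assumed, simplified EDR-style schema.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
            "vivaldi.exe", "firefox.exe"}
# File names of Chromium and Firefox credential, cookie and autofill stores.
STORES = {"login data", "cookies", "web data",
          "logins.json", "key4.db", "cookies.sqlite"}
WINDOW = 60  # assumed: max seconds between browser kill and store read


def is_store(path):
    """True if the path's file name is a known browser data store."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in STORES


def detect(events):
    """Return sorted (pid, image) pairs for non-browser processes that
    terminated a browser and read a browser store within WINDOW seconds."""
    kills = {}   # (pid, image) -> timestamps of browser terminations
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = (ev["pid"], ev["image"].lower())
        if actor[1] in BROWSERS:
            continue  # browsers legitimately read their own stores
        if ev["type"] == "proc_terminate" and ev["target"].lower() in BROWSERS:
            kills.setdefault(actor, []).append(ev["ts"])
        elif ev["type"] == "file_read" and is_store(ev["target"]):
            if any(0 <= ev["ts"] - t <= WINDOW for t in kills.get(actor, [])):
                hits.add(actor)
    return sorted(hits)


PROFILE = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [  # constructed; setup_game.exe is a hypothetical loader name
    {"ts": 100, "pid": 4120, "image": "setup_game.exe",
     "type": "proc_terminate", "target": "chrome.exe"},
    {"ts": 105, "pid": 4120, "image": "setup_game.exe",
     "type": "file_read", "target": PROFILE + r"\Login Data"},
    {"ts": 110, "pid": 900, "image": "chrome.exe",
     "type": "file_read", "target": PROFILE + r"\Cookies"},
    {"ts": 120, "pid": 5000, "image": "backup.exe",
     "type": "file_read", "target": r"C:\Users\a\ff\key4.db"},
    {"ts": 500, "pid": 6000, "image": "taskkill.exe",
     "type": "proc_terminate", "target": "msedge.exe"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Neither signal fires on its own here: a backup tool reading a store or an administrator killing a browser is not flagged, only the combination inside the window.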

Myth Stealer is by no means the only malware distributed using game cheat lures. Last week, Palo Alto Networks Unit 42 shed light on another Windows malware called Blitz, which spreads through backdoored game cheats and cracked installers for legitimate programs.

Propagated primarily through attacker-controlled Telegram channels, Blitz consists of two stages, a downloader and the bot payload it delivers, which is designed to record keystrokes, take screenshots, download/upload files, and inject code. It also has a denial-of-service (DoS) feature against web servers and drops an XMRig miner.

The backdoored cheat performs an anti-sandbox check before retrieving the next stage of the malware. The downloader runs only when the victim logs in again after logging out or restarting. The downloader is also configured to perform the same sandbox check before dropping the bot payload.

What’s noteworthy about the attack chain is that the Blitz bot and XMR cryptocurrency miner payloads, along with components of its command-and-control (C2) infrastructure, are hosted in a Hugging Face Space. Hugging Face locked the user account following responsible disclosure.

As of late April 2025, Blitz is estimated to have accumulated 289 infections in 26 countries, led by Russia, Ukraine, Belarus and Kazakhstan. Last month, the threat actor behind Blitz claimed on their Telegram channel that they were hanging up their boots after it was revealed that the cheat had a trojan embedded in it. They also provided a removal tool to wipe the malware from victim systems.

“The person behind Blitz malware seems to be a Russian speaker using the moniker SW1Zzx on social media platforms,” Unit 42 said. “This malware operator is probably the developer of Blitz.”

The development comes as Cyfirma detailed a new C#-based remote access trojan (RAT) named DuplexSpy RAT, with extensive capabilities for monitoring, persistence and system control. It was published on GitHub in April 2025 and claims to be intended for “educational and ethical demonstrations only.”

[Figure: Blitz infection chain]

“It establishes persistence through startup folder replication and Windows registry changes, while employing fileless execution and privilege escalation techniques for stealth,” the company said. “Major features include keylogging, screen capture, webcam/audio spying, remote shell and anti-analysis capabilities.”

In addition to being able to remotely play audio or system sounds on the victim’s machine, DuplexSpy RAT includes a power control module that allows an attacker to remotely execute system-level commands, such as shutdown, restart, logout, and sleep, on the compromised host.


“[The malware] presents a fake lock screen by displaying an attacker-supplied image (Base64-encoded) in full screen,” Cyfirma added.

The findings also follow reports that multiple threat actors, including TA558, Blind Eagle, Aggah (aka Hagga), PhaseShifters (aka Angry Likho, Sticky Werewolf, and UAC-0050), UAC-0050, and PhantomControl, are using a crypter-as-a-service offering.

Attack chains using the crypter, Crypters And Tools, have targeted the US, Eastern Europe (including Russia) and Latin America. One platform on which the crypter is sold is nitrosoftwares[.], which also offers a variety of tools, notably exploits and cryptocurrency clippers.
