MicroStealer Propose Change

According to ANY.RUN, MicroStealer is a rapidly spreading infostealer with low current AV detection that uses a multi stage NSIS, Electron, Node.js, and Java (JAR) delivery chain plus heavy obfuscation and VM checks to evade analysis. It is distributed via compromised or impersonated accounts and malicious download sites, with notable activity in the US and Germany and increased targeting of education and telecom sectors. Once executed, it deploys a bundled JRE, persists via a high privilege ONLOGON scheduled task, and may abuse UAC and LSASS token impersonation. Its core capabilities include stealing browser passwords and session cookies, capturing screenshots, exfiltrating crypto wallets, hijacking and profiling Discord accounts, profiling Steam accounts, and sending archived data over HTTPS to Discord webhooks and attacker controlled servers.

References

There is no Yara-Signature yet.