EXECUTIVE SUMMARY
Socelars is an information-stealing malware family designed to harvest authenticated session data that can be used for fast account takeover, especially in advertising and e-commerce environments. Instead of disrupting systems, it quietly collects browser-stored authentication artifacts, system identifiers, and active session cookies that allow attackers to access online business services as legitimate users. Activity has been linked to the theft of session cookies from platforms such as Facebook and Amazon, enabling access without waiting for password resets or triggering clear login alerts. Campaigns delivering Socelars have used social-engineering lures such as fake PDF reader installers and other common utility tools that appear harmless in workplace settings. Because the malware avoids visible damage, the initial infection often goes unnoticed.
Technically, Socelars follows a quiet execution flow focused on access and data collection. After running, it performs system reconnaissance by gathering the computer name, Machine GUID, system language settings, internet configuration, and certificate details to profile the host. It then attempts a User Account Control bypass by launching dllhost.exe with a CLSID linked to the ICMLuaUtil interface in cmlua.dll, using the ShellExec method to execute with elevated privileges. Once elevated, it creates a mutex named “patatoes,” which serves as a recognizable artifact of this variant. The malware contacts an IP-logging service to record victim telemetry such as IP address, User-Agent, and location before redirecting traffic further. Its main objective is extracting browser session cookies and stored authentication data that provide ready-to-use access.
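One behavioral check for the elevation step described above, added here as an illustration (example code written for this summary, not code from the report's authors or from the malware): it scans constructed Sysmon-style process-creation events and flags any child spawned by a dllhost.exe COM surrogate that hosts the CMSTPLUA object, which is the surrogate an ICMLuaUtil ShellExec call runs inside. Assumptions: the CLSID constant is the documented one that exposes ICMLuaUtil, and the process names, PIDs and paths in the sample are invented.

```python
# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# Assumption: CMSTPLUA_CLSID is the documented CLSID whose surrogate exposes the
# ICMLuaUtil interface from cmlua.dll; all PIDs, paths and names are illustrative.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
BENIGN_CLSID = "{11111111-2222-3333-4444-555555555555}"  # constructed placeholder

SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k DcomLaunch"},
    # Surrogate hosting the CMSTPLUA object, started by DcomLaunch on an elevation request
    {"pid": 5212, "ppid": 4100, "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": r"C:\Windows\System32\dllhost.exe /Processid:" + CMSTPLUA_CLSID},
    # The lure installer re-launched, elevated, by the surrogate's ShellExec
    {"pid": 5300, "ppid": 5212, "image": r"C:\Users\Public\pdfreader_setup.exe",
     "cmd": r"C:\Users\Public\pdfreader_setup.exe"},
    # An unrelated COM surrogate with a child: should not be flagged
    {"pid": 5400, "ppid": 4100, "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": r"C:\Windows\System32\dllhost.exe /Processid:" + BENIGN_CLSID},
    {"pid": 5500, "ppid": 5400, "image": r"C:\Windows\System32\werfault.exe",
     "cmd": r"C:\Windows\System32\werfault.exe -u -p 5400"},
]


def hosts_icmluautil(event):
    """True when the event is a dllhost.exe surrogate hosting the CMSTPLUA object."""
    image = event["image"].lower()
    return image.endswith("\\dllhost.exe") and CMSTPLUA_CLSID.lower() in event["cmd"].lower()


def find_icmluautil_spawns(events):
    """Return (surrogate_pid, child_image) pairs for children of CMSTPLUA surrogates.

    The surrogate's own parent is the DcomLaunch service host whether the request
    is legitimate or not, so the parent is a weak signal; a surrogate that goes on
    to spawn a process is the thing worth alerting on and triaging.
    """
    surrogates = {e["pid"] for e in events if hosts_icmluautil(e)}
    return [(e["ppid"], e["image"]) for e in events if e["ppid"] in surrogates]


if __name__ == "__main__":
    for parent_pid, child in find_icmluautil_spawns(SAMPLE_EVENTS):
        print(f"ALERT: CMSTPLUA surrogate pid {parent_pid} spawned {child}")
```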
Socelars creates serious business risk because it targets active sessions that directly connect to revenue-generating platforms. By stealing valid session cookies, attackers may bypass normal login protections and immediately control advertising dashboards, e-commerce services, and other online tools. This can result in fraudulent ad spending, unauthorized campaigns, resale of compromised accounts, and customer-facing scams. The malware spreads mainly through repeated social-engineering tactics rather than automatic network propagation, making user interaction the main entry point. Since it focuses on silent access instead of system damage, detection can be delayed. Early behavioral monitoring and visibility into suspicious installers, browser data access, and unusual outbound connections are key to identifying infections before attackers convert stolen sessions into financial and reputational harm.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie | — |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Privilege Escalation | F0015 | Hijack Execution Flow |
| Collection | E1560 | Archive Collected Data |
| Discovery | E1082 | System Information Discovery |
| Defense Evasion | B0036 | Capture Evasion |
| Command and Control | B0030 | C2 Communication |
REFERENCES:
The following reports contain further technical details: