EXECUTIVE SUMMARY:
A malicious campaign has been observed leveraging a deceptive trading-related website to distribute information-stealing malware capable of taking control of a victim's browser. The activity relies on social engineering: users are lured through a fake trading platform that impersonates a legitimate financial tool. Once users interact with the site, they are tricked into downloading and executing malicious content under the guise of a trusted application, ultimately leading to full browser compromise.
The attack chain delivers information-stealing malware that operates in multiple stages. Initial infection occurs when the user downloads a compressed file from the fake trading portal; it contains a loader responsible for deploying the main payload. The malware harvests browser-stored data such as cookies, saved credentials, browsing history, and session tokens. It also monitors user activity in real time and manipulates browser behavior through malicious extensions, enabling actions such as redirecting web traffic, injecting scripts into active sessions, replacing downloaded files, and intercepting cryptocurrency wallet interactions. The malware communicates with attacker-controlled infrastructure over multiple command-and-control endpoints to receive instructions and exfiltrate stolen data, giving the attacker a persistent browser takeover.
The campaign highlights the growing abuse of trusted financial and AI-related themes to distribute browser-focused infostealers. By combining deceptive websites with multi-stage malware delivery, threat actors gain deep visibility into, and control over, victim browsing sessions. The activity underscores the importance of validating software sources, closely monitoring browser extensions, and maintaining strong endpoint security controls to prevent credential theft, session hijacking, and financial fraud.
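Monitoring browser extensions, as recommended above, can be automated. The script below is an added example, not code from this report or from any vendor, that scores each extension recorded in a Chromium profile's Preferences file (Secure Preferences on Windows) by install source and by the permissions a hijacking extension needs for traffic redirection, script injection, download replacement and cookie access. The sample Preferences fragment is constructed, and the field names from_webstore, location, state, path and manifest, together with the ManifestLocation codes 4 (unpacked) and 8 (command line), are assumptions about Chromium's preference layout that should be checked against the browser build in scope.

```python
"""Added example: triage Chromium extension settings for a sideloaded, over-privileged
extension. Not code from the original report; field names are assumptions (see lead-in)."""
import json
from pathlib import Path

# Permissions that grant the capabilities the advisory attributes to the malicious extension.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "scripting", "cookies", "downloads",
    "tabs", "webNavigation", "nativeMessaging", "proxy", "management", "debugger",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Assumed Chromium ManifestLocation values stored in each entry's "location" field.
# 4 (unpacked) and 8 (command_line) mean the extension was sideloaded, for example
# via --load-extension, which is how a loader would plant one outside the Web Store.
SIDELOAD_LOCATIONS = {4: "unpacked", 8: "command_line"}

SUSPICIOUS_THRESHOLD = 4


def _split_permissions(manifest):
    """Return (named permissions, host patterns) across MV2 and MV3 manifest keys."""
    named, hosts = set(), set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for item in manifest.get(key, []):
            if not isinstance(item, str):
                continue
            if item == "<all_urls>" or "://" in item:
                hosts.add(item)
            else:
                named.add(item)
    return named, hosts


def score_extension(ext_id, entry):
    """Score one extensions.settings entry; a higher score means more hijack capability."""
    manifest = entry.get("manifest", {})
    named, hosts = _split_permissions(manifest)
    risky = sorted(named & HIGH_RISK_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    reasons, score = [], 0
    if not entry.get("from_webstore", False):
        score += 3
        reasons.append("not installed from the Web Store")
    loc = entry.get("location")
    if loc in SIDELOAD_LOCATIONS:
        score += 2
        reasons.append(f"sideloaded ({SIDELOAD_LOCATIONS[loc]}) from {entry.get('path', '?')}")
    if risky:
        score += len(risky)
        reasons.append("high-risk permissions: " + ", ".join(risky))
    if broad:
        score += 2
        reasons.append("broad host access: " + ", ".join(broad))
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "enabled": entry.get("state") == 1,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
        "reasons": reasons,
    }


def audit_extensions(prefs):
    """Score every extension in an already-parsed Preferences dict, worst first."""
    settings = prefs.get("extensions", {}).get("settings", {})
    results = [score_extension(ext_id, entry) for ext_id, entry in settings.items()]
    return sorted(results, key=lambda r: r["score"], reverse=True)


def audit_preferences_file(path):
    """Load a profile's Preferences (Secure Preferences on Windows) and audit it."""
    with open(Path(path), encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))


# Constructed sample, not real data: one Web Store extension with minimal permissions and
# one sideloaded extension with the permission set a browser-hijacking extension needs.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Notes", "version": "1.0",
                             "permissions": ["storage", "activeTab"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd\\ext",
                "manifest": {"name": "Trading Helper", "version": "2.1",
                             "manifest_version": 3,
                             "permissions": ["webRequest", "webRequestBlocking", "scripting",
                                             "cookies", "downloads", "tabs", "storage"],
                             "host_permissions": ["<all_urls>"]},
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['score']:2} {finding['id']} {finding['name']}")
        for reason in finding["reasons"]:
            print(f"             - {reason}")
```

Run it against a live profile with audit_preferences_file(path) and treat any entry that is both sideloaded and holds webRequest/scripting plus broad host access as a triage lead; the scoring weights are illustrative and should be tuned to the extension baseline of the environment.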
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise | - |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1176.001 | Software Extensions | Browser Extensions |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie | - |
| Collection | T1119 | Automated Collection | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1565.002 | Data Manipulation | Transmitted Data Manipulation |
REFERENCES:
The following reports contain further technical details: