
A new campaign targets credentials and cryptocurrencies

Service Com'


An infostealer campaign leveraging Maranhão Stealer is spreading via fake crack and pirated software sites. Its goal: to steal credentials, cookies, and crypto wallets.

Cyble researchers have revealed a campaign active since May 2025 spreading the Maranhão Stealer malware. Distributed through crack and cheat sites, it uses booby-trapped installers to infect machines. Developed in Node.js and Go, the infostealer installs stealthily under “Microsoft Updater,” bypasses browser protections, and steals credentials, cookies, histories, and crypto wallets. Its use of reflective DLL injection and advanced evasion techniques shows a high level of sophistication. This campaign highlights the convergence of social engineering, common tooling, and modern stacks to execute large-scale data theft.

Distribution through social engineering

The initial vector relies on sites luring victims with cracks for popular games and software. Among them is derelictsgame[.]in, offering fake files like DerelictSetup.zip or Fnaf Doom.zip. Once downloaded, these packages appear as standard Inno Setup installers. The malicious code, written in Node.js, is embedded into these executables, tricking unsuspecting users.

Researchers emphasize that the appeal of free software and cheats is an effective distribution lever. By posing as coveted resources, threat actors quickly expand their infection surface. This method, common in cybercrime, is combined here with stealthy installation techniques.

Persistence and malware evolution

Once executed, Maranhão Stealer installs itself in a directory named “Microsoft Updater” under %localappdata%\Programs. The main component, updater.exe, is set to launch automatically via Run registry keys and a scheduled task. The dropped files are marked with the hidden and system attributes, so they do not appear in a default directory listing.

The malware then performs detailed reconnaissance of the host, including screenshot capture via PowerShell and collection of sensitive data. Researchers note a significant technical evolution: early versions relied on PsExec to spawn child processes, whereas current builds call the Win32 API directly, which is far less conspicuous than dropping a well-known Sysinternals utility.

Another component, infoprocess.exe, written in Go and obfuscated, handles decryption of stored passwords. This modularity reflects growing sophistication and continuous development effort from the authors.

Browser targeting and data exfiltration

The core threat lies in data theft. Maranhão Stealer injects DLLs reflectively into memory to bypass protections such as Chrome’s App-Bound Encryption. Analysis showed active collection from Google Chrome, Edge, Brave, and Opera: user profiles, browsing histories, cookies, download lists, and saved credentials.

Memory dump analysis also showed that the target list is not fixed: the malware can extend collection to other browsers and to cryptocurrency wallets. Collected data is exfiltrated to API endpoints on the domain maranhaogang[.]fun, which also serves to track victims.
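As an added host-hunting example covering both the persistence artifacts described above and the exfiltration domain (this is not code from Cyble’s report, from ZATAZ, or from the malware itself), the PowerShell script below checks a single Windows host for the dropped directory, Run keys, scheduled task, live processes and cached DNS lookups mentioned in the article. It assumes nothing about the Run value name or the scheduled task name, since the article does not give them, and instead matches on the directory path; run it from an elevated session so that HKLM and other users’ tasks are visible.

```powershell
# Added hunt script; not code from Cyble's report, ZATAZ, or the malware.
# Assumption: the Run value name and scheduled task name are unknown, so every
# check matches on the dropped directory path "Microsoft Updater" instead.
# Run elevated to cover HKLM and every user's scheduled tasks.

$dropDir  = Join-Path $env:LOCALAPPDATA 'Programs\Microsoft Updater'
$c2Domain = 'maranhaogang.fun'          # the article's maranhaogang[.]fun, undefanged
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Detail, [string]$Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail; Note = $Note })
}

# 1. Dropped directory: -Force is required because the files carry Hidden and System
if (Test-Path -LiteralPath $dropDir) {
    foreach ($f in Get-ChildItem -LiteralPath $dropDir -Force -Recurse -File) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Add-Finding 'File' $f.FullName "attributes=$($f.Attributes); sha256=$hash"
    }
}

# 2. Run / RunOnce values whose command line points into the dropped directory
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match 'Microsoft Updater') {
            Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 3. Scheduled tasks with an action that executes from the dropped directory
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'Microsoft Updater') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 4. Live processes whose image lives in the dropped directory
#    (Path throws or is $null for protected processes, hence the try/catch)
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.Path } catch { }
    if ($path -and $path.StartsWith($dropDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $path
    }
}

# 5. DNS client cache: a resolved C2 name indicates an exfiltration attempt
foreach ($e in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($e.Entry -like "*$c2Domain*") { Add-Finding 'DnsCache' $e.Entry "$($e.Data)" }
}

if ($findings.Count -eq 0) { 'No Maranhão Stealer artifacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The file hashes are collected so a hit can be compared against threat-intelligence feeds; the DNS cache check only catches lookups still in the resolver cache, so on a host suspected of infection it should be complemented by proxy or DNS server logs for the same domain.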

Cyble warns: a successful infection paves the way for mass credential theft, account hijacking, loss of digital assets, and the subsequent deployment of other malware. The combination of social engineering, standard components, and advanced techniques demonstrates a worrying level of professionalization.

The Maranhão Stealer campaign illustrates the rise of modular infostealers blending social engineering and advanced stealth. The open question remains: what cyber defense countermeasures can truly contain the rapid evolution of these threats? [ZATAZ News English version]
