
LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

Medium
Published: Fri Nov 07 2025 (11/07/2025, 09:02:26 UTC)
Source: AlienVault OTX General

Description

LeakyInjector and LeakyStealer are a two-stage malware pair that targets cryptocurrency wallets and browser history. LeakyInjector uses low-level API injection to load LeakyStealer into explorer.exe, so the stealer runs under the cover of a legitimate system process. LeakyStealer carries a polymorphic engine that rewrites its own code in memory at runtime, which defeats static signatures. Both components are signed with valid Extended Validation (EV) certificates, which lends them apparent legitimacy and lets them pass controls that trust signed binaries. The stealer performs reconnaissance for multiple cryptocurrency wallets, including browser-extension wallets, and collects history files from several browsers. Persistence is achieved through registry manipulation, and the malware beacons regularly to a command and control (C2) server to exfiltrate data and receive additional commands. The pulse reports no known exploitation in the wild; the medium severity rating reflects the combination of data theft capability and evasion features.

AI-Powered Analysis

Last updated: 11/07/2025, 09:23:29 UTC

Technical Analysis

LeakyInjector and LeakyStealer form a multi-stage campaign that steals cryptocurrency wallet data and browser history from infected Windows systems. The first stage, LeakyInjector, uses low-level Windows API calls to inject the second stage, LeakyStealer, into the legitimate explorer.exe process, so the stealer's activity is attributed to a trusted system process and is harder to spot for endpoint tooling that keys on process identity. LeakyStealer is polymorphic: it rewrites its own code in memory while running, so a signature taken from one sample is unlikely to match the next. Both stages are signed with valid Extended Validation (EV) certificates, which reduces scrutiny from security products that treat a valid signature as a sign of legitimacy. Once running, the malware enumerates the system for cryptocurrency wallets, including wallets implemented as browser extensions, and copies history files from several browsers; a history file reveals the exchanges, wallet services and internal sites a user visits, even though it does not hold credentials itself. Persistence is established through registry modifications so the malware survives reboots. It beacons periodically to C2 infrastructure (IP 45.151.62.120 and the domains everstead.group and paycnex.com) to exfiltrate stolen data and fetch further instructions, which may include executing additional commands. The polymorphic code and the legitimate certificates together complicate both detection and mitigation. No exploitation in the wild is reported, but the capabilities and evasion techniques justify a medium severity rating, particularly for users who transact in cryptocurrency.
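The two behaviours the analysis singles out, injection into explorer.exe and registry persistence, can be hunted together in endpoint telemetry. The following Python script is an added example written for this page, not code from the AlienVault pulse or the Hybrid Analysis write-up, and it runs over constructed Sysmon-style events rather than real logs. It assumes the injection surfaces as Sysmon Event ID 10 (ProcessAccess) with thread-creation or memory-write rights and/or Event ID 8 (CreateRemoteThread), and that the persistence write lands in an autostart Run key logged as Event ID 13; the pulse names neither the API used nor the registry key, so both are assumptions.

```python
"""Behavioural hunt for the LeakyInjector -> explorer.exe -> LeakyStealer chain.

Added example for this page. The Sysmon event IDs and access-right constants
are real, but which events the malware would trigger, and the Run key as the
persistence location, are assumptions: the pulse names neither the injection
API nor the registry key.
"""

# Sysmon event IDs
CREATE_REMOTE_THREAD = 8   # a thread was created in another process
PROCESS_ACCESS = 10        # a handle to another process was opened
REGISTRY_VALUE_SET = 13    # a registry value was written

# Process access rights (winnt.h) that allow writing code into a target and
# starting it. A handle with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000),
# as EDR sensors and task managers use, cannot inject and is ignored.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: autostart keys to watch for the persistence write.
PERSISTENCE_KEY_FRAGMENTS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)


def _is_explorer(image):
    return image.lower().endswith("\\explorer.exe")


def _is_injection(ev):
    """True for an event showing another process injecting into explorer.exe."""
    if not _is_explorer(ev.get("TargetImage", "")):
        return False
    if ev["EventID"] == CREATE_REMOTE_THREAD:
        return True
    if ev["EventID"] == PROCESS_ACCESS:
        return bool(int(ev["GrantedAccess"], 16) & INJECT_RIGHTS)
    return False


def _is_persistence_write(ev):
    if ev["EventID"] != REGISTRY_VALUE_SET:
        return False
    key = ev["TargetObject"].lower()
    return any(frag in key for frag in PERSISTENCE_KEY_FRAGMENTS)


def hunt(events):
    """Scan time-ordered Sysmon events and return a list of alert dicts.

    'injection'   another process opened or threaded into explorer.exe with
                  rights sufficient to inject.
    'persistence' some process wrote an autostart value.
    'chain'       explorer.exe itself wrote an autostart value after having
                  been injected into: the stage-two-inside-explorer pattern
                  the pulse describes, and the alert worth paging on.
    """
    alerts = []
    explorer_injected = False
    for ev in events:
        if _is_injection(ev):
            explorer_injected = True
            alerts.append({"type": "injection", "source": ev["SourceImage"],
                           "target": ev["TargetImage"], "event_id": ev["EventID"]})
        elif _is_persistence_write(ev):
            kind = "chain" if explorer_injected and _is_explorer(ev["Image"]) else "persistence"
            alerts.append({"type": kind, "source": ev["Image"],
                           "key": ev["TargetObject"], "value": ev.get("Details", "")})
    return alerts


# Constructed telemetry, not real events: a downloaded binary injects into
# explorer.exe, after which explorer.exe writes a Run value; an EDR sensor
# opening explorer.exe with query-only rights is the benign control.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The access-mask check is what keeps this quiet on a real fleet: plenty of legitimate software opens explorer.exe, but almost none of it asks for PROCESS_VM_WRITE or PROCESS_CREATE_THREAD. The "chain" alert is deliberately stricter than either half on its own, since a Run-key write by explorer.exe only becomes interesting once something has been injected into it.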

Potential Impact

For European organizations the risk falls mainly on entities involved in cryptocurrency trading and financial services, and on any business or individual using browser-based crypto wallets. Theft of wallet credentials can lead to direct and typically irreversible financial loss and undermines trust in digital asset handling. Exfiltrated browser history exposes browsing habits and can reveal confidential business activity or personal information. The stealth injection and registry persistence make detection and removal harder, which lengthens the window of unauthorized access and opens the door to further compromise, lateral movement or data breaches. The valid EV certificates may blunt security controls that trust signed code, raising the chance of a successful infection. Because the malware can receive and execute additional commands from the C2 server, the operators can change tactics after the initial compromise. Organizations with remote or hybrid workforces whose staff use personal devices for crypto transactions are particularly exposed. The medium severity rating reflects the financial and privacy impact; the absence of reported widespread exploitation limits the immediate large-scale impact.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Deploy endpoint detection and response (EDR) tooling that can see low-level API injection and in-memory code modification, and watch explorer.exe specifically for remote thread creation and unexpected outbound connections.
2) Do not treat a valid EV signature as proof of benign intent: enforce code-signing policies with certificate revocation checks and flag signed binaries whose signer or hash is new to the estate.
3) Harden registry permissions and monitor persistence-related keys for unauthorized writes, using behavioural analytics to flag suspicious changes (autostart locations such as the Run keys are the usual suspects, though the pulse does not name the key used).
4) Restrict or monitor browser extensions related to cryptocurrency wallets, applying application control policies to block installation of untrusted extensions.
5) Use network segmentation and egress filtering to detect and block C2 traffic, in particular to 45.151.62.120, everstead.group and paycnex.com; retain DNS and proxy logs so that retrospective searches are possible.
6) Run regular threat-hunting exercises against the indicators of compromise (IOCs) listed below, both the file hashes and the network indicators.
7) Educate users about phishing and social engineering, since the initial infection vector is likely to involve user interaction (the pulse does not name the delivery mechanism).
8) Maintain up-to-date backups and incident response plans that cover data exfiltration and credential theft.
9) Use threat intelligence feeds to track evolving tactics related to LeakyInjector and LeakyStealer.
10) Consider browser isolation or hardened browser environments for users who handle cryptocurrency wallets.
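Items 5 and 6 above come down to matching the indicators published with the pulse against what your estate produces: file hashes on disk, and hostnames or IPs in DNS and proxy logs. The script below is an added example for this page, not tooling from AlienVault or the referenced write-up. It embeds the hashes, IP and domains listed under Indicators of Compromise and runs them against a constructed log excerpt; the log format and the scan_tree directory walk are assumptions, the indicators themselves are the page's own.

```python
"""IOC sweep for the LeakyInjector/LeakyStealer pulse (added example).

The indicators are copied from the pulse's IOC table; the log format and the
directory walk are assumptions made for illustration.
"""
import hashlib
import os
import re

# File hashes published with the pulse (MD5, SHA-1 and SHA-256 mixed together).
IOC_HASHES = {
    "6e81a3dd21518b8436319fb59801b720",
    "85a42f527518ec7b089d9c130c0348d5",
    "8cac48920f240c442bfc6c57a9c5e6ef41172139",
    "a8bf7554363d27deb374c4e2658ac05c60e3baa7",
    "ac383f12c3fd1110543efbee85755df0b6a575c1",
    "9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82",
    "dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14",
}
IOC_IPS = {"45.151.62.120"}
IOC_DOMAINS = {"everstead.group", "paycnex.com"}

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hashes_by_algorithm():
    """Group the mixed hash list by algorithm, inferred from hex length, and
    reject anything that is not a well-formed digest: a malformed IOC that
    silently matches nothing is the usual way a hunt goes wrong."""
    grouped = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in IOC_HASHES:
        algo = ALGO_BY_HEX_LEN.get(len(h))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"malformed indicator: {h}")
        grouped[algo].add(h)
    return grouped


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def matching_iocs(digests):
    """Return the (algorithm, digest) pairs that appear in the pulse."""
    wanted = hashes_by_algorithm()
    return [(a, d.lower()) for a, d in digests.items() if d.lower() in wanted[a]]


def scan_tree(root):
    """Walk a directory and report files whose hash matches an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matches = matching_iocs(file_digests(path))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if matches:
                hits.append((path, matches))
    return hits


TOKEN_RE = re.compile(r"[a-z0-9.\-]+")


def network_hits(lines):
    """Find log lines that reference the C2 IP or domains (subdomains included).

    Matching is on whole host tokens, so a look-alike such as
    paycnex.com.example does not count, while cdn.everstead.group does.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            tok = tok.strip(".")
            if tok in IOC_IPS or any(
                tok == d or tok.endswith("." + d) for d in IOC_DOMAINS
            ):
                hits.append((lineno, tok))
                break
    return hits


# Constructed proxy/DNS log excerpt; the format is invented for this example.
SAMPLE_LOG = """\
2025-11-07T09:02:26Z dns   client=10.0.0.15 query=cdn.everstead.group type=A
2025-11-07T09:02:27Z proxy client=10.0.0.15 dst=45.151.62.120:443 method=POST bytes=48213
2025-11-07T09:03:00Z dns   client=10.0.0.22 query=www.example.org type=A
2025-11-07T09:03:05Z proxy client=10.0.0.22 dst=paycnex.com.example:443 method=GET bytes=512
""".splitlines()


if __name__ == "__main__":
    import sys
    for lineno, indicator in network_hits(SAMPLE_LOG):
        print(f"network hit, line {lineno}: {indicator}")
    for path, matches in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"file hit {path}: {matches}")
```

Two details matter more than they look. Hashing all three algorithms in one pass means a single read of each file serves the whole mixed indicator list, and matching whole host tokens (rather than substring search) avoids both false positives on look-alike names and false negatives on subdomains of the C2 domains.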


Technical Details

Author
AlienVault
TLP
white
References
https://hybrid-analysis.blogspot.com/2025/11/leakyinjector-and-leakystealer-duo.html
Adversary
null
Pulse Id
690db5a261a7a153805c2dfe
Threat Score
null

Indicators of Compromise

Hashes (type inferred from digest length; the pulse gives no per-file description)

Type | Value
MD5 | 6e81a3dd21518b8436319fb59801b720
MD5 | 85a42f527518ec7b089d9c130c0348d5
SHA-1 | 8cac48920f240c442bfc6c57a9c5e6ef41172139
SHA-1 | a8bf7554363d27deb374c4e2658ac05c60e3baa7
SHA-1 | ac383f12c3fd1110543efbee85755df0b6a575c1
SHA-256 | 9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82
SHA-256 | dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14

IP

45.151.62.120

Domains

everstead.group
paycnex.com

Threat ID: 690dba651280f279b842fd9d

Added to database: 11/7/2025, 9:22:45 AM

Last enriched: 11/7/2025, 9:23:29 AM

Last updated: 11/9/2025, 4:50:40 AM
