Silent Watcher: Dissecting Cmimai Stealer's VBS Payload
A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, running in a persistent loop every hour. It leverages WMI for system information gathering and employs JSON formatting for data exfiltration. While lacking advanced features like encrypted communication or credential theft, Cmimai Stealer serves as both an infostealer and a reconnaissance tool. Defensive considerations include monitoring high-risk process combinations, watching for specific PowerShell scripts and image files, and detecting Discord traffic with a unique User-Agent.
AI Analysis
Technical Summary
Cmimai Stealer is a VBS-based infostealer malware targeting Windows systems, first observed in June 2025. It primarily functions as an information-gathering and reconnaissance tool rather than a sophisticated credential stealer. The malware collects system information using Windows Management Instrumentation (WMI), browser metadata, and screenshots of the infected host. It leverages PowerShell scripts to extract browser data and capture screenshots, executing these tasks in a persistent loop every hour to maintain continuous data collection. The collected data is formatted in JSON and exfiltrated via Discord webhooks, a technique that abuses legitimate Discord infrastructure for covert command and control communication. Notably, Cmimai Stealer lacks advanced features such as encrypted communication channels or direct credential theft capabilities, which limits its immediate impact but still poses a significant privacy and security risk. The malware’s persistence and hourly data collection enable attackers to maintain ongoing surveillance of compromised systems. Defensive strategies include monitoring for unusual combinations of high-risk processes, detecting specific PowerShell scripts and image files generated by the malware, and identifying Discord traffic with a unique User-Agent string associated with Cmimai Stealer’s exfiltration method. Indicators of compromise include several known file hashes linked to the malware payload. While no known exploits or threat actors have been definitively linked to Cmimai Stealer, its use of common scripting languages and legitimate services makes detection challenging without targeted monitoring.
Potential Impact
For European organizations, the impact of Cmimai Stealer centers on unauthorized data exposure and reconnaissance. The malware’s ability to collect system details, browser metadata, and screenshots can lead to leakage of sensitive corporate information, user activity, and potentially intellectual property. Although it does not directly steal credentials or deploy ransomware, the gathered intelligence could facilitate follow-on attacks, including targeted phishing or lateral movement within networks. The use of Discord for data exfiltration complicates detection, as Discord traffic is often allowed through firewalls and may blend with legitimate communications. Organizations in Europe with Windows-based endpoints, especially those with users who have access to sensitive data or critical infrastructure, face risks of privacy breaches and espionage. The persistent hourly data collection increases the window of exposure and the volume of stolen information. Additionally, the malware’s reliance on PowerShell and WMI, common administrative tools, may allow it to evade traditional endpoint protections if not properly monitored. The threat is particularly relevant for sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, where data leakage could result in compliance violations and reputational damage.
Mitigation Recommendations
To mitigate the threat posed by Cmimai Stealer, European organizations should implement several targeted measures beyond generic best practices:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of monitoring and alerting on suspicious PowerShell activity, especially scripts that perform browser data extraction or screen capture.
2) Configure network monitoring tools to detect and flag Discord webhook traffic exhibiting the unique User-Agent associated with Cmimai Stealer’s exfiltration.
3) Implement strict application control policies to prevent unauthorized execution of VBS and PowerShell scripts, particularly those not signed or originating from untrusted sources.
4) Monitor WMI usage patterns for anomalies, as frequent or unusual WMI queries can indicate reconnaissance activity.
5) Regularly audit and restrict Discord usage within corporate networks, considering blocking or proxying Discord traffic where not business-critical.
6) Employ file integrity monitoring to detect creation of suspicious image files or JSON data files that may be used for staging exfiltrated data.
7) Conduct user awareness training to reduce the risk of initial infection vectors, such as phishing emails delivering the VBS payload.
8) Maintain up-to-date threat intelligence feeds and integrate IoCs such as the provided file hashes into security tools for proactive detection.
These measures collectively reduce the attack surface, improve detection capabilities, and limit the malware’s ability to persist and exfiltrate data.
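As an added example (not code from the K7 Computing write-up or from this page), the Python below implements the network side of recommendations 2) and 5): it scans proxy logs for POSTs to Discord webhook URLs that carry a non-browser User-Agent and recur on the roughly hourly cadence the analysis attributes to Cmimai Stealer. The log format, the IP addresses and the "SUSPICIOUS-UA/1.0" string are constructed; the page does not quote the malware's actual User-Agent, so replace that check with the real value once it is known.

```python
# Added example: detect near-hourly Discord webhook POSTs with an unrecognised
# User-Agent. Log format, hosts and the User-Agent value are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO time> <src_ip> <method> <url> \"<user-agent>\""
SAMPLE_LOG = """\
2025-08-13T09:00:02 10.0.0.5 POST https://discord.com/api/webhooks/111/aaa "SUSPICIOUS-UA/1.0"
2025-08-13T09:05:10 10.0.0.7 GET https://discord.com/api/v9/users/@me "Mozilla/5.0 (Windows NT 10.0) discord/1.0.9"
2025-08-13T10:00:05 10.0.0.5 POST https://discord.com/api/webhooks/111/aaa "SUSPICIOUS-UA/1.0"
2025-08-13T11:00:01 10.0.0.5 POST https://discord.com/api/webhooks/111/aaa "SUSPICIOUS-UA/1.0"
2025-08-13T11:20:00 10.0.0.9 POST https://discord.com/api/webhooks/222/bbb "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
WEBHOOK_RE = re.compile(r'^https://discord(?:app)?\.com/api/webhooks/')
BROWSERISH = ("Mozilla/", "discord/")  # rough allow-list of legitimate client UAs

def parse(log_text):
    """Yield (time, src, method, url, ua) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, url, ua = m.groups()
            yield datetime.fromisoformat(ts), src, method, url, ua

def find_hourly_webhook_beacons(log_text, period_s=3600, tolerance_s=120, min_posts=3):
    """Return {src: [timestamps]} for hosts whose webhook POSTs with a
    non-browser User-Agent all recur within tolerance_s of period_s."""
    by_src = defaultdict(list)
    for ts, src, method, url, ua in parse(log_text):
        if method == "POST" and WEBHOOK_RE.match(url) and not ua.startswith(BROWSERISH):
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(times) >= min_posts and len(periodic) == len(gaps):
            hits[src] = times
    return hits

if __name__ == "__main__":
    for src, times in find_hourly_webhook_beacons(SAMPLE_LOG).items():
        print(f"{src}: {len(times)} hourly webhook POSTs, first at {times[0]}")
```

On the constructed log only 10.0.0.5 is reported: its three POSTs are 3603 s and 3596 s apart, while the Discord client GET and the browser-originated webhook POST are filtered out before the cadence check.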
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- hash: 85d55caca5b341696382680eb3550918
- hash: ea792d0458d40471cefa26ebccf4ed45
- hash: 9def2a9ed132032d64c4f781b2afa0222e1c86d7
- hash: 7dd53d2ea74d37bfee3695180367df950b816a37bbecfdd0cff63f5cf5460354
Technical Details
- Author: AlienVault
- TLP: white
- References: https://labs.k7computing.com/index.php/silent-watcher-dissecting-cmimai-stealers-vbs-payload
- Adversary: null
- Pulse Id: 689c7d9f32da5a60f5776cf7
- Threat Score: null
Threat ID: 689cb3a4ad5a09ad00459d2c
Added to database: 8/13/2025, 3:47:48 PM
Last enriched: 8/13/2025, 4:04:20 PM
Last updated: 8/14/2025, 12:37:06 PM