deerstealer
DeerStealer is a malware-as-a-service infostealer platform, also referred to in the content as XFiles Spyware, and is sold by @LuciferXfiles on Telegram-based cybercrime forums, with pricing reported from $200 to $3,000 per month. The reporting indicates affiliate-operated deployment, including campaigns likely distributed via malvertising and fake software updates, such as fake Google Chrome updates, as well as use within the Rugmi/DeerStealer ecosystem. Observed DeerStealer delivery chains include malicious WiX Burn installer bundles that use legitimate decoy software while loading the final payload in memory via a masqueraded Adobe component and, in another campaign, loading via HijackLoader. The malware is described as a multi-stage infostealer that uses deception, persistence mechanisms, signed binaries, and rootkit-like capabilities to evade detection. Capabilities directly described in the content include theft of credentials, cookies, autofill data, credit cards, browsing history, Discord tokens, Telegram tdata, WhatsApp and Signal sessions, OpenVPN configurations, WinSCP credentials, FileZilla credentials, and data from more than 50 browsers, more than 800 browser extensions, and more than 14 cryptocurrency wallets including Electrum, Exodus, Atomic, MetaMask, and Phantom. DeerStealer also captures screenshots, clipboard contents, and installed software inventory, and includes a hidden VNC server for live desktop surveillance and a live keylogger. Persistence mechanisms observed include an HKCU Run key named AppVTemplate and scheduled tasks named zceWriter, dyApp, and Pluginsecurity_dbg. Exfiltration and communications described in the content include HTTPS communications with Cloudflare-fronted C2 domains, XOR-encrypted HTTPS POST requests, AES-encrypted ZIP archives routed through a Gasket proxy layer, and Telegram abuse. Telegram usage includes POST requests to the /sendMessage endpoint to notify a bot of malware actions, and the content also states DeerStealer used Telegram for execution notifications in a campaign distributed via infected websites and fake Chrome updates. Known aliases mentioned in the content are DeerStealer and XFiles Spyware. The content does not support attribution to a nation state.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware-as-a-Service infostealer platform used to steal browser credentials, cookies, crypto wallets, messaging sessions, and other sensitive data; observed here with hidden VNC, live keylogging, persistence, and encrypted exfiltration.
Malware-as-a-Service infostealer operation distributed via likely malvertising, using a WiX installer bundle and decoy software to steal browser credentials, crypto wallets, messaging sessions, VPN/FTP configs, screenshots, clipboard data, and to enable hidden VNC and keylogging.
DeerStealer is a multi-stage infostealer distributed via fake browser update campaigns, using Telegram for execution notifications and exfiltration of sensitive data.
Infostealer malware operation focused on stealing sensitive information from infected systems.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.