RUGMI
Rugmi is referenced in the source reporting as a loader ecosystem associated with an affiliate-operated social-engineering campaign delivering DeerStealer. The analyzed activity involved a malicious WiX Burn bootstrapper bundle disguised as "Antonomasia" from the publisher "Cyme", which used a legitimate copy of Active@ Password Changer as a visible decoy while delivering DeerStealer in memory. The source assesses the campaign as a deliberate social-engineering operation by a DeerStealer affiliate operating within the Rugmi loader ecosystem, likely distributed via malvertising aimed at users searching for password-management tools.

In the described intrusion chain, a weaponized DLL masquerading as Adobe's CCMNative.dll decrypted an XOR-obfuscated configuration and an AES-CBC-encrypted DeerStealer payload, then executed the stealer entirely in memory.

The resulting DeerStealer activity included: theft of credentials and session data from more than 50 browsers, more than 800 browser extensions, and more than 14 cryptocurrency wallets; theft of Discord tokens, Telegram tdata, WhatsApp and Signal sessions, OpenVPN configurations, and WinSCP and FileZilla credentials; hidden VNC-based desktop surveillance; keylogging; persistence via an HKCU Run key named AppVTemplate; and scheduled tasks named zceWriter, dyApp, and Pluginsecurity_dbg.

The malware communicated over HTTPS with Cloudflare-fronted C2 infrastructure, including telluricaphelion[.]com and loadinnnhr[.]today. No nation-state attribution is stated in the source. Known alias in the source: rugmi.
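Defenders can hunt for the host and network artefacts named above in endpoint telemetry. The following is an added example, not code from the page or the Mallory product: it applies the Run-key value, scheduled-task names and C2 domains from the summary to constructed Sysmon-style events (the event field layout and the sample records are assumptions, not real telemetry).

```python
import re

# Indicators come from the page; the page's defanged form is kept and undone on load.
RUN_KEY_VALUE = "AppVTemplate"
TASK_NAMES = {"zceWriter", "dyApp", "Pluginsecurity_dbg"}
C2_DOMAINS = {d.replace("[.]", ".") for d in ("telluricaphelion[.]com", "loadinnnhr[.]today")}

# Registry value under any user's HKCU Run key (Sysmon shows HKCU as HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Task name passed to schtasks.exe /create ... /tn <name>
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?\s.*?/tn\s+"?([^\s"]+)', re.I)


def hunt(events):
    """Return (host, indicator, evidence) tuples for events matching the page's artefacts."""
    hits = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 13:  # Sysmon: registry value set
            m = RUN_KEY_RE.search(ev["target"])
            if m and m.group(1).lower() == RUN_KEY_VALUE.lower():
                hits.append((host, "run_key:" + RUN_KEY_VALUE, ev["target"]))
        elif ev["id"] == 1:  # Sysmon: process creation
            m = SCHTASKS_RE.search(ev["cmd"])
            if m and m.group(1) in TASK_NAMES:
                hits.append((host, "sched_task:" + m.group(1), ev["cmd"]))
        elif ev["id"] == 22:  # Sysmon: DNS query
            if ev["query"].lower().rstrip(".") in C2_DOMAINS:
                hits.append((host, "c2_dns:" + ev["query"], ev["image"]))
    return hits


# Constructed sample events: two benign records are mixed in to show they are not flagged.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\AppVTemplate"},
    {"host": "ws01", "id": 1, "cmd": 'schtasks.exe /create /tn "zceWriter" /tr C:\\Users\\Public\\x.exe /sc minute'},
    {"host": "ws01", "id": 1, "cmd": "schtasks.exe /create /tn Backup /tr C:\\Tools\\backup.exe /sc daily"},
    {"host": "ws02", "id": 22, "query": "telluricaphelion.com", "image": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    {"host": "ws02", "id": 22, "query": "login.microsoftonline.com", "image": r"C:\Program Files\Outlook.exe"},
    {"host": "ws03", "id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Pointing `hunt()` at real Sysmon exports requires only mapping the exporter's field names onto the `host`, `id`, `target`, `cmd`, `query` and `image` keys used here.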