Fickle Stealer

Fickle Stealer is a Rust-based information stealer observed by FortiGuard Labs in May 2024 and targeting Microsoft Windows systems. Fortinet described it as using multiple delivery methods and a flexible, server-driven targeting model, which led researchers to name it "Fickle Stealer." Reported delivery vectors include malicious Word documents with VBA macros, link downloaders, and a .NET executable masquerading as a PDF viewer. Associated PowerShell stages such as u.ps1/bypass.ps1 were used to bypass UAC, establish persistence via scheduled tasks, and prepare execution. Fortinet reported that the malware uses a disguised packer, in-memory payload decryption and execution, anti-analysis and anti-VM checks, and Telegram bot reporting of victim status. Its theft capabilities include browser data, cookies, credentials, LevelDB data from Discord and Chromium-based browsers, password-manager extensions, cryptocurrency wallet data, targeted documents, application data including Steam, Telegram, Signal, Skype, and FileZilla, plus screenshots and system information.

Fickle Stealer is repeatedly associated in the provided reporting with the threat actor EncryptHub, also tracked as LARVA-208 and Water Gamayun. Trustwave reported EncryptHub delivering Fickle Stealer through PowerShell after social-engineering lures and exploitation of the Microsoft Management Console vulnerability CVE-2025-26633 ("MSC EvilTwin"). In that activity, PowerShell scripts established persistence, communicated with EncryptHub C2 infrastructure, received AES-encrypted commands, and deployed Fickle Stealer as a PowerShell-based information stealer designed to extract sensitive files, harvest system information, and steal cryptocurrency wallet data. PRODAFT also reported EncryptHub using PowerShell scripts to deliver Fickle Stealer alongside Rhadamanthys and Stealc in broader social-engineering campaigns, including operations that compromised hundreds of organizations.

The malware was also reported in Steam-related distribution cases. In the Chemia game compromise, Prodaft and other reporting stated that EncryptHub added Fickle Stealer via cclib.dll, which used worker.ps1 to fetch the payload from soft-gets[.]com. In that context, Fickle Stealer was described as stealing browser credentials, autofill data, cookies, and cryptocurrency wallet data, while running in the background without affecting gameplay. Separate reporting on malicious Steam titles also described Fickle Stealer as stealing credentials, browser data, cookies, and cryptocurrency wallets. Additional lures included fake AI or meeting platforms targeting Web3 developers, where malware disguised as a Realtek HD Audio Driver executed PowerShell to retrieve and deploy Fickle Stealer for theft of cryptocurrency wallets, development credentials, and sensitive project data.

High-confidence indicators mentioned in the content include infrastructure and artifacts associated with campaigns delivering or involving Fickle Stealer: IPs 144.208.127.230, 185.213.208.245, and 138.124.184.210; GitHub URL hxxps://github[.]com/SkorikJR; domains soft-gets[.]com, reaitek[.]com, and safesurf.fastdomain-uoemathhvq.workers[.]dev; and hashes including a reported Fickle Stealer sample 6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825 and a related downloader hash ed076c27b420bfa66c251488b4121913fa461367a60c5fa32cee3953efcae32b.