Meduza
Meduza is an information-stealing malware family (infostealer/credential-harvesting malware) active since at least 2023. Reporting in the provided content describes it as designed to steal credentials, cryptocurrency wallets, and other sensitive information from compromised Windows systems. Additional cited research states it can collect browser credentials, cookies, histories, bookmarks, and autofill data from more than 100 browsers; target password managers and 2FA browser extensions; steal from more than 100 cryptocurrency wallet types including browser extensions and desktop applications; and extract data from applications such as Discord, Telegram, email clients, and VPNs. It also gathers host information including hardware details, installed software, IP addresses, time zones, and screenshots.
The malware is consistently referenced as a stealer/infostealer and has been observed in broader criminal delivery chains. The content notes attempts to deploy Meduza via NetSupport RAT in the TA569-linked "Horns&Hooves" email campaign, indicating phishing-driven initial access and follow-on payload delivery. Meduza is also listed among malware families that have successfully bypassed App-Bound Encryption. Splunk detection content further states that Meduza has abused VaultCLI.dll to extract credentials from the Windows Credential Vault, mapping to Windows Credential Manager theft behavior.
Infrastructure reporting in the content links Meduza operations to Russia-based bulletproof hosting provider Aeza Group, which U.S. authorities sanctioned for enabling malware and ransomware actors. Multiple references specifically associate Aeza infrastructure with the Lumma, Meduza, and RedLine infostealers. The content also mentions similarities between Meduza/Aurora Stealer targeting patterns and a separate custom malware campaign, but does not establish they are the same malware family.
Law-enforcement reporting in the provided material states that Russian authorities arrested three suspects believed to have created, sold, distributed, and deployed the Meduza infostealer. Russian officials linked the operation to an attack against a government institution in the Astrakhan region and said the suspects had worked on Meduza for about two years. The same reporting says the suspects also developed another malware strain intended to disable security tools and build botnets.
High-confidence behavioral and targeting details directly supported by the content therefore characterize Meduza as a Russian-linked credential and information stealer used in criminal operations, capable of harvesting browser and application data, cryptocurrency wallet information, Windows Credential Vault data, and broad host reconnaissance, with observed use in phishing-enabled intrusion chains and infrastructure ties to sanctioned bulletproof hosting.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Collection Atomic, Vidar, Meduza, Raccoon, Snaffler, Hekatomb, Lumma, DBeaver, MongoDB Compass, Azure SQL Query Editor, Cerebrata, FiveTran, Ave-Maria
In a number of cases, we observed attempts to use NetSupport RAT to install stealers such as Rhadamanthys and Meduza.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Initial Access
Persistence
1 technique
Persistence
Privilege Escalation
2 techniques
Privilege Escalation
Stealth
1 technique
Stealth
Credential Access
6 techniques
Credential Access
Russian police arrested “three young IT specialists” suspected of developing and selling the Meduza credential-harvesting malware.
Browser data: Credentials, cookies, histories, bookmarks, autofill data, and more, with support for more than 100 browsers
According to researchers at Hudson Rock, Meduza was highly equipped with tools to scoop up a wealth of data, including: Authentication: Targeted popular password managers and 2FA extensions
Authentication: Targeted popular password managers and 2FA extensions
Discovery
1 technique
Discovery
Collection
3 techniques
Collection
IOCs tracked for this family
152 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Other indicator types observed in public reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a known stealer whose theft target list is similar to the malware under analysis. No direct operational details beyond similarity are provided in the content.
A named infostealer listed in the RAMP malware marketplace.
Malware family listed among those hosted by the downstream ASNs of the upstream provider.
"Russia finally bites the cybercrooks it raised, arresting suspected Meduza infostealer devs"
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.