Meduza Stealer
Meduza Stealer is a Windows-based malware-as-a-service (MaaS) infostealer first observed in 2023 and described as sophisticated and rapidly evolving. It is designed to steal credentials, browser data, session cookies, financial information, cryptocurrency wallet data, Telegram and Steam information, Windows Credential Manager data, installed software details, environment variables, and selected files. Reported feature sets include a web administration panel, encrypted logs, support for exfiltrating data from more than 100 browsers and cryptocurrency wallets, and anti-analysis capabilities including anti-VM behavior, dynamic obfuscation, polymorphic code, and geo-filtering to avoid selected CIS countries. The malware has also been cited as continuing to harvest Chrome data after Google introduced Application-Bound Encryption (ABE), and public reporting suggests Meduza implemented or claimed bypasses for newer Chromium protections.
Observed behavior includes querying external IP-check services such as api.ipify.org to obtain the victim’s public IP address, HTTP-based communications, and encrypted exfiltration to command-and-control infrastructure. Detection-oriented reporting associates Meduza activity with anomalous network connections, suspicious process execution, unusual registry modifications, DNS queries to abused web services, and access to Windows uninstall registry keys. One reported infrastructure linkage tied Meduza activity to IP address 195.133.18.15.
Distribution and intrusion vectors mentioned in the content include phishing emails, malicious attachments, trojanized software downloads, and broader criminal delivery ecosystems. Meduza has been referenced alongside spearphishing and commodity malware operations, and CERT-UA reporting lists it among tools used by UAC-0050 in campaigns targeting Ukrainian accountants and organizations. Insikt Group also observed a Lumma affiliate using Meduza infrastructure, indicating overlap among infostealer operators.
Russian authorities reported arresting three suspected developers/operators in October 2025, alleging they had run Meduza as a paid MaaS offering since mid-2023 via underground forums and Telegram channels. Reporting states the malware was sold on Russian-language forums including XSS and via Telegram, with one cited pricing model for version 2.2 at $199 per month or $1,199 lifetime. Authorities alleged the malware had been used in attacks in Ukraine, Poland, and Russia, including a breach of a Russian government organization in the Astrakhan region. High-confidence IOCs and technical details directly mentioned in the content include the api.ipify.org lookup, the infrastructure IP 195.133.18.15, and the malware family name Meduza Stealer.
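The detection indicators the summary above lists (api.ipify.org lookups, the reported infrastructure IP 195.133.18.15, and reads of the Windows uninstall registry keys) are individually weak: plenty of legitimate software checks its public IP, and inventory agents read uninstall keys all day. The following added example (it is not Mallory's code, nor code from any of the cited reports) shows one defender-side way to use them: classify endpoint events against the page's IOCs, then correlate per host and process so that the chain of behaviours scores higher than any single match. The event schema, the sample telemetry, the process names and the weights are all constructed for this example.

```python
"""Correlate Meduza Stealer indicators from public reporting against endpoint telemetry."""
import re
from collections import defaultdict

# Indicators taken from the write-up: the public-IP check service, the one
# reported infrastructure address, and the installed-software registry keys.
IP_CHECK_HOSTS = {"api.ipify.org"}
C2_IPS = {"195.133.18.15"}
UNINSTALL_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE
)

# Weights are an assumption for this example: a public-IP lookup or an
# uninstall-key read is common in benign software and only becomes interesting
# when combined; a connection to the reported C2 address is treated as strong.
WEIGHTS = {"ip_check_lookup": 1, "uninstall_key_read": 1, "c2_connection": 3}
ALERT_THRESHOLD = 3

# Constructed sample telemetry (assumed schema: type, host, process, plus
# type-specific fields). None of these hosts or process names are from the page.
SAMPLE_EVENTS = [
    # benign: a browser checking its public IP
    {"type": "dns", "host": "ws-01", "process": "chrome.exe", "query": "api.ipify.org"},
    # suspicious chain on ws-02: IP check, software inventory, then C2 connection
    {"type": "dns", "host": "ws-02", "process": "invoice_viewer.exe", "query": "api.ipify.org"},
    {"type": "registry", "host": "ws-02", "process": "invoice_viewer.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "net", "host": "ws-02", "process": "invoice_viewer.exe",
     "dst_ip": "195.133.18.15", "dst_port": 80},
    # benign: an inventory agent enumerating installed software
    {"type": "registry", "host": "ws-03", "process": "inventory_agent.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"},
]


def classify(event):
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "dns" and event.get("query", "").lower() in IP_CHECK_HOSTS:
        hits.append("ip_check_lookup")
    if kind == "http" and event.get("host_header", "").lower() in IP_CHECK_HOSTS:
        hits.append("ip_check_lookup")
    if kind in ("net", "http") and event.get("dst_ip") in C2_IPS:
        hits.append("c2_connection")
    if kind == "registry" and UNINSTALL_KEY_RE.search(event.get("key", "")):
        hits.append("uninstall_key_read")
    return hits


def correlate(events, threshold=ALERT_THRESHOLD):
    """Group indicator matches by (host, process) and score each group.

    Returns {(host, process): {"score": int, "indicators": [...]}} for groups
    whose summed weight reaches the threshold; distinct indicators are counted
    once each, so repeating the same lookup does not inflate the score.
    """
    findings = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            findings[(ev["host"], ev["process"])].add(hit)
    results = {}
    for key, indicators in findings.items():
        score = sum(WEIGHTS[i] for i in indicators)
        if score >= threshold:
            results[key] = {"score": score, "indicators": sorted(indicators)}
    return results


if __name__ == "__main__":
    for (host, proc), finding in correlate(SAMPLE_EVENTS).items():
        print(f"{host} {proc}: score={finding['score']} {finding['indicators']}")
```

On the sample data only ws-02's `invoice_viewer.exe` alerts (score 5, all three indicators); the browser's IP check on ws-01 and the inventory agent's registry read on ws-03 each score 1 and stay below the threshold. A lone connection to the reported C2 address still alerts on its own, which is the intended asymmetry between a public-reporting IOC and generic behaviours.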
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Fortinet threat research on a stealer campaign exploiting CVE-2024-21412: "Meduza Stealer is a sophisticated and rapidly evolving malware designed to extract sensitive data from compromised systems." Reference: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
Groups observed using it
1 distinct threat actor attributed by public researchers.
CERT-UA reporting (translated from Ukrainian): "…use of a wide range of programs, such as: REMCOS, TEKTONITRMS, MEDUZASTEALER, LUMMASTEALER…"
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Initial Access: 2 techniques
Execution: 2 techniques
Persistence: 1 technique
Stealth: 3 techniques
Defense Impairment: 1 technique
Credential Access: 5 techniques
Evidence: "Once deployed, it scans for browser-stored passwords, cryptocurrency wallets, and keylogging opportunities..."
Evidence: "Login Credentials: Passwords and session tokens from over 100 browsers and 27 password managers."
Evidence (translated from Russian): "Session cookies are of particular value to attackers... stealing such files lets an attacker use an already authenticated session on the victim's behalf without entering the login and password."
Discovery: 2 techniques
Collection: 3 techniques
Evidence: "Cryptocurrency: Data from over 100 wallets, including browser-based extensions. Messaging/Gaming: Information stolen from Telegram IM and Steam clients."
Command and Control: 1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family, plus other indicator types observed in public reporting.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
Named as one of the infostealers whose developers claimed to have bypassed Chrome’s App-Bound Encryption shortly after its release.
An infostealer mentioned as continuing to harvest Chrome cookie data and other secrets despite Google's App-Bound Encryption protections.
(Translated from Russian) An infostealer whose developers claimed to have bypassed Chrome's Application-Bound Encryption protection mechanism shortly after its introduction.
Associated Analytic Story ... Meduza Stealer ...