Atlantida Stealer
Atlantida Stealer is an information-stealing malware family first discovered in January 2024 and active throughout 2024. It has been associated with the threat actor Void Banshee, which used it as the final payload in campaigns exploiting Windows MSHTML/Internet Explorer-related flaws including CVE-2024-38112, and reporting also links similar MSHTML spoofing flaws such as CVE-2024-43461 and CVE-2024-43573 to delivery of this malware. In the documented Void Banshee infection chain, victims were lured with spearphishing-style files disguised as PDF books, often delivered via ZIP archives and distributed through cloud-sharing sites, Discord servers, online libraries, compromised websites, and malicious GitHub repositories amplified through the Stargazers Ghost network. The exploit chain abused .URL files, the MHTML protocol handler, x-usc directives, malicious HTA/VBScript/PowerShell stages, and a .NET loader to execute the payload on Windows systems via the disabled but still present Internet Explorer/MSHTML components. Atlantida Stealer is reported to be built from the open-source stealers NecroStealer and PredatorTheStealer. Its theft capabilities include passwords and browser credentials, cookies, screenshots, desktop files, system information, Telegram data, Steam data, FileZilla data, browser extension data, and cryptocurrency wallet extension data. Collected data is compressed into a ZIP archive and exfiltrated to attacker-controlled infrastructure, including over TCP port 6655. Reported targeting in the Void Banshee campaigns was concentrated in North America, Europe, and Southeast Asia. A reported payload sample, AtlantidaStealer.exe, had SHA256 6f1f3415c3e52dcdbb012f412aef7b9744786b2d4a1b850f1f4561048716c750.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The vulnerability CVE-2024-38112 (ZDI-CAN-24433) was used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML. | The final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The final payload of this zero-day attack chain is the Atlantida stealer, which was first discovered in January 2024.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Victim is redirected to compromised site which downloads a malicious HTML Application (.HTA).
Initial Access
2 techniques
"CVE-2024-43461 ... MSHTML platform spoofing vulnerability similar to CVE-2024-38112, which was exploited by the threat actor to deliver Atlantida stealer malware" ... "exploited as a part of an attack chain relating to CVE-2024-38112"
Void Banshee used zip archives containing copies of books in PDF format, along with malicious files disguised as PDFs in spearphishing links (T1566.002), on online libraries, cloud sharing sites, Discord, and a slew of compromised websites.
Execution
3 techniques
This script uses PowerShell to download an additional script hosted on a compromised web server and executes the command using the PowerShell irm (Invoke-RestMethod) alias and iex (Invoke-Expression) alias commands.
The HTA file contains a Visual Basic Script (VBScript) that decrypts XOR encrypted content with key 4 and executes the content using PowerShell.
The zero-day attack begins when the victim opens a URL shortcut file designed to exploit CVE-2024-38112.
Privilege Escalation
1 technique
Stealth
4 techniques
The HTA file contains a Visual Basic Script (VBScript) that decrypts XOR encrypted content with key 4... LoadToBadXml is a .NET Trojan loader that is obfuscated using Eziriz .NET Reactor.
It then injects them into C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe. The malware employs a common process injection technique... CreateProcess ... VirtualAllocEx ... WriteProcessMemory ... CreateRemoteThread API.
By using specially crafted .URL files that contained the MHTML protocol handler and the x-usc! directive, Void Banshee was able to access and run HTML Application (HTA) files directly through the disabled IE process.
Atlantida abuses RegAsm.exe to proxy malicious code execution.
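The .URL abuse described in this block is something a defender can triage on disk. The following is an added example written for this page, not code from Mallory or from any vendor report: a Python check that parses Windows Internet Shortcut (.URL) files and flags a URL= value that routes through the mhtml: handler or carries the x-usc directive. The two sample shortcut contents and the example.invalid hosts are constructed placeholders, not real indicators.

```python
"""Triage check for Windows Internet Shortcut (.URL) files: flags the
mhtml: protocol handler and the x-usc directive that the Void Banshee
chain abused to reach MSHTML through the disabled IE components."""
from __future__ import annotations

import re

# Constructed sample contents for this example (not real IOCs; hosts are
# placeholders). Real shortcuts are INI-style with an [InternetShortcut]
# section and a URL= key.
BENIGN_URL = "[InternetShortcut]\nURL=https://example.invalid/book.pdf\n"
SUSPICIOUS_URL = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://example.invalid/Book.pdf!x-usc:http://example.invalid/Book.pdf\n"
    "ShowCommand=7\n"
)

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)  # handler routed to MSHTML
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)   # nested remote fetch directive


def parse_internet_shortcut(text: str) -> str | None:
    """Return the URL= value from the [InternetShortcut] section, else None.
    Parsed by hand because values legitimately contain ':' and '!'."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def analyze_shortcut(text: str) -> list[str]:
    """Return the reasons a shortcut looks like the MSHTML abuse pattern;
    an empty list means nothing matched (e.g. a plain https:// target)."""
    url = parse_internet_shortcut(text) or ""
    reasons = []
    if MHTML_RE.search(url):
        reasons.append("mhtml: handler in URL= (MSHTML rendering path)")
    if XUSC_RE.search(url):
        reasons.append("!x-usc: directive in URL= (nested remote fetch)")
    return reasons
```

Run analyze_shortcut over the contents of each .URL file found in mail attachments or extracted ZIP archives; any non-empty result is worth a closer look, since a shortcut advertised as a PDF has no legitimate reason to use the mhtml: handler.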
Credential Access
1 technique
It targets sensitive information from various applications... web browsers... extracting stored sensitive and potentially valuable data, such as passwords and cookies... Mozilla Firefox and Microsoft Edge’s cookies and credentials.
Discovery
1 technique
Next, the malware starts to collect system information such as RAM, GPU, CPU, and screen resolution and stores it in “User Information.txt”
Collection
3 techniques
Furthermore, the malware harvests credentials and sensitive files from various applications... All files with the ".txt" extension from the infected system’s desktop directory... Telegram data... Steam configurations... cookies and credentials.
Afterward, it takes a screenshot, saves it as "screenshot.jpeg," and adds it to the ZIP.
The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP... The malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker's C&C server over TCP port 6655.
Exfiltration
1 technique
The malware compresses all the collected data into a ZIP file and exfiltrates it to the attacker's C&C server over TCP port 6655.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Atlantida Stealer is a malware used to steal information from infected systems. It has been delivered via exploitation of MSHTML spoofing vulnerabilities by the Void Banshee threat actor.
Information stealer malware used to exfiltrate credentials and sensitive data for financial gain.
An information-stealing malware family used as the final payload in Void Banshee’s CVE-2024-38112 attack chain. It steals passwords, cookies, browser data, Telegram, Steam, FileZilla data, cryptocurrency wallet extension data, desktop files, screenshots, and system information, then compresses and exfiltrates the data to attacker-controlled C2 infrastructure.
Atlantida Stealer is an information stealer malware distributed via malicious GitHub repositories, designed to exfiltrate credentials and sensitive data from infected systems.