
CRYPTBOT

CryptBot is an information-stealing malware family used to harvest browser credentials, cookies, session tokens, financial data, social media accounts, and cryptocurrency wallet data. Multiple sources in the content explicitly describe it as an infostealer, and one report notes later-stage malware assessed as CryptBot searched for browser cookies, passwords, and cryptocurrency wallet files, captured a screenshot, and packaged stolen data into a ZIP archive for upload. Mandiant reported victim workstations infected with CRYPTBOT shortly before stolen Microsoft 365 session tokens were generated, and assessed with moderate confidence that a Russian espionage actor linked to UNC2452 / Nobelium / APT29 obtained session tokens from operators of the CRYPTBOT infostealer.

Observed delivery methods in the content include HijackLoader / RUGMI / IDAT Loader, Emmenhtal, fake CAPTCHA or “paste-and-run” / ClickFix social-engineering chains using obfuscated PowerShell and mshta.exe, SEO-poisoned cracked-software sites, password-protected ZIP-based droppers, malware delivery via CDN cache, and DLL side-loading campaigns. Red Canary observed HijackLoader leading to CryptBot in ClickFix-style activity. Sophos described cracked-software lures and droppers where Windows Defender sometimes raised Conti alerts, but assessed CryptBot as the primary payload. Trellix reported DLL side-loading campaigns abusing trusted signed binaries, including a GitKraken ahost.exe / c-ares-linked chain, to distribute CryptBot alongside other commodity malware. Cisco Talos reported CoralRaider distributing CryptBot, LummaC2, and Rhadamanthys globally, including to entities in Germany and Poland.

The content also shows CryptBot adapting to Chromium cookie protections. Samples were observed spawning Chrome with --remote-debugging-port=9222 and --profile-directory="Default" to recover cookies from Chromium-based browsers after application-bound encryption changes. Unlike some other stealers, CryptBot was noted as not using --headless or off-screen window-position flags in the command line, instead hiding the spawned Chrome window via CreateProcess flags.

Associated actors and ecosystems mentioned in the content are primarily financially motivated cybercrime operators and malware-as-a-service distribution chains, though stolen data from CryptBot infections has also been leveraged by higher-end intrusion actors. Targeting in the content is broad and opportunistic, with global distribution noted; sector-specific DLL side-loading campaigns distributing CryptBot targeted oil and gas, import/export, and business functions such as finance, procurement, supply chain, and administration. High-confidence indicators directly mentioned include the Chrome remote-debugging behavior using port 9222 and profile-directory Default, and infrastructure/delivery associations such as HijackLoader, Emmenhtal, ClickFix/mshta.exe chains, DLL side-loading, and CoralRaider distribution.
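The Chrome remote-debugging behaviour described above, together with the high-confidence indicators (port 9222, profile directory Default, no --headless or off-screen window flags), can be turned into a process-creation check. The following is an added example, not code from Mallory or from any vendor cited on this page; the Sysmon-style event fields, the sample records and the severity tiers are assumptions made for illustration.

```python
import re

# Chromium-based browser binaries whose command lines we inspect.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")
PROFILE_RE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))')
OFFSCREEN_RE = re.compile(r"--window-position=-\d+,-\d+")

# Constructed Sysmon Event ID 1-style records (sample data, not from the page).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"image": CHROME, "parent_image": r"C:\Users\alice\AppData\Local\Temp\H.exe",
     "command_line": f'"{CHROME}" --remote-debugging-port=9222 --profile-directory="Default"'},
    {"image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory="Default"'},
    {"image": CHROME, "parent_image": r"C:\Program Files\nodejs\node.exe",
     "command_line": f'"{CHROME}" --headless --remote-debugging-port=0 --window-position=-32000,-32000'},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Flag a process-creation event in which a Chromium browser is started with a
    remote-debugging port. Returns None when the event is not of interest."""
    cmd = event["command_line"]
    if basename(event["image"]) not in CHROMIUM_BROWSERS:
        return None
    port = PORT_RE.search(cmd)
    if not port:
        return None
    pm = PROFILE_RE.search(cmd)
    profile = (pm.group(1) or pm.group(2)) if pm else None
    # CryptBot, as this page describes it, does not hide the window with --headless or
    # an off-screen --window-position; browser automation frameworks typically do.
    hidden_by_flags = "--headless" in cmd or bool(OFFSCREEN_RE.search(cmd))
    parent = basename(event["parent_image"])
    severity = "low"
    if (port.group(1) == "9222" and profile == "Default"
            and not hidden_by_flags and parent not in CHROMIUM_BROWSERS):
        severity = "high"    # the exact combination reported for CryptBot
    elif parent not in CHROMIUM_BROWSERS:
        severity = "medium"  # debugging port enabled by a non-browser parent: review
    return {"port": int(port.group(1)), "profile": profile, "parent": parent,
            "hidden_by_flags": hidden_by_flags, "severity": severity}

def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

A real deployment would feed this from the SIEM's process-creation table and tune the parent allow-list to the organisation's own browser automation.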


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
APT29

Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated.

via Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (Evidence: 1)

All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products.

Initial Access

1 technique
T1189 Drive-by Compromise (Evidence: 1)

The sort of “watering hole” attack we saw here uses carefully cultivated search engine optimization to draw in a specific kind of victim: computer users seeking pirated software.

Execution

5 techniques
T1059 Command and Scripting Interpreter (Evidence: 1)

Next, it copies a third file (Fra.pptx) to a file with a single letter name (H here). That file contains an obfuscated script and then passes that as a runtime parameter to the just-extracted AutoIT script.

T1059.001 PowerShell (Evidence: 1)

We’ve been observing an initial access technique that tricks users into copying, pasting, and executing malicious PowerShell code... users are presented with the typical Verify You Are Human prompt... Clicking the button silently copies an obfuscated PowerShell command to the clipboard and presents the user with “Verification Steps” instructing them to: Press Windows Button + R... Press CTRL + V... Press Enter. | One technique we’ve recently seen lead to LummaC2 involves tricking users into copying a PowerShell script from a pop-up message, pasting it into the Windows Run dialogue box, and executing malicious PowerShell code.

T1059.003 Windows Command Shell (Evidence: 1)

The dropper launches one of them with cmd.exe, essentially using it as a batch script to create the second-stage malware.

T1204 User Execution (Evidence: 1)

The download was a .zip archive file named after the alleged “cracked” product sought by the target.

T1204.002 Malicious File (Evidence: 1)

Completing the download resulted in the delivery of a malware payload.

Stealth

5 techniques
T1036 Masquerading (Evidence: 1)

In most of the samples we studied, these files were labeled as PowerPoint (.pptx) files. Others had extensions that associate them with graphics files, Word template files, and other (normally) benign filetypes. But they were not any of these.

T1218.005 Mshta (Evidence: 1)

An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource... Detection opportunity: mshta.exe utility making external network connections.

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

The strings in the real second-stage dropper include a number of anti-analysis checks, looking for virtual machine artifacts, tools used for web traffic analysis, and other sandboxing tools.

T1497.001 System Checks (Evidence: 1)

It performs a bit of anti-analysis by checking to see if the target has a system name that includes “DESKTOP-”. If it does, it uses the ping command as a timer to delay execution long enough to cause some sandbox environments and analysis tools to time out.

T1497.003 Time Based Checks (Evidence: 1)

If it does, it uses the ping command as a timer to delay execution long enough to cause some sandbox environments and analysis tools to time out.

Credential Access

2 techniques
T1539 Steal Web Session Cookie (Evidence: 1)

"gained access to the target organization’s Microsoft 365 environment using a stolen session token"; "used a stolen session cookie for a Privileged Access Management (PAM) account"

T1555 Credentials from Password Stores (Evidence: 1)

The third-stage binary deploys a malicious browser extension. It also steals Facebook cookies... grabs saved passwords from browsers on the affected machine...

Discovery

4 techniques
T1082 System Information Discovery (Evidence: 1)

The third stage also gathers up all system information, passwords and cookies from browsers, and other data...

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

The strings in the real second-stage dropper include a number of anti-analysis checks, looking for virtual machine artifacts, tools used for web traffic analysis, and other sandboxing tools.

T1497.001 System Checks (Evidence: 1)

It performs a bit of anti-analysis by checking to see if the target has a system name that includes “DESKTOP-”. If it does, it uses the ping command as a timer to delay execution long enough to cause some sandbox environments and analysis tools to time out.

T1497.003 Time Based Checks (Evidence: 1)

If it does, it uses the ping command as a timer to delay execution long enough to cause some sandbox environments and analysis tools to time out.

Collection

2 techniques
T1113 Screen Capture (Evidence: 1)

All this data is packed into a .zip archive for upload, along with a screen shot of the victim’s system.

T1560 Archive Collected Data (Evidence: 1)

The third stage also gathers up all system information, passwords and cookies from browsers, and other data... All this data is packed into a .zip archive for upload, along with a screen shot of the victim’s system.

Command and Control

2 techniques
T1071.001 Web Protocols (Evidence: 1)

The first call home to the dropper’s own command and control server. In our sample, this phone-home was followed by the retrieval of a third-stage dropper executable from another domain

T1105 Ingress Tool Transfer (Evidence: 1)

Meanwhile, the real second-stage installer is calling home to retrieve yet another payload.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

All this data is packed into a .zip archive for upload, along with a screen shot of the victim’s system.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network (6 tracked): IPs, domains, and DNS infrastructure linked to this family.

Other (2 tracked): other indicator types observed in public reporting.
