CDumper
CDumper is browser data-stealing malware used by the OilRig threat actor during the Juicy Mix campaign. It is the Google Chrome-focused counterpart to EDumper, which targeted Microsoft Edge. High-confidence reporting in the provided content states that CDumper was used to collect cookies, browsing history, and credentials stored in Chrome. During Juicy Mix, OilRig used CDumper and EDumper as dedicated browser dumpers/data stealers and staged the stolen browser data locally in the %TEMP% directory; staged filenames mentioned for the campaign include Cupdate, Eupdate, and IUpdate. The malware is part of OilRig’s broader Juicy Mix activity, which also involved VBS and PowerShell scripts, delivery and persistence of the Mango backdoor, and use of compromised infrastructure, including an Israeli job portal, as C2. The content does not provide specific infection vectors or standalone IOCs for CDumper beyond its role and staging behavior within the campaign.
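The staging behavior above (stolen browser data written to %TEMP% under the names Cupdate, Eupdate or IUpdate) is the one concrete, hunt-able detail the page gives, so here is a small detection check over file-creation telemetry. It is an added example, not code from Mallory or from the underlying reporting; it assumes a default Windows temp-directory layout and an event schema (host, user, process, path) that is constructed here for illustration. A write from a script host is rated higher because the page names VBS and PowerShell scripts as part of the same campaign tooling.

```python
import ntpath
import re

# Staged filenames reported for Juicy Mix (taken from the page); matching is case-insensitive.
STAGED_NAMES = {"cupdate", "eupdate", "iupdate"}

# Per-user %TEMP% and the SYSTEM temp directory (assumed default Windows layout).
TEMP_DIR_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp|[a-z]:\\windows\\temp)$",
    re.IGNORECASE,
)

# Script hosts matching the VBS/PowerShell tooling the page mentions; a write from one of
# these raises the finding's severity. This is an assumed enrichment, not from the page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed sample file-creation events; these are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\Cupdate"},
    {"host": "ws01", "user": "alice",
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\scoped_dir1234\\CRX_INSTALL"},
    {"host": "ws02", "user": "bob",
     "process": "C:\\Windows\\System32\\wscript.exe",
     "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\EUPDATE"},
    # Right name but outside %TEMP%: does not match the reported staging pattern.
    {"host": "ws02", "user": "bob",
     "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\bob\\Documents\\Cupdate"},
]


def is_temp_dir(directory: str) -> bool:
    """True when the directory is a user %TEMP% or the SYSTEM temp directory."""
    return bool(TEMP_DIR_RE.match(directory.rstrip("\\")))


def classify(event: dict):
    """Return a severity string if the event looks like browser-dump staging, else None."""
    directory, name = ntpath.split(event["path"])
    if name.lower() not in STAGED_NAMES or not is_temp_dir(directory):
        return None
    writer = ntpath.basename(event["process"]).lower()
    return "high" if writer in SCRIPT_HOSTS else "medium"


def find_staged_dumps(events):
    """Filter file-creation events down to those matching the staging pattern."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "path": ev["path"], "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_staged_dumps(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, this flags two of the four: the cmd.exe write of Cupdate on ws01 at medium severity and the wscript.exe write of EUPDATE on ws02 at high severity. The filenames alone are weak indicators (any process could create a file with that name), so in practice the directory constraint and the writing process are what keep the rule from being noisy.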
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
OilRig used the CDumper (Chrome browser) ... to collect credentials.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Credential Access
1 technique: "Agent Tesla can gather credentials from a number of browsers." / "...custom-developed malware, which collected passwords from the Firefox browser storage." / "...used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores."
Discovery
1 technique: "...leveraged ICONICSTEALER to steal browser information to include browser history..." / "...collected browser bookmark information..." / "...retrieve browser history..." / "...gather browser data such as bookmarks and visited sites..."
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Browser data stealer focused on Google Chrome; used to collect cookies, browsing history, and credentials, and to stage stolen data locally (e.g., files named Cupdate in %TEMP%).
Browser credential dumping tool used to collect credentials from Google Chrome.
Browser credential dumping tool targeting Google Chrome credentials.
Chrome-focused data stealer used to collect cookies, browsing history, and credentials.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.