Marco Stealer
Marco Stealer is a Windows-oriented information-stealing malware first observed in June 2025. It has been reported as being delivered via a downloader contained in a ZIP archive. The stealer is designed for financial theft and targets sensitive data from web browsers and cryptocurrency-related artifacts, including cryptocurrency wallet information from browser extensions. It also searches for and steals sensitive local files, including files in cloud-synced folders associated with popular cloud services such as Dropbox and Google Drive, which has been highlighted as a risk to corporate environments where sensitive documents may be synchronized.
Marco Stealer profiles the victim system by collecting details such as the OS version, hardware ID, IP address, and geolocation, which helps operators prioritize higher-value victims. It includes anti-analysis features: it decrypts encrypted strings at runtime to hinder static analysis, and it scans for and attempts to terminate common analysis tools, including Wireshark, x64dbg, and Process Hacker.
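The anti-analysis behaviour described above is observable from the defender's side: before a process can terminate Wireshark, x64dbg or Process Hacker it must open a handle to the target with the PROCESS_TERMINATE access right, and Sysmon Event ID 10 (ProcessAccess) records the SourceImage, TargetImage and GrantedAccess mask of every such handle request. The following detection logic is an added example written for this page, not code from any Marco Stealer sample or from the sources summarized here; the binary names for the three tools, the allowlist of legitimate handle holders, and the sample events are assumptions constructed for illustration.

```python
"""Flag processes that open analysis tools with PROCESS_TERMINATE rights.

Runs over Sysmon Event ID 10 (ProcessAccess) records. A process that tries to
kill Wireshark, x64dbg or Process Hacker has to obtain a handle with the
PROCESS_TERMINATE bit set first, so the attempt is visible whether or not
the kill succeeds.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

PROCESS_TERMINATE = 0x0001  # Win32 access right required by TerminateProcess

# Default binary names of the tools named in the write-up (assumption: the
# tools are installed under their stock executable names).
ANALYSIS_TOOLS = {"wireshark.exe", "x64dbg.exe", "processhacker.exe"}

# Sources that legitimately hold broad handles to other processes.
# Constructed starting point; tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_terminate_attempt(event: dict) -> bool:
    """True if a non-allowlisted process requested PROCESS_TERMINATE on an analysis tool."""
    if event.get("EventID") != 10:
        return False
    target = PureWindowsPath(event["TargetImage"]).name.lower()
    if target not in ANALYSIS_TOOLS:
        return False
    if event["SourceImage"].lower() in ALLOWLISTED_SOURCES:
        return False
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_TERMINATE)


def find_tool_killers(events) -> dict:
    """Map each offending SourceImage to the sorted list of tools it tried to terminate.

    One source touching several analysis tools in a row matches the
    scan-and-kill pattern more closely than a single stray handle.
    """
    hits = defaultdict(set)
    for ev in events:
        if is_terminate_attempt(ev):
            hits[ev["SourceImage"]].add(PureWindowsPath(ev["TargetImage"]).name.lower())
    return {src: sorted(tools) for src, tools in hits.items()}


# Constructed sample telemetry (not real events): a binary dropped under Temp
# sweeps all three tools, while a task manager and a browser generate benign noise.
SUSPECT = r"C:\Users\alice\AppData\Local\Temp\invoice_2025\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": SUSPECT,
     "TargetImage": r"C:\Program Files\Wireshark\Wireshark.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": SUSPECT,
     "TargetImage": r"C:\Tools\x64dbg\release\x64\x64dbg.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": SUSPECT,
     "TargetImage": r"C:\Program Files\Process Hacker 2\ProcessHacker.exe", "GrantedAccess": "0x1"},
    # Allowlisted source: Task Manager holding full access is expected.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files\Wireshark\Wireshark.exe", "GrantedAccess": "0x1fffff"},
    # Query-only access (PROCESS_QUERY_LIMITED_INFORMATION) carries no terminate bit.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetImage": r"C:\Program Files\Wireshark\Wireshark.exe", "GrantedAccess": "0x1000"},
    # Process-creation event; ignored because only ProcessAccess carries a mask.
    {"EventID": 1, "SourceImage": SUSPECT,
     "TargetImage": r"C:\Windows\System32\cmd.exe", "GrantedAccess": "0x0"},
]

if __name__ == "__main__":
    for source, tools in find_tool_killers(SAMPLE_EVENTS).items():
        print(f"{source} requested PROCESS_TERMINATE on: {', '.join(tools)}")
```

The allowlist is deliberately narrow; in production the rule should key on the source process's path, signer and parent rather than on a bare image name, since a stealer can copy a trusted file name. Counting distinct targets per source is what separates the scan-and-kill loop from a single benign handle.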
For data handling and exfiltration, Marco Stealer encrypts stolen data using AES-256 (reported as AES-256-CBC) with a key derived by hashing a hardcoded value, then exfiltrates via HTTP POST to a command-and-control server. Reported exfiltration includes an encrypted bundle containing a victim client ID, hardware ID, and stolen files.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic:
- Stealth: 2 techniques
- Credential Access: 2 techniques
- Discovery: 2 techniques
- Collection: 2 techniques
- Command and Control: 2 techniques
- Exfiltration: 1 technique
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Windows information stealer (first observed June 2025) delivered via a ZIP downloader; steals browser data, crypto wallet info, and files from cloud services (e.g., Dropbox/Google Drive), uses runtime string decryption and anti-analysis checks, and encrypts stolen data with AES-256 before HTTP POST exfiltration.
Windows information stealer delivered via a ZIP downloader; targets browser data, crypto wallet info, and files from cloud services (e.g., Dropbox, Google Drive); uses runtime string decryption, anti-analysis checks, and AES-256 encryption for exfiltrated data.
Information-stealing malware focused on harvesting browser data, cryptocurrency wallet data from browser extensions (to enable theft of private keys/funds), and sensitive files from local storage and synced cloud folders (notably Dropbox and Google Drive). Performs host profiling (OS version, hardware ID, IP, geolocation), uses anti-analysis (runtime string decryption; attempts to terminate tools like Wireshark, x64dbg, Process Hacker), and exfiltrates data to C2 over HTTP with AES-256-CBC encryption.