MicroStealer

The malware spreads through fake software installers, malicious downloads hosted on platforms like Dropbox and SourceForge, and phishing lures disguised as game launchers or software updates.

It does not rely on vulnerability exploitation to get into a system. Instead, it counts on the user trusting a file enough to run it, making social engineering its primary entry point.

This Electron app, disguised as a “Game Launcher,” presents a UAC prompt requesting administrator privileges. Once the user grants access, the application extracts a bundled Java Runtime Environment and a JAR payload...

This Electron app, disguised as a “Game Launcher,” presents a UAC prompt requesting administrator privileges... the Java executable is renamed “miicrosoft.exe,” a deliberate misspelling designed to mimic a legitimate Windows process name.

Before it begins, it checks the environment for signs of a virtual machine. If it detects analysis tools or sandbox processes, it stops immediately.

Once inside a system, MicroStealer steals active browser sessions for SaaS platforms, VPNs, cloud services, and corporate portals.

It goes after browser credentials, session cookies, desktop screenshots, cryptocurrency wallet files, and account data from platforms like Discord and Steam.

Before it begins, it checks the environment for signs of a virtual machine. If it detects analysis tools or sandbox processes, it stops immediately.

If the environment appears to be a real user machine, it harvests credentials, cookies, session tokens, screenshots, and wallet files...

...then exfiltrates everything through two simultaneous channels: a Discord webhook and an attacker-controlled server.

...then exfiltrates everything through two simultaneous channels: a Discord webhook and an attacker-controlled server.