Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomware

InfernoGrabber

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence2

Attackers disguise their request as a photo enhancement tool, convincing victims to hand over folder access voluntarily.

Execution

1 technique
T1204User ExecutionEvidence2

The attack begins with something as simple as opening a webpage that promises to enhance a picture.

Privilege Escalation

1 technique
T1548Abuse Elevation Control MechanismEvidence1

This method relies on the File System Access API, a Chrome feature that lets websites read and write files once a user grants permission.

Credential Access

1 technique
T1056.001KeyloggingEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging... In this sample, the keylogger observes keystrokes only while the user interacts with the page.

Collection

6 techniques
T1005Data from Local SystemEvidence2

The sample called itself InfernoGrabber and was built as a Discord themed avatar upscaler, though its true purpose was to steal and lock personal files.

T1056.001KeyloggingEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging... In this sample, the keylogger observes keystrokes only while the user interacts with the page.

T1113Screen CaptureEvidence1

In this sample, the 'desktop screenshot' routine captures the rendered web page.

T1115Clipboard DataEvidence1

In a single front-end, the generated code assembled routines and stubs for keylogging, clipboard monitoring...

T1123Audio CaptureEvidence1

Webcam and microphone capture depend on browser permission prompts.

T1125Video CaptureEvidence1

Webcam and microphone capture depend on browser permission prompts.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

Once access is granted, the page can enumerate local files in the selected folder, read and exfiltrate their contents, encrypt and overwrite them.

Impact

3 techniques
T1486Data Encrypted for ImpactEvidence2

Once access is granted, the page can quietly encrypt image files stored on the device.

T1491DefacementEvidence1

After a fake processing step, the page is intended to display a ransomnote-style overlay under the name InfernoGrabber v9.0.

T1565Data ManipulationEvidence1

One part of the messy code stood out, the ability to request folder access and tamper with files inside.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in apptoday
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping13

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.