Tags: Malware, Ransomware, Exploits (1 CVE)

InfernoGrabber v9.0


Exploited CVEs

Mallory has correlated 1 CVE with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2023-4863: Heap buffer overflow in the libwebp WebP decoder

It has been named InfernoGrabber v9.0 by the malware author. The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens, harvesting credit card numbers and cryptocurrency seed phrases, logging keystrokes, and capturing unauthorized webcam and microphone feeds.

The code includes specific routines for browser exploitation (targeting CVEs like CVE-2023-4863), data exfiltration via a hard-coded Discord webhook, a ransomware 'WinLocker' screen demanding Bitcoin, and an administrative dashboard for the attacker to manage stolen data.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler... The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

The code includes specific routines for browser exploitation (targeting CVEs like CVE-2023-4863)

Credential Access

2 techniques
T1056.001 Keylogging (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including ... logging keystrokes

T1539 Steal Web Session Cookie (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens

Collection

4 techniques
T1005 Data from Local System (evidence: 1)

The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents

T1056.001 Keylogging (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including ... logging keystrokes

T1123 Audio Capture (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including ... capturing unauthorized webcam and microphone feeds

T1125 Video Capture (evidence: 1)

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including ... capturing unauthorized webcam and microphone feeds

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

The code includes specific routines for browser exploitation... data exfiltration via a hard-coded Discord webhook

Impact

2 techniques
T1485 Data Destruction (evidence: 1)

The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them

T1486 Data Encrypted for Impact (evidence: 1)

The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them, and finally displays an extortion note to the victim.
