DeerStealer Delivered via Fake Password Manager in Malicious WiX Burn Installer
A malicious WiX Burn bootstrapper branded as "Antonomasia" and signed to appear as publisher "Cyme" was used to deliver the DeerStealer malware-as-a-service infostealer while showing victims a legitimate copy of Active@ Password Changer as a decoy. Analysis found the bundle extracted 15 files from an embedded CAB archive, with the malicious chain centered on Bichromate.dll, an AES-CBC-encrypted payload stored as jri, and an XOR-obfuscated C2 configuration in yodpxub. Bichromate.dll masqueraded as Adobe's CCMNative.dll by repurposing Adobe Generic Download Engine code, then decrypted the configuration and payload and launched DeerStealer entirely in memory to reduce on-disk artifacts.
Once executed, DeerStealer harvested credentials, cookies, browser session data, messaging and VPN information, FTP configurations, screenshots, and clipboard contents, while also targeting more than 50 browsers, over 14 cryptocurrency wallets, and roughly 800 browser extensions. The malware also enabled hidden VNC access and keylogging, and established persistence through an HKCU\Run key named AppVTemplate and scheduled tasks including zceWriter, dyApp, and Pluginsecurity_dbg. It communicated over HTTPS with Cloudflare-fronted command-and-control domains including telluricaphelion[.]com and loadinnnhr[.]today, and researchers assessed the operation as a social-engineering campaign likely spread through malvertising by an affiliate in the Rugmi/DeerStealer ecosystem.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Breakglass publishes technical analysis of DeerStealer delivery chain
Breakglass Intelligence analyzed the installer and reported that a weaponized Adobe Generic Download Engine DLL decrypted an XOR-obfuscated configuration and AES-CBC-encrypted DeerStealer payload for in-memory execution. The report also documented persistence via an HKCU Run key and scheduled tasks, active Cloudflare-fronted C2 domains, and assessed the campaign as likely malvertising by a DeerStealer affiliate in the Rugmi ecosystem.
Malicious 'Antonomasia' installer first observed delivering DeerStealer
A malicious WiX Burn bootstrapper bundle disguised as "Antonomasia" and signed as publisher "Cyme" was first observed delivering DeerStealer while showing victims a legitimate copy of Active@ Password Changer as a decoy.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
DeerStealer Hides Behind a Legitimate Password Manager in a WiX Burn Bundle: Repurposed Adobe Download Infrastructure, AES-Encrypted Fileless Payload, and a $3,000/Month MaaS Empire - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceThat Password Manager You Downloaded Is Actually a $3,000/Month Infostealer - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ACRStealer Campaign Uses Trojanized Installers, Stolen ASUS Certificate, and Shared C2 Infrastructure
Breakglass Intelligence reported that **ACRStealer** is running an active credential-theft operation through multiple delivery chains, including a compromised `.edu` WordPress site and a trojanized **Chris-PC RAM Booster** installer. The malware uses a four-stage infection flow that progresses from PowerShell or installer-based execution to Go and .NET loaders, then decrypts and injects shellcode in memory. Researchers said newer samples introduced a previously undocumented .NET loader, **CoreHubManager**, a new 16-byte XOR key, **AES-256-CBC** shellcode decryption, and **Heaven’s Gate** WoW64 transitions to run x64 code from a 32-bit process. Payloads were also signed with a stolen **ASUSTeK EV code-signing certificate**, allowing binaries such as `sunwukongs.exe` to better evade SmartScreen and other trust controls. Once installed, ACRStealer steals credentials, browser data, DPAPI-protected secrets, Windows Hello NGC keys, smart card certificates, Azure AD OAuth tokens, wallets, documents, and tokens from more than 200 applications, then exfiltrates the data over HTTPS. The malware also uses custom AFD socket operations and dead-drop resolvers hosted on **Steam**, **Google Docs/Slides**, and **Telegram** pages to retrieve command-and-control infrastructure. Breakglass mapped **17 C2 IPs** in the newer cluster and **9 live C2 servers** in the earlier campaign, with the larger set hosted by **VDSINA**, pointing to a concentrated infrastructure footprint. Researchers also found overlap with **SectopRAT**, **AmateraStealer**, **NetSupport RAT**, **OffLoader**, **HIjackLoader/IDATLoader**, and **ClickFix/FakeCAPTCHA** chains, and said ACRStealer has been rebranded as **AmateraStealer** and marketed as a malware-as-a-service offering.
May 25, 2026
GhostPulse IDAT Steganography Delivers DeerStealer and Rhadamanthys via DLL Sideloading
Breakglass Intelligence reported two malware delivery chains using **GhostPulse** to hide infostealer payloads inside fake PNG `IDAT` chunks and execute them through DLL sideloading with legitimate software. In one case, a 12.6 MB MSI installer dropped files into `%LOCALAPPDATA%\Coz\` and abused the EV-signed iMyFone Feedback binary `Utils.exe` by replacing `Qt5Network.dll` with a trojanized loader that parsed **752 headerless `IDAT` chunks** from concealed files to recover a **DeerStealer** payload and encrypted configuration. DeerStealer was described as a malware-as-a-service offering with tiers from **$200 to $3,000 per month**, supporting credential theft, browser and wallet targeting, hidden VNC, keylogging, clipper functions, and SmartScreen bypass. A second intrusion chain tied to the broader **ShadowLadder** campaign used a trojanized KMS activator distributed through a piracy-themed site and Box.com to install files under `%LocalAppData%\Eyalet\`, launch a legitimate Zoner Photo Studio binary, and sideload a malicious `sciter32.dll` that extracted encrypted content from local files using **238 fake `IDAT` chunks** before deploying **Rhadamanthys**. Researchers linked ShadowLadder to at least 35 samples used to spread multiple malware families, including Rhadamanthys, HijackLoader, ACRStealer, DeerStealer, and PeakLight, and identified infrastructure overlaps, Cloudflare-hosted domains, and OPSEC failures that point with medium confidence to a South Asian, possibly Indian, operator.
May 24, 2026
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026