{
	"id": "d325d75b-974e-4f42-bb56-b5fef10d961a",
	"created_at": "2026-04-06T02:11:57.211652Z",
	"updated_at": "2026-04-10T03:21:17.296703Z",
	"deleted_at": null,
	"sha1_hash": "05304e6d95bf75a2980c6c06df73db6166145338",
	"title": "New Vega Stealer shines brightly in targeted campaign | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 998314,
	"plain_text": "New Vega Stealer shines brightly in targeted campaign | Proofpoint US\r\nBy Proofpoint Staff, May 10, 2018\r\nPublished: 2018-05-10 · Archived: 2026-04-06 01:48:21 UTC\r\nOverview\r\nRecently, Proofpoint observed a campaign targeting Marketing/Advertising/Public Relations and Retail/Manufacturing industries with a new malware called Vega Stealer. The malware contains stealing functionality targeting saved credentials and credit cards in the Chrome and Firefox browsers, as well as stealing sensitive documents from infected computers. Vega is a variant of August Stealer with only a subset of its functionality as well as several important new features.\r\nDelivery and Targeting\r\nOn May 8, 2018, Proofpoint observed and blocked a low-volume email campaign with subjects such as “Online store developer required.” While some emails were sent to individuals, others were sent to distribution lists including “info@”, “clientservice@”, and “publicaffairs@” at the targeted domains, an approach that has the effect of amplifying the number of potential victims. The messages contained a malicious attachment called “brief.doc” bearing macros that downloaded the Vega Stealer payload.\r\nThis campaign was also notable for its targeting. Messages were sent to a narrow set of companies in the Marketing/Advertising/Public Relations and Retail/Manufacturing industries.\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign\r\nPage 1 of 7\r\nFigure 1: Document attachment containing macros that, when enabled, download Vega Stealer\r\nIt is worth noting that in a related campaign from the previous day (May 7) we observed several macro documents such as “engagement letter.doc” downloading a previously documented malware strain known as August Stealer [1]. This campaign is related because documents were sent to some of the same targets and the macros downloaded the stealer from the same IP address. Subjects used were: “Item return” and “Our company need online store from a scratch.”\r\nAttachment Analysis\r\nThe Vega Stealer payload was delivered via a document containing malicious macros. The document’s lure and subsequent network activity are similar to those of other malicious documents and campaigns delivering payloads such as the banking Trojan Ursnif, but in this instance a newer form of macro was used. We believe this is a commodity macro that is for sale and used by multiple actors.\r\nThe macro retrieves the payload in a two-step process in which junk functions iterate while simultaneously building a string to be executed using a GetObject function. This string is the first request in the two-step process (Figure 2). The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is saved to the victim machine in the user's \"Music\" directory with a filename of \"ljoyoxu.pkzip\". Once this file is downloaded and saved, it is executed automatically via the command line.\r\nFigure 2: First request made by the macros returning the obfuscated code used to download the Vega Stealer payload\r\nMalware Analysis\r\nOn the surface, Vega Stealer is a simple payload, but it could have longer-lasting impact if further developed and distributed. Due to its distribution and lineage, this threat may continue to evolve and grow to be a commonly observed threat. The name 'Vega Stealer' was derived from a PDB string used within the binary:\r\nC:\\Users\\Willy\\source\\repos\\Vega\\Vega\\obj\\Release\\Vega.pdb\r\nVega Stealer is written in .NET and the sample we observed dropping in the wild did not contain any packing or obfuscation methods. One of the goals of Vega appears to be gathering and exfiltrating saved data from the Google Chrome browser, including:\r\nPasswords (the “logins” SQLite table contains URLs and username and password pairs)\r\nSaved credit cards (the “credit_cards” autofill table contains name, expiration date, and card number)\r\nProfiles (the “autofill_profile_names” table contains first, middle, and last name)\r\nCookies\r\nFigure 3: Snippet of code showing the function for stealing saved credit card information from the Chrome browser\r\nVega also gathers specific files found in the Mozilla Firefox browser “\\\\Mozilla\\\\Firefox\\\\Profiles” folder, namely “key3.db”, “key4.db”, “logins.json”, and “cookies.sqlite”. These store various passwords and keys according to Mozilla documentation [2].\r\nFigure 4: Snippet of code showing the function for sending data from the retrieved Firefox browser files to the command and control (C&C)\r\nVega also takes a screenshot of the infected machine using the following routine:\r\nFigure 5: Snippet of code showing the screenshot grabbing function\r\nIn addition to these features, Vega will also search the infected user's Desktop and sub-directories for any files ending in \".doc, .docx, .txt, .rtf, .xls, .xlsx, .pdf\" based on a hard-coded string. These files will also be exfiltrated one by one to the remote command and control (C&C) server (Figure 6).\r\nFigure 6: Snippet of code showing the collection and sending of files with special extensions\r\nVega Stealer communicates with a hardcoded C&C server using the HTTP protocol. There are two parameters used in the C&C traffic, specifically in the client body of the request: 'f=' is the filename and 'c=' is the base64-encoded data portion of the request. The order of network communication with the C&C is as follows:\r\nIf found, send the “key3.db”, “key4.db”, “logins.json”, and “cookies.sqlite” Mozilla Firefox files\r\nSend the screenshot file “screenshot.png” (Desktop screenshot)\r\nSend the “chrome_pw.txt” file containing saved data stolen from Chrome; the “c=” parameter will be empty if none is found\r\nFurther network requests exist if Vega finds any documents matching the “doc|docx|txt|rtf|xls|xlsx|pdf” extensions\r\nFigure 7: Vega Stealer sending screenshot data to the C&C server\r\nFigure 8: Vega Stealer exfiltrating saved Mozilla Firefox data\r\nAttribution\r\nThe document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading the Emotet banking Trojan. However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.\r\nFor Vega Stealer itself, there are numerous links to August Stealer. It appears to be a stripped-down version of this previously documented malware with some new functionality added. Specific similarities and differences include:\r\nBoth are written in .NET and share similar classes\r\nThe exfiltration of additional documents with the “doc|docx|txt|rtf|xls|xlsx|pdf” extensions is similar to August; however, August did not have this hard-coded in the malware but rather configurable in the C&C panel\r\nThe Chrome browser stealing functionality in Vega is a subset of the August code\r\nAugust also stole from other browsers and applications, such as Skype and Opera\r\nNew functionality in Vega includes a new network communication protocol and expanded Firefox stealing functionality\r\nConclusion\r\nIt remains to be seen whether Vega was a special modification of the August Stealer for this specific campaign or if it will be used more widely in the future.\r\nWhile Vega Stealer is not the most complex or stealthy malware in circulation today, it demonstrates the flexibility of malware, authors, and actors to achieve criminal objectives. Because the delivery mechanism is similar to more widely distributed and mature threats, Vega Stealer has the potential to evolve into a commonly found stealer. We will continue to monitor this threat as it propagates in the wild.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene\r\n[2] https://support.mozilla.org/en-US/kb/recovering-important-data-from-an-old-profile#w_passwords\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\n2c2d4649fd706f662e75b053b18d207c5d698ecadfb70ec16f0a85465880b8d3 | SHA256 | brief.doc\r\nhxxp://46.161.40[.]155/cachedmajsoea/index.php?e=lossyc | URL | Document requesting script\r\nhxxp://46.161.40[.]155/lipomargara/lossyc.yarn | URL | Document requesting payload\r\nb3535fc9a0c1fc12c161d9257bfff1b698455fa246cc0cd2969affa564747cb4 | SHA256 | Vega Stealer\r\nhxxp://46.161.40[.]155/foaf.php | URL | Vega Stealer C&C\r\nET and ETPRO Suricata/Snort/ClamAV Signatures\r\n2830738 - ETPRO TROJAN MSIL/Vega Stealer Screenshot Upload\r\n2830739 - ETPRO TROJAN MSIL/Vega Stealer Passwords Upload\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign"
	],
	"report_names": [
		"new-vega-stealer-shines-brightly-targeted-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775441517,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05304e6d95bf75a2980c6c06df73db6166145338.pdf",
		"text": "https://archive.orkl.eu/05304e6d95bf75a2980c6c06df73db6166145338.txt",
		"img": "https://archive.orkl.eu/05304e6d95bf75a2980c6c06df73db6166145338.jpg"
	}
}