{
	"id": "c9a48ea3-47aa-49a6-83c7-dab910c9ce7b",
	"created_at": "2026-04-06T00:14:41.349118Z",
	"updated_at": "2026-04-10T03:37:09.06722Z",
	"deleted_at": null,
	"sha1_hash": "07d154e74e5c886e83bceab55da6021bc9655ef8",
	"title": "Finding Malware: Unveiling RECORDSTEALER with Google Security Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1368060,
	"plain_text": "Finding Malware: Unveiling RECORDSTEALER with Google Security Operations\r\nBy praveethdsouza\r\nPublished: 2024-09-19 · Archived: 2026-04-05 14:09:59 UTC\r\nWelcome to the Finding Malware Series\r\nThe \"Finding Malware\" blog series is authored to empower the Google Security Operations (SecOps) community to detect emerging and persistent malware threats. This post dives deep into the RECORDSTEALER malware family and the detection opportunities available within the SecOps platform. You can read the other installments of the series here. Happy hunting!\r\nAbout RECORDSTEALER\r\nAlso known by others as: RecordBreaker, Raccoon Stealer V2\r\nRECORDSTEALER is an infostealer malware written in C that can extract sensitive data, including credit card information, cookies, saved passwords, and cryptocurrency wallets. Some variants possess the capability to capture screenshots, transfer files, and load further malicious payloads.\r\nRECORDSTEALER was once a very prevalent threat. However, its activity has ceased since the arrest of its malware author and the takedown of its command-and-control (C2) infrastructure. For more details please refer to the following disclosure: RECORDSTEALER Malware Takedown. While the activity has stopped, we can learn many valuable lessons from these campaigns. We observed that many common tactics and techniques are still in use in today's infostealer distribution and infection chains. These insights are extremely helpful for the community to detect and combat similar infostealer threats now and in the future.\r\nMalware Lifecycle\r\nFigure 1: Malware lifecycle of RECORDSTEALER\r\nDelivery\r\nThe distribution of RECORDSTEALER was commonly observed using malvertising and cracked software download themes to lure victims into downloading a password-protected archive, commonly named filename_password.zip. The malware masquerades as the desired software within the archive.\r\nThis distribution method remains a prevalent and active tactic among threat actors. Figure 2 shows an ongoing infostealer campaign that employs similar techniques to distribute another infostealer, LUMMAC.V2.\r\nhttps://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-RECORDSTEALER-with-Google-Security/ba-p/803490\r\nPage 1 of 9\r\nFigure 2: Another Infostealer: Old Tricks, New Threats.\r\nInitialisation and Execution\r\nAfter a successful download, the victim must manually enter a password to extract the RECORDSTEALER malware from the archive's contents.\r\nFigure 3 shows the RECORDSTEALER malware within the downloaded archive, masquerading as legitimate software using the filename \"setup.exe\".\r\nFigure 3: RECORDSTEALER masquerading as legitimate software.\r\nThe successful execution of RECORDSTEALER signals a successful compromise to the attacker. It accomplishes this by sending an HTTP POST request containing system details to its C2 server. These details include the machineGUID, username and the configuration id of the malware. The configuration id is used to decrypt the hard-coded C2 address, which is encrypted with RC4.\r\nFigure 4: Malware Transmission of System Details via HTTP POST\r\nThe HTTP POST request reveals a distinctive characteristic of the malware: the use of \"record\" in the user-agent string, hence the name RECORDSTEALER. This user-agent string was observed in the malware's initial versions and has since undergone regular updates by the malware author with unusual user-agent strings such as \"iMightJustPayMySelfForAFeature,\" \"NesteaFreshIceTea,\" and \"MrBidenNeverKnow,\" among others.\r\nAfter receiving the beacon from a compromised host, RECORDSTEALER expects to receive further instructions from the C2 server for its subsequent activities:\r\nlibs_nss3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\r\nlibs_msvcp140:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll\r\nlibs_vcruntime140:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll\r\nlibs_mozglue:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll\r\nlibs_freebl3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll\r\nlibs_softokn3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\nlibs_sqlite3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\news_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings\r\news_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings\r\nwlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*\r\nwlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*\r\nwlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*\r\nwlts_binance:Binance;26;Binance;*app-store.*;-\r\nwlts_coinomi:Coinomi;28;Coinomi\\\\Coinomi\\\\wallets;*;-\r\nwlts_electrum:Electrum;26;Electrum\\\\wallets;*;-\r\nwlts_elecltc:Electrum-LTC;26;Electrum-LTC\\\\wallets;*;-\r\nwlts_elecbch:ElectronCash;26;ElectronCash\\\\wallets;*;-\r\nwlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*\r\nwlts_green:BlockstreamGreen;28;Blockstream\\\\Green;*;cache,gdk,*logs*\r\nwlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings\r\nsstmnfo_System Info.txt:System Information: |Installed applications: [redacted]\r\nFigure 5: Configuration data sent by the C2\r\nThe above C2 response contains a set of configuration data that is specified by a \"prefix identifier\" and a set of \"parameters.\" Table 1 explains the list of expected prefix identifiers, their functions, and their targets:\r\nPrefix Identifier | Function | Commonly Observed Targets\r\nlibs_ | Download dynamic link libraries (DLLs). | nss3, nssdbm3, sqlite3, msvcp140, vcruntime140, mozglue, freebl3, softokn3\r\news_ | Search for Google Chrome extensions in %appdatalocal% that match the defined naming pattern, then gather and upload the extension's configuration data to the C2 server. | MetaMask, TronLink, Binance Chain, Ronin, MetaX, XDEFI, WavesKeeper, SolFlare, Rabby, Cyanowallet, Coinbase, Aurowallet, KHC, TezBox, Coin98, Temple, ICONex, Sollet, Clover Wallet, Polymesh Wallet, NeoLine, Keplr, Terra Station, Liquality, Saturn Wallet, GuildWallet, Phantom, Brave, Mew CX, TON, Goby\r\nwlts_ | Search for and upload any crypto wallets found on the system that match the defined naming pattern to the C2 server. | Exodus, Atomic, Jaxx Liberty, Binance, Coinomi, Electrum, Electrum-LTC, Electron Cash, Guarda, Blockstream Green, Ledger Live, Daedalus, MyMonero, Wasabi\r\nsstmnfo_ | Collect system information, including but not limited to the operating system version, CPU details, and a list of installed software. This gathered data is then uploaded to the C2 server. | Host information\r\nscrnsht_ | Take screenshots of the victim's screen and upload them to the C2 server. | Screenshot\r\ntlgrm_ | Collect files associated with the Telegram app and upload them to the C2 server. | Telegram\r\nsqnl_ | Collect files associated with the Signal app and upload them to the C2 server. | Signal\r\ndscrd_ | Collect files associated with the Discord app and upload them to the C2 server. | Discord\r\ngrbr_ | Find and upload any files matching a specific naming pattern, as defined in the received command parameters, to the C2 server. | Files\r\nldr_ | Download and run additional payloads. | Additional payloads\r\ntoken | Assign a unique identifier to each compromised system. | Unique victim identification\r\nTable 1: C2 response configuration explanation\r\nFigure 6 captures the malware executing instructions received from the C2 server to download specific DLL files. These legitimate DLL files enable RECORDSTEALER to extract sensitive information from the victim's Google Chrome and Mozilla Firefox web browsers.\r\nFigure 6: Download of the DLLs\r\nThese DLLs are legitimate libraries designed to support third-party applications. Of the downloaded DLLs, sqlite3.dll and nss3.dll are of particular interest, as infostealers like RECORDSTEALER exploit their functionality to expand the malware's capabilities for malicious purposes, such as gaining unauthorized access to browser information.\r\nIn this case, RECORDSTEALER scans directory paths associated with Google Chrome and Mozilla Firefox, searching for specific files. Upon discovery, the malware uses sqlite3.dll and nss3.dll to execute the following RC4-encrypted queries to extract the user's sensitive information:\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT host_key, path, is_secure, expires_utc, name, encrypted_value FROM cookies\r\nSELECT name, value FROM autofill\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM moz_formhistory\r\nFigure 7: Decoding the Encrypted Queries\r\nData Staging and Exfiltration\r\nRECORDSTEALER achieves its objective by successfully collecting and exfiltrating sensitive information from the compromised host. Information includes, but is not limited to:\r\n1. System Information\r\nGather system information including but not limited to OS version, CPU information, and a list of installed software and send it to the C2 server. The extracted information is then formatted into plaintext and saved in a file named \"System Info.txt\".\r\n2. Chrome Browser\r\nRECORDSTEALER utilizes sqlite3.dll to target and extract data from SQLite database files associated with the Chrome browser:\r\nLogin Data: This database stores the victim's saved websites, usernames, and passwords. RECORDSTEALER executes the following SQL query and saves the extracted information in a file named \"passwords.txt.\"\r\nSELECT origin_url, username_value, password_value FROM logins\r\nCookies: This database stores cookies, which hold sensitive information like session identifiers and preferences. RECORDSTEALER executes the following SQL query and saves the extracted information in a file named \"cookies.txt.\"\r\nSELECT host_key, path, is_secure, expires_utc, name, encrypted_value FROM cookies\r\nWeb Data: This database stores autofill and credit card information. RECORDSTEALER executes the following SQL queries and saves the extracted information in a file named \"CC.txt.\"\r\nSELECT name, value FROM autofill\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\n3. Firefox Browser\r\nRECORDSTEALER utilizes nss3.dll to target and extract data from Firefox browsers. It extracts the following files and stores them in the file \"ffcookies.txt\":\r\nCookies.sqlite: This file, which contains cookies stored by the Firefox browser, is extracted using the following SQL query:\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nLogins.json: This file contains encrypted credentials. RECORDSTEALER accesses the contents of the copied file and then attempts to decrypt any encrypted passwords.\r\nFormhistory.sqlite: This file contains the autofill information stored by the Firefox browser and is extracted using the following SQL query:\r\nSELECT fieldname, value FROM moz_formhistory\r\n4. Crypto Wallet:\r\nWallet Files: The malware searches for and uploads any crypto wallets found on the system that match the defined naming pattern to the C2 server.\r\nFigure 8: The wallet.dat file contains the victim's private keys, public keys, scripts (which correspond to addresses), and the transactions related to the victim's wallet\r\nCryptocurrency Wallet Browser Extensions: The malware searches for the specific web browser's wallet extensions and uploads their configuration data to the C2.\r\n5. Screenshot Capture:\r\nRECORDSTEALER captures a screenshot of the victim's desktop, saves it as \"screenshot.jpeg,\" and uploads it to the C2 server.\r\nFigure 9: Malware-Captured Hexadecimal Image Data\r\n6. Desktop Application:\r\nRECORDSTEALER collects files associated with the Telegram, Signal, and Discord apps and uploads sensitive information to the C2 server.\r\n7. File Collection:\r\nRECORDSTEALER collects files from specific user directories only when explicit instructions are provided within its configuration data, as detailed below:\r\ngrbr_Desktop:%USERPROFILE%\\\\Desktop\\\\|*.txt|*recycle*,*windows*|10|1|1|files\r\ngrbr_Recent:%APPDATA%\\\\Microsoft\\\\Windows\\\\Recent\\\\|*.txt|*.exe|10|1|1|files\r\ngrbr_Documents:%USERPROFILE%\\\\Documents\\\\|*.txt|*recycle*,*windows*|10|1|1|files\r\nThe above configuration data instructs the malware to conduct targeted file collection from the Desktop and Documents folders, focusing on acquiring text files (.txt) and any files or folders containing the terms recycle or windows. Additionally, it extracts both text files (.txt) and executable files (.exe) from the Recent items folder. The malware's collection is limited to the 10 most recently modified files that match its criteria. The collected files are then uploaded to the C2 server.\r\nTo illustrate how RECORDSTEALER steals data, Figure 10 depicts the exfiltration process, showing how the malware sends targeted files from the victim's computer to the attacker's C2 server.\r\nFigure 10: The Exfiltration Process\r\nCode Overlap and Common Techniques Among Infostealers\r\nIt is notable that many techniques employed by RECORDSTEALER are not exclusive. Malware authors often reuse existing code or adapt techniques from other malware, leading to overlap across different infostealer families. Active infostealers like VIDAR and STEALC, which share common techniques, are still circulating.\r\nTechnique | RecordStealer | Vidar | StealC\r\nArchive Filename Seen in Distribution Campaigns | Latest_Filez_Free_Passw0rdz_4321.rar | #!!Se-tUp_2244_Pa$sW0rd$s.zip | @#SETUP_FILE_2024_PASSCODE_$.rar\r\nStaging Directory | LocalLow folder | C:\\\\ProgramData\\\\ | C:\\\\ProgramData\\\\\r\nDropped Benign DLLs | freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, sqlite3.dll, vcruntime140.dll | freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll | freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, sqlite3.dll, vcruntime140.dll\r\nSystem Information | System Info.txt | Information.txt | System_info.txt\r\nScreenshot | Screenshot.jpg | screenshot.jpg | screenshot.jpg\r\nData Staging | Create random filenames | Create individual files (e.g. Passwords.txt, Cookie_list.txt, etc.) | Create individual files of the targeted data\r\nData Exfiltration | Collected data is sent in plain text via HTTP POST request. | Collected data is compressed into a ZIP archive and sent via HTTP POST request. | Collected data is encoded in Base64 and sent one by one via HTTP POST requests.\r\nTable 2: Common Infostealer Tactics and Techniques\r\nTable 2 highlights similarities in the techniques employed by various common infostealer malware. This shows the importance of mapping an attacker's techniques. Even with minor malware variations, robust detection mechanisms can effectively identify and thwart these threats.\r\nThreat Hunting \u0026 Detection in Google SecOps\r\nHunting Opportunities\r\nMandiant Hunt surfaces otherwise undetected malicious activity by employing a detection strategy that uses both strong signals (high enough fidelity to be reviewed 1:1) and weak signals (low fidelity on their own, but providing broad coverage of threat actor tactics) to enumerate attacker activity in customer environments. These signals are used to sequentially funnel petabytes of telemetry data down to a practicable number of enriched and highly curated cases for analyst review. Mandiant uses security frameworks like MITRE ATT\u0026CK® to help label data, find interesting sequences of activity, and share actionable results with customers.\r\nGoogle SecOps customers can use the following information to create detections for infostealers' initial compromise activity:\r\nArchive filename with alphanumeric \"password\" string - Threat actors can evade detection by delivering malware in password-protected archives (.zip, .7z, .rar, etc.), preventing inspection of the actual malicious files by security software. To trick users into extracting the contents of password-protected archives while attempting to circumvent filename-based detection, threat actors have been observed including the password in the filename but obfuscating the string.\r\nThese events map to ATT\u0026CK Technique T1204.002 - User Execution: Malicious File. Some examples include:\r\nC:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\Local\\\\Temp\\\\ffb3499e-65a1-449c-810b-a7c0d684e7e5_#!!SetUp_2244_PassW0rd$$.zip\r\nC:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\Local\\\\Temp\\\\31d7dd7d-145e-432f-81c4-152a2bb85215_@~!SeTuP_9292_PASSW0rD!%!!.zip.215\\\\@~!SeTuP_9292_PASSW0rD!%!!.rar\r\nC:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\Local\\\\Temp\\\\7zE8479FF7F\\\\Files^^_9077__Pa$$w0rds(Updated).rar\r\nUse the UDM query below in Google Security Operations to identify such filewrites. The detection logic will likely find numerous innocuous events in your environment, so add negations to filter out the noise until interesting results remain.\r\n(metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\")\r\nAND target.file.full_path = /Users/ nocase\r\nAND ( target.file.full_path = /\\\\.zip$/ nocase OR target.file.full_path = /\\\\.rar$/ nocase OR target.file.full_path = /\\\\.7z$/ nocase )\r\nAND (\r\n  target.file.full_path = /^P[a@][s$]{2}(w((o|0)rd))?(.)?[-_\\\\s]*[0-9]{3,6}(([-_]+[\\\\w]{2,15})|(\\\\.[a-z]{3}))/ nocase OR\r\n  target.file.full_path = /([_\\\\s-]+)P[a@][s$]{2}(w((o|0)rd))?(.)?[-_\\\\s]*[0-9]{3,6}((\\\\.[a-z]{3}(\\\\.[a-z]{3})?)|([-_\\\\s]*[A-Za-z]{4,10}\\\\.[a-z]{3}))/ nocase OR\r\n  target.file.full_path = /([_\\\\s-]+)P[a@][s$]{2}(w((o|0)rd))?(.)?([-_\\\\s]+)?[0-9]{3,6}[_\\\\s]+[(]/ nocase OR\r\n  target.file.full_path = /(Set[-]?up(s)?|activate|main|file)[_\\\\s-]+[0-9]{3,4}[_\\\\s-]+P[a@][s$]{2}(w((o|0)rd))?(.)?([-_\\\\s]+|\\\\.rar)/ nocase OR\r\n  target.file.full_path = /(Set[-]?up(s)?|activate|main|file)((.){2})?[_-]+P[a@][s$]{2}(w((o|0)rd))?(.)?[_-]*[0-9]{3,6}[_-]+(.){3,4}\\\\.rar/ nocase OR\r\n  target.file.full_path = /P[a@][s$]{1,2}w0rd(.)?/ nocase OR\r\n  target.file.full_path = /[0-9]{3,6}([-_\\\\s]+)?As([-_\\\\s]+)?P[a@][s$]{1,}/ nocase\r\n)\r\nAND NOT ( target.file.full_path = /\u003cYour exclusion here\u003e/ nocase OR target.file.full_path = /\u003cYour exclusion here\u003e/ nocase )\r\nFilewrites to C:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\LocalLow - The initial stages of infostealer compromises have involved dropping malware, as well as the legitimate files necessary for the malware to function, into directories like C:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\LocalLow due to their minimal access privileges and lack of visibility to users.\r\nThese events map to ATT\u0026CK Technique T1564.001 - Hide Artifacts: Hidden Files and Directories.\r\nUse the UDM query below in Google Security Operations to identify suspicious filewrites to C:\\\\Users\\\\\u003cuser\u003e\\\\AppData\\\\LocalLow. Some negations have already been provided to help filter out noisy, benign filewrites.\r\n(metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\")\r\nAND target.file.full_path = /LocalLow/ nocase\r\nAND (\r\n  ( principal.process.file.full_path = /setup/ nocase OR\r\n    principal.process.file.full_path = /\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp/ nocase OR\r\n    principal.process.file.full_path = /(P[a@][s$]{2}(w)?[0o]?(rd)?(s$)?[\\\\s_-]*[0-9]{3,8})|([0-9]{3,8}[\\\\s_-]+P[a@][s$]{2}(w)?[0o]?(rd)?(s$)?)/ nocase OR\r\n    target.file.full_path = /dll$/ nocase )\r\n  AND NOT principal.process.file.full_path = /OneDriveSetup\\\\.exe$/ nocase\r\n  AND NOT principal.process.file.full_path = /KMPlayerPortable\\\\.exe$/ nocase\r\n  AND NOT principal.process.file.full_path = /AcrobatPortable\\\\.exe$/ nocase\r\n  AND NOT principal.process.file.full_path = /bvckup2\\\\.exe$/ nocase\r\n  AND NOT principal.process.file.full_path = /AcrobatDCPortable\\\\.exe$/ nocase\r\n  AND NOT target.file.full_path = /Microsoft/ nocase\r\n  AND NOT target.file.full_path = /Adobe$/ nocase\r\n  AND NOT target.file.full_path = /Acrobat$/ nocase\r\n  AND NOT target.file.full_path = /WebEx$/ nocase\r\n  AND NOT target.file.full_path = /Adobe\\\\-Backup/ nocase\r\n)\r\nUser data exfiltration: While true positive hits on this detection logic mean that the infostealer was successful and it is too late to stop exfiltration, being aware that exfiltration occurred can help an organization respond and reduce the impact of stolen data.\r\nThese events map to ATT\u0026CK Technique T1041 - Exfiltration Over C2 Channel.\r\nMandiant threat hunters have observed patterns in the hostname and URL of HTTP connections associated with infostealer exfiltration. Google Security Operations users can find instances of these network connections with the following UDM query.\r\nNegations have been provided for common, benign activity; add more to filter out noise, or use the Pivot functionality of Google Security Operations to stack benign events.\r\n(metadata.event_type = \"NETWORK_CONNECTION\" OR metadata.event_type = \"NETWORK_DNS\" OR metadata.event_type = \"NETWORK_HTTP\")\r\nAND (\r\n  ( principal.process.file.full_path = /\\\\:\\\\\\\\Users\\\\\\\\/ nocase\r\n    AND network.http.method = \"POST\"\r\n    AND ( target.hostname = /^([0-9]{1,3}\\\\.){3}[0-9]{1,3}$/ OR target.hostname = /\\\\.top$/ nocase )\r\n    AND NOT ( principal.process.file.full_path = /\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application/ nocase OR\r\n              principal.process.file.full_path = /\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\/ nocase )\r\n    AND ( target.url = /[a-f0-9]{20,40}$/ OR target.url = \"/\" OR target.url = \"/index.php\" nocase )\r\n    AND NOT ( principal.process.file.full_path = /Postman\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /java\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /firefox\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /msedge\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /chrome\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /nuclei\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /thorium\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /OfficeSuiteHDMeeting\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /BurpSuitePro\\\\.exe$/ nocase OR\r\n              principal.process.file.full_path = /brave\\\\.exe$/ nocase )\r\n    AND principal.process.file.full_path != \"\" )\r\n  OR ( network.http.method = \"POST\"\r\n       AND target.url = /http(s)?:\\\\/\\\\/.*:\\\\d.*\\\\/sendlog/ nocase\r\n       AND NOT target.url = /Winserve\\\\/rest\\\\/utility\\\\/sendLoginSuccess$/ nocase )\r\n  OR ( network.http.user_agent = \"userAgendCode\" AND network.http.method = \"POST\" )\r\n)\r\nDetections\r\nGoogle Security Operations Enterprise and Enterprise Plus customers will benefit from these detections being applied automatically through curated detections. Standard customers can create single or multi-event rules to detect the malware.\r\nThis rule is designed to detect the creation of DLLs associated with the RECORDSTEALER malware.\r\nrule RECORDSTEALER_DLL_Drop {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"Detects the creation of DLLs commonly associated with RECORDSTEALER malware for data exfiltration from browsers\"\r\n    mitre_attack_technique = \"Ingress Tool Transfer\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1105/\"\r\n    severity = \"Medium\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    ( $e.metadata.event_type = \"FILE_MODIFICATION\" or $e.metadata.event_type = \"FILE_CREATION\" ) and\r\n    ( re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\nss3\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\mozglue\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\sqlite3\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\msvcp140\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\vcruntime140\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\freebl3\\\\.dll`) or\r\n      re.regex($e.target.file.full_path, `AppData\\\\\\\\LocalLow\\\\\\\\softokn3\\\\.dll`) )\r\n  outcome:\r\n    $hostname = $e.principal.hostname\r\n    $file = $e.target.file.full_path\r\n  condition:\r\n    $e\r\n}\r\nThis rule is designed to detect C2 communications associated with the RECORDSTEALER malware.\r\nrule rule_recordstealer_useragents {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule is designed to detect command-and-control (C2) communications associated with the RECORDSTEALER malware. While these user agents are associated with past distributions of the malware, compromises from these distributions may still be active and performing C2.\"\r\n    mitre_attack_technique = \"Application Layer Protocol: Web Protocols\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1071/001/\"\r\n    severity = \"Medium\"\r\n    platform = \"Windows\"\r\n    type = \"Hunt\"\r\n  events:\r\n    $e.metadata.event_type = \"NETWORK_HTTP\" and\r\n    ($e.network.http.method = \"GET\" or $e.network.http.method = \"POST\") and\r\n    re.regex($e.network.http.user_agent, `record|mozzzzzzzzzzz|qwrqrwrqwrqwr|rqwrwqrqwrqw|TakeMyPainBack|x|xxx|20112211|23591|1235125521512|125122112551|901785252112|B1D3N_\r\n  outcome:\r\n    $user_agent = $e.network.http.user_agent\r\n    $url = $e.target.url\r\n  condition:\r\n    $e\r\n}\r\nWe would like to extend our thanks to Rommel Joven for his helpful contributions to this blog post.\r\nHave questions or feedback for the Managed Defense team? Comment on the blog or ask a question in the Managed Defense Forum.\r\nSource: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-RECORDSTEALER-with-Google-Security/ba-p/803490",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-RECORDSTEALER-with-Google-Security/ba-p/803490"
	],
	"report_names": [
		"803490"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434481,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07d154e74e5c886e83bceab55da6021bc9655ef8.pdf",
		"text": "https://archive.orkl.eu/07d154e74e5c886e83bceab55da6021bc9655ef8.txt",
		"img": "https://archive.orkl.eu/07d154e74e5c886e83bceab55da6021bc9655ef8.jpg"
	}
}