{
	"id": "1093d93f-ad68-4b5e-a5cc-6aa21a5d9030",
	"created_at": "2026-04-06T00:07:47.099648Z",
	"updated_at": "2026-04-10T13:12:43.811061Z",
	"deleted_at": null,
	"sha1_hash": "1389d428cb38c280e23af926f775ed210e632fec",
	"title": "Threat Alert: AVE MARIA Infostealer on the Rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3965421,
	"plain_text": "Threat Alert: AVE MARIA Infostealer on the Rise\r\nBy Alon Groisman\r\nArchived: 2026-04-05 22:09:33 UTC\r\nOver the past two weeks, Morphisec Labs has identified an increase in AVE_MARIA malware infecting victims through a variety of phishing methods. One of the downloader components and the C2 metadata are similar to those we saw in the Orcus RAT attacks last month, and we believe they are the work of the same threat actor.\r\nAVE_MARIA is an advanced information-stealing malware, described in this Yoroi Lab post about an earlier attack on an Italian oil and gas company. It is a relatively new malware, with its first documented appearance towards the end of 2018.\r\nWhile previous coverage of the malware reported the use of AutoIt as part of the AVE_MARIA downloader stage, the campaign identified by Morphisec uses additional, more advanced stealth methods to deliver the same information stealer. More specifically, we have identified the adoption of Orcus RAT delivery stages and Revenge RAT fileless components that execute reconnaissance and hollowing attacks on legitimate Windows processes to avoid detection.\r\nTechnical Analysis\r\nPhishing\r\nFollowing a successful email phishing campaign, a malicious VBScript is executed. This VBScript contains a PowerShell command that downloads an initial Recon stage component.\r\nhttp://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery\r\nPage 1 of 7\r\nAfter additional deobfuscation steps, we get to the final PowerShell execution.\r\nFirst Stage Recon Download\r\nThe first stage PowerShell command downloads the RevengeRat component directly into memory (filename: Nuclear Explosion.exe) from paste.ee, a popular freely available text storage site. This component is identified by its Mutex and strings metadata (RV_MUTEX). The component communicates with its C2, sends all the basic information from the computer (running processes, installed AVs, username, machine name, system drives and more) as part of a reconnaissance stage, then executes the next stage PowerShell command.\r\nSecond Stage Downloader\r\nNeither AVE_MARIA nor the downloader is part of the original second stage PowerShell command that is executed following the described first stage. This makes it very unlikely that runtime detection solutions will detect the malware. The same downloader and the information stealer are stored on paste.ee and therefore also cannot be categorized as a low-reputation URL. The first URL represents the Downloader, which executes a known process hollowing technique on a legitimate Windows process (RegAsm.exe). This is done to bypass whitelisting. The same module was also used as part of the previously described Orcus RAT campaign.\r\nThe Downloader is obfuscated by automatic tools and can easily be de-obfuscated by de4dot. After deobfuscation, we clearly see that the script calls the C.M method and invokes the R function. This, in turn, executes process hollowing by the book on a 32-bit process: CreateProcess in suspended mode, Unmap and Map, and then resume thread on the written data.\r\nAVE_MARIA\r\nThe information stealer is the same as that described by Yoroi Lab in a previous attack.\r\nAs reported, the privilege escalation used by the malware is an old-fashioned elevated PkgMgr->DISM DLL hijacking vulnerability for UAC bypass. The privilege escalation itself is executed by an additional executable, which is embedded as a resource inside the malware.\r\nThe malware communicates with 194.5.98[.]139, which was previously identified as a C2 for the Orcus RAT campaign.\r\nConclusions\r\nThere is an obvious adoption of various memory evasion techniques by different hacker groups. The only way to combat this type of evasion is to change the game on attackers and make their target unpredictable. Morphisec applies Moving Target Defense and deterministically prevents this type of attack without prior knowledge.\r\nArtifacts\r\nVBS\r\nhxxps://paste[.]ee/r/d8Xpk/0\r\nRevenge RAT Recon Downloader\r\nhxxps://paste[.]ee/r/YoY3z/0\r\nAVE_MARIA Downloader\r\nhxxps://paste[.]ee/r/cbaHS\r\nhxxps://paste[.]ee/r/VsX9H\r\nAVE_MARIA\r\nhxxps://paste[.]ee/r/4AIl0\r\nhxxps://paste[.]ee/r/T36RL\r\nDomains\r\nlist131.ignorelist[.]com\r\n194.5.98[.]139\r\nAbout the author\r\nAlon Groisman\r\nSource: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery"
	],
	"report_names": [
		"threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery"
	],
	"threat_actors": [],
	"ts_created_at": 1775434067,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1389d428cb38c280e23af926f775ed210e632fec.pdf",
		"text": "https://archive.orkl.eu/1389d428cb38c280e23af926f775ed210e632fec.txt",
		"img": "https://archive.orkl.eu/1389d428cb38c280e23af926f775ed210e632fec.jpg"
	}
}