{
	"id": "be2e9407-a3a6-43ae-8b58-49a12555d326",
	"created_at": "2026-04-06T00:17:54.514099Z",
	"updated_at": "2026-04-10T03:21:59.750158Z",
	"deleted_at": null,
	"sha1_hash": "1cc2293f5e9c9fd9f35dbd7b7931a7603f448768",
	"title": "New Meta information stealer distributed in malspam campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5133182,
	"plain_text": "New Meta information stealer distributed in malspam campaign\r\nBy Bill Toulas\r\nPublished: 2022-04-10 · Archived: 2026-04-05 18:17:54 UTC\r\nA malspam campaign has been found distributing the new META malware, a new info-stealer malware that appears to be\r\nrising in popularity among cybercriminals.\r\nMETA is one of the novel info-stealers, along with Mars Stealer and BlackGuard, whose operators wish to take advantage of\r\nRaccoon Stealer's exit from the market that left many searching for their next platform.\r\nBleeping Computer first reported about META last month, when analysts at KELA warned about its dynamic entrance into\r\nthe TwoEasy botnet marketplace.\r\nhttps://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/\r\nPage 1 of 6\n\nThe tool is sold at $125 for monthly subscribers or $1,000 for unlimited lifetime use and is promoted as an improved version\r\nof RedLine.\r\nNew Meta malspam campaign\r\nA new spam campaign seen by security researcher and ISC Handler Brad Duncan is proof that META is actively used in\r\nattacks, being deployed to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets.\r\nThe infection chain in the particular campaign follows the \"standard\" approach of a macro-laced Excel spreadsheet arriving\r\nin prospective victims' inboxes as email attachments.\r\nMETA infection chain on the spotted campaign (isc.sans.edu)\r\nThe messages make bogus claims of fund transfers that are not particularly convincing or well-crafted but can still be\r\neffective against a significant percentage of recipients.\r\nEmail carrying the malicious Excel attachment (isc.sans.edu)\r\nThe spreadsheet files feature a DocuSign lure that urges the target to \"enable content\" required to run the malicious VBS\r\nmacro in the background.\r\nThe DocuSign lure that entices users to enable content (isc.sans.edu)\r\nWhen the malicious script runs, it will download various payloads, including DLLs and executables, from multiple sites,\r\nsuch as GitHub.\r\nSome of the downloaded files are base64 encoded or have their bytes reversed to bypass detection by security software. For\r\nexample, below is one of the samples collected by Duncan that has its bytes reversed in the original download.\r\nDLL saved in reverse byte order (isc.sans.edu)\r\nEventually, the final payload is assembled on the machine under the name \"qwveqwveqw.exe,\" which is likely random, and\r\na new registry key is added for persistence.\r\nNew registry key and the malicious executable (isc.sans.edu)\r\nA clear and persistent sign of the infection is the EXE file generating traffic to a command and control server at\r\n193.106.191[.]162, even after the system reboots, restarting the infection process on the compromised machine.\r\nMalicious traffic captured in Wireshark (isc.sans.edu)\r\nOne thing to note is that META modifies Windows Defender via PowerShell to exclude .exe files from scanning, to protect\r\nits files from detection.\r\nIf you'd like to dive deeper into the malicious traffic details for detection purposes or curiosity, Duncan has published the\r\nPCAP of the infection traffic here.\r\nSource: https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/"
	],
	"report_names": [
		"new-meta-information-stealer-distributed-in-malspam-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cc2293f5e9c9fd9f35dbd7b7931a7603f448768.pdf",
		"text": "https://archive.orkl.eu/1cc2293f5e9c9fd9f35dbd7b7931a7603f448768.txt",
		"img": "https://archive.orkl.eu/1cc2293f5e9c9fd9f35dbd7b7931a7603f448768.jpg"
	}
}