{
	"id": "d5fe7477-f47c-4335-adc6-71e328f0118d",
	"created_at": "2026-04-06T01:30:28.172699Z",
	"updated_at": "2026-04-10T03:22:00.977182Z",
	"deleted_at": null,
	"sha1_hash": "212ba5d876cef708edf144204c065feedc95c971",
	"title": "StealC Delivered via Deceptive Google Sheets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1245032,
	"plain_text": "StealC Delivered via Deceptive Google Sheets\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-06 01:13:01 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn early August 2023, our Security Operations Center (SOC) received a credential theft alert from our eSentire\r\nMDR for Endpoint service. During the investigation, we identified the source of the infection to be a malicious ad\r\nthat the user encountered while looking to download Google Sheets. This ad redirected the user to a malicious\r\npage serving a downloader for StealC infostealer malware.\r\nStealC first appeared on Russian hacking forums in January 2023; it’s written in the C programming language,\r\nand during the development process, the StealC developer relied on popular stealers such as Raccoon, Vidar,\r\nRedline, and Mars stealers.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 1 of 10\n\nFigure 1: Stealer advertisement\r\nAs mentioned above, StealC was distributed via a malicious page serving a fake warning message prompting the\r\nuser to download a security update to be able to use the store, as shown below.\r\nFigure 2: Fake warning message\r\nLooking at the source code of the page, we noticed that the threat actor(s) implemented the source code\r\nobfuscation. We found a similar implementation of the code obfuscation.\r\nEach base64-encoded string appears to include a random alphanumeric prefix and suffix, with a numerical value\r\nin between. The JavaScript code iterates through the array using the forEach method.\r\nFor each value, it decodes the base64-encoded string with atob, removes non-digit characters with the regular\r\nexpression /\\D/g and parses the remaining number then subtracts “15662724” (evidence suggests this is a random\r\nvalue generated each time upon the page refresh), and converts it back to a character using String.fromCharCode.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 2 of 10\n\nFigure 3: Obfuscated source code\r\nThe deobfuscated code is shown below, and the obfuscation can also be bypassed by inspecting the elements in\r\nbrowsers If the user-agent contains “Chrome” or “Firefox”, the user will be served with a payload (Figure 4).\r\nFigure 4: Deobfuscated source code\r\nThe payload download code is shown below:\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 3 of 10\n\nFigure 5: Download code\r\nThe code redirects the user to hxxps://sheetsdataaccess[.]com/download/app/download.php?file=download,\r\nwhich then retrieves the payload from hxxps://l6j4zw.dm.files[.]1drv.com as shown below.\r\nFigure 6: URL hosting the payload\r\nWe were able to extract the following configuration from the initial downloaded payload:\r\n{\r\n \"config\":{\r\n \"fake_error_on_black\":true,\r\n \"fake_error_caption\":\"Error\",\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 4 of 10\n\n\"fake_error_text\":\"Runtime Error 0x80248007\",\r\n \"date_unix\":\"1693515599\"\r\n },\r\n \"anti_vm\":{\r\n \"enabled\":true,\r\n \"anti_vm_exclusion_name\":\"2N5YWPMCWW5UBYQEN6T2.vmt.exe\",\r\n \"check_generic\":true,\r\n \"check_usernames\":true,\r\n \"check_pcnames\":true,\r\n \"check_gpu_vendor\":true,\r\n \"check_processes\":true\r\n },\r\n \"files\":{\r\n \"exe\":{\r\n \"pita\":{\r\n \"link\":\"hxxps://update-vinc.in[.]net/fno7bsukar/7mudndvdcr.dll\",\r\n \"aes_key\":\"17e9d5e23997357f614e9969082aad60\",\r\n \"folder\":\"%TEMP%\",\r\n \"change_md5\":false,\r\n \"pump_file\":false,\r\n \"add_folder_to_exclusions\":false,\r\n \"delete_after_execution\":false,\r\n \"add_to_startup\":false,\r\n \"delay\":3,\r\n \"start_in_memory_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\csc.exe\"\r\n }\r\n }\r\n }\r\n}\r\nThe configuration retrieves the encrypted file from update-vinc.in[.]net, decrypts it, and injects it into the csc.exe\r\nprocess. The downloaded payload is compiled with Rust.\r\nInterestingly, Kaspersky has the signature for the binary as “RustyPita,” which aligns with our observations. The\r\nconfiguration also includes features such as AntiVM (using WMI query “SELECT * FROM\r\nMSAcpi_ThermalZoneTemperature”, querying the registry keys for\r\nHKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ (VirtualBox)), file size pump, fake error caption,\r\nand persistence via Startup.\r\nThe final payload, StealC, contains the obfuscated base64-encoded strings encrypted using the RC4 algorithm. In\r\nour sample, the key is “3345342759455992320894587”.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 5 of 10\n\nFigure 7: StealC encrypted strings\r\nUpon successful execution, StealC retrieves the DLL dependencies such as nss3.dll, msvcp140.dll, mozglue.dll,\r\nand freebl3.dll from the command-and-control server and places them under the C:\\ProgramData folder.\r\nBelow is the configuration for the stealer and an example of the information exfiltrated by the attacker.\r\nFigure 8: Configuration and gathered information from the infected machine\r\nFurther researching, we found another malicious website that is currently down using a similar landing page kit\r\nand impersonating Google Business Profile. The C2 IP suggests that TrueBot malware is involved\r\n(94.142.138[.]61).\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 6 of 10\n\nFigure 9: Website impersonating Google Business Profile\r\nWhat did we do?\r\nWe investigated the activity and confirmed that it was malicious.\r\nOur team of 24/7 SOC Cyber Analysts isolated affected hosts to contain this incident in accordance with\r\nthe business’ policies.\r\nWhat can you learn from this TRU Positive?\r\nThe final payload, StealC, was injected into the csc.exe process.\r\nRustyPita includes a configuration that provides insight into its features and capabilities.\r\nDrive-by downloads continue to be a prevalent method to spread malware, such as information stealers and\r\nloaders.\r\nRecommendations from our Threat Response Unit (TRU):\r\nTrain users to identify and report potentially malicious content using Phishing and Security Awareness\r\nTraining (PSAT) programs.\r\nEnsure employees have access to a dedicated software center to download corporate-approved software.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and\r\ncontain threats.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 7 of 10\n\nIndicators of Compromise\r\nName Indicators\r\nRustyPita 1183eb455a4035ff573f8a4551c24799\r\nStealC d90150a866e48d1958da34fe2bf6ed61\r\nStealC C2 hxxp://89.208.105[.]162/a7f3bfe3b25537ef.php\r\nPayload hosting URL\r\nhxxps://sheetsdataaccess.com/download/index[.]php?\r\nuid=70319b8fcd169a8a0b353fc26b1f5dc4\r\n7mudndvdcr.dll f3532a174cdcd90330e44111bb8c4175\r\nServer hosting the\r\nencrypted payload\r\n194.87.31[.]176\r\nReferences\r\nhttps://www.esentire.com/security-advisories/increased-activity-in-google-ads-distributing-information-stealers\r\nhttps://debugactiveprocess.medium.com/anti-vm-techniques-with-msacpi-thermalzonetemperature-32cfeecda802\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 8 of 10\n\nGET STARTED\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 9 of 10\n\nSource: https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nhttps://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets"
	],
	"report_names": [
		"stealc-delivered-via-deceptive-google-sheets"
	],
	"threat_actors": [],
	"ts_created_at": 1775439028,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/212ba5d876cef708edf144204c065feedc95c971.pdf",
		"text": "https://archive.orkl.eu/212ba5d876cef708edf144204c065feedc95c971.txt",
		"img": "https://archive.orkl.eu/212ba5d876cef708edf144204c065feedc95c971.jpg"
	}
}