{
	"id": "30ffcf3b-d4d2-46f8-a279-efc319e2f2eb",
	"created_at": "2026-04-06T00:14:58.45816Z",
	"updated_at": "2026-04-10T03:20:42.113303Z",
	"deleted_at": null,
	"sha1_hash": "259343685e87f2062a366a272233dea375c5d707",
	"title": "Stresspaint Malware Steals Facebook Credentials and Session Cookies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1462763,
	"plain_text": "Stresspaint Malware Steals Facebook Credentials and Session Cookies\r\nBy Catalin Cimpanu\r\nPublished: 2018-04-18 · Archived: 2026-04-05 17:54:38 UTC\r\nSecurity researchers have spotted a new information stealer that collects Chrome login data and session cookies from infected victims and appears to be looking for Facebook details in particular, according to a Radware threat alert the company shared with this reporter.\r\nThe new trojan, named Stresspaint, has been found hidden inside a free Windows application named \"Relieve Stress Paint,\" distributed via аоӏ.net, a domain built from Cyrillic characters that, when converted to Punycode, spells out xn--80a2a18a.net, instead of the real aol.net.\r\nRadware believes crooks are using email and Facebook spam to direct users to this misleading website.\r\nhttps://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/\r\nPage 1 of 5\r\nUsers who download this app get a legitimate drawing tool, but the app also runs other files in the background. According to Radware researchers, the drawing app also runs:\r\nTemp\\\\DX.exe - the main Stresspaint module, which remains persistent on the system\r\nTemp\\\\updata.dll - possibly used later on for credential/cookie stealing\r\nThe malware then sets the following Windows registry value to gain boot persistence and run Stresspaint's DX.exe file with every PC boot:\r\nHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updata\r\nAccording to the Radware team, the data of this registry value is DX.exe [parameter].\r\n\"We have seen two different parameters which may indicate two different infection campaigns that the author wants to track,\" the Radware team says. 
\"This is also represented in the [Stresspaint] control panel.\"\r\nStresspaint also creates a second registry value. This one holds each infected victim's GUID, in the form \"[5 random letters/numbers]HHMMSSYYYYMMDD\":\r\nHKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\RelieveStressPaint\\guid\r\nStresspaint steals Chrome login data and session cookies\r\nStresspaint then makes copies of Chrome's Login Data and Cookies databases, which it stores at the following locations:\r\nAppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data11111\r\nAppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies11111\r\nThe malware works on these copies so it can run all the queries and operations it needs to extract the login credentials and cookies stored in the user's Chrome browser.\r\nCrooks accessing Facebook accounts to harvest data\r\nThe malware then takes the collected login data and session cookies, encrypts them, and uploads them to a remote C\u0026C panel, along with the user's GUID.\r\nRadware researchers tracked this data to a control panel written in Chinese. The panel has a dedicated section for displaying Facebook credentials and another for Amazon data. The latter section is empty, suggesting the attackers have not yet focused on extracting Amazon details from the stolen data.\r\nResearchers say crooks are actively validating Facebook credentials and session cookies by logging into accounts and collecting additional data such as each user's number of friends, whether the account manages a Facebook Page, and whether the account has a payment method saved in its settings.\r\nStresspaint infected over 35,000 users\r\nRadware says it identified over 35,000 infected users, most based in Vietnam, Russia, and Pakistan. 
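The host indicators listed above (the DX.exe and updata.dll drops in Temp, the Updata Run value, the RelieveStressPaint guid value, and the Login Data11111 / Cookies11111 copies), turned into detection logic as an added example that is not from the article or from Radware. The events are constructed Sysmon-style lines flattened to key=value pairs; the user name, paths, GUID value and rule names are invented for the example, and only the field names (EventID, Image, TargetFilename, TargetObject, Details) follow Sysmon.

```python
'''
Added example (not code from the article or from Radware): the host
indicators the article lists, matched against constructed Sysmon-style
events. Field names follow Sysmon; the events themselves are made up.
'''
import re
from datetime import datetime

# Constructed events flattened to key=value pairs, one per line. Not real telemetry.
# Sysmon EventID 11 = FileCreate, EventID 13 = registry value set.
SAMPLE_EVENTS = '''
EventID=11 Image=C:\\Users\\bob\\Downloads\\RelieveStressPaint.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe
EventID=11 Image=C:\\Users\\bob\\Downloads\\RelieveStressPaint.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\updata.dll
EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updata Details=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe 2
EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe TargetObject=HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\RelieveStressPaint\\guid Details=k7q2z00145820180418
EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data11111
EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\DX.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies11111
EventID=11 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal
EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
'''

KV = re.compile('([A-Za-z]+)=(.*?)(?= [A-Za-z]+=|$)')   # values may contain spaces
# Victim id format from the article: 5 random letters/digits, then HHMMSSYYYYMMDD.
GUID = re.compile('^[A-Za-z0-9]{5}([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{4})([0-9]{2})([0-9]{2})$')
SEP = '\\'
TEMP = '\\appdata\\local\\temp\\'
RUN_KEY = '\\currentversion\\run'
CHROME_PROFILE = '\\google\\chrome\\user data\\'
GUID_KEY = '\\relievestresspaint\\guid'
DROPPED = ('dx.exe', 'updata.dll')
CHROME_DBS = ('login data', 'cookies')


def parse_event(line):
    '''Split one flattened event line into a dict of its fields.'''
    return dict(KV.findall(line))


def parse_guid(value):
    '''Decode the victim id into the infection time it embeds, or None if it does not fit.'''
    m = GUID.match(value)
    if not m:
        return None
    hh, mi, ss, yyyy, mo, dd = (int(g) for g in m.groups())
    try:
        return datetime(yyyy, mo, dd, hh, mi, ss)
    except ValueError:          # digits in the right places but not a real timestamp
        return None


def classify(ev):
    '''Return (rule, detail) when an event matches a Stresspaint indicator, else None.'''
    image = ev.get('Image', '').lower()
    if ev.get('EventID') == '13':
        target = ev.get('TargetObject', '')
        parent, _, name = target.rpartition(SEP)
        data = ev.get('Details', '')
        # Rule 1: a Run value whose data launches an executable from the user's Temp folder.
        if parent.lower().endswith(RUN_KEY) and TEMP in data.lower():
            return ('run-key-from-temp', name + ' -> ' + data)
        # Rule 2: the victim id value; decode the timestamp when the format still matches.
        if target.lower().endswith(GUID_KEY):
            stamp = parse_guid(data)
            return ('victim-guid', data + (' infected ' + stamp.isoformat() if stamp else ' (unrecognised format)'))
    elif ev.get('EventID') == '11':
        path = ev.get('TargetFilename', '')
        low = path.lower()
        base = low.rpartition(SEP)[2]
        # Rule 3: the two files the trojanized installer drops into Temp.
        if TEMP in low and base in DROPPED:
            return ('stresspaint-drop', path)
        # Rule 4: a copy of a Chrome credential database made by something other than Chrome.
        # Making the copy is itself a file create inside the profile directory, so querying
        # the copy instead of the original still leaves this trace.
        if CHROME_PROFILE in low and 'chrome.exe' not in image:
            for db in CHROME_DBS:
                if base.startswith(db) and base[len(db):].isdigit():
                    return ('chrome-db-copy', path)
    return None


def scan(text):
    '''Run every event line through classify and return the findings in order.'''
    findings = []
    for line in text.strip().splitlines():
        hit = classify(parse_event(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule.ljust(18), detail)
```

Rules 2 and 3 key on the exact names Radware reported, which the article's first update says already vary between samples; rules 1 and 4 key on behaviour (a Run value pointing into Temp, a non-browser process creating files inside the Chrome profile) and survive a rename.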
The trojanized painting app was first seen at the start of the month, but crooks started mass-distributing it only over the weekend.\r\nWhile the malware is now well detected on aggregated virus-scanning services such as VirusTotal, Stresspaint initially flew under the radar of some security software because it copied Chrome's Login Data and Cookies databases and queried the copies instead of touching the original files, which most security software keeps under surveillance.\r\nResearchers have notified Facebook of the malware's credential-harvesting operations and have also reached out to the registrar of the malicious аоӏ.net domain, asking for it to be taken down.\r\nUPDATE 1: Between the time we received the threat alert and publication time, Radware researchers spotted changes to Stresspaint's inner workings: the malware now uses a new format for the GUID, and some of the files and registry keys created on infected hosts also vary slightly. Nonetheless, besides cosmetic changes to file names and registry keys, the same modus operandi remains.\r\nUPDATE 2: The Radware threat alert is now live, here.\r\nSource: https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/"
	],
	"report_names": [
		"stresspaint-malware-steals-facebook-credentials-and-session-cookies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/259343685e87f2062a366a272233dea375c5d707.pdf",
		"text": "https://archive.orkl.eu/259343685e87f2062a366a272233dea375c5d707.txt",
		"img": "https://archive.orkl.eu/259343685e87f2062a366a272233dea375c5d707.jpg"
	}
}