{
	"id": "8ef5d918-d7a6-4a04-a507-1a560cab3c92",
	"created_at": "2026-04-06T01:28:52.98466Z",
	"updated_at": "2026-04-10T13:12:35.570532Z",
	"deleted_at": null,
	"sha1_hash": "2a6e38cbe78b03d58d3db9b304d97e510152c6e7",
	"title": "Exclusive Threat Research: Mars (Stealer) Attacks!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3177507,
	"plain_text": "Exclusive Threat Research: Mars (Stealer) Attacks!\r\nBy Arnold Osipov\r\nArchived: 2026-04-06 00:17:41 UTC\r\nThe Morphisec Labs team has conducted research on the new Mars infostealer. Mars is based on the older Oski Stealer and was first discovered in June 2021. The new Mars is available for sale on several underground forums and is reported to be under constant development. Mars Stealer pilfers user credentials stored in various browsers, as well as many different cryptocurrency wallets. It is being distributed via social engineering techniques, malspam campaigns, malicious software cracks, and keygens. (For more about infostealers, read Morphisec’s coverage of the Jupyter infostealer.)\r\nFigure 1: Mars stealer post on hacking forums.\r\nNot long after the Mars Stealer’s release, a cracked version was released with an instruction document. This guide has some flaws. One flaw instructs users to set full access (chmod 777, i.e. read, write and execute for every local user) on the whole project, including the directory where the victims’ logs are stored.\r\nhttps://blog.morphisec.com/threat-research-mars-stealer\r\nPage 1 of 12\n\nFigure 2: Cracked Mars Stealer instruction guide.\r\nWhoever released the cracked Mars Stealer without official support has led threat actors to improperly configure their environment, exposing critical assets to the world.\r\nInfostealers Ecosystem\r\nAs Sophos explains, information stealers are used for a wide variety of identity theft. They enable attackers to harvest personally identifiable information (PII), including login data such as stored credentials and browser cookies that control access to web-based services. These credentials are then sold on criminal marketplaces. Infostealers offer an accessible entry point to criminal activity. For example, only $160 gets you a lifetime subscription to Mars Stealer. 
You can purchase infostealers on Dark Web forums without any vetting, unlike more sophisticated tools such as ransomware, which require you to have a reputation amongst other cybercriminals. Infostealers empower novice cybercriminals to build a reputation they can leverage to acquire more powerful malware from more sophisticated actors.\r\nMars Stealer Statistics\r\nWith cryptocurrency use rising, more people will likely possess hot wallets in an unsecured environment. The crypto wallet MetaMask is the browser plugin most often stolen using Mars Stealer.\r\nFigure 3: Top 5 stolen plugins\r\nThe Morphisec Labs Team compiled the statistics below while evaluating a single actor’s campaign last month. They include targets by country, total stolen passwords, and so on. In addition, we found more than 50 infected domain users, whose stolen logons compromise their companies’ domain passwords. The vast majority of victims are students, faculty members, and content makers looking for legitimate applications who end up with malicious ones instead. Aside from the listed credential types, Morphisec identified credentials which led to the full compromise of a leading healthcare infrastructure provider in Canada, and a number of high-profile Canadian service companies. We have contacted and notified the companies and the authorities.\r\nFigure 4: Mars admin panel\r\nOperation Mars\r\nSpam email is the most common distribution method for Mars Stealer, delivered as a compressed executable, a download link, or a document payload. Creating a malicious website that masquerades as a source of pirated software is another common method for spreading this infostealer.\r\nInitial access vector\r\nIn this campaign, the actor distributed Mars Stealer via cloned websites offering well-known software. They used the Google Ads advertising platform to trick victims searching for the original software into visiting a malicious site instead. 
The actor is paying for these Google Ads campaigns using stolen information (see Figure 15). The example below is one of many demonstrating how the actor targets Canadians by using geographically targeted Google Ads.\r\nFigure 5: ‘OpenOffice’ Google search yields an actor’s malicious website.\r\nBelow is a fully cloned website masquerading as the official openoffice.org website to lure victims into downloading the Mars Stealer.\r\nFigure 6: Cloned OpenOffice website leads to the Mars stealer.\r\nThe downloaded payload is an executable file, with an icon and name matching the impersonated software, packed with the Babadeda crypter or an AutoIt loader. We won’t cover the Mars Stealer’s technical details, which were thoroughly covered by 3xp0rt. During our investigation and research, we identified a C2—tommytshop[.]com—where the Mars admin panel is hosted, which was still up and running at the time of publication.\r\nFigure 7: C2 open directory\r\nAs mentioned earlier, the directory holding the stolen information was improperly configured and left open to anyone browsing the server. We immediately identified that the vast majority of compromised victims are from Canada (files whose names start with the country code, CA_).\r\nFigure 8: Stolen Information\r\nBelow is an example of stolen information extracted from one of the folders. 
It’s quite self-explanatory:\r\nAutofill – Stores browser autofill data\r\nCC – Stores credit card information\r\nPlugins – Stores browser extension data: Metamask, Coinbase wallet, Binance, etc.\r\nSystem.txt – Stores infected system information such as IP, country code, timezone, etc.\r\nFigure 9: Stolen information content\r\nMapping the Attack Infrastructure\r\nFortunately, the actor compromised their own computer with the Mars Stealer while debugging. This allowed us a rare peek into an operation by looking at the actor’s own stolen information—screenshots, passwords, history, system information, etc. Below is an image we generated to summarize the actor’s most relevant activity details.\r\nFigure 10: Recon diagram\r\nWe looked at the actor’s screenshots and discovered they were debugging their Mars Stealer builds using HTTP Analyzer. This revealed their second Mars Stealer C2, http://5.45.84[.]214, which was improperly configured in the same way as the first C2.\r\nFigure 11: Actor’s screenshot revealing additional C2\r\nAn additional screenshot led us to the actor’s GitLab account, which has been active since late November 2021 and is continuously updated with the latest Mars Stealer builds under the name “Tony Mont.” We assume they do this for automation purposes.\r\nFigure 12: Actor’s GitLab account\r\nAnother interesting screenshot revealed that this actor stores their passwords in a plain-text document for almost every service they use.\r\nFigure 13: Actor’s plain text passwords\r\nThe actor is also using Keitaro, a universal tracker for affiliate marketing. 
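As an added example, not code from the Morphisec post, the following Python script shows how the stolen-information layout described above (one folder per victim holding Autofill, CC and Plugins folders plus a System.txt, with victim folders prefixed by a country code such as CA_) can be triaged from a copy of such an open directory: it counts victims per country, falls back to the country code inside System.txt when a folder lacks the prefix, tallies which browser-extension wallets were taken to produce a top-plugins table like Figure 3, and counts how many victims lost card data. The on-disk layout and the key/value line format of System.txt are assumptions modelled on the names listed on this page; the sample dump is constructed inline and contains no real victim data.

```python
import os
import tempfile
from collections import Counter

# Constructed sample dump (NOT real victim data), shaped like the open
# directory described in the post: one folder per victim, named with a
# country-code prefix (CA_...), holding Autofill, CC and Plugins folders
# plus a System.txt. The line format inside System.txt is an assumption;
# the post only says it carries IP, country code and timezone.
SAMPLE_DUMP = {
    'CA_7f3a91': {'System.txt': 'IP: 203.0.113.10 / Country: CA / Timezone: UTC-5',
                  'Plugins': ['Metamask', 'Coinbase wallet'], 'CC': ['cards.txt'], 'Autofill': ['chrome.txt']},
    'CA_22bd05': {'System.txt': 'IP: 203.0.113.77 / Country: CA / Timezone: UTC-8',
                  'Plugins': ['Metamask', 'Binance'], 'CC': [], 'Autofill': ['firefox.txt']},
    'US_c0ffee': {'System.txt': 'IP: 198.51.100.5 / Country: US / Timezone: UTC-6',
                  'Plugins': ['Metamask'], 'CC': ['cards.txt'], 'Autofill': []},
    # folder without the country prefix: the country must come from System.txt
    'debug_0001': {'System.txt': 'IP: 192.0.2.9 / Country: RU / Timezone: UTC+3',
                   'Plugins': [], 'CC': [], 'Autofill': []},
}


def build_sample_dump(root):
    # Materialise SAMPLE_DUMP on disk so the triage code runs on real paths.
    for victim, parts in SAMPLE_DUMP.items():
        vdir = os.path.join(root, victim)
        for sub in ('Autofill', 'CC', 'Plugins'):
            os.makedirs(os.path.join(vdir, sub), exist_ok=True)
        for plugin in parts['Plugins']:
            os.makedirs(os.path.join(vdir, 'Plugins', plugin), exist_ok=True)
        for sub in ('Autofill', 'CC'):
            for fname in parts[sub]:
                with open(os.path.join(vdir, sub, fname), 'w') as fh:
                    fh.write('redacted')
        with open(os.path.join(vdir, 'System.txt'), 'w') as fh:
            fh.write(parts['System.txt'])
    return root


def parse_system_txt(path):
    # Assumed format: fields separated by ' / ', each as 'Key: value'.
    # Returns {} when the file is missing so one broken folder does not abort the run.
    if not os.path.isfile(path):
        return {}
    with open(path) as fh:
        text = fh.read()
    fields = {}
    for chunk in text.split(' / '):
        if ': ' in chunk:
            key, value = chunk.split(': ', 1)
            fields[key.strip()] = value.strip()
    return fields


def victim_country(folder_name, system_fields):
    # Prefer the two-letter prefix on the victim folder (CA_...), then the
    # Country field from System.txt, and finally 'XX' so nobody is dropped.
    prefix = folder_name.split('_', 1)[0]
    if len(prefix) == 2 and prefix.isalpha() and prefix.isupper():
        return prefix
    return system_fields.get('Country', 'XX')


def triage_dump(root):
    # Every directory directly under root is one victim log.
    by_country = Counter()
    plugins = Counter()
    with_cards = 0
    total = 0
    for name in sorted(os.listdir(root)):
        vdir = os.path.join(root, name)
        if not os.path.isdir(vdir):
            continue
        total += 1
        sysinfo = parse_system_txt(os.path.join(vdir, 'System.txt'))
        by_country[victim_country(name, sysinfo)] += 1
        plugdir = os.path.join(vdir, 'Plugins')
        if os.path.isdir(plugdir):
            # each sub-folder of Plugins is one stolen extension (Metamask, Binance, ...)
            for plugin in sorted(os.listdir(plugdir)):
                plugins[plugin] += 1
        ccdir = os.path.join(vdir, 'CC')
        if os.path.isdir(ccdir) and os.listdir(ccdir):
            with_cards += 1
    return {
        'victims': total,
        'by_country': dict(by_country),
        'top_plugins': plugins.most_common(5),
        'victims_with_cards': with_cards,
    }


def run_demo():
    # Build the constructed dump in a temp dir, triage it, return the stats.
    with tempfile.TemporaryDirectory() as tmp:
        return triage_dump(build_sample_dump(tmp))


if __name__ == '__main__':
    print(run_demo())
```

To run this against a real copy, call triage_dump(path) on the root of the dump instead of the temporary directory. Treat such a dump as sensitive PII: copy it to an isolated analysis host, restrict who can read it, and keep only the aggregate counts in the report, which is all a notification to the affected organisations needs.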
The images below show the actor is a Russian speaker.\r\nFigure 14: Keitaro panel\r\nThe actor’s Google Ads account page, paid for with stolen credentials, is shown below.\r\nFigure 15: Actor’s Google Ads campaign\r\nAttribution\r\nThe screenshots and the keyboard details recorded in the extracted system.txt point to a Russian speaker, and on that basis we attribute this actor as a Russian national.\r\nProtect Yourself From Infostealers like Mars Stealer\r\nMorphisec Labs will keep monitoring the Mars Stealer and provide updates when appropriate. Infostealers are used by a wide variety of cybercriminals, from novices to state-sponsored actors. They’re easy to acquire—and they work. Mars is currently being promoted in more than 47 underground forums, Darknet onion sites, and Telegram channels, and even has an official Telegram channel through which it can be purchased.\r\nMorphisec protects against advanced attack chains such as those used in the Mars stealer. We do this with our patented Moving Target Defense (MTD) technology, which blocks advanced and zero-day attacks. MTD uses system polymorphism to hide application assets, operating system assets, and other critical assets from adversaries. 
This leads to unpredictable and dramatically reduced attack surfaces.\r\nIndicators of Compromise (IOCs)\r\nServices\r\nIP/URL – Service\r\n91.92.128[.]35 – Keitaro panel\r\nhttps://gitlab.com/corpsoft – GitLab account\r\nserver315.web-hosting.com:2083 – cPanel file manager\r\nMars C2\r\ntommytshop[.]com\r\n5.45.84[.]214\r\n193.56.146[.]66\r\n185.212.130[.]47\r\ntonyshop312[.]com\r\n66.29.142[.]232\r\ntelemeetrydata[.]cn\r\nSamples (SHA256)\r\nc48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14\r\n38807bc99d0f9a78480d3b12cfc96cdbfdb83bc277758595e77808b9b22ac087\r\nbb48381955c8676b866760129db84ffce2e0b9c1fdd6a0179ab022dbf6fea708\r\ncf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa\r\n10731eea825c6bbcd5c543b2c98f4de384b36279cabba22fa247cda865c59093\r\naf023cd8d2dcbeccfaf197094721768593154fc35019534a399563b011862a91\r\nc26e405d1f07a9090e83454a7a978d5a89ef4764b00e7b354e6b2bb653e49378\r\n9ed18a0b5e15bd4ecb73c5428e208b5d1b162274cfb0d6c62f7b5c3a04ec4d56\r\nab7e7d8594befb5a7137ec323db87a4aacfa64260327d61eee30626a760c3d5b\r\nd5ee3a86821e452c33f178dc080aff7ca5054518a719ef74320909cbb55bb6c5\r\n36613d674b4737da2b2986d9a49b48d06f1233cc7ea6aa7386bdb6d4bec90301\r\nb15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42\r\nc3c1549bdd5613e9dbc3f09963cd1bd0f303b6f33bb4df62d9260590869cadec\r\n8f925aa659cdab2466d2860dfc06d14d1c384c7a449683813db8d9219ed333c9\r\n6929dae4d2bf6d2086bca0389e967f2c43bfb940da09b175b39df5fa1684a027\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. 
Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/threat-research-mars-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/threat-research-mars-stealer"
	],
	"report_names": [
		"threat-research-mars-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775438932,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a6e38cbe78b03d58d3db9b304d97e510152c6e7.pdf",
		"text": "https://archive.orkl.eu/2a6e38cbe78b03d58d3db9b304d97e510152c6e7.txt",
		"img": "https://archive.orkl.eu/2a6e38cbe78b03d58d3db9b304d97e510152c6e7.jpg"
	}
}