{
	"id": "9a023ac4-7510-4c93-93ee-0e429b078682",
	"created_at": "2026-04-06T00:08:22.350773Z",
	"updated_at": "2026-04-10T13:12:52.956713Z",
	"deleted_at": null,
	"sha1_hash": "2f1ddda1cf1d00cda85d7851374e1bb882653945",
	"title": "Like Father Like Son? New Mars Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63184,
	"plain_text": "Like Father Like Son? New Mars Stealer\r\nBy Yaara Shriebman\r\nPublished: 2022-02-22 · Archived: 2026-04-05 21:38:29 UTC\r\nExecutive Summary\r\nFirst observed in 2021 and advertised as a standalone version on various cybercriminal forums, Mars is an information stealer mainly targeting Windows victim credentials and cryptocurrency wallets, including 2FA plugins, along with any essential system information. Mars is also capable of loading any type of file by downloading and executing it from a given drop zone.\r\nOver the past several months, Mars has established itself as a solid info stealer. We now see more new threat actors comparing its efficiency to that of Raccoon stealer and having a hard time choosing between the two, given Mars’s simplicity, “noob-friendly” setup and cheap price.\r\nAs some claims suggest, Mars is actually a new version of Oski stealer, which we have written about in the past.\r\nAdvertising\r\nMars is currently advertised in over 47 different underground forums, Telegram channels and Darknet onion sites, while the main channel for purchasing the malware is the official Telegram channel (Figure 1), created on August 4, 2021, which gave the stealer a big boost.\r\nAlthough Mars is a better version than its predecessor, Oski, a leak of the dashboard caused damage to the info stealer’s team. Over the past months, however, we have seen the effort the team has put into branding this info stealer: competitive prices, promoting the “MarsTeam” name, pushing new abilities, providing lifetime support, and more.\r\nAs mentioned, Mars offers a cheap lifetime subscription for only $160, paid in cryptocurrency of course. In comparison, Raccoon and Redline, the top 2 info stealers at the moment, charge the same price for a two-week subscription, although their business model is Malware-as-a-Service (MaaS).\r\nAnother option is to use the leaked panel version, which is currently free of charge, but threat actors then need to take care of the infrastructure, anonymity, and so on, without any help or support from the MarsTeam.\r\nCommand and Control\r\nThe C\u0026C setup is fairly easy, whether you buy the panel or use the leaked one. The group provides an all-in-one solution that makes the stealer’s infrastructure very simple to use, but also very easy to detect.\r\nThe C\u0026C is comprised of three modules: the dashboard, the drop zone for the stealer’s logs, and the download source for dependencies.\r\nhttps://cyberint.com/blog/research/mars-stealer/\r\nPage 1 of 5\n\nAlthough the modules are separate and the leaked code is easy to understand, it seems that most threat actors do not use more sophisticated techniques such as a reverse proxy or segregation of each module on a different host, but rather run them all on the same host.\r\nStructure\r\nThe Cyberint Research Team has been tracking Mars for some time now and found several C\u0026Cs that were set up as public, disclosing the structure and files within the C\u0026C (Figure 2).\r\nOther than a campaign overview, the dashboard provides file-grabbing statistics and Loader rules, which are used for setting up the files the threat actor would like to load onto the infected machine.\r\nIt seems that more experienced threat actors will look to use the leaked panel kit, given that it comes with full installation and building instructions and, like more advanced stealers, can be modified to add Telegram integration, making the campaign less obvious.\r\nDependencies\r\nThe C\u0026C contains the dependencies the stealer needs in order to operate properly when it comes to information gathering.\r\nThe files are in fact legitimate third-party Dynamic-link Libraries (DLLs) used to support access to the data of various applications and/or browsers.\r\nDrop Zone\r\nThe drop zone module within the C\u0026C is straightforward and simple, with the common gate.php file to which the stealer posts a ZIP file containing the stolen data.\r\nDelivery\r\nSince Mars lacks an out-of-the-box distribution method, recently observed Mars incidents appear to begin with social engineering techniques commonly used in gaming forums and groups, where the threat actors lure the victims into downloading patching software (Figure 5), cracks and keygens (Figure 6).\r\nUsing this technique might be even more effective than malicious documents sent via email, given that victims might assume the defense mechanisms alert on these files because of their original purpose, which is pretty sketchy in itself. As a result, victims exclude these files from their defense systems and knowingly approve them to run with administrator privileges.\r\nIn addition to this technique, evidence suggests that malspam campaign delivery is also used in the wild, along with Twitter and Instagram direct messaging.\r\nLike most info stealers, the targeting of these campaigns is based more on the hobbies and communities the victims take part in, such as gaming, cryptocurrency, 3D artists and graphic designers, than on a specific geolocation or business sector.\r\nAs mentioned, the more traditional and more scalable technique of spreading the stealer is a combination of social engineering and abuse of malspam campaigns, often carried out by delivering malicious documents of any kind to the victim’s machine containing malicious macros (Figure 7) that download and execute Mars on the machine.\r\nThere has been a rise in cases where campaigners abuse the Discord infrastructure and use it as a solid loading module for their malicious content. With Mars Stealer, it is no different.\r\nPost Infection\r\nMars Stealer’s approach is somewhat similar to that of most other stealer threats. It is obviously focused on the theft of credentials from common applications, browsers and credential stores, as well as the acquisition of potentially sensitive and valuable data from a victim machine, such as cryptocurrency wallets or other files.\r\nAdditionally, Mars Stealer can be used as a ‘loader’ to download and execute additional payloads from its command and control (C2) infrastructure and, notably, will terminate and delete itself upon the conclusion of its task.\r\nIn cases in which the default languages of the victim’s machine are from Kazakhstan, Uzbekistan, Azerbaijan, Belarus and Russia, the stealer will not proceed.\r\nCalling Home\r\nThe first step Mars takes once the machine is infected is to communicate with the C\u0026C in order to receive configurations and instructions via an HTTP GET request to the gate.php file (Figure 8).\r\nOski Comparison\r\nThroughout the entire operation process, Mars implements the same methods as Oski: communication with the C\u0026C, the working directory, the use of dependencies and the data exfiltration phase are all the same. The differences between the two lie in the type of content the info stealer looks for by default and in the 2FA plugins.\r\nRecommendations\r\nEmployee security awareness training remains an important step in helping them identify and be suspicious of unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.\r\nDisable administrative tools and script interpreters, such as PowerShell, to prevent their misuse by malicious payloads.\r\nUse Group Policy to disable macros from running in Microsoft Office applications (legitimate macros should be digitally signed to allow for an exception to the disable rule).\r\nEducate users on the common TTPs used and reinforce the message that documents encouraging them to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.\r\nMulti-factor authentication should be implemented wherever possible to limit the effectiveness of stolen credentials.\r\nEmployees should be reminded of the risks associated with credential reuse and weak passwords, supported by password policies to encourage best practice.\r\nLimit user permissions according to the principle of least privilege (POLP).\r\nEnsure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.\r\nContinuous monitoring of unusual endpoint behaviors, such as excessive requests to specific web hosts using unusual user-agent strings, can provide an early indication of compromise.\r\nConsider applying deep content inspection to ensure that any downloaded content’s file type matches the actual file content, in addition to blocking dangerous file types, such as executables, for standard users.\r\nIndicators of Compromise\r\nFile Samples (SHA256)\r\nThe following hashes are provided for reference; given the ongoing nature of these campaigns, it is likely that the threat actor will use methods to avoid detection, such as packing and crypting, resulting in differing cryptographic hashes.\r\nURLs\r\nThe following URLs have been observed as used during the initial downloader phases.\r\nAdditionally, multiple resources hosted on the Oski Stealer C2 URL have been observed, with the directory structure potentially changing between campaigns.\r\nSource: https://cyberint.com/blog/research/mars-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberint.com/blog/research/mars-stealer/"
	],
	"report_names": [
		"mars-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f1ddda1cf1d00cda85d7851374e1bb882653945.pdf",
		"text": "https://archive.orkl.eu/2f1ddda1cf1d00cda85d7851374e1bb882653945.txt",
		"img": "https://archive.orkl.eu/2f1ddda1cf1d00cda85d7851374e1bb882653945.jpg"
	}
}