{
	"id": "c97c98e7-1380-487c-8540-f9cdf4b1a05f",
	"created_at": "2026-04-06T00:15:39.536297Z",
	"updated_at": "2026-04-10T03:19:57.728103Z",
	"deleted_at": null,
	"sha1_hash": "541c8333583ed2a9294d9f316810509eff92e980",
	"title": "SVCStealer malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36686,
	"plain_text": "SVCStealer malware\r\nArchived: 2026-04-05 21:32:54 UTC\r\nSVCStealer is a new C++-based infostealing malware identified in the wild. The infostealer collects various\r\nsensitive information from the infected endpoints such as system information, credentials, cryptocurrency wallets,\r\ndata stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps,\r\nand others. The collected information is compressed into a .zip archive and exfiltrated to the C2 servers controlled\r\nby the attackers.\r\nSymantec protects you from this threat, identified by the following:\r\nAdaptive-based\r\nACM.Untrst-RLsass!g1\r\nBehavior-based\r\nSONAR.Dropper\r\nSONAR.MalTraffic!gen1\r\nSONAR.Stealer!gen1\r\nSONAR.TCP!gen1\r\nCarbon Black-based\r\nAssociated malicious indicators are blocked and detected by existing policies within VMware Carbon\r\nBlack products. The recommended policy at a minimum is to block all types of malware from executing\r\n(Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from the\r\nVMware Carbon Black Cloud reputation service.\r\nFile-based\r\nTrojan Horse\r\nTrojan.Gen.MBT\r\nWS.Malware.1\r\nMachine Learning-based\r\nHeur.AdvML.A!300\r\nHeur.AdvML.A!400\r\nHeur.AdvML.A!500\r\nHeur.AdvML.B!100\r\nHeur.AdvML.B!200\r\nHeur.AdvML.C\r\nhttps://www.broadcom.com/support/security-center/protection-bulletin/svcstealer-malware\r\nNetwork-based\r\nAudit: Bad Reputation Application Activity\r\nSystem Infected: Bad Reputation Process Request 4\r\nWeb Attack: Webpulse Bad Reputation Domain Request\r\nWeb-based\r\nObserved domains/IPs are covered under security categories in all WebPulse-enabled products\r\nSource: https://www.broadcom.com/support/security-center/protection-bulletin/svcstealer-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.broadcom.com/support/security-center/protection-bulletin/svcstealer-malware"
	],
	"report_names": [
		"svcstealer-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/541c8333583ed2a9294d9f316810509eff92e980.pdf",
		"text": "https://archive.orkl.eu/541c8333583ed2a9294d9f316810509eff92e980.txt",
		"img": "https://archive.orkl.eu/541c8333583ed2a9294d9f316810509eff92e980.jpg"
	}
}