{
	"id": "184492af-1def-419c-8b19-cebbae908b1d",
	"created_at": "2026-04-06T00:08:46.352911Z",
	"updated_at": "2026-04-10T03:36:47.724947Z",
	"deleted_at": null,
	"sha1_hash": "6642db8db96e6475355abb590751113c5655f7d0",
	"title": "Researchers warn of FFDroider and Lightning info-stealers targeting users in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 362060,
	"plain_text": "Researchers warn of FFDroider and Lightning info-stealers\r\ntargeting users in the wild\r\nBy The Hacker News\r\nPublished: 2022-04-11 · Archived: 2026-04-05 16:13:40 UTC\r\nCybersecurity researchers are warning of two information-stealing malware families,\r\nnamed FFDroider and Lightning Stealer, that are capable of siphoning data and launching further attacks.\r\n\"Designed to send stolen credentials and cookies to a Command \u0026 Control server, FFDroider disguises itself on\r\nvictims' machines to look like the instant messaging application 'Telegram,'\" Zscaler ThreatLabz researchers\r\nAvinash Kumar and Niraj Shivtarkar said in a report published last week.\r\nInformation stealers, as the name implies, are equipped to harvest sensitive information from compromised\r\nmachines, such as keystrokes, screenshots, files, saved passwords and cookies from web browsers, which is then\r\ntransmitted to a remote attacker-controlled domain.\r\nFFDroider is distributed through cracked versions of installers and freeware with the primary objective of stealing\r\ncookies and credentials associated with popular social media and e-commerce platforms and using the plundered\r\ndata to log into the accounts and capture other personal account-related information.\r\nhttps://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html\r\nPage 1 of 3\n\nWeb browsers targeted by the malware include Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft\r\nEdge. 
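The browser cookie and credential theft described here is the part a defender can watch for on an endpoint: a process that is not a browser opening the SQLite and JSON files in which Chrome, Edge and Firefox keep cookies and saved logins. The Python below is an added detection example written for this page, not code from Zscaler, Cyble or The Hacker News. The process allowlist, the store file names, the event format and the telemetry are assumptions and constructed sample data; the telegram.exe process name mirrors the Telegram disguise mentioned above. It goes a little beyond the article by ranking processes by how many browsers they reach into, which separates a stealer sweeping every profile from a one-off read by a backup tool.

```python
from pathlib import PureWindowsPath

# Browsers whose own processes legitimately open their credential stores.
# Hypothetical allowlist for this example. In production key it on the
# signed image path rather than the file name, since a stealer can take
# any process name (FFDroider poses as Telegram).
BROWSER_PROCESSES = {'chrome.exe', 'msedge.exe', 'firefox.exe'}

# Secret-bearing files inside a Chromium profile (Chrome and Edge share the
# layout): cookies (under Network/ in recent builds), saved logins, and
# autofill and payment data.
CHROMIUM_STORES = {'cookies', 'login data', 'web data'}
# Firefox equivalents: cookies, saved logins and the key database that
# decrypts the saved logins.
FIREFOX_STORES = {'cookies.sqlite', 'logins.json', 'key4.db'}


def classify_store(path):
    # Accept either path separator and compare case-insensitively so one
    # rule covers telemetry from different sensors. Returns the browser
    # family whose secret store the path points at, or None.
    parts = PureWindowsPath(path).as_posix().lower().split('/')
    name = parts[-1]
    if 'user data' in parts and name in CHROMIUM_STORES:
        if 'chrome' in parts:
            return 'chrome'
        if 'edge' in parts:
            return 'edge'
        return 'chromium'
    if 'profiles' in parts and name in FIREFOX_STORES:
        return 'firefox'
    return None


def suspicious_reads(events):
    # One alert per file-read event in which a non-browser process opens a
    # browser secret store. Each event is a dict with process, pid and path.
    alerts = []
    for ev in events:
        store = classify_store(ev['path'])
        if store is None:
            continue
        proc = ev['process'].lower()
        if proc in BROWSER_PROCESSES:
            continue  # the browser reading its own profile is expected
        alerts.append({'process': proc, 'pid': ev['pid'],
                       'store': store, 'path': ev['path']})
    return alerts


def rank_processes(alerts):
    # A single process touching the stores of several browsers is the
    # stealer pattern the article describes; rank (process, pid) pairs by
    # the number of distinct browser families they reached into.
    touched = {}
    for a in alerts:
        touched.setdefault((a['process'], a['pid']), set()).add(a['store'])
    return sorted(touched.items(), key=lambda kv: len(kv[1]), reverse=True)


# Constructed sample telemetry (not real data): a masquerading telegram.exe
# sweeping three browsers, beside benign reads by the browsers themselves.
SAMPLE_EVENTS = [
    {'process': 'chrome.exe', 'pid': 1180,
     'path': 'C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/Network/Cookies'},
    {'process': 'telegram.exe', 'pid': 4242,
     'path': 'C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/Login Data'},
    {'process': 'telegram.exe', 'pid': 4242,
     'path': 'C:/Users/alice/AppData/Local/Microsoft/Edge/User Data/Default/Network/Cookies'},
    {'process': 'telegram.exe', 'pid': 4242,
     'path': 'C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/k3x9q2ab.default-release/cookies.sqlite'},
    {'process': 'firefox.exe', 'pid': 2210,
     'path': 'C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/k3x9q2ab.default-release/logins.json'},
    {'process': 'notepad.exe', 'pid': 3305,
     'path': 'C:/Users/alice/Documents/notes.txt'},
]

if __name__ == '__main__':
    for (proc, pid), stores in rank_processes(suspicious_reads(SAMPLE_EVENTS)):
        print(proc, pid, sorted(stores))
```

Two caveats a practitioner should keep in mind. A name-based allowlist is only as good as the disguise is bad: a stealer that injects into the browser process, or that copies the database files through a volume shadow copy instead of reading them directly, will not appear as a plain read by a foreign process, so pair this rule with process-integrity and file-copy telemetry. Internet Explorer, also named in the article, keeps saved passwords in Windows Credential Manager rather than in a profile file, so it is outside what this rule covers.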
The websites targeted encompass Facebook, Instagram, Twitter, Amazon, eBay, and Etsy.\r\n\"The stealer signs into victims' social media platforms using stolen cookies, and extracts account information like\r\nFacebook Ads-manager to run malicious advertisements with stored payment methods and Instagram via API to\r\nsteal personal information,\" the researchers said.\r\nFFDroider also includes downloader functionality to fetch new modules from an update server, letting it expand\r\nits feature set over time and enabling the operators to use the stolen data as an initial-access vector against a\r\ntarget.\r\nMain Function of Lightning Stealer\r\nLightning Stealer operates in a similar fashion: it can steal Discord tokens, data from cryptocurrency wallets,\r\nand cookies, passwords, credit cards, and search history from more than 30 Firefox and\r\nChromium-based browsers, all of which is exfiltrated to a server in JSON format.\r\n\"Info Stealers are adopting new techniques to become more evasive,\" Cyble researchers said, adding it \"witnessed\r\nransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive\r\ndata.\"\r\nThe development comes as stealer malware is becoming an increasingly common occurrence across different\r\nattack campaigns in recent months, in part to fill the void left by Raccoon Stealer's exit from the market in late\r\nMarch due to the ongoing war in Ukraine.\r\nIn February 2022, Cyble Research disclosed details of an emerging threat called Jester Stealer that's engineered to\r\nsteal and transmit login credentials, cookies, and credit card information, along with data from password managers,\r\nchat messengers, email clients, crypto wallets, and gaming apps, to the attackers.\r\nSince then, at least three different info-stealers have emerged in the wild, 
including BlackGuard, Mars Stealer,\r\nand META, the last of which has been observed delivered via malspam campaigns to collect sensitive data.\r\nSource: https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html"
	],
	"report_names": [
		"researchers-warn-of-ffdroider-and.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6642db8db96e6475355abb590751113c5655f7d0.pdf",
		"text": "https://archive.orkl.eu/6642db8db96e6475355abb590751113c5655f7d0.txt",
		"img": "https://archive.orkl.eu/6642db8db96e6475355abb590751113c5655f7d0.jpg"
	}
}