{
	"id": "1b3c3156-1891-49e6-9f6e-cc7f3f9696d6",
	"created_at": "2026-04-06T00:17:00.707134Z",
	"updated_at": "2026-04-10T03:19:56.565563Z",
	"deleted_at": null,
	"sha1_hash": "7e477191e314d523622816394b3ae3be1780543a",
	"title": "SvcStealer Malware Targeting Users to Extract Sensitive Data from Browsers and Applications - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46959,
	"plain_text": "SvcStealer Malware Targeting Users to Extract Sensitive Data\r\nfrom Browsers and Applications - Active IOCs - Rewterz\r\nPublished: 2025-03-24 · Archived: 2026-04-05 13:30:52 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nSvcStealer 2025 is a newly identified information stealer that primarily spreads through spear phishing email\r\nattachments. First observed in January 2025, this malware is designed to harvest extensive sensitive data,\r\nincluding machine details, installed software, user credentials, cryptocurrency wallets, and browser information. It\r\nsystematically extracts this data before compressing and transmitting it to its command-and-control (C2) servers.\r\nAdditionally, the malware has the capability to download further malicious payloads, increasing its overall impact\r\nbeyond initial data theft.\r\nIdentified by researchers, SvcStealer is written in Microsoft Visual C++ and employs various evasion techniques\r\nto bypass security tools. It terminates monitoring processes and deletes traces of its activity to avoid detection.\r\nUpon infecting a system, the malware generates a unique 11-byte alphanumeric identifier derived from the\r\nvictim’s volume serial and communicates with its C2 infrastructure using the IP address 176.113.115.149 over port\r\n80. The stolen data is sent through HTTP POST requests with a multipart/form-data content type, disguising it\r\nas normal web traffic to avoid raising suspicion.\r\nIn terms of persistence, SvcStealer continuously beacons to its C2 server, awaiting further instructions from threat\r\nactors. These commands may include downloading additional malware families, expanding the attack’s scope. By\r\nmaintaining constant communication with the C2 infrastructure, the malware remains an active threat even after\r\ninitial data exfiltration.\r\nSecurity experts strongly advise users to remain cautious of suspicious email attachments, as phishing remains the\r\nprimary infection vector. 
Implementing advanced endpoint protection, network monitoring, and behavioral\r\nanalysis can help detect and prevent infections. Organizations must enhance their security awareness and deploy\r\nproactive defenses to mitigate the risks posed by this evolving threat.\r\nImpact\r\nSensitive Data Theft\r\nCrypto Theft\r\nGain Access\r\nSecurity Bypass\r\nhttps://rewterz.com/threat-advisory/svcstealer-malware-targeting-users-to-extract-sensitive-data-from-browsers-and-applications-active-iocs\r\nPage 1 of 3\n\nIndicators of Compromise\r\nIP\r\n185.81.68.156\r\n176.113.115.149\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment utilizing your respective security\r\ncontrols.\r\nAvoid opening email attachments or links from unknown or suspicious sources. 
Deploy advanced email\r\nfiltering solutions to detect and block phishing attempts.\r\nUse next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect and\r\nblock malicious activities in real time.\r\nImplement network traffic analysis to identify unusual HTTP POST requests or suspicious communication\r\nwith known malicious IPs, such as 176.113.115.149.\r\nProcess and Behavior Monitoring: Continuously monitor running processes for suspicious activities,\r\nsuch as unauthorized process termination or attempts to delete system logs.\r\nEnsure operating systems, security tools, and installed software are up to date with the latest security\r\npatches to prevent exploitation.\r\nApply the principle of least privilege (PoLP) to limit user permissions, reducing the impact of potential\r\ninfections.\r\nUse dynamic malware analysis tools to analyze and block suspicious files before execution in the network.\r\nEstablish a well-defined incident response strategy to quickly contain and mitigate infections if a system is\r\ncompromised.\r\nRegularly back up critical data and store it securely offline to ensure recovery in case of data theft or\r\nransomware deployment.\r\nEducate employees about phishing techniques and social engineering tactics to minimize the risk of falling\r\nvictim to email-based attacks.\r\nSource: https://rewterz.com/threat-advisory/svcstealer-malware-targeting-users-to-extract-sensitive-data-from-browsers-and-applications-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rewterz.com/threat-advisory/svcstealer-malware-targeting-users-to-extract-sensitive-data-from-browsers-and-applications-active-iocs"
	],
	"report_names": [
		"svcstealer-malware-targeting-users-to-extract-sensitive-data-from-browsers-and-applications-active-iocs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e477191e314d523622816394b3ae3be1780543a.pdf",
		"text": "https://archive.orkl.eu/7e477191e314d523622816394b3ae3be1780543a.txt",
		"img": "https://archive.orkl.eu/7e477191e314d523622816394b3ae3be1780543a.jpg"
	}
}