{
	"id": "6617c0eb-2c71-45ba-894f-5f2a37f48eb8",
	"created_at": "2026-04-06T00:08:30.279921Z",
	"updated_at": "2026-04-10T13:11:18.778989Z",
	"deleted_at": null,
	"sha1_hash": "88e7d11101b22c7ded915a3a534cfe9a26cdf1d5",
	"title": "Silent Watcher: Dissecting Cmimai Stealer’s VBS Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1419269,
	"plain_text": "Silent Watcher: Dissecting Cmimai Stealer’s VBS Payload\r\nPublished: 2025-08-08 · Archived: 2026-04-05 21:49:32 UTC\r\nRecently, we at K7 Labs saw a tweet about the Cmimai Stealer, a VBS (Visual Basic Script) infostealer that began to surface in June 2025. This malware is part of a class of infostealers that uses PowerShell and native Windows scripting for data theft. Cmimai Stealer collects information from the victim’s system and exfiltrates the data using a Discord webhook. Interestingly, we found another sample uploaded on June 28 with a different webhook URL. In this blog, we will dissect the offensive mechanisms and provide useful detection techniques for defenders.\r\nFig. 1.1: Tweet about Cmimai Stealer\r\nhttps://labs.k7computing.com/index.php/silent-watcher-dissecting-cmimai-stealers-vbs-payload/\r\nPage 1 of 9\r\nFig. 1.2: Presence of the Text “Cmimai Stealer” in the Script\r\nOperational Workflow\r\nFig. 2: Operational Workflow\r\nThe VBS-based malware’s primary operational workflow is described in Fig. 2 above. When it runs, the script circumvents execution restrictions, generates additional PowerShell files, and gathers system data. It uses Discord webhooks to send the stolen data, monitors the response, and runs repeatedly every 60 minutes.\r\nFig. 3.1: Initialization and Task Scheduling of Cmimai VBS Stealer\r\nInitially it logs all execution events in a log file, “vbs_reporter_log.txt”, which is created in the system’s temporary folder, and then it collects the system and browser data (as shown in Fig. 3.1 and Fig. 3.2).\r\nFig. 3.2: Creation of log file\r\nSystem Information Collection via WMI\r\nThe first module is the data-collection module, which collects information such as the OS version and caption by querying the Windows Management Instrumentation (WMI) Win32_OperatingSystem class. Additionally, it retrieves the current username and the computer name of the system along with a timestamp (as shown in Fig. 3.3 \u0026 Fig. 3.4).\r\nFig. 3.3: WMI OS version and Caption\r\nFig. 3.4: System Information Collection\r\nDiscord Exfiltration via JSON Webhook\r\nWinHttp- or MSXML-based HTTP objects are used to send this data to the configured Discord webhook as a JSON object (as shown in Fig. 3.5 and Fig. 3.6).\r\nFig. 3.5: JSON Data Exfiltration to Discord Using WinHttpRequest.5.1\r\nFig. 3.6: Fallback to MSXML2.XMLHTTP on Failure with Logging\r\nBrowser Metadata Collection\r\nThis part of the script creates and runs a PowerShell script, “vbs_ps_browser.ps1”, which is deleted after execution, to gather user profile metadata from the Chrome and Edge browsers (as shown in Fig. 3.7 \u0026 Fig. 3.8). It logs the results in “ps_browser_log.txt” within the temp folder after attempting to parse the Local State JSON file of the above-mentioned browsers. Once the attempt is successful, it collects the profile name (name) and email address (user_name) for all user profiles in the said browsers. The Local State file also contains encrypted_key and app_bound_encrypted_key, for older and newer versions respectively, which can be seen in Chromium-based browsers like Chrome and Edge. The encrypted_key is the base64 encoding of the Master Key and is used to decrypt the sensitive data stored in other files like Login Data, Cookies, etc. In other words, if the attackers have both the Master Key and files like Login Data, Cookies and Preferences, they can extract all the autofill passwords, cookie information and browser preferences. In this script sample we did not find any module that decrypts or exfiltrates the browser data.\r\nFig. 3.7: Initialization of PowerShell Script for Browser Metadata Collection\r\nFig. 3.8: Targeted Paths for Browser Metadata Extraction\r\nScreen Capture Module\r\nThis module’s purpose is to take a screenshot of the main screen. When the main sample is executed, a PowerShell script, “vbs_ps_diag.ps1”, is created that takes the screenshot, converts it to a 70% quality JPEG, and gets it ready for upload (as shown in Fig. 3.9 and Fig. 3.10). To ensure successful operation, the module first verifies that PowerShell is accessible and not blocked by execution policies. After that, it makes use of .NET assemblies such as System.Drawing and System.Windows.Forms to take the screenshot, save it as an image file, and prepare it to be sent to the attacker. Before the data is sent, it confirms that the image size does not exceed Discord’s 8MB upload limit to prevent errors.\r\nFig. 3.9: Screenshot Capture and Upload Logic\r\nFig. 3.10: Screenshot Compression logic\r\nFig. 3.11: Exfiltrated System Info and Screenshot Displayed in Discord\r\nPersistence Via Timed Execution\r\nAfter collecting system info and sending the screenshot (as shown in Fig. 3.12), the script enters an endless loop with an interval of one hour. This allows the attacker to receive updated screen captures via AttemptDiagnosticReportViaPS() (Fig. 3.9) regularly without any user action.\r\nFig. 3.12: Timed Loop for Persistent Data Exfiltration\r\nFig. 3.13: vbs_reporter_log.txt\r\nThe above log (Fig. 3.13) shows all the milestones of the activities performed by this VB script.\r\nDefensive Considerations\r\nHigh-risk Processes and Parent-Child Combos\r\nFig. 4.1: Parent-Child Process Chain\r\nFig. 4.1 above shows the process tree where powershell.exe is launched by wscript.exe. Based on their security levels, defenders can decide whether script execution can be allowed and whether certain parent-child combos should be flagged.\r\nFilesystem and Behavioral Indicators\r\nFor this particular malware, defenders can keep an eye out for PowerShell scripts called vbs_ps_browser.ps1 or vbs_ps_diag.ps1, as well as image files like vbs_diag_*.png or .jpg in the %TEMP% folder.\r\nCommand lines used by this sample | Description\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File “C:\\Users\\\u003cUser_Name\u003e\\AppData\\Local\\Temp\\vbs_ps_browser.ps1” | Runs a hidden PowerShell script to collect browser data\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -NoProfile -Command “exit 0” | Checks if PowerShell is available (used as a test)\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File “C:\\Users\\\u003cUser_Name\u003e\\AppData\\Local\\Temp\\vbs_ps_diag.ps1” | Runs a hidden PowerShell script to take a screenshot\r\nTable 4.1: Suspicious PowerShell Commands Used by Cmimai Stealer\r\nNetwork Artifacts and Webhook Detection\r\nThe script uses HTTPS to send stolen data to discord.com/api/webhooks/… This traffic can be identified because it carries a unique User-Agent string: Cmimai Stealer VBS UI Rev (Fig. 4.2). Defenders should also keep an eye out for any unexpected Discord traffic, particularly coming from servers or critical systems.\r\nFig. 4.2: User Agent – Cmimai Stealer VBS UI Rev\r\nYARA rules can be used to hunt for similar files.\r\nFig. 4.3: YARA Rule\r\nCmimai Stealer is an infostealer that sends the stolen data to threat actors through Discord. It is lightweight and lacks advanced features like persistence across system restarts, encrypted communication and credential theft, perhaps by design. Although its collection of browser data and screenshots makes us classify it as an infostealer, it can serve a dual purpose: as a stealer and also as a second-stage reconnaissance tool used for strategizing further attacks. It has not been attributed to any known malware family yet.\r\nIOCs\r\nHASH | DETECTION NAME\r\n85d55caca5b341696382680eb3550918 | Trojan ( 0001140e1 )\r\nea792d0458d40471cefa26ebccf4ed45 | Trojan ( 0001140e1 )\r\nReferences\r\nTweet by @suyog41 – Cmimai Stealer Initial Report\r\nSource: https://x.com/suyog41/status/1937035864527511887\r\nTechOwlShield Monthly Report – June 2025\r\nSource: https://www.techowlshield.com/blog-detail.php?slug=monthly+report+june-2025\r\nBehind The Chrome Vault: A Guide to Decrypting Credentials\r\nSource: https://krptyk.com/2023/10/15/decrypting-chrome-credentials/\r\nSource: https://labs.k7computing.com/index.php/silent-watcher-dissecting-cmimai-stealers-vbs-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/silent-watcher-dissecting-cmimai-stealers-vbs-payload/"
	],
	"report_names": [
		"silent-watcher-dissecting-cmimai-stealers-vbs-payload"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88e7d11101b22c7ded915a3a534cfe9a26cdf1d5.pdf",
		"text": "https://archive.orkl.eu/88e7d11101b22c7ded915a3a534cfe9a26cdf1d5.txt",
		"img": "https://archive.orkl.eu/88e7d11101b22c7ded915a3a534cfe9a26cdf1d5.jpg"
	}
}