{
	"id": "5c2db886-96b5-4ea7-a534-917a7218c539",
	"created_at": "2026-04-06T00:14:25.060966Z",
	"updated_at": "2026-04-10T03:36:48.306306Z",
	"deleted_at": null,
	"sha1_hash": "9843ce975fc4f03006395ea2f8d1f84c9a6b67b3",
	"title": "SVC New Stealer on the Horizon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 852825,
	"plain_text": "SVC New Stealer on the Horizon\r\nBy Manoj Neelamegam\r\nPublished: 2025-03-21 · Archived: 2026-04-05 13:52:03 UTC\r\nSvcStealer 2025 is a new strain of information stealer delivered through spear-phishing email attachments. We observed SvcStealer campaign activity at the end of January 2025. The malware harvests sensitive data such as machine information, installed software, user credentials, and data from targeted cryptocurrency wallets, messaging applications and browsers. It sends the gathered data to the threat actor’s C2 panel and can download another malware family from the C2 server.\r\nThe threat actors behind SvcStealer could sell the gathered details on underground forums and criminal marketplaces.\r\nTechnical Analysis:\r\nSeqrite observed SvcStealer in the wild during threat hunting. The malware is written in Microsoft Visual C++. Initially, it forms an 11-byte alphanumeric value by obtaining the volume serial number of the victim host’s root directory and performing an arithmetic operation on it, as shown in Fig 1.\r\nFig 1: Generating the folder name\r\nThe malware then checks whether a folder with that 11-byte alphanumeric name already exists in “C:\\ProgramData”. If it does not, the malware creates the folder; if it does, the malware terminates so that a second instance does not run on the victim’s system, similar to creating a mutex.\r\nhttps://www.seqrite.com/blog/svc-new-stealer-on-the-horizon/\r\nPage 1 of 10\r\nFig 2: Creating the folder\r\nOnce it has created this folder, the malware terminates the following processes if they are running on the system, to avoid monitoring by system administrators and security analysts.\r\nProcess names: Taskmgr.exe, ProcessHacker.exe, procexp.exe, procexp64.exe\r\nFig 3: Terminating the processes\r\nIt then harvests cryptocurrency wallet data from the victim host and saves the details in a “Wallets” folder.\r\nFig 4: Harvesting wallet data\r\nSimilarly, it harvests data from targeted messaging software, FTP clients and browsers (passwords, credit card details, history, etc.), together with system information (System_info.txt), user credentials, installed application details (Software_Info.txt), the processes running on the victim’s host along with their PIDs (Windows_Info.txt), a screenshot (Screenshot.jpg) and files with targeted extensions, and stores the extracted details in the folder shown in Fig 2.\r\nList of targeted messengers: 64gram, Discord, Telegram, Tox\r\nList of targeted browsers: Microsoft Edge, Brave, Chromium, Google Chrome, Chrome Canary, Opera, Opera GX, Opera Crypto, Vivaldi, Yandex, Comodo, UC Browser.\r\nList of targeted file extensions: .jpg, .pdf, .docx, .csv, .sql, .cpp, .h, .dat, .wallet, .pkey\r\nFig 5: Collected info details\r\nFig 6: SvcStealer obtaining system details\r\nOnce it has collected all the information from the victim’s host, it compresses the “C:\\ProgramData\\64A6547CE12C1013156883” folder into a ZIP file, as shown in Fig 7.\r\nFig 7: Compressing the collected info\r\nIt then tries to establish a connection to the C2 server on port 80. Once the C2 connection has been established, the malware uploads the collected details in a POST request and registers the victim machine in the C2 panel. If the C2 session is not yet created, it waits for 5 seconds (sleep) and keeps beaconing to the C2 server until it gets a successful session.\r\nFig 8: Sending harvested details to the C2 server\r\nOnce it has sent the collected details to the C2 server, it deletes the compressed ZIP file and the files it stored in “C:\\ProgramData\\64A6547CE12C1013156883” to wipe out its traces and prevent security analysts and security tools from tracing them.\r\nFig 9: Deleting traces of the folder\r\nIt generates a UID from the volume serial number in the same way as the folder name shown in Fig 2 (the threat actor uses this UID in the screenshot-capture command for the victim machine), then beacons to the C2 panel, sleeping 5 seconds between attempts, until it gets a successful session. It has two C2 IP addresses, the second serving as an alternative in case the first C2 is not reachable.\r\nFig 10: Beaconing to the C2 panel (alternative IP address)\r\nOnce it successfully establishes the connection to the C2 server, it takes a screenshot, saves it as Screenshot.jpg in “C:\\Users\\username\\AppData\\Roaming”, then sends the captured screenshot to the C2 panel in a POST request.\r\nFig 11: Sending captured details to the C2 panel\r\nAlong with the UID, the malware sends a tsk (task) command to the C2 panel. Once it receives a response from the C2 server, it downloads a file from the URL specified in that response, saves it as temp_[4-digit number based on the current system time].exe in either C:\\Users\\username\\AppData\\Local\\Temp\\ or C:\\Users\\username\\AppData\\Roaming (the location is also specified in the C2 response), and executes the downloaded file via ShellExecuteW. The malicious C2 domain was not reachable at the time of analysis; the downloaded file is possibly another malware family.\r\nFig 12: Downloading another malware family\r\nIOCs:\r\nDetections:\r\nTrojanSpy.SvcStealer.S35070558, TjnSpy.SvcStealer.S35070557\r\nYara rule:\r\nimport \"pe\"\r\nrule SvcStealer\r\n{\r\n    strings:\r\n        $svc1 = { 88 44 24 5A 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5B 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5C 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5D }\r\n        $svc2 = { 2f 73 76 63 73 74 65 61 6c 65 72 2f 67 65 74 2e 70 68 70 }\r\n        $svc3 = \"SvcStealer\" wide ascii\r\n        $svc4 = { 53 63 72 65 65 6E 73 68 6F 74 2E 6A 70 67 }\r\n    condition:\r\n        all of them\r\n}\r\nMITRE ATT&CK TTPs:\r\nTactic: Technique / Procedure\r\nInitial Access: T1566.001 Phishing: Spearphishing Attachment\r\nDefense Evasion: T1070.004 Indicator Removal: File Deletion\r\nCredential Access: T1056.001 Input Capture: Keylogging; T1552.001 Unsecured Credentials: Credentials In Files\r\nDiscovery: T1012 Query Registry; T1518 Software Discovery; T1057 Process Discovery; T1082 System Information Discovery; T1083 File and Directory Discovery\r\nCollection: T1560 Archive Collected Data; T1056.001 Input Capture: Keylogging; T1113 Screen Capture\r\nCommand and Control: T1071 Application Layer Protocol\r\nConclusion:\r\nThreat actors deliver this malware through spear phishing with malicious documents, Excel files or executable binaries attached; users should avoid opening such suspicious emails. The SvcStealer developer could act as an initial access broker (IAB). The malware implements evasive techniques by deleting the files and folder it created and by killing monitoring processes. It could also download additional payloads such as a botnet. It ensures that only one instance runs on the victim’s machine by generating the folder name from the volume serial number.\r\nSource: https://www.seqrite.com/blog/svc-new-stealer-on-the-horizon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/svc-new-stealer-on-the-horizon/"
	],
	"report_names": [
		"svc-new-stealer-on-the-horizon"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9843ce975fc4f03006395ea2f8d1f84c9a6b67b3.pdf",
		"text": "https://archive.orkl.eu/9843ce975fc4f03006395ea2f8d1f84c9a6b67b3.txt",
		"img": "https://archive.orkl.eu/9843ce975fc4f03006395ea2f8d1f84c9a6b67b3.jpg"
	}
}