{
	"id": "d1547a09-3b1a-4be7-8e02-d7b5b8838e62",
	"created_at": "2026-04-06T03:35:45.885017Z",
	"updated_at": "2026-04-10T03:36:48.447616Z",
	"deleted_at": null,
	"sha1_hash": "a48016660188c0847e6f653908103da64cfdd888",
	"title": "How malware steals autofill data from browsers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49863,
	"plain_text": "How malware steals autofill data from browsers\r\nBy Sergey Golubev\r\nPublished: 2019-08-07 · Archived: 2026-04-06 03:12:12 UTC\r\nMost browsers kindly offer to save your data: account credentials, bank card details for online stores, billing\r\naddress, name, and passport number for travel sites, and so on. It’s convenient and saves having to fill out the\r\nsame forms all over again or worry about forgotten passwords. However, there is a catch: All of this autofill data\r\ncan be scooped up by cybercriminals if your computer gets infected by a stealer — a piece of malware that steals\r\ninformation, including from browsers.\r\nSuch programs are becoming increasingly popular with online scammers: In the first half of this year alone,\r\nKaspersky’s security products detected more than 940,000 stealer attacks. That is a one-third increase from the\r\nsame period of 2018.\r\nStrictly speaking, stealers are interested in more than just browsers’ autofill data — they are also looking for\r\ncryptocurrency wallets and gaming data, and they steal files from the desktop as well (we hope you don’t store\r\nvaluable information there, such as password lists).\r\nHowever, browsers have become a hub of work and play, including shopping, banking and more, and are often a\r\nsource of far more confidential information than other programs. Let’s take a look at how stealers get their\r\nthieving hands on browser data.\r\nHow browsers store your autofill data\r\nBrowser developers seek to protect the information entrusted to them. To do so, they encrypt it, and decryption is\r\npossible only on the same device and from the same account that saved it. So if someone simply steals a file with\r\nautofill data, they won’t be able to use it — everything in it is securely encrypted.\r\nBut, there’s a but. 
By default, browser developers assume that your device and account are well protected,\r\nmeaning that any program running from your account on your computer is acting on your behalf and therefore\r\nshould be able to extract and decrypt saved data. Unfortunately, this also applies to malware that has penetrated\r\nthe device and is running under your account.\r\nThe only browser that offers extra protection for stored data against third parties is Firefox, which allows you to\r\ncreate a master password that you have to enter when you need the data to be decrypted and used for autofill.\r\nHowever, this option is disabled by default.\r\nHow malware steals data from Chrome\r\nGoogle Chrome and other browsers based on the Chromium engine (such as Opera and Yandex.Browser) always\r\nstore user data in the same well-known place under the user profile, so stealers have no problem finding it. In\r\ntheory at least, this data is stored in encrypted form. However, if the malware has already penetrated the system,\r\nthen its actions are done in your name.\r\nTherefore, the malware simply puts in a polite request to the browser’s data encryption tool (on Windows, the\r\nsystem’s Data Protection API, DPAPI, which decrypts for any process running as the account that encrypted) to\r\ndecrypt information stored on your computer. Because a request that appears to come from the user is trusted by\r\ndefault, the stealer gets back all your passwords and credit card details in clear text.\r\nHow malware steals data from Firefox\r\nFirefox operates a bit differently. To hide password databases and more from strangers, the browser creates a\r\nprofile folder with a randomized name, so the malware cannot know in advance where to look for it. 
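The Chrome paragraph above describes the whole trick: the data is encrypted, but decryption is available to anything running as the user. What follows is an added example (not code from the Kaspersky article) that demonstrates exactly that property on Windows with the Data Protection API (DPAPI), which is what Chrome on Windows used for its saved passwords when the article was written; newer Chrome releases layer more on top (an AES key kept in the Local State file, and since 2024 app-bound encryption), but the user-scope DPAPI step shown here is the mechanism the article describes. A second process plays the stealer: it is never told any secret, yet it decrypts the blob. The variant with DPAPI optional entropy stands in for the extra user-held secret the article attributes to Firefox's master password (Firefox does not use DPAPI for this, so that part is an analogy only). The sample secret, the temp directory and the environment variable name are constructed for the demo; it targets Windows PowerShell 5.1, which is also the powershell.exe it launches as the child.

```powershell
# Added example, not code from the Kaspersky article: shows that user-scope DPAPI
# (what Chrome on Windows used for saved passwords) lets ANY process running under
# the same Windows account decrypt the blob, and that an extra secret held only by
# the user (DPAPI optional entropy here, standing in for Firefox's master password)
# defeats that. Windows only. The secret value, the temp directory name and the
# environment variable name are constructed for this demo.
Add-Type -AssemblyName System.Security

$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [Text.Encoding]::UTF8.GetBytes('demo card 4111 1111 1111 1111, not real')
$entropy = [Text.Encoding]::UTF8.GetBytes('secret only the user knows')

# 1. The browser's side: protect the data the way Chrome does, i.e. user-scope
#    DPAPI with no additional entropy, and also with entropy for comparison.
$plainBlob = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$keyedBlob = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

$blobDir = Join-Path $env:TEMP 'dpapi-autofill-demo'
New-Item -ItemType Directory -Force -Path $blobDir | Out-Null
[IO.File]::WriteAllBytes((Join-Path $blobDir 'plain.bin'), $plainBlob)
[IO.File]::WriteAllBytes((Join-Path $blobDir 'keyed.bin'), $keyedBlob)
$env:DPAPI_DEMO_DIR = $blobDir   # hand the location to the child process

# 2. The stealer's side: a SEPARATE process, same account, no password, no browser.
#    It reads the files and asks DPAPI to unprotect them on the user's behalf.
#    Single-quoted here-string: nothing is expanded by the parent.
$stealer = @'
Add-Type -AssemblyName System.Security
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser
foreach ($name in 'plain.bin', 'keyed.bin') {
    $blob = [IO.File]::ReadAllBytes((Join-Path $env:DPAPI_DEMO_DIR $name))
    try {
        $clear = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        $name + ' -> decrypted: ' + [Text.Encoding]::UTF8.GetString($clear)
    } catch {
        $name + ' -> FAILED: ' + $_.Exception.GetType().Name
    }
}
'@
# -EncodedCommand takes base64 of the UTF-16LE script, which avoids quoting issues.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stealer))
$output  = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
$output

# Clean up the demo files and the environment variable.
Remove-Item -Recurse -Force $blobDir
$env:DPAPI_DEMO_DIR = $null
```

Run it in an ordinary (non-elevated) session: the child process recovers plain.bin without being given anything but the file, which is the situation the article describes for a stealer running under your account, while keyed.bin fails with a CryptographicException because the entropy never left the parent. The same check is worth repeating as a different local user: both files then fail, which is the protection the article credits DPAPI with, and which is why the stealer must run as you rather than merely copy the files.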
However, the name of\r\nthe file with the saved data does not change, so there is nothing to prevent the stealer from sifting through all\r\nprofiles (the folders containing them are stored in one place) and identifying the desired file.\r\nAfter that, the malware asks Firefox’s own cryptographic library (NSS, which ships with the browser) to decrypt\r\nthe files, and it succeeds, because without a master password the key is protected only by what is already on\r\ndisk and the request supposedly comes from you.\r\nHow malware steals data from Internet Explorer and Edge\r\nNative Windows browsers use special storage for your data. The precise method and type of storage depend on the\r\nversion of the application, but regardless, the reliability leaves much to be desired. Here, too, the malware can\r\neasily retrieve your passwords and credit card details by requesting them from storage, seemingly on your behalf.\r\nThe problem is that the malware’s request for the decryption of browser data appears to come from the user, so the\r\nbrowser has no reason to say no.\r\nWhat happens to data stolen by the stealer?\r\nOnce the malware has the autofill data in plain text, it sends it back to the cybercriminals. From there, either of\r\ntwo scenarios may unfold. The malware’s handlers can use it themselves or, more likely, sell it to other\r\nmalefactors on the black market, where such products are always highly prized.\r\nEither way, if usernames and passwords were among the stored information, the crooks will likely steal a couple\r\nof your accounts and try to finagle money out of your friends. 
If you saved bank card data in the browser, the\r\nlosses could be more direct; your money will either be spent or transferred elsewhere.\r\nStolen accounts can be used for many other purposes too, from spamming and promotion of websites or apps, to\r\ndistributing malware and laundering money stolen from others (and if the police get involved, they may come\r\nknocking on your door).\r\nHow to protect data from stealers\r\nAs you can see, if malware penetrates your computer, data stored in the browser is at risk, and with it your\r\nfinances and reputation. To avoid such a situation:\r\nDo not entrust important information such as bank card details to your browser for safekeeping. Instead,\r\nenter them manually each time — it takes longer but is safer. You can also store passwords in a dedicated\r\npassword manager, provided it is locked with its own master password: an unlocked store is just as exposed to a\r\nstealer running under your account as the browser is.\r\nIf you use Firefox, you can protect browser-stored data with a master password (called Primary Password in\r\ncurrent Firefox versions). To do so, click on the three bars in the upper right corner of the browser and select\r\nOptions, go to the Privacy \u0026 Security tab, scroll down to Logins and Passwords, and select the Use a master\r\npassword box. The browser will ask you to create this password — the longer and more complex, the harder it will\r\nbe for attackers to crack.\r\nMost important: The best way to safeguard data is to prevent malware from getting onto your computer in\r\nthe first place. To do so, install a reliable security solution that will keep infections at bay. No malware, no\r\nproblem!\r\nSource: https://www.kaspersky.com/blog/browser-data-theft/27871/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.kaspersky.com/blog/browser-data-theft/27871/"
	],
	"report_names": [
		"27871"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446545,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a48016660188c0847e6f653908103da64cfdd888.pdf",
		"text": "https://archive.orkl.eu/a48016660188c0847e6f653908103da64cfdd888.txt",
		"img": "https://archive.orkl.eu/a48016660188c0847e6f653908103da64cfdd888.jpg"
	}
}