{
	"id": "63bd897e-96fe-4624-b68c-be6b62d0f437",
	"created_at": "2026-04-06T02:12:38.34905Z",
	"updated_at": "2026-04-10T03:21:49.966572Z",
	"deleted_at": null,
	"sha1_hash": "c9a3a1eb24a7046265fcf5e74d55d20ebb68c0f4",
	"title": "DeerStealer malware spread via fake Google Authenticator websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33946,
	"plain_text": "DeerStealer malware spread via fake Google Authenticator\r\nwebsites\r\nArchived: 2026-04-06 01:36:35 UTC\r\nA new malicious campaign distributing an infostealer variant dubbed DeerStealer has been identified in the wild. The\r\nmalware is spread under the guise of a fake Google Authenticator app, and the malicious binary is hosted in a\r\nGitHub repository. The malware is written in the Delphi programming language, collects confidential data from\r\nthe compromised endpoint and exfiltrates the stolen data in the form of PKZIP archives to the C2 servers controlled\r\nby the attackers.\r\nSymantec protects you from this threat, identified by the following:\r\nCarbon Black-based\r\nAssociated malicious indicators are blocked and detected by existing policies within VMware Carbon\r\nBlack products. The recommended policy at a minimum is to block all types of malware from executing\r\n(Known, Suspect, and PUP) as well as to delay execution for cloud scan to get the maximum benefit from\r\nthe VMware Carbon Black Cloud reputation service.\r\nFile-based\r\nTrojan.Gen.MBT\r\nWS.Malware.1\r\nMachine Learning-based\r\nHeur.AdvML.A\r\nHeur.AdvML.A!300\r\nHeur.AdvML.A!500\r\nHeur.AdvML.B!100\r\nHeur.AdvML.B!200\r\nHeur.AdvML.C\r\nWeb-based\r\nObserved domains/IPs are covered under security categories in all WebPulse-enabled products\r\nSource: https://www.broadcom.com/support/security-center/protection-bulletin/deerstealer-malware-spread-via-fake-google-authenticator-websites\r\nhttps://www.broadcom.com/support/security-center/protection-bulletin/deerstealer-malware-spread-via-fake-google-authenticator-websites\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.broadcom.com/support/security-center/protection-bulletin/deerstealer-malware-spread-via-fake-google-authenticator-websites"
	],
	"report_names": [
		"deerstealer-malware-spread-via-fake-google-authenticator-websites"
	],
	"threat_actors": [],
	"ts_created_at": 1775441558,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9a3a1eb24a7046265fcf5e74d55d20ebb68c0f4.pdf",
		"text": "https://archive.orkl.eu/c9a3a1eb24a7046265fcf5e74d55d20ebb68c0f4.txt",
		"img": "https://archive.orkl.eu/c9a3a1eb24a7046265fcf5e74d55d20ebb68c0f4.jpg"
	}
}