{
	"id": "a8aed56d-6784-4896-b96d-9f48086273f5",
	"created_at": "2026-04-06T00:22:03.068253Z",
	"updated_at": "2026-04-10T03:20:52.907423Z",
	"deleted_at": null,
	"sha1_hash": "cb4155efbcf5f0fecf6bf3ffa15ddb5076aa930d",
	"title": "Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2371098,
	"plain_text": "Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 19:02:49 UTC\r\nIn ongoing efforts to monitor and analyze emerging cyber threats, Morphisec Threat Labs has recently turned its focus to Chae$ 4.1, an update to the Chaes malware Infostealer series. This version introduces key updates, including an improved Chronod module, and features a unique aspect: a direct message to the Morphisec team within the source code.\r\nIntroduction\r\nThis blog post will briefly touch upon the updates in Chae$ 4.1 and mention Morphisec’s initial interaction with the hackers. It will also cover several previously unknown details of the delivery chain.\r\nFor those interested in an in-depth technical analysis, we have prepared a comprehensive report on Chae$ 4.1, available for download.\r\nDownload the full Chae$ 4.1 technical analysis containing exclusive details.\r\nThe Chae$ authors dedicated parts of their source code to the Morphisec researchers\r\nInfection Chain\r\nhttps://blog.morphisec.com/chaes-chronicles\r\nPage 1 of 8\r\nThe infection chain starts with an email written in Portuguese, which purports to be an urgent communication request from a lawyer regarding a legal case. The email pressures the victim with an urgent call for a “prompt response”, or else risk highly adverse legal repercussions. The email includes a link and a password to access the document from that link.\r\nDelivery via Attacker-Controlled Websites\r\nUpon clicking the provided link, the victim is redirected to https://totalavprotection[.]shop/abrirProcesso.php?email=\u003cvictims_email\u003e. The victim is then prompted to input the provided password to download the document, which is a ZIP file. The same website, https://totalavprotection[.]shop, additionally functions as a deceptive TotalAV website, delivering the MSI installer directly without the intermediary step of a ZIP file.\r\nYet another website, https://www.webcamcheck[.]online/, delivers the malicious payload directly as an MSI installer. It allegedly scans the machine for risks and suggests updating the machine’s driver after “scanning”. After the victim clicks the BLOCK button (marked in red), a JavaScript is executed in the background. The script is designed to mimic the appearance of a legitimate system scan. During the simulated scan, a hardcoded list of files is presented, giving the illusion of a comprehensive analysis of the victim’s computer.\r\nFollowing the scan, the victim is shown a crafted message, “Security Risk Detected”, which urges the victim to download an updated driver to install the latest version and eliminate the risk.\r\nClicking the button triggers the execution of a script named download.js, whose purpose is to smuggle the malicious installer by decoding a zipped base64 blob. Once the installer is launched, Chae$ 4.1 is activated.\r\nChae$ 4.1 — Changes\r\nFrom this point onward, the attack chain remains similar to Morphisec’s previous analysis, except for some adjustments in the Chae$ framework. It has advanced from version 4 to 4.1, primarily characterized by modifications in the Chronod module.\r\nThe full components of Chae$, as reviewed in the analysis of Chae$ 4\r\nIn fact, the advancement to Chae$ 4.1 is clearly shown in debug messages:\r\nFollowing successful activation, exfiltrated data is delivered to the threat actor’s C2. Examining the C2s employed throughout distinct phases of the framework unveils the presence of the Chae$ team panel login page.\r\nFull Technical Analysis of Chae$ 4.1\r\nThe attached report dives deeper into the new Chae$ variant. Read the full Chae$ 4.1 analysis to delve deeper into the mechanics of this evolved malware, its implications, and what businesses can do to safeguard themselves.\r\nHow Morphisec Helps\r\nMorphisec’s Automated Moving Target Defense (AMTD) technology uses a preventative approach to cybersecurity, using an ultra-lightweight agent to block unauthorized processes deterministically, rather than probabilistically. Protecting over 7,000 organizations and deployed at over nine million endpoints, Morphisec’s ransomware prevention technology prevents unauthorized code from executing, regardless of whether a recognizable signature or behavior pattern exists.\r\nIf you don’t believe us, ask the Chae$ group:\r\nMorphisec researchers were contacted by the threat actors, leading to an interesting exchange…\r\nSchedule a demo to experience Morphisec’s advanced anti-ransomware, endpoint protection and risk-based vulnerability prioritization. Reduce Risk Now.\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/chaes-chronicles",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/chaes-chronicles"
	],
	"report_names": [
		"chaes-chronicles"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb4155efbcf5f0fecf6bf3ffa15ddb5076aa930d.pdf",
		"text": "https://archive.orkl.eu/cb4155efbcf5f0fecf6bf3ffa15ddb5076aa930d.txt",
		"img": "https://archive.orkl.eu/cb4155efbcf5f0fecf6bf3ffa15ddb5076aa930d.jpg"
	}
}