{
	"id": "e3eae557-a403-452b-98ef-c5bd565c764d",
	"created_at": "2026-04-06T00:07:01.404043Z",
	"updated_at": "2026-04-10T13:13:00.050181Z",
	"deleted_at": null,
	"sha1_hash": "d917a4725349291450d767ddf18ce820fe57bad4",
	"title": "Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1112955,
	"plain_text": "Chae$ 4: New Chaes Malware Variant Targeting Financial and\r\nLogistics Customers\r\nBy Hido Cohen \u0026 Arnold Osipov\r\nArchived: 2026-04-02 11:18:49 UTC\r\nExclusive: Morphisec Threat Labs identified Chae$ 4, an advanced and previously unknown variant of the Chaes\r\nmalware. Read this post for an abstract of the findings.\r\nDownload the full Chae$ 4 technical analysis containing exclusive details of the threat.\r\nIntroduction – Chae$ 4 \r\nAs the world of cyber threats evolves at an astonishing pace, staying ahead of these digital dangers becomes\r\nincreasingly critical for businesses. In January 2023, Morphisec identified an alarming trend where numerous\r\nclients, primarily within the logistics and financial sectors, were under the onslaught of a new and advanced\r\nvariant of Chaes malware. The sophistication of the threat was observed to increase over multiple iterations from\r\nApril to June 2023.\r\nThanks to Morphisec’s cutting-edge ransomware prevention technology, many of these attacks were thwarted\r\nbefore causing significant damage. \r\nThis isn’t just any ordinary Chaes variant. It has undergone major overhauls: from being rewritten entirely in\r\nPython, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and\r\nan enhanced communication protocol. Additionally, it now boasts a suite of new modules that further its malicious\r\ncapabilities. \r\nThe targets of this malware are not random. It has a specific focus on customers of prominent platforms and banks\r\nsuch as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask.\r\nFurthermore, dozens of CMS (Content Management) services haven’t been spared either, including WordPress,\r\nJoomla, Drupal and Magento. It’s important to note that the Chaes malware isn’t entirely new to the cybersecurity\r\nlandscape. 
Its first appearance dates back to November 2020, when researchers from Cybereason highlighted its\r\noperations primarily targeting e-commerce customers in Latin America. \r\nThe new Chaes variant has been named “Chae$ 4” (Chae$4) by Morphisec, as it is the 4th major variant,\r\nand due to a debug print in a core module saying “Chae$ 4”.\r\nChaes History \u0026 Overview \r\nIn November 2020, Cybereason released its initial research on the Chaes malware. The report highlighted that the\r\nmalware had been active since at least mid-2020, predominantly targeting e-commerce customers in Latin\r\nAmerica, especially Brazil.\r\nhttps://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers\r\nPage 1 of 7\n\nPrimarily, the malware targeted MercadoLibre users and was characterized by its multi-staged infection process,\r\nability to steal sensitive and financial data related to MercadoLibre, and its utilization of multiple programming\r\nlanguages and LOLbins. \r\nBy January 2022, Avast published a subsequent study, indicating a surge in Chaes’ activity during Q4 2021. Avast\r\ndelved deeply into the different components of the malware, shedding light on its latest updates: a refined\r\ninfection chain, enhanced communication with the C2, newly integrated modules (which they termed\r\n“extensions”), and granular details regarding each infection stage and module.\r\nA few weeks later, in February 2022, the threat actor released a response to Avast’s research as depicted in the\r\nimage below: \r\nDetermining the nature of the threat actor—be it an individual or a group—proved elusive. Highlighted portions in\r\nred hint at the possibility of a group, while the green highlights reflect personal annotations. Given the ambiguity\r\nof the actor’s identity, the designation “Lucifer” was chosen for this threat actor. 
This decision was influenced by\r\nthe name of the blog and the identifier “lucifer6,” used in encrypting communications with the C2 server. \r\nConcluding the series of developments, December 2022 marked another pivotal moment when the Tempest’s\r\nresearch group, SideChannel, unveiled further insights, introducing the malware’s adoption of WMI for system\r\ndata collection. \r\nProgressing to Version 4 \r\nThese previously mentioned research publications encompass versions 1-3 of the Chaes malware. This latest\r\niteration of Chaes unveils significant transformations and enhancements, and is labelled by Morphisec as version\r\n4. \r\nSignificant changes include:\r\nRefined code architecture and improved modularity\r\nAdded layers of encryption and increased stealth capabilities \r\nPredominant shift to Python, which undergoes decryption and dynamic in-memory execution \r\nSuperseding Puppeteer with a bespoke approach to monitor and intercept Chromium browsers’ activity \r\nAn expanded catalog of services targeted for credential theft \r\nAdoption of WebSockets for primary communication between the modules and the C2 server \r\nImplementation of DGA for dynamic resolution of the C2 server’s address \r\nGiven the depth and breadth of content in this review, the analysis is structured to cater to a wide array of\r\nreaders, ranging from SOC \u0026 CISOs to detection engineers, researchers, and security aficionados. \r\nThe analysis begins with an overview of the infection chain, which remains relatively consistent, followed by a\r\nsuccinct summary of each of the malware’s modules. Subsequent sections will delve deeper into the specifics of\r\neach stage/module. 
\r\nSince the malware employs recurring mechanisms across various stages/modules, we’ve designated a section\r\ntitled “Additional Components.” Here, readers can find intricate details about each mechanism cited throughout\r\nthe post. \r\nThis structured approach ensures readers can either glean a rapid overview of the malware or immerse themselves\r\nin its intricate components. \r\nComponents\r\nNote: Since there are no major updates in the delivery method from previous analysis and research notes (referenced\r\nearlier), this review will focus on recent developments. For those who aren’t familiar with the infection method,\r\nplease refer to the referenced research.\r\nThe infection starts by executing a malicious, almost undetected, MSI installer that usually pretends to be a JAVA\r\nJDE installer or Anti-Virus software installer. Execution of the malicious installer will cause the malware to\r\ndeploy and download its required files inside a dedicated and hard-coded folder under the\r\n%Appdata%/\u003cprotuhuese_name\u003e folder. \r\nThe folder contains Python libraries, Python executables with different names, encrypted files and Python scripts\r\nthat will be used later. Next, the malware unpacks the core module, which we call ChaesCore. ChaesCore is\r\nresponsible for setting persistence using a Scheduled Task and migrating into targeted processes. After the\r\ninitialization phase, ChaesCore starts its malicious activity and communicates with the C2 address in order to\r\ndownload and load the external modules into the infected system. \r\nThroughout this investigation, seven different modules were identified that can be updated independently without\r\nchanging the core functionality: \r\n1. Init module – the first module sent by the attacker acts as an identification / new victim registration. 
It gathers\r\nan extensive amount of data on the infected system. \r\n2. Online module – sends an ONLINE message back to the attacker. Acts like a beaconing module to monitor\r\nwhich of the victims are still active. \r\n3. Chronod module – a credential stealer and clipper. This module is responsible for intercepting browser activity\r\nto steal information from the user such as credentials sent during the login process and banking information when\r\ncommunicating with the bank’s website, and has a clipping functionality that tries to steal BTC, ETH and PIX\r\ntransfers. \r\n4. Appita module – very similar to the Chronod module in structure and purpose but looks like it specifically\r\ntargets the Itau bank’s application (itauaplicativo.exe). \r\n5. Chrautos module – an improved module based on Chronod and Appita modules. It provides better code\r\narchitecture that has the capacity to expand the targets and tasks done by the module easily. The current version\r\nfocuses on banking and WhatsApp data; however, it’s still under development. \r\n6. Stealer module – responsible for stealing data from Chromium-based browsers. Stolen data includes login\r\ndata, credit cards, cookies, and autofill. \r\n7. File upload module – has the capability to search and upload files from the infected system to the C2 server. In\r\nthe current version, the module uploads only data related to MetaMask’s Chrome extension. \r\nMost of the modules were already present in some form in previous versions, but this version provides a re-implementation for those with improved functionalities, a different code base and unique techniques for achieving\r\nits goals. 
\r\nAnother thing to note is the threat actor’s keen interest in cryptocurrency, which is denoted by the usage of the\r\nclipper to steal BTC and ETH and the file upload module that steals MetaMask credentials and files. \r\nFull Technical Analysis of Chae$ 4\r\nThe attached report dives deeper into each component of the framework, starting from the MSI installer, moving\r\non to the main component, ChaesCore, and finishing with the seven modules.\r\nFinally, the different mechanisms used by the malware author for the general malware operation will be explored. \r\nDownload the Chae$ 4 full analysis to delve deeper into the mechanics of this evolved malware, its implications,\r\nand what businesses can do to safeguard themselves.\r\nOr, hear directly from our team by watching our recent virtual event – Dancing With Lucifer: Behind the Scenes\r\nwith the Analyst that Cracked Chae$ 4.\r\nHow Morphisec Helps\r\nMorphisec’s anti-ransomware technology, Automated Moving Target Defense, uses a preventative approach to\r\ncybersecurity, using an ultra-lightweight agent to block unauthorized processes deterministically, rather than\r\nprobabilistically. Protecting over 7,000 organizations and deployed at over nine million endpoints, Morphisec’s\r\nAMTD technology prevents unauthorized code from executing, regardless of whether a recognizable signature or\r\nbehavior pattern exists. 
\r\nWith the ability to proactively prevent unknown and evasive threats such as Chae$ 4, it is no wonder that Gartner\r\ndescribed AMTD as “The future of cyber.” Read the complimentary research report to learn more.\r\nAbout the author\r\nHido Cohen\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by\r\nMicrosoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at\r\nMorphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers"
	],
	"report_names": [
		"chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d917a4725349291450d767ddf18ce820fe57bad4.pdf",
		"text": "https://archive.orkl.eu/d917a4725349291450d767ddf18ce820fe57bad4.txt",
		"img": "https://archive.orkl.eu/d917a4725349291450d767ddf18ce820fe57bad4.jpg"
	}
}