{
	"id": "efaeb5ce-8d7f-47b8-b5dd-e9a4d427028b",
	"created_at": "2026-04-06T00:08:55.26368Z",
	"updated_at": "2026-04-10T03:22:01.491176Z",
	"deleted_at": null,
	"sha1_hash": "d92de4bb089c25a61cbe45169e05ac7cb798cdbb",
	"title": "Separ Malware Plucks Hundreds of Companies’ Credentials in Ongoing Phish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58805,
	"plain_text": "Separ Malware Plucks Hundreds of Companies’ Credentials in\r\nOngoing Phish\r\nBy Lindsey O'Donnell\r\nPublished: 2019-02-20 · Archived: 2026-04-05 22:40:40 UTC\r\nAn ongoing phishing campaign is targeting hundreds of businesses to steal their email and browser credentials\r\nusing a simple – but effective – piece of malware.\r\nAn ongoing phishing campaign is using malicious PDF documents to spread Separ malware and ultimately steal\r\nvictims’ browser and email credentials.\r\nSince the attack started at the end of January, it has affected around 200 companies and over 1,000 individuals,\r\nlocated mainly in Southeast Asia, the Middle East, and North America – and the bad actors behind the attack\r\ncontinue to upload stolen data daily, researchers with Deep Instinct told Threatpost.\r\nThe campaign’s effectiveness stems from a simple but dangerous tactic used by the Separ credential-stealer for\r\nevading detection: using a combination of legitimate executable files and short scripts.\r\n“Although the attack mechanism used by this malware is very simple, and no attempt has been made by the\r\nattacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks\r\ncan be very effective,” said Guy Propper with Deep Instinct in a Tuesday post.\r\nEarlier variants of Separ have existed since November 2017, with related info-stealers being active in the wild as\r\nfar back as 2013, researchers said.\r\nWhat sets this stealer apart is its use of a simple but tricky technique dubbed “living off the land.” Hackers have\r\nused this popular tactic in the past to launch attacks based on legitimate files which are either common within the\r\norganization attacked, or are widely used administrative tools. The legitimate files can be abused to perform malicious\r\nfunctions.\r\nFor Separ, that means using very short script and batch files, as well as legitimate executables, to carry out all of\r\nits malicious business logic.\r\nThese legitimate executables, explained in more depth below, include browser-password and email-password\r\ndump tools by SecurityXploded, as well as software from NcFTP.\r\nAttack Process\r\nhttps://threatpost.com/separ-malware-credentials-phishing/142009/\r\nPage 1 of 3\r\nThe attack starts with a phishing email that contains a malicious attachment – in this case, a self-extracting\r\nexecutable posing as a decoy PDF document. According to researchers, the fake documents relate to quotations,\r\nshipments and equipment specifications, and appear to target businesses.\r\nOnce the victim clicks on the attached “PDF document,” the self-extractor calls wscript.exe to run a Visual Basic\r\nScript (VB Script) called adobel.vbs.\r\nAfter the VB Script begins running, it executes an array of short batch scripts which have various malicious\r\nfunctions. The scripts masquerade as Adobe-related programs, with the malicious scripts and executable files\r\nnamed to resemble Adobe-related programs, researchers said.\r\n“The self-extractor contains within itself all files used in the attack – a VB Script, two batch scripts and four\r\nexecutable files, with the following names: adobel.vbs, adob01.bat, adob02.bat, adobepdf.exe, adobepdf2.exe,\r\nancp.exe and Areada.exe,” researchers said. “Many of the files are named to resemble files related to Adobe.”\r\nThese scripts carry out a slew of malicious functions, which include changing the system’s firewall settings and\r\nstealing all of its email and browser credentials. Meanwhile, the malware also opens up an empty decoy .jpg\r\nimage to hide its activities from the victim.\r\nIn order to steal credentials, Separ uses password-dumping tools provided by SecurityXploded. The SecurityXploded\r\ntooling, bundled in the initial self-extractor, collects various user credentials and uploads them to the hosting service.\r\nInterestingly, the malware uses a File Transfer Protocol (FTP) client to upload its stolen data to a legitimate\r\nservice called freehostia[.]com. Both this executable and the service are legitimate, researchers said: the source of\r\nancp.exe is a real FTP software provider (NcFTP), and FreeHostia is a well-known and widely used hosting\r\nservice.\r\n“We were able to access the FTP server several times, and the growth in the number of victims was clearly visible,\r\nmeaning the attack is ongoing and successfully infecting many victims,” researchers said.\r\nOngoing Attack\r\nAccess to the hosting service used by Separ in this recent attack shows that its activity continues, and data stolen\r\nfrom many additional victims is being uploaded daily, researchers said.\r\n“The attack has affected hundreds of companies, located mainly in Southeast Asia and the Middle East, with some\r\ntargets located in North America,” said Propper. “Based on the names of the fake documents which initiate the\r\nattack, it appears the attacker is targeting business organizations, as most fake documents appear to be concerned\r\nwith quotations, shipments and equipment specifications.”\r\nResearchers urged potential victims to restrict the use of scripts and scripting tools in their firms and to avoid\r\nclicking on unknown or untrusted links: “Infection through social engineering is the most common method of\r\ninfection,” said Propper.\r\nSource: https://threatpost.com/separ-malware-credentials-phishing/142009/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/separ-malware-credentials-phishing/142009/"
	],
	"report_names": [
		"142009"
	],
	"threat_actors": [],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d92de4bb089c25a61cbe45169e05ac7cb798cdbb.pdf",
		"text": "https://archive.orkl.eu/d92de4bb089c25a61cbe45169e05ac7cb798cdbb.txt",
		"img": "https://archive.orkl.eu/d92de4bb089c25a61cbe45169e05ac7cb798cdbb.jpg"
	}
}