{
	"id": "6b2c4420-780f-4a63-9d60-d6679aa5ae03",
	"created_at": "2026-04-06T00:17:42.987241Z",
	"updated_at": "2026-04-10T03:37:08.704173Z",
	"deleted_at": null,
	"sha1_hash": "e68d1203807669a8401b55e2bb14e0795274e3ab",
	"title": "Taurus The New Stealer in Town | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1711048,
	"plain_text": "Taurus The New Stealer in Town | Zscaler Blog\r\nBy Avinash Kumar, Uday Pratap Singh\r\nPublished: 2020-06-26 · Archived: 2026-04-05 20:30:38 UTC\r\nA sandbox is a valuable tool in the ongoing battle against cybercriminals, and bad actors are continually looking for ways to avoid detection. One of the newest ones we observed, Taurus, includes techniques to evade sandbox detection. Was this new malware able to go undetected by the Zscaler Cloud Sandbox? (Spoiler alert: It wasn't.) Let's take a closer look at the Taurus stealer.\r\nIn early June 2020, we observed and began tracking a new malware campaign. During our research, we observed that the \"Predator the Thief\" cybercriminal group is behind the development of this stealer, named Taurus, and is selling it on dark forums for $100, or rebuilt with a new domain for $20.\r\nThe group selling Taurus claims that this stealer is capable of stealing passwords, cookies, and autofill forms, along with the history of Chromium- and Gecko-based browsers. Taurus can also steal some popular cryptocurrency wallets, commonly used FTP client credentials, and email client credentials. This stealer also collects information, such as installed software and system configuration, and sends that information back to the attacker.\r\nTaurus is designed to not execute in countries within the Commonwealth of Independent States (CIS), which includes Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine. (Turkmenistan and Ukraine are both unofficial members of the organization. Georgia was a member of the CIS but left the group in 2008.)\r\nInfection cycle\r\nFigure 1: Infection cycle of the Taurus campaign\r\nDistribution method\r\nWhile tracking the campaign, we noticed that the attackers initiated it by sending a spam email to the victim containing a malicious attachment. Below are the details of the spam email we observed:\r\nFrom: \"info@daqrey.site\"\r\nhttps://www.zscaler.com/blogs/research/taurus-new-stealer-town\r\nPage 1 of 11\r\nReceived: from daqrey.site (unknown [91.191.184.35])\r\nDate: Fri, 5 Jun 2020 16:56:35\r\nSubject: Penalty Charge Notice\r\nAttachment: pay-violation1011066.doc\r\nThe attachment (pay-violation1011066.doc) contained malicious macro code to download further payloads.\r\nFigure 2: The attached malicious doc asks users to enable a macro.\r\nInstallation\r\nOnce the document is opened, it prompts the user to enable the macro. Once the content is enabled, an AutoOpen() subroutine is called, which runs the malicious Visual Basic for Applications (VBA) macro. The macro executes a PowerShell script that uses BitsTransfer to download three different files of the Taurus project from GitHub and saves them in the Temp folder with predefined names.\r\nFigure 3: The obfuscated VBA macro code\r\nThe macro stores the URL of the payload using a combination of two obfuscations: Base64 encoding and string reversal.\r\nUpon decoding the obfuscated macro code, we see the PowerShell script, as shown in Figure 4.\r\nFigure 4: The decoded PowerShell script used to download the payload.\r\nThese three files are downloaded from GitHub and dropped in the %Temp% directory. The three files are:\r\n1. GeTNht.com → saved with the name “j2tyq.com” → legitimate AutoIt3.exe\r\n2. bAMI.com → saved with the name “st6zh” → Base64-encoded AutoIt script with a certificate header\r\n3. wsNcf.com → saved with the name “wsNcf.com” → Taurus stealer\r\nHere, PowerShell uses the Certutil.exe command to decode the payload and execute it on the victim's machine.\r\nThe Twitter handle @3xp0rt, which exposes documents from a Russian hacking forum, shows some of the claims of the Taurus project.\r\nFigure 5: The stealing capabilities claimed by the Taurus project.\r\nThe author claims that Taurus has the following stealing capabilities:\r\nStealing cookies, autofill form details, browsing history, and credit card information from Chromium- and Gecko-based browsers\r\nStealing cookies and passwords from the Microsoft Edge browser\r\nStealing credentials of some cryptocurrency wallets, including Electrum, MultiBit, Ethereum, Jaxx Liberty, Bytecoin, Atomic, and Exodus\r\nStealing credentials of FTP clients, including FileZilla, WinFTP, and WinSCP\r\nStealing session files from applications, including Discord, Steam, Telegram, and Authy\r\nStealing account information of the Battle.Net service\r\nStealing Skype history\r\nStealing credentials from NordVPN\r\nStealing credentials from Pidgin, Psi+, and Psi\r\nStealing credentials from Foxmail and Outlook\r\nCollecting system information, such as system configuration and the list of installed software\r\nFigure 6: The Taurus login panel.\r\nThe Taurus project has also built a dashboard where the attacker can keep an eye on infection counts by geolocation.\r\nFigure 7: The Taurus dashboard showing infection counts by geolocation.\r\nThis dashboard also gives the attacker the ability to customize the configuration of Taurus.\r\nFigure 8: The attacker can update the configuration of Taurus in the dashboard.\r\nTechnical analysis of the payload\r\nOnce PowerShell downloads the three different files from the GitHub repository, it uses the utility “Certutil.exe” to decode the payload. Of the three downloaded files, the first is the AutoIt interpreter, which is used to run the decoded AutoIt script. Certutil.exe then decodes the second file, a Base64-encoded AutoIt script with a certificate as its header. This AutoIt script decrypts the third file, which is the Taurus stealer.\r\nAfter deobfuscating the AutoIt script, we noticed that it has multiple anti-sandbox techniques. It checks for a patched Sleep function in the sandbox using the GetTickCount API.\r\nFigure 9: The anti-sandbox check with the GetTickCount API.\r\nIt also checks for the existence of specific files, the computer name, and internet connectivity using the Ping function.\r\nFigure 10: Taurus performs multiple checks for files, the computer name, and internet connectivity.\r\nFinally, the AutoIt script reads and decodes the wsNcf.com file, then loads the deobfuscated shellcode that injects the decoded payload into dllhost.exe.\r\nFigure 11: Building the path for dllhost.exe.\r\nFigure 12 shows details of the deobfuscated shellcode, which injects the payload.\r\nFigure 12: The shellcode checking for the executable to inject into dllhost.exe.\r\nBefore the stealer begins its actual activity, the malicious program loads its configuration into memory step by step.\r\nFigure 13: Storing the config in memory.\r\nWe were then able to observe the further activity of the malicious program, which is the actual purpose of this malware: stealing.\r\nFigure 14 shows the system information being fetched by the stealer.\r\nFigure 14: The system information fetched by the stealer.\r\nFileless approach\r\nWhile disassembling the code, we found that all the stolen data is sent as a Zip file. The interesting part is that the malware allocates memory for the Zip file and embeds it directly in the request data, rather than writing it to disk.\r\nFigure 15: All the stolen data is put into a Zip file.\r\nNetwork communication\r\nAfter zipping all the stolen data, the malicious program tries to send it to a command-and-control (C\u0026C) server, building the URL at run time from a value that is pre-defined in the malicious program (XOR-encoded, of course).\r\nFigure 16: Building the URL to send the stolen data to the C\u0026C.\r\nURL pattern: http:///gate/cfg/?post=\u0026data=\r\nCloud Sandbox detection\r\nWe analyzed the sample in the Zscaler Cloud Sandbox, which successfully detected the malware.\r\nFigure 17: The Zscaler Cloud Sandbox successfully detected the malware.\r\nConclusion\r\nWe are actively monitoring for new threats in the Zscaler cloud to protect our customers. We have added details of this malware to our threat library.\r\nVBA - https://threatlibrary.zscaler.com/threats/3e4e094a-66e1-407a-8b42-7a683a54bfb1/\r\nEXE - https://threatlibrary.zscaler.com/threats/b26933a4-31f8-4618-a6cf-775f8a383116/\r\nMITRE ATT\u0026CK TTP Mapping\r\nT1064 Macros in document used for code execution\r\nT1086 PowerShell commands to execute payloads\r\nT1132 Data Encoding\r\nT1020 Automated Exfiltration\r\nT1003 Credential Dumping\r\nT1503 Credentials from Web Browser\r\nT1539 Steal Web Session Cookie\r\nT1106 Execution through API\r\nT1518 Software Discovery\r\nIndicators of Compromise (IOCs)\r\nECCD93CFA03A1F1F4B2AF649ADCCEB97 - Doc file\r\n3E08E18CCC55B17EEAEEDF3864ABCA78 - Encrypted AutoIt script\r\n221BBAC7C895453E973E47F9BCE5BFDC - Encrypted Taurus stealer\r\n5E3EA2152589DF8AE64BA4CBB0B2BD3B - Decrypted Taurus stealer\r\nCnC:\r\nbit-browser[.]gq\r\nAtest001[.]website\r\nPanel\r\n64.225.22[.]106/#/login\r\nSource: https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/taurus-new-stealer-town"
	],
	"report_names": [
		"taurus-new-stealer-town"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434662,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e68d1203807669a8401b55e2bb14e0795274e3ab.pdf",
		"text": "https://archive.orkl.eu/e68d1203807669a8401b55e2bb14e0795274e3ab.txt",
		"img": "https://archive.orkl.eu/e68d1203807669a8401b55e2bb14e0795274e3ab.jpg"
	}
}