{
	"id": "de85b467-6071-43a6-94d6-5b1f99c7fbec",
	"created_at": "2026-04-06T01:30:36.689349Z",
	"updated_at": "2026-04-10T03:37:08.784016Z",
	"deleted_at": null,
	"sha1_hash": "e7381a0b7b7fb61e1b368b8771f0bea0e543ca61",
	"title": "New Infostealer ‘ColdStealer’ Being Distributed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 553564,
	"plain_text": "New Infostealer ‘ColdStealer’ Being Distributed\r\nBy ATCP\r\nPublished: 2022-02-20 · Archived: 2026-04-06 00:09:52 UTC\r\nThe ASEC analysis team has discovered the distribution of ColdStealer, which appears to be a new type of infostealer. The malware disguises itself as a software download for cracks and tools, a distribution method that has been mentioned multiple times in previous ASEC blog posts.\r\nThere are two cases for this type of malware distribution:\r\n1. Distributing a single type of malware such as CryptBot or RedLine\r\n2. Dropper-type malware decompressing and executing various internal malware strains\r\nColdStealer was distributed with the second method. For more information, check the following blog post.\r\nVarious Types of Threats Disguised as Software Download Being Distributed\r\nThe downloader malware exists within the dropper malware. When the downloader is run, it downloads ColdStealer from the C2 server. The following figure shows the process.\r\nFigure 1. Infection process of ColdStealer\r\nColdStealer has a structure of multiple packing layers. It currently uses the .NET obfuscation packing method, yet it was initially possible to obtain the original version, which was built using process hollowing and the .NET load packing method.\r\nhttps://asec.ahnlab.com/en/32090/\r\nPage 1 of 7\r\nAs its name suggests, ColdStealer is an infostealer, a simple type of malware that collects various user information and sends it to C2. It is written in .NET, and as it has simple features, its size is a mere 80KB. As the namespace of the sample that appears to be the build of the original source is “ColdStealer,” the malware was named as such.\r\nFigure 2. ColdStealer\r\nWhen the infostealer collects the information to be stolen, it saves that information in ZIP form in memory instead of as files. To do so, it uses source code made public on GitHub. After collecting the information, it sends the memory streams to C2. Doing so allows the malware to evade detection, as there are no traces of files or execution.\r\nFigure 3. Uses ZIP streams when collecting information\r\nThe infostealer has six main features:\r\nStealing browser information\r\nStealing cryptocurrency wallet information\r\nStealing files\r\nStealing FTP server information\r\nStealing system information\r\nSending exception (error) information\r\nStealing browser information\r\nTargets are multiple Chromium-based browsers, Opera, and Firefox. The list of targeted Chromium-based browsers is as follows:\r\nBattle.net, Chromium, Google Chrome, Google Chrome (x86), MapleStudio ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements, Epic, uCozMedia Uran, Sleipnir5, Citrio, Coowon, Liebao, QIP Surf, Orbitum, Comodo Dragon, Amigo, Torch, Yandex Browser, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom, BraveSoftware, Microsoft Edge, Nvidia, Steam, CryptoTab\r\nTable 1. List of targets (Chromium-based browsers)\r\nFigure 4. Code for collecting information of Chromium browsers\r\nThe code is written to support the latest versions of these browsers. The malware collects IDs, passwords, cookies, and web data files saved in the browser. Browser extensions are also enumerated, meaning the extensions on the list below are targeted for collection as well. The list was found to include sensitive extensions related to cryptocurrency wallets and user authentication.\r\nMetamask, YoroiWallet, Tronlink, NiftyWallet, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, RoninWallet, PhantomWallet, Arweave, Auro, Celo, Clover, Coin98, Crypto.com, Cyano, Cyano PRO, Dune, Fractal, Gero, Harmony, Hiro, Iconex, Kardia Chain, Keplr, KHC, Lamden, Liquality, Maiar, Mew CEX, Mobox, NeoLine, Nami, Oasis, Polymesh, Rabby, Solflare, Sollet, Solong, Temple, Terra Station, TezBox, Theta, XDeFi, ZebeDee, Authenticator CC\r\nTable 2. List of browser extension programs targeted for collection\r\nInstead of stealing entire files, the malware is written to parse the files internally and send only the necessary information. However, as it does not account for Unicode encoding, an error occurs when it tries to parse the browser data files (SQLite format) on Windows systems whose system language is Korean.\r\nFigure 5. SQLite parsing error\r\nWhen the parsing is successful, the browser access record is saved in “Domain.text”, while account IDs and passwords are saved in “Passwords.text”.\r\nFigure 6. Collected browser passwords (example)\r\nStealing files\r\nFiles on the desktop and in the subdirectories of the user account are targeted. The malware collects any file whose name contains the string “wallet” or that has the .txt or .dat extension.\r\nFigure 7. Code for collecting files\r\nStealing FTP server information\r\nCollects the list of servers and the passwords saved in FileZilla, the most common FTP client.\r\nFigure 8. Code for collecting FTP server information\r\nStealing system information\r\nCollects various system information including the Windows version, language, CPU type, clipboard data, execution privileges, etc.\r\nFigure 9. Code for collecting system information\r\nStealing cryptocurrency wallet information\r\nCollects information on the wallet programs saved in the Roaming directory, the Local directory, the registry, etc.\r\nZCash, Armory, Bytecoin, JaxxClassic, JaxxLiberty, Exodus, Ethereum, Electrum, Electrum-LTC, Electrum-BCH, Atomic, Guarda, Wasabi, Daedalus, Coinomi, Litecoin, Dash, Bitcoin, monero-core, Binance\r\nTable 3. Wallet programs targeted for collection\r\nCollecting and sending error information\r\nRecords and sends every error (exception) that occurs while the program is running. As the SQLite parsing error on Windows with the Korean language setting is also recorded and sent, a patched version might be distributed soon.\r\nFigure 10. Code for collecting errors\r\nAfter all the information-collection routines are complete, the information is sent to C2. The destination URL (C2 URL) is hard-coded in a specific location. The malware uses the HTTP POST method.\r\nFigure 11. C2 URL\r\nAs shown above, ColdStealer is a very simple infostealer that can nevertheless cause severe secondary damage by leaking major system information upon infection. Hence users need to take caution.\r\nThe following is the IOC info related to ColdStealer.\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/32090/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/32090/"
	],
	"report_names": [
		"32090"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439036,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7381a0b7b7fb61e1b368b8771f0bea0e543ca61.pdf",
		"text": "https://archive.orkl.eu/e7381a0b7b7fb61e1b368b8771f0bea0e543ca61.txt",
		"img": "https://archive.orkl.eu/e7381a0b7b7fb61e1b368b8771f0bea0e543ca61.jpg"
	}
}