{
	"id": "9bed9f9d-95f0-4b82-959e-c50f68a0661a",
	"created_at": "2026-04-06T00:06:30.705928Z",
	"updated_at": "2026-04-10T03:21:03.020986Z",
	"deleted_at": null,
	"sha1_hash": "fd2bae5de5fc54b47c186fe3e84ae60ab869e6ef",
	"title": "MAR-10435108-1.v1 ICONICSTEALER | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285177,
	"plain_text": "MAR-10435108-1.v1 ICONICSTEALER | CISA\r\nPublished: 2023-04-20 · Archived: 2026-04-05 17:38:50 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nThis submission included one unique file. This file has been identified as a variant of the malware known as\r\nICONICSTEALER. This variant of malware was utilized in the supply chain attack on the commercial software\r\n3CXDesktopApp. 
The primary purpose of this malware is to steal sensitive data from a victim user's web browser, and make\r\nit available for exfiltration by a separate malicious component.\r\nDownload the PDF version of this report:\r\nSubmitted Files (1)\r\ne2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f (infostealer.dll)\r\nFindings\r\ne2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f\r\nTags\r\nbackdoor information-stealer trojan\r\nDetails\r\nName infostealer.dll\r\nSize 1186167 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 c9f452576b2430814821da0223a535c8\r\nSHA1 cad1120d91b812acafef7175f949dd1b09c6c21a\r\nSHA256 e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f\r\nSHA512 9099c4f970b04400b1b9db283ba60850e806217a3fbceba8bac5168621ad1994cf2c5a77e4ff7639c1660eba79504a5de684e0c7e3e746d3\r\nssdeep 24576:qxvjY/8tWCp4I1+HufhT3cimlXiOHhMdR03ZCNgqI0XK:8WCKI1zT3cimlXichMXwCrI\r\nEntropy 6.476725\r\nAntivirus\r\nAhnLab Infostealer/Win.Agent\r\nAntiy Trojan/Win64.NukeSped\r\nAvira TR/NukeSped.grojn\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar23-110a\r\nPage 1 of 5\n\nBitdefender Gen:Variant.SupplyChainAgent.8\r\nEmsisoft Gen:Variant.SupplyChainAgent.8 (B)\r\nESET Win64/NukeSped.OX trojan\r\nK7 Trojan ( 005a1eee1 )\r\nTrend Micro TrojanS.82E50547\r\nTrend Micro HouseCall TrojanS.82E50547\r\nVirusBlokAda Trojan.Win64.SamScissors\r\nYARA Rules\r\nrule CISA_10435108_01 : trojan backdoor steals_authentication_credentials\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10435108\"\r\n       Date = \"2023-04-12\"\r\n       Last_Modified = \"20230412_1700\"\r\n       Actor = \"n/a\"\r\n       Family = \"3CXDESKTOPAPP\"\r\n       Capabilities = \"steals-authentication-credentials\"\r\n       Malware_Type = \"trojan backdoor\"\r\n       Tool_Type = \"n/a\"\r\n       Description = \"Detects 3CXDesktopApp InfoStealer samples\"\r\n       SHA256_1 = 
\"e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f\"\r\n   strings:\r\n       $s0 = { 53 00 45 00 4c 00 45 00 43 00 54 00 20 00 75 00 }\r\n       $s1 = { 72 00 6c 00 2c 00 20 00 74 00 69 00 74 00 6c 00 }\r\n       $s2 = { 65 00 20 00 46 00 52 00 4f 00 4d 00 20 00 6d }\r\n       $s3 = { 6f 00 7a 00 5f 00 70 00 6c 00 61 00 63 00 65 00 }\r\n       $s4 = { 4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00 5c 00 }\r\n       $s5 = { 46 00 69 00 72 00 65 00 66 00 6f 00 78 00 5c }\r\n       $s6 = { 33 00 43 00 58 00 44 00 65 00 73 00 6b 00 74 00 6f 00 70 }\r\n   condition:\r\n       all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a 64-bit Windows DLL (Dynamic-link Library). Analysis indicates this application was part of a supply chain\r\nattack against the commercial application 3CXDesktopApp. This malicious DLL was included within an installer for the\r\n3CXDesktopApp. The primary purpose of this DLL is to steal information from various web browsers employed by a victim\r\nuser. This malware is being referred to in open source as ICONICSTEALER. During runtime the application first attempts\r\nto read a file named \"\\\\3CXDesktopApp\\\\config.json\". Additionally, the malware attempts to collect the victim system's\r\nhostname, domain name, and OS version (Figure 1).\r\nThe malicious application next attempts to steal sensitive information from the victim user's web browser. Specifically it\r\nwill target the Chrome, Edge, Brave, or Firefox browsers (Figure 2). It uses an embedded SQLITE library to query the\r\nbrowser databases for sensitive information (Figure 3). Analysis indicates the data stolen from the web browsers will be\r\nwebsites recently visited including sensitive parameters passed to the sites. 
These parameters could include sensitive\r\ninformation including login credentials or credit card numbers.\r\nNo exfiltration capability was discovered within this malicious application, indicating it works with another malicious\r\ncomponent to exfiltrate collected data.\r\nScreenshots\r\nFigure 1 - This screenshot illustrates this malware attempting to access the file \\\\3CXDesktopApp\\\\config.json.\r\nFigure 2 - This screenshot illustrates web browsers targeted by this malware, known as ICONICSTEALER.\r\nFigure 3 - This screenshot illustrates the malware beginning to search through folders of various web browsers looking for\r\nthe database files. The database files will be queried with an embedded SQLITE library looking for sensitive information.\r\nFigure 4 - This screenshot indicates the malware \"backs up\" the web browser databases before querying them for sensitive\r\ninformation. It may do this to prevent accidental corruption of the databases, or to prevent the browser from crashing if the\r\nuser is currently browsing the web.\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\n1-844-Say-CISA\r\nCISA Central  (UNCLASS)\r\nCISA SIPR (SIPRNET)\r\nCISA IC (JWICS)\r\nCISA continuously strives to improve its products and services. You can help by answering a very short series of questions\r\nabout this product at the following URL: https://us-cert.cisa.gov/forms/feedback/\r\nDocument FAQ\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. 
All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central .\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nThis product is provided subject to this Notification and this Privacy \u0026 Use policy.\r\nACKNOWLEDGEMENTS\r\nSentinelOne contributed to this report.\r\nSource: https://www.cisa.gov/news-events/analysis-reports/ar23-110a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/analysis-reports/ar23-110a"
	],
	"report_names": [
		"ar23-110a"
	],
	"threat_actors": [],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd2bae5de5fc54b47c186fe3e84ae60ab869e6ef.pdf",
		"text": "https://archive.orkl.eu/fd2bae5de5fc54b47c186fe3e84ae60ab869e6ef.txt",
		"img": "https://archive.orkl.eu/fd2bae5de5fc54b47c186fe3e84ae60ab869e6ef.jpg"
	}
}