Thursday, November 6, 2025

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

Author(s): Vlad Pasca, Radu-Emanuel Chiscariu

  • New two-stage malware targets cryptocurrency wallets and browser history
  • LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe
  • LeakyStealer implements a “polymorphic engine” that is able to modify its memory area with hard-coded bytes at runtime
  • Both were signed with a valid Extended Validation certificate
  • LeakyStealer beacons to the C2 server at regular intervals
  • Multiple related samples use the same certificate infrastructure

Hybrid Analysis has analyzed a new two-stage malware that we’re naming LeakyInjector and LeakyStealer. The duo performs reconnaissance on an infected machine and targets multiple crypto wallets, including browser extensions corresponding to crypto wallets. The malware also looks for browser history files from Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.

The first stage (LeakyInjector) decrypts the ChaCha20-encrypted second stage (LeakyStealer) and injects the payload into the explorer.exe process. The stealer computes the Bot ID corresponding to the infected machine and establishes persistence using an entry under the Run registry key. The malware implements a polymorphic engine that modifies memory bytes using specific hard-coded values. LeakyStealer searches for crypto wallets such as Electrum, Exodus, Atomic, Sparrow, Ledger Live, Guarda, and BitPay in addition to browser extensions like MetaMask, Phantom, Coinbase, and Trust Wallet. Two backdoor commands are implemented: downloading and executing a file, and executing Windows commands.

A Hybrid Analysis Perspective

The sample is a 64-bit Windows executable (approximately 30 MB, padded with null bytes) and is signed with a valid digital certificate. The malware contains numerous debug strings and artifacts, indicating minimal obfuscation.

Figure 1 - File Summary

The malware establishes persistence by creating an entry under the Run registry key:

Figure 2 - Persistence through registry manipulation

Looking at the “HTTP Traffic” in the Hybrid Analysis report, we can identify HTTP POST requests used for C2 communications. The domain was recently registered. The process connects to 45[.]151[.]62[.]120 on port 443 (TCP), using a browser-related user agent.

Figure 3 - HTTP POST requests to the C2 server

The stealer is looking for different browser extensions corresponding to crypto wallets:

Figure 4 - Crypto wallets are targeted

The malware reads browser-related files to retrieve the browser history, as highlighted in the figure below.

Figure 5 - Accessing browser-related data

A Deeper Dive

LeakyInjector analysis

The first stage - which we named LeakyInjector - is looking for the “explorer.exe” process on the host:

Figure 6 - The injector searches for the explorer.exe process

The malware injects the next stage into the explorer process using the low-level APIs displayed below.

Figure 7 - Perform process injection using low-level APIs

The stealer that we called LeakyStealer is stored in an encrypted form in the injector and is decrypted using the ChaCha20 algorithm, with the key and nonce being hard-coded.

Figure 8 - ChaCha20 algorithm is used to decrypt the stealer before it is injected

LeakyStealer analysis

The malware computes the Bot ID of the infected host by XOR-ing the “C:\” volume serial number with the 0xDEADBEEF constant. If not available, the Bot ID is initialized using the GetTickCount function.

Figure 9 - Bot ID value is computed

It retrieves the hostname, the username, and the domain assigned to the local machine (see Figure 10).

Figure 10 - Extract information that will be exfiltrated

The malicious process determines whether it’s running with admin privileges using the GetTokenInformation API (0x14 = TokenElevation):

Figure 11 - Determine if the malware is running with admin privileges

The binary connects to the everstead[.]group C2 server using a hard-coded user agent, as highlighted below.

Figure 12 - First connection to the C2 server

A field called “Traffic Tag” is initialized with the “convert” value. Figure 13 reveals the verbose output containing information extracted in previous steps.

Figure 13 - Multiple debugging strings shown

Persistence

The stealer copies itself as “MicrosoftEdgeUpdateCore.exe” in the “%AppData%” directory. It establishes persistence by creating an entry called “EdgeUpdateCore” under the Run registry key:

Figure 14 - Self-copy and persistence

LeakyStealer implements a “polymorphic engine” that is able to modify its memory area with hard-coded bytes at runtime:

Figure 15 - Modify bytes using a routine called polymorphic engine at runtime

The search is performed for the 8-byte marker “DE AD BE EF CA FE BA BE”. The process changes the memory protection of the first 16 bytes (including the marker) using VirtualProtect (0x40 = PAGE_EXECUTE_READWRITE). These 16 bytes are modified to a randomized sequence of “no-operation” assembly instructions, such as 0x90 for NOP, “EB 00” for JMP 0x2, or “66 90” for “XCHG AX, AX”. The code that performs the patching is fairly common and frequently found in video game cheat engines. Its purpose in this sample remains unclear as it does not change any actual code and limits the patching to the marker bytes.

Figure 16 - Replace the 16 bytes containing the hard-coded marker using different bytes
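A scanner for the two states of the marker region described above, written as an added example rather than taken from the article: on disk the 8-byte marker is intact, while in memory the 16 bytes starting at the marker have been replaced by a random mix of the NOP-equivalent encodings the article names. The in-memory scan is a heuristic, since the exact mix is random and a run of plain 0x90 bytes is also ordinary alignment padding.

```python
"""Scanner for LeakyStealer's "polymorphic engine" region (added example,
not code from the article). On disk the 8-byte marker is intact; in memory the
16 bytes starting at the marker are a random mix of NOP (90), JMP to the next
instruction (EB 00) and XCHG AX,AX (66 90)."""
from typing import List, Tuple

MARKER = bytes.fromhex("DEADBEEFCAFEBABE")          # marker named in the article
PATCH_LEN = 16                                      # bytes re-protected and overwritten
NOP_TOKENS = (b"\x90", b"\xEB\x00", b"\x66\x90")    # encodings named in the article


def find_marker(buf: bytes) -> List[int]:
    """Offsets of the intact marker, i.e. the on-disk form of the sample."""
    hits, pos = [], buf.find(MARKER)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(MARKER, pos + 1)
    return hits


def find_nop_runs(buf: bytes, min_len: int = PATCH_LEN) -> List[Tuple[int, int, int]]:
    """Maximal runs of NOP-equivalent tokens of at least min_len bytes, reported as
    (offset, length, number_of_two_byte_tokens). The tokens start with distinct
    bytes (90 / EB / 66), so greedy tokenising is unambiguous. A run made only of
    single 90s is also common padding; a non-zero third field is the stronger signal."""
    runs, i = [], 0
    while i < len(buf):
        j, two_byte = i, 0
        while True:                      # extend the run one token at a time
            tok = next((t for t in NOP_TOKENS if buf.startswith(t, j)), None)
            if tok is None:
                break
            j += len(tok)
            two_byte += 1 if len(tok) == 2 else 0
        if j - i >= min_len:
            runs.append((i, j - i, two_byte))
            i = j
        else:
            i += 1
    return runs


# Constructed sample: a few real-looking x64 bytes around the marker region.
_PREFIX = bytes.fromhex("48895C2408")               # mov [rsp+8], rbx
_AFTER_MARKER = bytes.fromhex("4883EC20488BD9E8")   # the 8 bytes following the marker
_SUFFIX = bytes.fromhex("C3CCCC")                   # ret; int3; int3
SAMPLE_ON_DISK = _PREFIX + MARKER + _AFTER_MARKER + _SUFFIX
# One possible output of the engine: 16 bytes of mixed NOP-equivalents (constructed).
_SLED = b"".join([b"\xEB\x00", b"\x66\x90", b"\x90", b"\x90", b"\xEB\x00", b"\x66\x90",
                  b"\x90", b"\xEB\x00", b"\x66\x90", b"\x90"])
SAMPLE_IN_MEMORY = _PREFIX + _SLED + _SUFFIX
```

Running find_marker over a file on disk and find_nop_runs over a memory dump of the injected explorer.exe lets an analyst tie the two forms of the same region together.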

The binary enters a loop that builds a registration packet that will be sent to the C2 server (Figure 17).

Figure 17 - LeakyStealer is beaconing to the C2 server at regular intervals

The RtlGetVersion and GetVersionExA methods are utilized to obtain the Windows version:

Figure 18 - Retrieve the Windows OS version

Data exfiltration

The registration packet contains the “LOAD” magic string, the Bot ID, 0x01 (value corresponding to a Registration packet), the admin flag, the traffic tag, the hostname, the username, the Windows domain, and the OS version:

Figure 19 - Registration packet is constructed

Figure 20 - Example of a registration packet

LeakyStealer is looking for cryptocurrency wallets such as Electrum, Exodus, Atomic, Sparrow, Ledger Live, Guarda, and BitPay:

Figure 21 - Multiple crypto wallets are targeted

Cryptocurrency browser extensions such as MetaMask, Phantom Wallet, Coinbase Wallet, and Trust Wallet are also targeted:

Figure 22 - Crypto browser extensions

The malware exfiltrates the registration packet to the “/api/beacon” URI. The server’s response is received and read using the WinHttpReceiveResponse and WinHttpReadData functions (Figure 23).

Figure 23 - Server’s response is received and parsed

The binary extracts the history file from the following browsers: Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.

Figure 24 - Obtain the history file from multiple browsers

Every history file found is copied to the temporary folder as “history_%d.db”, where “%d” is generated via a function call to GetTickCount. The malware reads these files in memory and deletes them afterward using the DeleteFileA API, as highlighted below.

Figure 25 - Create copies of history files, read them, and then delete them afterwards

The browser history is exfiltrated to the C2 server using the “/api/beacon/history” URI. We observe that the stealer adds the “X-Bot-Id” header in the request:

Figure 26 - Browser history files are sent to the C2 server

Figure 27 - Example of exfiltrating the browsing history files

The server’s response has the following structure: “LOAD<1-byte Command type><4-byte Command length><Command>”. The command type can be 0 (no command from the server), 1 (one of the two commands implemented by the stealer), or >=2 (unknown command type).

Figure 28 - Specific packet structure is expected from the C2 server

Stealer Commands

The first command is used to download and execute a file from the C2 server. It has the “download URL Localfile” structure.

Figure 29 - Download command implemented by LeakyStealer

As we can see below, the process downloads the file from the C2 server, creates the local file and writes the downloaded content to it, and finally executes it using the CreateProcessA method.

Figure 30 - Create new file mentioned in the command

Figure 31 - CreateProcessA API call

The second command runs Windows commands on the infected machine and sends their output to the C2 server. The output is read using an anonymous pipe:

Figure 32 - Execute Windows command on the infected host
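Decoders for the beacon exchange described in this report, covering the Bot ID computation (Figure 9) and the server response and download command formats (Figures 28 and 29). This is an added example, not code from the article; the article does not state the byte order of the 4-byte command length, the command text encoding, or the keyword of the second command, so little-endian, ASCII, and "anything other than download" are assumed here.

```python
"""Decoders for the LeakyStealer C2 exchange (added example, not code from the
article). Assumptions not stated in the article: the 4-byte command length is
little-endian, the command body is ASCII, and the Bot ID is a 32-bit value."""
import struct
from typing import Dict, Optional

BOT_ID_XOR = 0xDEADBEEF   # constant named in the article
MAGIC = b"LOAD"           # magic string used in both directions
HEADER_LEN = 4 + 1 + 4    # "LOAD" + command type + command length


def bot_id_from_serial(volume_serial: int) -> int:
    """Bot ID = (C:\\ volume serial XOR 0xDEADBEEF), kept to 32 bits."""
    return (volume_serial ^ BOT_ID_XOR) & 0xFFFFFFFF


def serial_from_bot_id(bot_id: int) -> int:
    """XOR is its own inverse: an X-Bot-Id value seen in proxy logs can be
    mapped back to the volume serial of the infected host."""
    return (bot_id ^ BOT_ID_XOR) & 0xFFFFFFFF


def frame_response(cmd_type: int, body: bytes) -> bytes:
    """Build a response in the documented layout (for constructing test vectors)."""
    return MAGIC + bytes([cmd_type]) + struct.pack("<I", len(body)) + body


def parse_server_response(data: bytes) -> Optional[Dict[str, object]]:
    """Decode 'LOAD<1-byte type><4-byte length><command>'.
    Returns None when the buffer is not a well-formed response."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        return None
    cmd_type = data[4]
    (length,) = struct.unpack_from("<I", data, 5)      # assumed little-endian
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        return None                                     # truncated command
    out: Dict[str, object] = {"type": cmd_type, "command": body}
    if cmd_type == 0:
        out["kind"] = "no command"
    elif cmd_type == 1:
        # Type 1 carries one of the two implemented commands. Only the download
        # command's layout ("download URL Localfile") is documented; anything
        # else is treated as the second (command execution) command.
        parts = body.decode("ascii", "replace").split(" ", 2)
        if parts[0] == "download" and len(parts) == 3:
            out["kind"] = "download"
            out["url"], out["local_file"] = parts[1], parts[2]
        else:
            out["kind"] = "execute"
    else:
        out["kind"] = "unknown"
    return out
```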

Mapping the infrastructure

The certificate’s issuer details point to a Hong Kong registrant. Similar versions of the stealer were signed with the same certificate. At the time of the analysis, the certificate was still valid, but at the time of publishing this report it has been revoked by its issuer.

Figure 33 - Signed Certificate information

The certificate thumbprint A8BF7554363D27DEB374C4E2658AC05C60E3BAA7 revealed seven related samples, demonstrating that the threat actor reuses signing infrastructure across multiple payloads.

Signer: Hefei Nudan Jukuang Network Technology Co., Ltd.
Valid Period: September 9, 2025 - September 9, 2026
Issuer: Sectigo Public Code Signing CA EV R36

This legitimate Extended Validation (EV) certificate may have been obtained through fraudulent means, or a compromised business entity may have been abused for malware signing. The seven samples share consistent operational patterns:
  • Persistence mechanisms across all variants
  • Masquerading as legitimate Microsoft Edge update components
  • Recent activity with samples spanning October 1-9, 2025

A Shodan search for the IP address returns open ports 22, 80 and 443.

Figure 34 - Shodan search

There are two domains associated with the IP address, namely “everstead[.]group” and “ip-ptr[.]tech”.

Figure 35 - Shodan result for the IP address

The MSI file called “dynatrc.php” drops a LeakyStealer sample (SHA256 dea8653698cea84e063165524c3e8c8141de246a29b9b8de40be3943fd1c6f14) that communicates with the same C2 server. The installer could be downloaded from the paycnex[.]com domain, as highlighted below:

Figure 36 - VirusTotal result shows the distribution site of the installer

We’ve identified a PowerShell script that is related to NetSupportRAT on the same domain:

Figure 37 - PowerShell script related to NetSupportRAT was stored on the distribution domain

LeakyStealer Through the Eyes of Hybrid Analysis

The Hybrid Analysis report identifies multiple behavioral patterns and indicators that classify LeakyStealer as a new information-stealing malware. For example, it highlights that the process targets crypto browser extensions and the history files of multiple browsers. Through in-depth technical analysis of LeakyStealer’s core functionality, we aim to offer insights that enable more effective detection and defense strategies.

Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise
SHA256

Files created
%AppData%\MicrosoftEdgeUpdateCore.exe
C:\Users\<User>\AppData\Local\Temp\history_%d.db

Registry value
EdgeUpdateCore

C2 server
everstead[.]group

Thursday, October 30, 2025

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Author(s): Vlad Pasca

  • Warlock ransomware was deployed by exploiting the SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771
  • The malware includes a hostname verification mechanism that excludes designated systems from encryption, indicating self-preservation tactics
  • Warlock performs defense evasion by stopping a list of services and processes and removes volume shadow copies
  • The ransomware encrypts files using a combination of the ChaCha20 algorithm and Curve25519

Warlock ransomware has been recently found being distributed through newly discovered SharePoint vulnerabilities. This malware represents the latest evolution in ransomware tactics, combining advanced encryption methods with targeted defense evasion techniques.

As a result, we have conducted a comprehensive analysis of Warlock, examining both its initial behavior through sandbox environments and performing detailed static and dynamic analysis of samples in the wild. The findings reveal a methodical attack pattern designed to maximize damage while protecting itself from detection and removal.

The ransomware exploits two critical SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) as its entry point, then deploys a multi-stage attack that includes terminating security services, removing recovery options, and implementing a hybrid encryption scheme using ChaCha20 and Curve25519 algorithms.

Perhaps most telling is Warlock's self-preservation mechanism: a hostname verification feature that deliberately avoids encrypting certain systems, suggesting a calculated self-preservation approach built by its operators.

A Hybrid Analysis Perspective

As we can see in the Hybrid Analysis report, the ransomware appends its extension to the existing one:

Figure 1 - Warlock ransomware’s extension identified

Figure 2 reveals that the malware is looking to open and possibly stop multiple services related to backup, databases, shadow copies, AntiVirus software, and so on.

Figure 2 - Multiple services are targeted

Hybrid Analysis identifies that the sample implements the ChaCha20 algorithm for encryption using YARA rules (Figure 3).

Figure 3 - ChaCha20 algorithm identified

Figure 4 - CryptoPP library is statically linked

The SHEmptyRecycleBinW API is utilized to empty the Recycle Bin in order to prevent file recovery from that location:

Figure 5 - SHEmptyRecycleBinW API call

A Deeper Dive Into Warlock

The process retrieves the command-line arguments and compares them with the following list: “-e” (doesn’t change the extension of the file passed as a parameter), “-n” (doesn’t create the ransom note) and “-p”.

Figure 6 - Command-line arguments retrieval

The threat actor embedded a GUID in the code that will appear in all encrypted files. The ransomware also compares the hostname with the placeholder value “replacethiswhitehost” (meant to be replaced with a real hostname) and skips file encryption when they match.

Figure 7 - Hard-coded information

The malware hides the current window via a function call to ShowWindow (0x0 = SW_HIDE):

Figure 8 - Malware’s window is hidden

SHEmptyRecycleBinW is used to empty the Recycle Bin on all drives (0x7 = SHERB_NOCONFIRMATION | SHERB_NOPROGRESSUI | SHERB_NOSOUND):

Figure 9 - Empty the Recycle Bin

Warlock mounts all unmounted volumes using the FindFirstVolumeW, FindNextVolumeW, and SetVolumeMountPointW functions.

Figure 10 - Mount all unmounted volumes

Defense Evasion

The ransomware stops a list of services (e.g. AntiVirus, backup, and shadow copy services) using the ControlService method (0x1 = SERVICE_CONTROL_STOP). The entire list of services can be found in the Appendix.

Figure 11 - Targeted services are stopped

The executable stops a list of processes that might interfere with the encryption. The list of all processes can be found in the Appendix.

Figure 12 - Targeted processes are killed

Volume Shadow Copies Deletion

The ransomware deletes all volume shadow copies by calling the CreateVssBackupComponentsInternal function and then DeleteSnapshots on every shadow copy found (see Figure 13).

Figure 13 - Delete volume shadow copies using COM interface

Encryption of Files

GetDriveTypeW is used to retrieve the drive type, which must be different from 0x1 (DRIVE_NO_ROOT_DIR) and 0x5 (DRIVE_CDROM):

Figure 14 - GetDriveTypeW API call

The following files and directories will not be encrypted by Warlock Ransomware:

Figure 15 - Skipped files and directories

The malware creates multiple threads that will handle the file encryption. Firstly, it appends the “.x2anylock” extension to every file to be encrypted using MoveFileW:

Figure 16 - Append the ransomware’s extension to encrypted files

The ransomware uses Curve25519 (CryptoPP library) and ChaCha20 for encrypting files. It calls BCryptGenRandom to generate 32 random bytes (the session private key), computes the 32-byte session public key using Curve25519, and then computes the 32-byte shared secret using the session private key and a hard-coded 32-byte public key. The ChaCha20 key is the SHA256 of the shared secret and the IV is equal to the first 8 bytes of the key. The entire workflow is highlighted in the figure below. The threat actor can recover the shared secret using the session public key that is written to the encrypted file and the secret private key that corresponds to the hard-coded public key.

Figure 17 - Generate the shared secret using Curve25519

Figure 18 - Hard-coded 32-byte public key
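As an added illustration (not from the original article), the key agreement described above, writing $s$ for the 32-byte session private key generated by BCryptGenRandom, $d$ for the operator's private key corresponding to the hard-coded public key $P$, and $B$ for the Curve25519 base point:

$$
S = s \cdot B, \qquad P = d \cdot B
$$

$$
\text{shared} = s \cdot P = s d \cdot B = d \cdot S
$$

$$
K = \mathrm{SHA256}(\text{shared}), \qquad IV = K[0{:}8]
$$

Only $S$ is written to the encrypted file; because $s$ is discarded after use and $d$ never leaves the operator, a victim holding $S$ and $P$ alone cannot reconstruct $K$, while the operator recovers it from $S$ and $d$ via the last equality.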

The ransomware traverses the directories and encrypts the files using ChaCha20:

Figure 19 - Open targeted file for encryption

Figure 20 - Write encrypted content to the file

A snippet of the ChaCha20 implementation is displayed in Figure 21.

Figure 21 - ChaCha20 algorithm

An example of an encrypted file is displayed below. The footer contains the 32-byte session public key generated before and the hard-coded GUID already mentioned.

Figure 22 - Footer contains the 32-byte session public key and GUID

The ransom note called “How to decrypt my data.txt” is dropped in every encrypted directory (Figure 23).

Figure 23 - Ransom note

Warlock Through the Eyes of Hybrid Analysis

The Hybrid Analysis sandbox report reveals multiple key behavioral indicators of Warlock ransomware's functionality. The analysis identifies the ransomware's unique file extension and confirms its use of the ChaCha20 algorithm for file encryption. A significant indicator of malicious intent is the ransomware's systematic termination of backup and AntiVirus software services. The in-depth technical analysis provides crucial evidence from the dynamic analysis and describes the volume shadow copies deletion process, as well as every step of the complex file encryption workflow.

Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA256

File created
How to decrypt my data.txt

Appendix

Targeted processes
"sql.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe", "ocautoupds.exe", "encsvc.exe", "firefox.exe", "tbirdconfig.exe", "mydesktopqos.exe", "ocomm.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "steam.exe", "thebat.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "notepad.exe"

Targeted services
"vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup", "GxVss", "GxBlr", "GxFWD", "GxCVD", "GxCIMgr", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "YooBackup", "YooIT", "zhudongfangyu", "sophos", "stc_raw_agent", "VSNAPVSS", "VeeamTransportSvc", "VeeamDeploymentService", "VeeamNFSSvc", "veeam", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "AcrSch2Svc", "AcronisAgent", "CASAD2DWebSvc", "CAARCUpdateSvc"