Cyber Stealer Analysis: When Your Malware Developer Has FOMO About Features
Key Takeaways
First identified by eSentire’s Threat Response Unit (TRU) in May 2025, Cyber Stealer represents a new and actively developing threat. The malware authors are consistently updating the tool based on user feedback from hacking forums, indicating an agile development process and suggesting the threat will continue to evolve and become more sophisticated.
The malware compresses stolen data into a zip archive and sends it to the Command & Control (C2) server via HTTP POST requests, including detailed statistics about the types and quantities of stolen data (passwords, credit cards, cookies, etc.).
The malware maintains regular communication with its C2 server through several endpoints, covering heartbeat checks, XMR (Monero) miner configuration, task retrieval, configuration updates, and data exfiltration. The active C2 URL is fetched from Pastebin, used as a dead-drop resolver so the operators can move infrastructure without rebuilding the binary, and a hardcoded fallback URL is used if that lookup fails.
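The two network behaviours above, a Pastebin fetch to resolve the current C2 and an HTTP POST carrying a ZIP archive, are both visible to a web proxy. The following is an added triage example, not code from the eSentire write-up: it runs over constructed proxy records and rates a client "high" when the dead-drop fetch is followed by a ZIP upload to a host outside an allowlist. The record layout, the sample addresses and paths, and the allowlist are assumptions made for the example.

```python
"""Triage of outbound HTTP records for two Cyber Stealer behaviours:
a Pastebin fetch used to obtain the current C2 URL, followed by an HTTP POST
whose body is a ZIP archive of stolen data.

Added example, not code from the eSentire write-up. The record layout, the
sample records, the hostnames and the paths are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

ZIP_MAGIC = b"PK\x03\x04"                 # ZIP local file header
DEAD_DROP_HOSTS = {"pastebin.com"}        # paste services used as C2 dead drops
UPLOAD_ALLOWLIST = {"files.example.com"}  # hosts where ZIP uploads are expected (assumption)


@dataclass(frozen=True)
class HttpRecord:
    client: str          # internal source address
    method: str
    url: str
    body_prefix: bytes   # first bytes of the request body, as a proxy would log them


def _host(rec: HttpRecord) -> str:
    return (urlparse(rec.url).hostname or "").lower()


def is_dead_drop_fetch(rec: HttpRecord) -> bool:
    """GET against a paste service: consistent with resolving the C2 URL via Pastebin."""
    host = _host(rec)
    return rec.method == "GET" and any(
        host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def is_zip_post(rec: HttpRecord) -> bool:
    """POST whose body starts with ZIP magic, to a host not on the upload allowlist."""
    return (rec.method == "POST"
            and rec.body_prefix.startswith(ZIP_MAGIC)
            and _host(rec) not in UPLOAD_ALLOWLIST)


def triage(records):
    """Return {client: severity}. 'high' when one client shows the dead-drop fetch and
    then a ZIP POST (records are assumed to be in chronological order); 'medium' for
    either behaviour alone; clients with neither are omitted."""
    seen = {}
    for rec in records:
        state = seen.setdefault(rec.client, {"drop": False, "zip": False, "chain": False})
        if is_dead_drop_fetch(rec):
            state["drop"] = True
        elif is_zip_post(rec):
            state["zip"] = True
            if state["drop"]:
                state["chain"] = True
    result = {}
    for client, st in seen.items():
        if st["chain"]:
            result[client] = "high"
        elif st["drop"] or st["zip"]:
            result[client] = "medium"
    return result


# Constructed sample records (TEST-NET addresses, made-up paste id and paths).
SAMPLE_RECORDS = [
    HttpRecord("10.0.0.5", "GET", "https://pastebin.com/raw/AbCdEfGh", b""),
    HttpRecord("10.0.0.5", "POST", "http://203.0.113.10/upload", ZIP_MAGIC + b"\x14\x00\x00\x00"),
    HttpRecord("10.0.0.7", "POST", "https://files.example.com/upload", ZIP_MAGIC + b"\x14\x00"),
    HttpRecord("10.0.0.9", "GET", "https://www.example.com/", b""),
    HttpRecord("10.0.0.11", "POST", "http://198.51.100.20/", ZIP_MAGIC + b"\x0a\x00"),
]

if __name__ == "__main__":
    for client, severity in triage(SAMPLE_RECORDS).items():
        print(f"{client}: {severity}")
```

The allowlisted upload from 10.0.0.7 is deliberately not reported: ZIP bodies alone are common, so the signal worth paging on is the ordered pair of behaviours from a single host.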
The malware includes modules for cryptocurrency theft (a clipper that swaps wallet addresses on the clipboard), cryptocurrency mining, name-resolution hijacking (described as DNS poisoning) by editing the system hosts file, and configurable monitoring features such as screenshots and keylogging, all controlled through a comprehensive administration panel.
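Because the hosts file is consulted before DNS, a single added line silently redirects a victim's exchange or vendor domain. The following is an added triage check, not code from the eSentire write-up: it parses hosts-file text, skips a baseline of expected entries, and classifies every other mapping as a black-hole (name sent to loopback or 0.0.0.0) or a redirect (name sent anywhere else). The sample file content, the baseline and the watchlist domains are constructed assumptions.

```python
"""Triage check for hosts-file manipulation: report every name-to-address mapping
that is not in the expected baseline, classified as 'blackhole' or 'redirect'.

Added example, not code from the eSentire write-up. The sample hosts content,
the baseline and the watchlist are constructed assumptions.
"""
import ipaddress
import sys

# Entries expected on a clean Windows host; anything else is reported.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Domains whose redirection or blocking matters most (constructed example list).
WATCHLIST = {"binance.com", "www.binance.com", "update.example-av.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored and a line
    may carry several names for one address, as the resolver allows."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in parts[1:]:
            yield str(ip), name.lower()


def classify(ip_str, name):
    """blackhole = loopback/unspecified target; redirect = any other address.
    Redirects and anything touching the watchlist are rated high."""
    ip = ipaddress.ip_address(ip_str)
    kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
    severity = "high" if (kind == "redirect" or name in WATCHLIST) else "low"
    return kind, severity


def suspicious_hosts_entries(text):
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in BASELINE:
            continue
        kind, severity = classify(ip, name)
        findings.append({"ip": ip, "name": name, "kind": kind, "severity": severity})
    return findings


# Constructed sample: two benign-looking lines, one exchange redirect, one vendor block.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.example.com          # ad/telemetry block, common and benign
203.0.113.10    www.binance.com binance.com    # exchange redirected to attacker host
127.0.0.1       update.example-av.test         # security vendor updates black-holed
"""

if __name__ == "__main__":
    # Pass a path (e.g. %SystemRoot%\\System32\\drivers\\etc\\hosts) or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in suspicious_hosts_entries(text):
        print(f"{f['severity']:<5} {f['kind']:<9} {f['ip']:<16} {f['name']}")
```

Compare the output against a golden copy of the file from a known-good image rather than trusting the baseline set alone; administrators do add legitimate intranet entries, and those should be in the baseline, not silently ignored by the classifier.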
To read the complete article see: Cyber Stealer Analysis