A sophisticated PowerShell-based malware named TAMECAT has emerged as a critical threat to enterprise security, targeting login credentials stored in Microsoft Edge and Chrome browsers. <\/p>\n
This malware operates as part of espionage campaigns conducted by APT42, an Iranian state-sponsored cyber-espionage group that has been actively targeting high-value senior defense and government officials worldwide. <\/p>\n
The threat demonstrates advanced capabilities in credential theft<\/a>, data exfiltration, and persistent access to compromised systems.<\/p>\n TAMECAT employs a multi-stage infection process that begins with social engineering tactics. <\/p>\n The attackers impersonate trusted WhatsApp contacts and send victims malicious links that abuse the search-ms URI protocol handler. <\/p>\n Once activated, the malware downloads a VBScript<\/a> that performs antivirus detection on the target system to determine the appropriate execution path. <\/p>\n This initial reconnaissance allows the malware to adapt its deployment strategy based on the security environment it encounters.<\/p>\n Pulsedive Threat Research analysts identified<\/a> TAMECAT as leveraging multiple command-and-control channels, including Telegram bots, Discord, Firebase, and Cloudflare Workers infrastructure. <\/p>\n The malware\u2019s modular architecture enables it to download additional PowerShell scripts and execute various commands remotely. <\/p>\n Each module serves a specific purpose, ranging from browser credential extraction to screen capture and file system crawling, making it a comprehensive surveillance tool.<\/p>\n The threat actors behind TAMECAT utilize WebDAV servers to deliver malicious LNK files disguised as PDF documents. <\/p>\n When executed, these files trigger a chain of events that establish persistence through logon scripts and registry run keys. <\/p>\n The malware communicates with its command-and-control infrastructure using encrypted channels, employing AES encryption with predefined keys to protect stolen data during transit. <\/p>\n This layered approach to obfuscation<\/a> makes detection significantly more challenging for traditional security tools.<\/p>\n TAMECAT implements sophisticated techniques to extract login credentials from both Microsoft Edge and Chrome browsers. <\/p>\n The malware utilizes Microsoft Edge\u2019s remote debugging<\/a> feature to access browser data while the application is running. <\/p>\n For Chrome, TAMECAT suspends the browser process temporarily to gain unrestricted access to stored credential databases. <\/p>\n This dual-capability approach ensures the malware can harvest sensitive authentication information regardless of which browser the victim prefers.<\/p>\n The credential extraction module operates entirely in memory, leaving minimal forensic traces on the infected system. <\/p>\n Once credentials are collected, TAMECAT employs its Download Module and a specialized DLL<\/a> component called Runs.dll to chunk the stolen data into smaller segments before exfiltration. <\/p>\n This segmentation strategy helps the malware evade network monitoring tools that might flag large data transfers. <\/p>\n The exfiltration process uses multiple channels simultaneously, including FTP and HTTPS protocols, providing redundancy in case one communication path becomes blocked or monitored.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post TAMECAT PowerShell-Based Backdoor Exfiltrates Login Credentials from Microsoft Edge and Chrome<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Details](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEijrOdqvjyqyy0jX-9yk-OyT2ZxG1yidIjnQMHYaZQ-V4Nq4iCKEkqlBRuTHlG3zgskc7NN_jRLkZ3Y3ZnX83JhdqdogSyJ4mPagblQ6YUZXuzjk_imK7Yd-ZKBg6z1CkITdwYVz3pAeHhe46-fx4FGTK5Sb5fCUFvCWuOIEXARaZX5TRdQyBraxjQv1EM\/s16000\/Details%2520Of%2520TAMECAT%27s%2520capabilities%2520%28Source%2520-%2520Pulsedive%29.webp?ssl=1\")
![\"VBScript](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMrXQlMvOFY7LzObzD3mxDtXlUxrt5j3Di2llG5plBqISzMkKZmx_CAQuT4_hRxHvv3Ow2YnNCAmTlxX1qAveMuBmkQjmnCbskoohvhtO-OeaT3ysbcSQIjFbAZwYTlA3rvYezmUsFYhTdhhKipuVUYvd-MbLU5g_RkhlFwdXNTLWyRkeNCOGv4aZSAXk\/s16000\/VBScript%2520used%2520to%2520download%2520TAMECAT%2520%28Source%2520-%2520Pulsedive%29.webp?ssl=1\")
Browser Credential Extraction Mechanism<\/strong><\/h2>\n
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEji-wTz6qXa2TraGgHKtamUN64YzAg6EeKZwrIpsWSJD21JPc-pGPC_bpAKPq7bXVCd1btNksFlIKqD7_aGz_ZKSgFKFjAJOV3qyW8ANjs6ZxPQsnzyYmaeFpJMyMFxXv2c31LaS3pM2K0LxJFNudkhMLAKLYhvMvFHsGdVM12ENje-oEwIF96iAHlw3kk\/s16000\/The%2520decoded%2520Borjol%2520function%2520%28Source%2520-%2520Pulsedive%29.webp?ssl=1\")
![\"Code](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhY59ttlOApZEs9l4U7-AP6MMdwZJqsOUZ8ZnMwY6wmf_OcHUgIYuaYfmEVh9ulMiYqhYh_sNVVIXlP0Erhu05wLCPrla0W0bRH5lPna7ndiNmQ3ORsWNOhLLpQQASrTC7-_fmf0_Chgte5w18a-ob1fAhLHt7QqFffPjjFEWpNUcSfHqssj2Xll3Z-2tk\/s16000\/Code%2520that%2520is%2520run%2520based%2520on%2520the%2520response%2520from%2520the%2520C2%2520server%2520%28Source%2520-%2520Pulsedive%29.webp?ssl=1\")