Since May 2025, a novel credential stealer dubbed Maranh\u00e3o Stealer<\/strong> has emerged as a significant threat to users of pirated gaming software. Distributed through deceptive websites hosting cracked launchers and cheats, the malware leverages cloud-hosted platforms to deliver trojanized installers that appear innocuous.<\/p>\n Upon execution, the installer unpacks a Node.js\u2013compiled binary encapsulated in an Inno Setup executable, initiating a silent infection process that avoids user detection while harvesting sensitive data.<\/p>\n In its initial campaigns<\/a>, threat actors attracted victims with enticing download links such as Behind the scenes, however, the Inno Setup wrapper drops several components, including Cyble analysts noted that the malware establishes persistence<\/a> through Run registry keys and scheduled tasks immediately after deployment.<\/p>\n The impact of Maranh\u00e3o Stealer extends beyond simple credential theft. By injecting a reflective DLL into browser processes, it bypasses security measures<\/a> like AppBound encryption to exfiltrate stored passwords, cookies, and browsing history from Chrome, Edge, Brave, Opera, and other Chromium-based browsers.<\/p>\n Cyble researchers identified<\/a> that the malware also targets cryptocurrency wallets\u2014Electrum, Exodus, Coinomi, and more\u2014making it a dual threat to both traditional account credentials and digital asset wallets.<\/p>\n In addition to credential harvesting, Maranh\u00e3o Stealer conducts extensive system reconnaissance. It gathers hardware and network information via WMI queries such as Screenshots captured through inline C# in PowerShell further augment the stolen intelligence, enabling threat actors to monitor user activity in real time.<\/p>\n A closer examination of the infection mechanism reveals a multi-stage process designed for stealth and reliability.<\/p>\n Upon execution of the Inno Setup installer, the main payload ( Persistence is immediately secured with a registry modification:-<\/p>\n Once the Run key is in place, the malware<\/a> marks its directory and files with hidden and system attributes through The next phase involves spawning a helper process, Using low-level Windows APIs\u2014 This reflective injection technique not only evades antivirus scans but also runs inside the context of legitimate browser executables, making detection even more challenging.<\/p>\n By combining social engineering, cloud-based distribution, and advanced injection tactics, Maranh\u00e3o Stealer exemplifies the evolving sophistication of modern credential stealers.<\/p>\n Security teams should prioritize application control policies, endpoint monitoring for anomalous registry edits, and behavioral analysis to detect and block such stealthy threats in their early stages.<\/p>\n The post New Maranh\u00e3o Stealer Via Pirated Software Leveraging Cloud-Hosted Platforms to Steal Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nDerelictSetup.zip<\/code>, promising modified game content.<\/p>\nupdater.exe<\/code>, crypto.key<\/code>, and infoprocess.exe<\/code>, into a hidden \u201cMicrosoft Updater\u201d directory under %localappdata%Programs<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEicqzy724nXSoJQrOL4-B5SNykBGJUUeAWldWL_AgjFpfXOO2NPLJyPPR23swC3ZT9OAb0WIk1dayeauJTR6Ltuw2YTpPeBK5O2AaSpsqInULKpeSW-NwuGW-_oNDbiMnWfFzb3a4uW_g36-0MsMEtw6bBn1jPQtAk6YYp8JXMsmkENuoeNYcavD6E7I70\/s16000\/Infection%2520chain%2520%28Source%2520-%2520Cyble%29.webp?ssl=1\")
wmic os get Caption<\/code> and external API calls to ip-api.com\/json<\/code>, profiling the operating system, CPU, disk space, and geographic location of the infected host.<\/p>\nInfection Mechanism<\/strong><\/h2>\n
updater.exe<\/code>) is launched in \/VERYSILENT<\/code> mode, suppressing any installation dialogs.<\/p>\nreg.exe ADD HKCUSoftwareMicrosoftWindowsCurrentVersionRun \/v updater \/t REG_SZ \/d \"C:Users<username>AppDataLocalProgramsMicrosoft UpdaterUpdater.exe\" \/f<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiUFBvlwY7yUD0OSzEWuhRXd7GnUxiY-r70QEyYQzeo7a0Joub0YrHaPEis11ghwQJzZ7ex8sWRjtWNeUvm0CPJQkNZE16OCj53Djt6hxboj8ASRWBV7rD6gdpTjOHW5b4hETpStGcvM9AnMwDiBkYBI7lqFR7L8t9wk78ZzYl2m3kgp7JuLC9T_WNqrTM\/s16000\/Persistence%2520through%2520registry%2520%28Source%2520-%2520Cyble%29.webp?ssl=1\")
attrib +h +s<\/code>, ensuring they remain obscured from casual inspection.<\/p>\ninfoprocess.exe<\/code>, which injects a payload DLL directly into running browser processes.<\/p>\nNtAllocateVirtualMemory<\/code>, NtWriteProcessMemory<\/code>, and CreateThreadEx<\/code>\u2014the malicious module is mapped into the target\u2019s memory space without touching the disk.<\/p>\nFree live\u00a0webinar\u00a0on new malware tactics from our analysts! Learn advanced detection techniques ->\u00a0Register for Free<\/a><\/code><\/strong><\/p>\n