DeerStealer
DeerStealer is a Windows-focused information stealer sold as a malware-as-a-service platform. The reporting summarized here describes subscription tiers ranging from $200/month to $3,000/month, with higher tiers adding hidden VNC, keylogging, clipper functionality, SmartScreen bypass, and remote process management. It is characterized as a credential-focused stealer and has been observed targeting browser passwords, cookies, session tokens, autofill and credit-card data, browsing history, cryptocurrency wallets, browser extensions, Discord and Telegram tokens, messaging-session data, FTP and VPN credentials, Office documents, and OneDrive contents. Multiple reports state it targets data from more than 50 browsers, more than 800 browser extensions, and numerous desktop and hardware-wallet-related applications.
The reporting describes several infection chains for the malware. Observed vectors include fake browser update lures and web inject chains, malicious MSI installers built with WiX Toolset 4.0.0.0, EV-signed MSI packages that abuse trust and SmartScreen reputation, HTA/mshta-based MaaS affiliate builds, ClickFix-style phishing pages that trick users into manually executing PowerShell, and trojanized software bundles or bootstrapper installers. Specific execution chains include DLL sideloading via legitimate signed binaries such as iMyFone Feedback Utils.exe with a trojanized Qt5Network.dll, Zoner Photo Studio VoTransmitt.exe with a trojanized sciter32.dll, and installers that unpack intermediate loaders before deploying DeerStealer. One analyzed sample used a GhostPulse loader that concealed the payload in headerless PNG-style IDAT chunks stored in cachedrv.xml, with encrypted configuration in servicetable68.cfg. Another WiX Burn sample disguised as "Antonomasia" by publisher "Cyme" used Bichromate.dll masquerading as Adobe CCMNative.dll to decrypt and execute DeerStealer entirely in memory while displaying a legitimate Active@ Password Changer decoy.
Persistence mechanisms described in the reporting include scheduled tasks, HKCU Run key persistence using the value name AppVTemplate, and persistence established by MSI CustomActions before final payload deployment. Anti-analysis and evasion features described include use of signed or EV-signed binaries and installers, in-memory decryption and execution, DLL sideloading, encrypted configuration and payload containers, self-deletion in HTA-based variants, anti-sandbox checks, and rootkit-like or stealth-oriented capabilities. One report states DeerStealer uses Telegram for execution notifications, and another states stolen data may be staged locally in SQLite tables named ribs_collection and ribs_payload before exfiltration via XOR-encrypted HTTPS POST requests and AES-encrypted ZIP archives through a Cloudflare-backed proxy layer.
Associated threat activity in the content links DeerStealer to multiple financially motivated ecosystems and operators. Proofpoint reported TA2727 delivering DeerStealer to Windows users via fake browser update chains, with TA2726 acting as a traffic distribution service redirecting victims by geography. TAG-150, later named GrayBravo, is reported to have used CastleLoader infrastructure to deliver DeerStealer among other payloads. DeerStealer also appears in ShadowLadder campaign reporting, in ITarian abuse chains following fake browser update lures, and in affiliate-operated MaaS activity including HTA-based builds and Telegram-advertised sales. One report attributes the DeerStealer MaaS ecosystem to sales by @LuciferXfiles on Telegram-based cybercrime forums.
High-confidence indicators and artifacts explicitly mentioned in the content include: MSI RVJVAUQL.msi SHA-256 ee5e941218bcf1285b2640c4b2f8baf3ffa44a73b6894ce871a22cbc24b80600; trojanized Qt5Network.dll SHA-256 73d2b832d07ab4f6f893f915ca35a43359250c659900357642c6af1f9cd5e130; cachedrv.xml SHA-256 fdbc169b439b430b7c4688ec3bc56de604d1eaaed66a7c919225981a654ad2ae; servicetable68.cfg SHA-256 3d8f0ef413fec6f85e335ca089da1f67439dbe1c8f5c01fc001b5c03b58028bd; WiX Burn sample SHA-256 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c; Bichromate.dll SHA-256 58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7; encrypted payload file jri SHA-256 d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82; config file yodpxub SHA-256 1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669; active or associated C2 domains telluricaphelion[.]com, loadinnnhr[.]today, nacreousoculus[.]pro, ncloud-servers[.]shop, watchlist-verizon[.]com, 365-drive[.]com; campaign domains statswpmy[.]com and trackingmyadsas[.]com; and ClickFix-delivered MSI SHA-256 ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151 with precursor batch file cv.bat SHA-256 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b.
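As an added, defender-side example (not code from the page's source, from Mallory, or from any cited report), the following Python triage script checks a host's artifacts against three things the reporting above names: the HKCU Run value name AppVTemplate, SQLite files that contain the staging tables ribs_collection and ribs_payload, and the SHA-256 indicators listed. The Run-key entries and the SQLite file it inspects are constructed inline so the script runs offline on any OS; the demo paths are placeholders, and on a live host the inputs would come from winreg and a directory walk instead.

```python
"""Host-triage helper for the DeerStealer artifacts named in the reporting.

Added example: not code from the page's vendor or from any cited report.
All registry entries and files inspected by demo() are constructed here.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# SHA-256 values quoted from the indicator list on the page.
KNOWN_SHA256 = {
    "ee5e941218bcf1285b2640c4b2f8baf3ffa44a73b6894ce871a22cbc24b80600": "RVJVAUQL.msi",
    "73d2b832d07ab4f6f893f915ca35a43359250c659900357642c6af1f9cd5e130": "trojanized Qt5Network.dll",
    "fdbc169b439b430b7c4688ec3bc56de604d1eaaed66a7c919225981a654ad2ae": "cachedrv.xml",
    "3d8f0ef413fec6f85e335ca089da1f67439dbe1c8f5c01fc001b5c03b58028bd": "servicetable68.cfg",
    "04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c": "WiX Burn sample",
    "58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7": "Bichromate.dll",
    "d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82": "encrypted payload jri",
    "1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669": "config file yodpxub",
    "ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151": "ClickFix-delivered MSI",
    "2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b": "cv.bat",
}
RUN_VALUE_NAME = "AppVTemplate"                      # reported HKCU Run value name
STAGING_TABLES = {"ribs_collection", "ribs_payload"}  # reported SQLite staging tables
SQLITE_MAGIC = b"SQLite format 3\x00"                 # 16-byte SQLite file header


def suspicious_run_entries(entries):
    """Return (value_name, command) pairs whose value name matches the reported one.

    `entries` is what a caller would read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (e.g. via winreg)."""
    return [(n, c) for n, c in entries if n.lower() == RUN_VALUE_NAME.lower()]


def sqlite_staging_tables(path):
    """Return the subset of reported staging tables present in a SQLite file.

    Non-SQLite files are skipped by checking the header, and the database is
    opened read-only so the evidence file is never modified."""
    path = Path(path).resolve()
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return set()
    con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    finally:
        con.close()
    return {r[0] for r in rows} & STAGING_TABLES


def sha256_of(path):
    """Stream a file through SHA-256 so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(paths):
    """Map each path whose SHA-256 is a known indicator to the indicator's label."""
    return {str(p): KNOWN_SHA256[d] for p in paths if (d := sha256_of(p)) in KNOWN_SHA256}


def build_demo_staging_db(directory):
    """Constructed sample: a SQLite file carrying the two reported table names."""
    path = Path(directory) / "demo_staging.db"
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ribs_collection (id INTEGER PRIMARY KEY, kind TEXT, blob BLOB)")
    con.execute("CREATE TABLE ribs_payload (id INTEGER PRIMARY KEY, data BLOB)")
    con.commit()
    con.close()
    return path


def demo():
    """Run all three checks on constructed inputs and return the findings."""
    # Constructed Run-key entries: one benign, one using the reported value name.
    run_entries = [
        ("OneDrive", r'"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
        ("AppVTemplate", r'"C:\Users\demo\AppData\Roaming\svc\host.exe"'),  # placeholder path
    ]
    with tempfile.TemporaryDirectory() as tmp:
        db = build_demo_staging_db(tmp)
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"constructed benign file\n")
        return {
            "run_key": suspicious_run_entries(run_entries),
            "staging_tables": sqlite_staging_tables(db),
            "hash_hits": hash_matches([db, benign]),  # neither constructed file is a sample
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check alone is a weak signal because the MaaS model means affiliates rebuild payloads freely; the Run value name and the staging table names survive rebuilds more often and are the checks worth keeping in a hunt.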
Groups observed using it
2 distinct threat actors attributed by public researchers.
Groups like TA2727 use similar JavaScript injects and lures to distribute their own malware, including information stealers like Lumma and DeerStealer.
A WiX Burn installer calling itself "Antonomasia" by "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer that will drain your browser credentials, crypto wallets, and messaging sessions before you finish clicking through the setup wizard.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 3 techniques
Persistence: 3 techniques
Privilege Escalation: 2 techniques
Stealth: 7 techniques
T1027 Defense Evasion: Obfuscated Files or Information (XOR-encrypted config, AES-encrypted payload)
The MSI installed and executed the legitimate and signed application "Rene.E Facebook Widget". However, one of the bundled DLLs was trojanized with DOILoader, which was sideloaded upon execution.
T1036.001 Defense Evasion: Masquerading: Invalid Code Signature (legitimate signature on malicious payload)
T1036.005 Defense Evasion: Masquerading: Match Legitimate Name ("Antonomasia" by "Cyme" + Active@ Password Changer decoy)
T1140 Defense Evasion: Deobfuscate/Decode Files or Information (in-memory decryption via CryptoPP)
Credential Access: 4 techniques
Discovery: 2 techniques
Collection: 5 techniques
T1005 Collection: Data from Local System (documents, credentials, wallet files)
T1074.001 Collection: Data Staged: Local Data Staging (SQLite databases ribs_collection, ribs_payload)
Command and Control: 5 techniques
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
An information stealer distributed by copycat actors using similar fake-update JavaScript lures.
An infostealer delivered as a secondary payload following ITarian abuse. It is used to steal information after persistence and DLL sideloading activity.
A secondary payload delivered by CastleLoader.
DeerStealer is a malware-as-a-service infostealer delivered here via a malicious WiX Burn installer. It decrypts and executes in memory, steals credentials from 50+ browsers, targets 14+ crypto wallets and 800+ browser extensions, captures messaging sessions, runs a hidden VNC server, logs keystrokes, establishes persistence via a Run key and scheduled tasks, and exfiltrates stolen data over encrypted HTTPS channels.