Date: 08/04/2025
Severity: Medium
Summary
A sophisticated new infostealer and botnet called "Cyber Stealer" was discovered by the Threat Response Unit in May 2025. This multi-functional malware operates on a tiered subscription model with three packages—Regular, Premium, and VIP—offering escalating features from basic stealing to advanced capabilities like DDoS attacks, cryptocurrency mining, and DNS poisoning. Cyber Stealer targets a wide array of applications, including browsers, crypto wallets, communication platforms, gaming apps, and more. Its botnet functions enable remote shell access, keylogging, malware delivery, and clipboard manipulation to redirect cryptocurrency transactions.
Indicators of Compromise (IOC) List
Type | Indicators
URL/Domain | cyberstealer.live, innocents.ru, paxrobot.digital, wbarenux.pro
IP Address | 45.88.91.56, 176.65.144.220, 155.94.155.220, 185.196.8.118
SHA-256 Hash | 18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286 (the full set of file hashes is listed in Detection Query 3 below)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL indicators):
domainname like "innocents.ru" or siteurl like "innocents.ru" or url like "innocents.ru" or domainname like "cyberstealer.live" or siteurl like "cyberstealer.live" or url like "cyberstealer.live" or domainname like "paxrobot.digital" or siteurl like "paxrobot.digital" or url like "paxrobot.digital" or domainname like "wbarenux.pro" or siteurl like "wbarenux.pro" or url like "wbarenux.pro"

Detection Query 2 (IP address indicators):
dstipaddress IN ("176.65.144.220","185.196.8.118","155.94.155.220","45.88.91.56") or srcipaddress IN ("176.65.144.220","185.196.8.118","155.94.155.220","45.88.91.56")

Detection Query 3 (SHA-256 file hash indicators):
sha256hash IN ("6dfc7d78db71dc50bacd7840b130e25c6ea287bd53ebb7e70afc42dfd05711e1","1f9b6ce9d5af66b1b50f1fa0bacca7108e4ce5152753224c5ae497fbd836d47f","4eb8b4dda0dfcf21456103f68b65673fd4aab1c8e585b09b5f184ddcef809f9d","ecdd87c60972d680b26ace08cef2660a71491302299d55645c2f4ed165e80af2","96f48c3d70d0f3f246667cdd3c5da3f7a682ae5704448c4ea5cfce51d04fbc2e","a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682","73a8f3597439cd59e1ad3257f5cc3408f4fd460306801a34bb07a11a549a292a","8c69d039d9f9ff29f7fccab7056b1569d135675b7dc53cfce8f8ea8366642c04","18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286","2de64ef4eb0eccff6469604cdd787bc89f205c7f901ca7df36d65e8517f8863f","26fa2fe4d2dbe9a1ea0e27a95fd40f8db5c920b45863a89c55bb15cac6d692b6","41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82")
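The three queries above express one idea: compare the domain/URL, source/destination IP and SHA-256 fields of each log record against the IOC set. The script below is an added example (not Gurucul's code and not part of the original advisory) that applies the same three rules to a handful of constructed log records, so the logic can be checked offline before it is loaded into a SIEM. It assumes the domain rule is meant as a host-or-subdomain match (so `cdn.paxrobot.digital` matches but `notinnocents.ru` does not) and that hash comparison is case-insensitive; both are assumptions about the intended semantics of `like`, not a statement about how the Gurucul query language evaluates it. The field names mirror the queries; the sample records are constructed for illustration.

```python
"""Apply the advisory's three IOC rules to constructed log records (added example)."""
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list and detection queries.
IOC_DOMAINS = {"cyberstealer.live", "innocents.ru", "paxrobot.digital", "wbarenux.pro"}
IOC_IPS = {"45.88.91.56", "176.65.144.220", "155.94.155.220", "185.196.8.118"}
IOC_SHA256 = {
    "6dfc7d78db71dc50bacd7840b130e25c6ea287bd53ebb7e70afc42dfd05711e1",
    "1f9b6ce9d5af66b1b50f1fa0bacca7108e4ce5152753224c5ae497fbd836d47f",
    "4eb8b4dda0dfcf21456103f68b65673fd4aab1c8e585b09b5f184ddcef809f9d",
    "ecdd87c60972d680b26ace08cef2660a71491302299d55645c2f4ed165e80af2",
    "96f48c3d70d0f3f246667cdd3c5da3f7a682ae5704448c4ea5cfce51d04fbc2e",
    "a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682",
    "73a8f3597439cd59e1ad3257f5cc3408f4fd460306801a34bb07a11a549a292a",
    "8c69d039d9f9ff29f7fccab7056b1569d135675b7dc53cfce8f8ea8366642c04",
    "18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286",
    "2de64ef4eb0eccff6469604cdd787bc89f205c7f901ca7df36d65e8517f8863f",
    "26fa2fe4d2dbe9a1ea0e27a95fd40f8db5c920b45863a89c55bb15cac6d692b6",
    "41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82",
}

# Field names taken from the detection queries.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")


def host_of(value: str) -> str:
    """Reduce a URL or bare hostname to its lowercase host part."""
    v = value.strip().lower()
    if "://" in v:
        return urlparse(v).hostname or ""
    # Bare host, possibly with a port or path appended.
    return v.split("/", 1)[0].split(":", 1)[0]


def domain_hit(host: str) -> bool:
    """True when host equals an IOC domain or is a subdomain of one (assumed semantics)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_record(record: dict) -> list:
    """Return (rule, field, value) tuples for every IOC rule the record triggers."""
    hits = []
    for field in DOMAIN_FIELDS:                      # Detection Query 1
        val = record.get(field)
        if val and domain_hit(host_of(val)):
            hits.append(("Query1-domain", field, val))
    for field in IP_FIELDS:                          # Detection Query 2
        val = record.get(field)
        if val and val.strip() in IOC_IPS:
            hits.append(("Query2-ip", field, val))
    val = record.get("sha256hash")                   # Detection Query 3
    if val and val.strip().lower() in IOC_SHA256:
        hits.append(("Query3-hash", "sha256hash", val))
    return hits


def scan(records: list) -> list:
    """Run match_record over a list of records; returns (record_index, hit) pairs."""
    return [(i, hit) for i, rec in enumerate(records) for hit in match_record(rec)]


# Constructed sample records (not real telemetry) exercising each rule and one near-miss.
SAMPLE_LOGS = [
    {"url": "https://innocents.ru/panel/gate.php", "srcipaddress": "10.0.0.5",
     "dstipaddress": "176.65.144.220"},               # domain + destination IP
    {"domainname": "updates.example.com", "dstipaddress": "8.8.8.8"},  # clean
    {"sha256hash": "18DF26240ECDB39D14567B219A38A3F022B09D3881A729417F04AD3D0FC62286"},
    {"domainname": "notinnocents.ru"},                # must NOT match (no label boundary)
    {"siteurl": "cdn.paxrobot.digital"},              # subdomain of an IOC domain
]

if __name__ == "__main__":
    for idx, (rule, field, value) in scan(SAMPLE_LOGS):
        print(f"record {idx}: {rule} on {field}={value}")
```

Running it prints four hits across records 0, 2 and 4 and nothing for the clean record or the `notinnocents.ru` near-miss. When porting the domain rule into a SIEM, confirm whether that platform's `like` performs an exact, substring or wildcard comparison, since a bare substring match would also flag `notinnocents.ru`.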
Reference:
https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features