Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection

    Date: 09/16/2025

    Severity: High

    Summary

    Maranhão Stealer is spreading through social engineering sites that offer pirated software, cracked games, and cheats, using cloud services for delivery. Written in Node.js and packaged with Inno Setup, it mirrors trends seen in modern stealer campaigns. The malware establishes persistence via Run registry keys and scheduled tasks, hiding its files with system and hidden attributes. It performs in-depth host profiling and uses DLL injection to steal credentials, cookies, browsing history, and wallet data from browsers. Exfiltrated data is sent to attacker-controlled servers through maranhaogang[.]fun APIs for tracking, monitoring, and data theft.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://api.maranhaogang.fun/infect

    https://api.maranhaogang.fun:443/socket.io/?id=undefined&EIO=4&transport=

    https://api.maranhaogang.fun/victim

    https://api.maranhaogang.fun/upload

    api.maranhaogang.fun

    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "https://api.maranhaogang.fun/infect"
    or url like "https://api.maranhaogang.fun/infect"
    or siteurl like "https://api.maranhaogang.fun/infect"
    or domainname like "https://api.maranhaogang.fun:443/socket.io/?id=undefined&EIO=4&transport="
    or url like "https://api.maranhaogang.fun:443/socket.io/?id=undefined&EIO=4&transport="
    or siteurl like "https://api.maranhaogang.fun:443/socket.io/?id=undefined&EIO=4&transport="
    or domainname like "https://api.maranhaogang.fun/victim"
    or url like "https://api.maranhaogang.fun/victim"
    or siteurl like "https://api.maranhaogang.fun/victim"
    or domainname like "https://api.maranhaogang.fun/upload"
    or url like "https://api.maranhaogang.fun/upload"
    or siteurl like "https://api.maranhaogang.fun/upload"
    or domainname like "api.maranhaogang.fun"
    or url like "api.maranhaogang.fun"
    or siteurl like "api.maranhaogang.fun"

    Hash :

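    The detection queries above key on the advisory's host and URL indicators. As an added example that is not part of the advisory or of Gurucul's product, the Python below applies the same indicators to proxy-log records after canonicalising URLs, so the ":443" form listed for the socket.io endpoint also matches the port-less form most proxies record. The JSON log lines and the field names src, domainname and url are constructed for illustration.

```python
"""Match proxy-log records against the Maranhão Stealer network IOCs
from this advisory. Log lines and field names below are constructed."""
import json
from urllib.parse import urlsplit

# Network indicators taken from the advisory's IOC list.
IOC_HOSTS = {"api.maranhaogang.fun"}
IOC_URL_PREFIXES = (
    "https://api.maranhaogang.fun/infect",
    "https://api.maranhaogang.fun/victim",
    "https://api.maranhaogang.fun/upload",
    "https://api.maranhaogang.fun:443/socket.io/?id=undefined&EIO=4&transport=",
)

def canonical_url(url):
    """Lowercase scheme/host and drop an explicit default port, so the ':443'
    form in the IOC list and the port-less form a proxy logs compare equal."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    if p.port and not ((p.scheme == "https" and p.port == 443)
                       or (p.scheme == "http" and p.port == 80)):
        host = f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{p.path or '/'}{query}"

CANON_PREFIXES = tuple(canonical_url(u) for u in IOC_URL_PREFIXES)

def match_record(rec):
    """Return IOC hits for one record (dict with 'domainname' and/or 'url')."""
    hits = []
    url = rec.get("url", "")
    host = (urlsplit(url).hostname or rec.get("domainname", "")).lower()
    if host in IOC_HOSTS:
        hits.append(("host", host))
    if url:
        cu = canonical_url(url)
        for prefix in CANON_PREFIXES:   # prefix match keeps the transport= suffix open
            if cu.startswith(prefix):
                hits.append(("url", prefix))
                break
    return hits

# Constructed sample proxy log (JSON lines); the third record is benign.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "domainname": "api.maranhaogang.fun", "url": "https://api.maranhaogang.fun/infect"}',
    '{"src": "10.0.0.5", "domainname": "api.maranhaogang.fun", "url": "https://api.maranhaogang.fun/socket.io/?id=undefined&EIO=4&transport=polling"}',
    '{"src": "10.0.0.9", "domainname": "example.com", "url": "https://example.com/upload"}',
]

def scan(lines):
    """Parse JSON log lines; return (src, hits) for each record with an IOC hit."""
    return [(r["src"], h) for r in map(json.loads, lines) if (h := match_record(r))]
```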

    Reference:

    https://cyble.com/blog/inside-maranhao-stealer-node-js-powered-infostealer/


    Tags

    Malware, Maranhão Stealer, Infostealer, Social Engineering, Pirated, Exfiltration, DLL
