Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DeerStealer

114
Global rank
116 infographic chevron month
Month rank
110 infographic chevron week
Week rank
0
IOCs

DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
28 March, 2025
Last seen

How to analyze DeerStealer with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
28 March, 2025
Last seen

IOCs

IP addresses
154.216.17.4
Domains
consciousourwi.shop
southedhiscuso.shop
interactiedovspm.shop
charecteristicdxp.shop
potentioallykeos.shop
weiggheticulop.shop
deicedosmzj.shop
cagedwifedsozm.shop
updateb.site
authetificator-gogle.com
gg2024.com
gg2024.info
authenticcator-descktop.com
updater-pro.com
Last Seen at

Recent blog posts

post image
How to Hunt and Investigate Linux Malware 
watchers 83
comments 0
post image
Salvador Stealer: New Android Malware That Ph...
watchers 1044
comments 0
post image
ANY.RUN Wins Globee Awards 2025 for Outstandi...
watchers 356
comments 0

What is DeerStealer malware?

DeerStealer is a relatively new info-stealing malware that emerged in 2024, targeting sensitive data like login credentials, browser history, and cryptocurrency wallet details.

Unlike more established stealers, DeerStealer has quickly gained attention due to its innovative distribution methods, including fake websites mimicking legitimate services like Google Authenticator. These sites trick users into downloading malware under the guise of security software.

The malware has been linked to malicious campaigns that target individual users as well as organizations, and it’s speculated to share similarities with other stealer malware like XFiles.

In addition to exfiltrating data, DeerStealer persists on infected systems by modifying registry keys, enabling it to survive reboots and remain active.

This persistence, combined with its focus on browser exploitation and cryptocurrency theft, makes DeerStealer a significant risk, particularly to users managing sensitive online accounts and assets.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DeerStealer malware technical details

The primary functionality and features of DeerStealer malware include:

  • Extraction of credentials from web browsers, email clients, and cryptocurrency wallets.
  • Modification of registry keys to reinfect the system after reboot, ensuring long-term access.
  • Obfuscation techniques to avoid detection by security tools, making it harder to analyze.
  • Delivery via phishing emails, malicious Google ads, and fake websites mimicking legitimate services, including Google Authenticator sites.
  • Communication with a command-and-control server via POST requests to send stolen data, often using encrypted communication through simple XOR encryption.

In some DeerStealer campaigns, attackers use a Telegram bot to send information about infected systems, such as IP addresses and country.

When victims land on a fake website (like a Google Authenticator download page), their IP address and country are sent to a Telegram bot. This bot, named "Tuc-tuc," helps attackers track the locations of infected users and coordinate further actions.

Telegram serves as a secure and anonymous medium for logging victim data, making it easier for the attackers to monitor their phishing campaigns without detection.

DeerStealer execution process

To see how DeerStealer operates, let’s upload its sample to the ANY.RUN sandbox.

DeerStealer is commonly distributed via fake websites that mimic legitimate services, such as Google Authenticator. When users attempt to download the application from these sites, their information, such as IP address and country, is sent to a Telegram bot.

The malware itself is hosted on platforms like GitHub and is designed to run directly in memory without leaving traces on disk.

DeerStealer fake website Fake website mimicking Google Authenticator analyzed inside ANY.RUN’s sandbox

Upon execution, it launches a Delphi-based application that serves as a launcher for the final payload.

To evade detection, the payload employs obfuscation techniques and runs entirely in memory, making it difficult for traditional antivirus solutions to identify.

Before initiating its malicious activities, DeerStealer performs checks to confirm it's not operating in a sandbox or virtual environment. It collects hardware identifiers (HWID) and transmits them to its command and control (C2) server. If the checks are passed, the malware retrieves a list of target applications and keywords from the server.

DeerStealer process graph DeerStealer process graph displayed in the ANY.RUN sandbox

DeerStealer scans the infected system for sensitive information, such as cryptocurrency wallet credentials, browser-stored passwords, and other personal data. The stolen data is organized into a structured format, often JSON, before being exfiltrated.

The exfiltration occurs through POST requests, typically sent over encrypted channels to bypass network monitoring tools. To maintain persistence, DeerStealer may establish scheduled tasks or modify startup configurations, enabling it to execute automatically upon system reboot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DeerStealer malware distribution methods

DeerStealer is primarily distributed through various deceptive techniques that aim to trick users into downloading malware. Some of the key distribution methods include:

  • Phishing emails: Attackers send emails that appear legitimate, often containing malicious attachments or links. These attachments can be disguised as Word documents or compressed files (e.g., .zip or .rar), which, once opened, deploy the malware.
  • Malvertising: Cybercriminals use malicious advertisements that romote legitimate services like Google Authenticator. When users click on these ads, they are redirected to fraudulent websites that prompt them to download DeerStealer.
  • Fake websites: Attackers create websites that mimic legitimate services, particularly focusing on fake Google Authenticator sites. These websites trick users into downloading infected files disguised as legitimate software.
  • Software cracks: It has also been observed in pirated software downloads, where users download what appears to be legitimate software, only to infect their systems with DeerStealer.

Gathering threat intelligence on DeerStealer malware

To collect up-to-date intelligence on DeerStealer, you can utilize Threat Intelligence Lookup from ANY.RUN.

This tool gives access to a comprehensive database filled with insights from millions of malware analysis sessions. Using over 40 customizable search parameters, such as IPs, domains, file names, and process artifacts, it allows you to uncover important details about threats like DeerStealer.

DeerStealer TI Lookup results Search results for DeerStealer in Threat Intelligence Lookup

For instance, by searching for DeerStealer’s name or using a related indicator, such as a domain or process artifact (threatName:"DeerStealer", Threat Intelligence Lookup will display all relevant samples and sandbox results associated with the malware.

Get your 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.

Conclusion

DeerStealer is a serious threat, capable of stealing login credentials, browser data, and cryptocurrency information. Its distribution through fake websites makes it difficult to detect. It’s important to analyze suspicious files and URLs to protect against DeerStealer and similar malware.

ANY.RUN provides a real-time sandbox for analyzing malware behavior and allows its users to quickly identify threats, gathering key indicators of compromise (IOCs)

Sign up for a free ANY.RUN account today and start analyzing all the emerging threats with no limits!

HAVE A LOOK AT

Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Ramnit screenshot
Ramnit
ramnit
Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.
Read More