Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DeerStealer

108
Global rank
98 infographic chevron month
Month rank
93 infographic chevron week
Week rank
0
IOCs

DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

Stealer
Type
Unknown
Origin
1 June, 2024
First seen
22 January, 2025
Last seen

How to analyze DeerStealer with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
22 January, 2025
Last seen

IOCs

IP addresses
154.216.17.4
Domains
interactiedovspm.shop
deicedosmzj.shop
consciousourwi.shop
potentioallykeos.shop
weiggheticulop.shop
cagedwifedsozm.shop
charecteristicdxp.shop
southedhiscuso.shop
updateb.site
authetificator-gogle.com
gg2024.com
gg2024.info
authenticcator-descktop.com
updater-pro.com
Last Seen at

Recent blog posts

post image
How to Prevent a Ransomware Attack on a Busin...
watchers 928
comments 0
post image
How Threat Intelligence Lookup Helps Enterpri...
watchers 985
comments 0
post image
InvisibleFerret Malware: Technical Analysis
watchers 6775
comments 0

What is DeerStealer malware?

DeerStealer is a relatively new info-stealing malware that emerged in 2024, targeting sensitive data like login credentials, browser history, and cryptocurrency wallet details.

Unlike more established stealers, DeerStealer has quickly gained attention due to its innovative distribution methods, including fake websites mimicking legitimate services like Google Authenticator. These sites trick users into downloading malware under the guise of security software.

The malware has been linked to malicious campaigns that target individual users as well as organizations, and it’s speculated to share similarities with other stealer malware like XFiles.

In addition to exfiltrating data, DeerStealer persists on infected systems by modifying registry keys, enabling it to survive reboots and remain active.

This persistence, combined with its focus on browser exploitation and cryptocurrency theft, makes DeerStealer a significant risk, particularly to users managing sensitive online accounts and assets.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DeerStealer malware technical details

The primary functionality and features of DeerStealer malware include:

  • Extraction of credentials from web browsers, email clients, and cryptocurrency wallets.
  • Modification of registry keys to reinfect the system after reboot, ensuring long-term access.
  • Obfuscation techniques to avoid detection by security tools, making it harder to analyze.
  • Delivery via phishing emails, malicious Google ads, and fake websites mimicking legitimate services, including Google Authenticator sites.
  • Communication with a command-and-control server via POST requests to send stolen data, often using encrypted communication through simple XOR encryption.

In some DeerStealer campaigns, attackers use a Telegram bot to send information about infected systems, such as IP addresses and country.

When victims land on a fake website (like a Google Authenticator download page), their IP address and country are sent to a Telegram bot. This bot, named "Tuc-tuc," helps attackers track the locations of infected users and coordinate further actions.

Telegram serves as a secure and anonymous medium for logging victim data, making it easier for the attackers to monitor their phishing campaigns without detection.

DeerStealer execution process

To see how DeerStealer operates, let’s upload its sample to the ANY.RUN sandbox.

DeerStealer is commonly distributed via fake websites that mimic legitimate services, such as Google Authenticator. When users attempt to download the application from these sites, their information, such as IP address and country, is sent to a Telegram bot.

The malware itself is hosted on platforms like GitHub and is designed to run directly in memory without leaving traces on disk.

DeerStealer fake website Fake website mimicking Google Authenticator analyzed inside ANY.RUN’s sandbox

Upon execution, it launches a Delphi-based application that serves as a launcher for the final payload.

To evade detection, the payload employs obfuscation techniques and runs entirely in memory, making it difficult for traditional antivirus solutions to identify.

Before initiating its malicious activities, DeerStealer performs checks to confirm it's not operating in a sandbox or virtual environment. It collects hardware identifiers (HWID) and transmits them to its command and control (C2) server. If the checks are passed, the malware retrieves a list of target applications and keywords from the server.

DeerStealer process graph DeerStealer process graph displayed in the ANY.RUN sandbox

DeerStealer scans the infected system for sensitive information, such as cryptocurrency wallet credentials, browser-stored passwords, and other personal data. The stolen data is organized into a structured format, often JSON, before being exfiltrated.

The exfiltration occurs through POST requests, typically sent over encrypted channels to bypass network monitoring tools. To maintain persistence, DeerStealer may establish scheduled tasks or modify startup configurations, enabling it to execute automatically upon system reboot.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DeerStealer malware distribution methods

DeerStealer is primarily distributed through various deceptive techniques that aim to trick users into downloading malware. Some of the key distribution methods include:

  • Phishing emails: Attackers send emails that appear legitimate, often containing malicious attachments or links. These attachments can be disguised as Word documents or compressed files (e.g., .zip or .rar), which, once opened, deploy the malware.
  • Malvertising: Cybercriminals use malicious advertisements that romote legitimate services like Google Authenticator. When users click on these ads, they are redirected to fraudulent websites that prompt them to download DeerStealer.
  • Fake websites: Attackers create websites that mimic legitimate services, particularly focusing on fake Google Authenticator sites. These websites trick users into downloading infected files disguised as legitimate software.
  • Software cracks: It has also been observed in pirated software downloads, where users download what appears to be legitimate software, only to infect their systems with DeerStealer.

Gathering threat intelligence on DeerStealer malware

To collect up-to-date intelligence on DeerStealer, you can utilize Threat Intelligence Lookup from ANY.RUN.

This tool gives access to a comprehensive database filled with insights from millions of malware analysis sessions. Using over 40 customizable search parameters, such as IPs, domains, file names, and process artifacts, it allows you to uncover important details about threats like DeerStealer.

DeerStealer TI Lookup results Search results for DeerStealer in Threat Intelligence Lookup

For instance, by searching for DeerStealer’s name or using a related indicator, such as a domain or process artifact (threatName:"DeerStealer", Threat Intelligence Lookup will display all relevant samples and sandbox results associated with the malware.

Get your 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.

Conclusion

DeerStealer is a serious threat, capable of stealing login credentials, browser data, and cryptocurrency information. Its distribution through fake websites makes it difficult to detect. It’s important to analyze suspicious files and URLs to protect against DeerStealer and similar malware.

ANY.RUN provides a real-time sandbox for analyzing malware behavior and allows its users to quickly identify threats, gathering key indicators of compromise (IOCs)

Sign up for a free ANY.RUN account today and start analyzing all the emerging threats with no limits!

HAVE A LOOK AT

Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More
Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More