
MassLogger


MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed to be easy to use for less tech-savvy actors and is notable for its ability to spread via USB drives. It targets both individuals and organizations across various industries, mostly in Europe and the USA.

Type: Keylogger
Origin: Unknown
First seen: 4 January, 2020
Last seen: 24 September, 2025

How to analyze MassLogger with ANY.RUN




What is MassLogger malware?

MassLogger is a sophisticated .NET-based malware classified as a credential stealer and keylogger, first observed in April 2020. It has since evolved through regular updates from its creator, known as NYANxCAT, who is also linked to other malware such as LimeRAT and AsyncRAT.

Its high configurability, evasion techniques, and broad targeting capabilities, as well as the price of approximately $100, made it a popular item on dark web forums. It affects both individual users and organizations, with campaigns targeting industries like manufacturing, banking, and logistics across regions such as Europe (Turkey, Latvia, Italy, etc.), the U.S., and beyond.

MassLogger typically infiltrates networks through social engineering, most often via phishing emails. These emails may target business users and masquerade as legitimate correspondence, such as procurement requests, shipping notices (e.g., referencing companies like Maersk), or other professional communications.

It can also spread via USB drives by injecting itself into files, infecting new systems when those files are opened.

In some campaigns, MassLogger has been distributed via compiled HTML files (.chm), which, when opened, execute embedded JavaScript to initiate the infection chain.

The infection chain is often multi-staged, involving scripting languages like PowerShell and .NET assemblies, making it harder to trace back to the initial vector.

[Figure: TTPs of MassLogger attacks, showing MassLogger tactics and techniques via the MITRE ATT&CK Matrix]

MassLogger is highly efficient at collecting and exfiltrating data. It extracts credentials from a wide range of applications, including web browsers (Chrome, Firefox, Edge), email clients (Outlook, Thunderbird, Foxmail), messaging apps (Discord, Telegram, Pidgin), VPN services (NordVPN), and FTP clients (FileZilla). It can also extract cryptocurrency wallet data.

It also performs keylogging, clipboard monitoring, screen capture, and system reconnaissance via WMI queries.


MassLogger Stealer’s prominent features

  • Abuses USB drives to infiltrate systems via infected files
  • Can operate without persistence mechanisms, which lets it reach its goals faster and reduces its detectable footprint
  • Extracts data from a wide range of apps, including browsers, messengers, VPNs, and network clients
  • Available as a Malware-as-a-Service (MaaS) tool for $100, which amplifies its reach
  • Its focus on fresh session cookies and 2FA bypass (via anti-detect browsers) heightens its threat to modern authentication systems

MassLogger execution process and technical details

The full range of MassLogger's behavior is illustrated by fresh malware samples and analyses in ANY.RUN's Interactive Sandbox. Let's look at one of the recent analysis sessions.

See MassLogger’s sample in action

The intrusion often begins with a phishing email containing a malicious attachment — typically a RAR-compressed archive with an unusual filename extension, such as .chm or .pif — used to bypass email filters. In the past, Microsoft Office files were also commonly used.

The main payload is a variant of the MassLogger Trojan, designed to retrieve and exfiltrate user credentials from various applications, including web browsers, email clients, and VPNs. After the payload is decrypted, MassLogger parses its configuration to target specific applications.

[Figure: MassLogger's process in ANY.RUN, showing MassLogger acting in the system and the malicious process detected by the sandbox]

In some cases, it may be configured as a keylogger, though this functionality is often disabled depending on the campaign. The malware collects credentials from targeted applications and stores them in a log file — typically named Log.txt — in a temporary directory within %APPDATA%. Sometimes, it sends stolen information directly from memory without writing it to disk.

The stolen credentials are exfiltrated using methods such as FTP (File Transfer Protocol) or SMTP (Simple Mail Transfer Protocol). In certain scenarios, the data is sent via email to a compromised mailbox, encoded in Base64. MassLogger generally does not persist on the system after execution, meaning it does not install components that would automatically restart upon a system reboot. It also does not request updates from the threat actor over time, making it a relatively straightforward yet effective credential-stealing tool.
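The two behaviors described above, a Log.txt dropped under %APPDATA% followed by outbound SMTP or FTP from a process that is not a mail or FTP client, can be turned into a simple correlation rule. The following Python is an added example, not ANY.RUN's or the malware's code; it runs over constructed sandbox-style telemetry and the process allowlist is an assumption to tune per environment.

```python
"""Heuristic detection of MassLogger-style exfiltration over process/network events."""
import re

# Assumed allowlist of processes expected to speak SMTP/FTP legitimately; tune per environment.
MAIL_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe"}
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}
# Log.txt written in a subdirectory under %APPDATA% (Roaming), as described for MassLogger.
LOG_PATH_RE = re.compile(r"\\AppData\\Roaming\\.*\\Log\.txt$", re.IGNORECASE)

# Constructed sample telemetry, not from a real session: (timestamp, pid, process, event, detail)
SAMPLE_EVENTS = [
    (1, 4100, "outlook.exe", "net_connect", 587),
    (2, 5220, "invoice.pif", "file_write", r"C:\Users\bob\AppData\Roaming\Tmp1\Log.txt"),
    (3, 5220, "invoice.pif", "net_connect", 587),
    (4, 6010, "filezilla.exe", "net_connect", 21),
    (5, 7333, "quote.exe", "net_connect", 21),
    (6, 8100, "notepad.exe", "file_write", r"C:\Users\bob\Desktop\Log.txt"),
]


def detect(events):
    """Return alerts as (pid, process, severity, reason), in event order."""
    wrote_log = set()  # pids that dropped Log.txt under %APPDATA%
    alerts = []
    for _ts, pid, proc, kind, detail in sorted(events):
        if kind == "file_write" and LOG_PATH_RE.search(detail):
            wrote_log.add(pid)
        elif kind == "net_connect" and proc.lower() not in MAIL_FTP_CLIENTS:
            proto = "SMTP" if detail in SMTP_PORTS else "FTP" if detail in FTP_PORTS else None
            if proto is None:
                continue
            if pid in wrote_log:
                # Both stages seen from the same pid: strongest signal for this stealer.
                alerts.append((pid, proc, "high", f"Log.txt under %APPDATA% then outbound {proto}"))
            else:
                # In-memory exfiltration writes nothing to disk, so SMTP/FTP from an
                # unexpected process is still worth a medium-severity alert.
                alerts.append((pid, proc, "medium", f"outbound {proto} from non-mail/FTP process"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```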

MassLogger employs several advanced evasion techniques:

  • Obfuscation: Its .NET code is heavily obfuscated, using techniques like polymorphic string encryption, hash-based import resolution, and indirect method calls to hide its control flow from static analysis. Tools like de4dot can partially deobfuscate it, but the latest versions (e.g., v3) use complex interpreters and uninitialized field calls.
  • Anti-Analysis: It checks for virtualization or sandbox environments and terminates if detected. It also looks for security software like Avast or AVG, halting execution if found.
  • Dynamic Execution: By replacing Microsoft Intermediate Language (MSIL) at runtime, it thwarts static analysis tools like dnSpy, requiring dynamic analysis to reveal its true behavior.
  • Fileless Techniques: Operating in memory rather than writing to disk minimizes detectable artifacts.
  • Encrypted Configuration: Its configuration (e.g., C2 server details) is encrypted within the payload, decrypted only at runtime using standard .NET cryptographic functions.
  • Legitimate Traffic Mimicry: Exfiltration over SMTP or FTP blends with normal network traffic, avoiding suspicion from basic monitoring tools.

These tactics make MassLogger a "noisy" yet stealthy stealer, balancing aggressive data theft with efforts to remain undetected.


What are the examples of successful MassLogger campaigns?

  • Compiled HTML (CHM) Campaign (Early 2021): Cisco Talos documented a significant MassLogger campaign notable for its use of Microsoft Compiled HTML Help (.CHM) files as the initial infection vector. This marked a shift from earlier delivery methods, showcasing the malware’s adaptability. Attackers sent phishing emails with subjects like “Domestic customer inquiry” or “MOU Information,” targeting users in Europe. The emails contained RAR attachments that, when extracted, revealed .CHM files embedding JavaScript to launch the infection chain.
  • Procurement-Themed Phishing Wave (August 2021): Cyberint Research identified a series of campaigns in August 2021 targeting manufacturing and banking sectors, particularly in Europe, with phishing emails disguised as procurement requests. Emails included attachments like RAR files or Office documents with macros, delivering MassLogger to steal credentials from browsers, email clients, and VPN services. The malware exfiltrated data via SMTP to compromised mailboxes, storing stolen information in a "Log.txt" file in the %APPDATA% directory.
  • XLS-Based Industrial Targeting (March 2025): A recent campaign, noted in posts on X around March 30, 2025, involved phishing emails with fake procurement themes and malicious Excel (.XLS) files distributing MassLogger. It focused on stealing sensitive data from business applications, with exfiltration via SMTP or HTTP to attacker-controlled servers. The global scope and industrial focus suggested a continuation of MassLogger’s evolution into a tool for both broad and targeted attacks, potentially linked to initial access brokers supplying larger cybercrime groups.

These campaigns highlight MassLogger’s key strengths: its configurability, low entry cost, and evasion tactics like obfuscation, fileless execution, and anti-analysis checks. Unlike headline-grabbing ransomware attacks, MassLogger’s impact is often quieter but insidious, focusing on credential theft that can lead to downstream breaches.

Gathering threat intelligence on MassLogger

Threat intelligence is a major help in proactively defending against MassLogger. Use ANY.RUN's Threat Intelligence Lookup to gather IOCs, study attackers' TTPs, and preempt incidents by blocking known C2 infrastructure.

Start by searching for MassLogger by name in TI Lookup and explore the malicious samples that the cybersecurity community has encountered using ANY.RUN's tools.

threatName:"masslogger"

[Figure: MassLogger search results in TI Lookup, showing MassLogger samples submitted to the Sandbox and filtered via TI Lookup]

Explore each session to collect new IOCs and use them for further research. Enrich your monitoring and detection systems with the harvested indicators.

[Figure: MassLogger's IOCs in the Sandbox; click the IOC button in the top right block of the analysis view to open them]


Conclusion

MassLogger’s combination of accessibility, evasion tactics, and broad data theft capabilities makes it a formidable threat. Its reliance on phishing and fileless execution demands robust email security and endpoint protection, while its stealth requires advanced threat intelligence to stay ahead of evolving campaigns.

By combining behavioral detection, network monitoring, and proactive intelligence-driven countermeasures, organizations can effectively mitigate its risks.
