
MetaStealer


MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Type: Stealer
Origin: Unknown
First seen: 1 March, 2022
Last seen: 29 September, 2025


IOCs



What is MetaStealer malware?

MetaStealer is an information-stealing malware first observed in 2022. Initially announced on underground forums, MetaStealer is available as a malware-as-a-service (MaaS) for a subscription price of $125 per month or $1,000 for lifetime use.

Based on the RedLine stealer codebase, it includes several improvements, making it a more effective tool for credential theft and data exfiltration.

This malware has been distributed mainly through malspam campaigns, often using phishing emails to drop the malicious payload onto the victim's machine.

MetaStealer has been observed in malvertising campaigns and cracked software distributed through compromised YouTube accounts. Its ability to steal login credentials, cryptocurrency wallet information, and browser-stored data has made it a popular choice among cybercriminals.


MetaStealer malware technical details

The primary functionality of MetaStealer malware is to exfiltrate sensitive data from infected systems. Its key features include:

  • Steals login credentials, browser data, and cryptocurrency wallet info.
  • Sends stolen data to a remote command and control server.
  • Targets web browsers and email clients for stored credentials.
  • Modifies registry keys to reinfect systems after reboot.
  • Uses obfuscation to avoid detection by antivirus tools.
  • Spreads via phishing emails, malvertising, and cracked software.
  • Focuses on exploiting browsers to steal saved login info.
  • Available for subscription, making it widely accessible to attackers.
  • Can install additional malware on infected systems.

Once executed, MetaStealer is capable of establishing persistence on the infected system by modifying registry keys, making sure that it can reinfect the machine after a reboot. This persistence mechanism helps attackers maintain prolonged access to compromised systems.

MetaStealer's focus on browser exploitation is particularly dangerous, as it targets saved login credentials, autofill data, cookies, and other session information stored in web browsers. This gives attackers the ability to access a wide range of online accounts, from social media to financial services, without needing direct interaction from the victim.

MetaStealer malware execution process

To see how MetaStealer operates, let’s upload its sample to the ANY.RUN sandbox.

Figure: MetaStealer process graph shown in the ANY.RUN sandbox

Upon execution, MetaStealer may retrieve information about the operating system using winver.exe. It then duplicates itself, creating a copy that is placed in the local application data directory (%localappdata%\Microsoft\windows) and executed to maintain persistence.

To evade detection by Windows Defender, the malware may employ a PowerShell command to add exclusions for certain file types, allowing it to execute without triggering antivirus alerts. This command specifically targets executable files, facilitating the malware's operation without hindrance.

MetaStealer then collects extensive system details by executing systeminfo.exe.

Following this, it focuses on extracting sensitive information from installed web browsers, such as autofill data, cookies, and login credentials. This information is crucial for attackers as it can provide access to various online accounts and services.

After gathering the necessary information, MetaStealer prepares to send the stolen data back to the attackers, typically by establishing a connection to remote servers where the collected information is transmitted.

The exact mechanisms for exfiltration can vary but often involve HTTP POST requests to predefined command and control (C&C) servers.

In our example task, MetaStealer injects itself into the RegAsm system process to evade process-based defenses and possibly elevate privileges. The injected process attempted to connect to the C2 server, triggering a Suricata rule.

In some cases, the malware may arrive on the system alongside legitimate software, masquerading to avoid suspicion.
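The execution chain above (self-copy into %localappdata%\Microsoft\windows, a PowerShell Defender exclusion, winver.exe/systeminfo.exe recon, and RegAsm.exe launched from the copied binary) lends itself to a chain-level detection rather than single-event alerts. The following is an added example, not ANY.RUN's code: it scores constructed Sysmon-style process-creation events per process tree; it assumes the exclusion is set with Add-MpPreference -ExclusionExtension, which the article does not state, and the paths and pids are made up.

```python
import re

# Constructed Sysmon-style process-creation events (not a real capture).
SAMPLE_EVENTS = [
    {"pid": 4010, "ppid": 3300, "image": r"C:\Users\u\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"pid": 4011, "ppid": 4010, "image": r"C:\Windows\System32\winver.exe", "cmdline": "winver.exe"},
    {"pid": 4020, "ppid": 4010, "image": r"C:\Users\u\AppData\Local\Microsoft\windows\setup.exe",
     "cmdline": "setup.exe"},
    {"pid": 4021, "ppid": 4020, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionExtension ".exe"'},  # assumed cmdlet
    {"pid": 4022, "ppid": 4020, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"pid": 4023, "ppid": 4020, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\", re.I)
LOCALAPPDATA_COPY = re.compile(r"\\AppData\\Local\\Microsoft\\windows\\[^\\]+\.exe$", re.I)

def classify(ev, by_pid):
    """Indicator names matched by one event; the parent is looked up by ppid."""
    image, cmd, parent = ev["image"].lower(), ev["cmdline"], by_pid.get(ev["ppid"])
    hits = []
    if LOCALAPPDATA_COPY.search(ev["image"]):
        hits.append("self_copy_localappdata")
    if image.endswith("\\powershell.exe") and re.search(r"add-mppreference.*exclusion", cmd, re.I):
        hits.append("defender_exclusion")
    if image.endswith(("\\systeminfo.exe", "\\winver.exe")):
        hits.append("system_recon")
    # RegAsm.exe is a legitimate .NET tool; flag it only when its parent runs from a user-writable path.
    if image.endswith("\\regasm.exe") and parent and USER_WRITABLE.search(parent["image"]):
        hits.append("regasm_from_user_path")
    return hits

def root_of(ev, by_pid):
    # Walk ppid links up to the top-most process present in the event set.
    while ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
    return ev["pid"]

def score_chains(events):
    """Map each root pid to the set of indicators seen anywhere in its process tree."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        for hit in classify(e, by_pid):
            chains.setdefault(root_of(e, by_pid), set()).add(hit)
    return chains

def suspicious_roots(events, min_indicators=3):
    """Roots whose tree shows at least min_indicators distinct behaviours from the chain."""
    return sorted(r for r, hits in score_chains(events).items() if len(hits) >= min_indicators)
```

Requiring several distinct indicators in one tree keeps a lone winver.exe or systeminfo.exe run from alerting on its own.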


MetaStealer malware distribution methods

MetaStealer is distributed through various methods, with attackers using different tactics to target victims. Some of the key distribution methods include:

  • Phishing emails with malicious attachments: One of the most common methods, MetaStealer is often delivered via phishing emails containing malicious attachments such as Word documents (.doc/.docx) or compressed files (.zip/.rar). These files may contain macros or embedded executables that launch the malware.
  • Malicious links: Emails can also include links that redirect the user to a malicious site where the malware is downloaded, disguised as legitimate software or documents.
  • Malvertising: Attackers sometimes use malicious online advertisements that lead to infected websites. These websites can either directly download MetaStealer or prompt users to install disguised malicious software.
  • Cracked software: MetaStealer has been found bundled with cracked or pirated software. Users who download software from untrusted sources may inadvertently install the malware along with what they believe to be legitimate applications.
  • Fake websites: Attackers may create fake websites that mimic legitimate ones, prompting users to download infected files or software updates that actually deliver MetaStealer.

Gathering threat intelligence on MetaStealer malware

To collect up-to-date intelligence on MetaStealer, use Threat Intelligence Lookup.

This service provides access to a large database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With more than 40 customizable search parameters, you can find relevant data on threats including elements like IPs, domains, file names, and process artifacts.

Figure: search results for MetaStealer in Threat Intelligence Lookup

For example, to gather intelligence on MetaStealer, you can search directly for its threat name or use a related artifact. By submitting a query like threatName:"MetaStealer", TI Lookup will bring up all associated samples and sandbox results relevant to this malware.


Conclusion

MetaStealer poses a significant threat due to its ability to steal credentials and spread through various distribution methods. It’s crucial to proactively analyze suspicious files and URLs to protect against this and similar malware.

ANY.RUN offers real-time threat analysis, letting users investigate suspicious files, track malware behavior, and collect actionable intelligence to improve security defenses.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!
