
SVCStealer


SVCStealer is an information-stealing malware targeting sensitive user data through spear-phishing email attachments. It systematically extracts credentials, financial data, and system information from various applications, including browsers and messaging platforms.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2025
Last seen: 7 August, 2025


IOCs

IP addresses
176.113.115.149
185.39.17.158
194.38.21.76
185.39.17.233
Domains
diamotrix.online
diamotrix.club
diamotrix.world

What is SVCStealer?

SVCStealer, an information-stealing malware, was first identified in late January 2025 by SEQRITE researchers. It is written in Microsoft Visual C++ and designed to harvest sensitive data from compromised systems:

  • Login credentials from browsers and other applications.
  • Financial data, such as credit card and cryptocurrency wallet details.
  • Personal files and system information, which can be used for identity theft or sold on dark web forums.
  • Messaging app data from platforms like Discord and Telegram, enabling further social engineering attacks.

SvcStealer targets both individuals and business sectors that hold valuable data, such as finance, telecommunications, and healthcare. It primarily gains access through spear phishing, where malicious email attachments trick users into executing the malware. These attachments often masquerade as legitimate files to exploit user trust. The lures also rely on social engineering, with messages posing as legitimate communications and often mimicking trusted entities like Google Meet or medical centers.

Once executed, the malware establishes a foothold on the victim's system and connects to C2 servers to receive further instructions or exfiltrate data. It does not rely on complex network infiltration but uses phishing as the primary vector.

SvcStealer maintains persistence by continuously beaconing to its C2 server, awaiting further commands, which may include downloading additional payloads.

It does not rely on traditional persistence mechanisms like registry modifications or scheduled tasks but ensures ongoing communication with its C2 server using backup IP addresses if the primary connection fails.


SVCStealer’s Business Impact

  • Data Theft: Loss of sensitive personal and financial information, leading to identity theft, financial fraud, or data sales on underground forums.
  • Operational Disruption: Termination of monitoring processes can hinder system administration, delaying detection and response.
  • Secondary Infections: As a gateway for additional malware, SvcStealer can escalate initial breaches into more severe incidents, such as ransomware or backdoor deployment.
  • Financial Loss: Stolen financial data or cryptocurrency can result in direct financial losses for individuals or organizations.

SVCStealer Execution Process and Technical Details

Although it was discovered only recently, SVCStealer has already been actively researched by users of ANY.RUN’s Interactive Sandbox, who include over 500,000 threat analysts and 15,000 SOC businesses. We can choose a public analysis session of a sample of the stealer and watch its execution chain:


[Figure: SVCStealer sample in ANY.RUN's Interactive Sandbox]

SvcStealer is primarily distributed via spear-phishing emails that contain malicious documents or executables. When executed, it generates a unique 11-character alphanumeric folder name derived from the volume serial number of the infected system’s root directory. This folder is created in either the “C:\ProgramData” or “%AppData%” path. This method ensures that only one instance of the malware runs on the system. If the folder already exists, SvcStealer terminates itself to prevent multiple infections, functioning similarly to a mutex.

[Figure: SVCStealer creates the folder with a name similar to the system name]

Once active, SvcStealer attempts to evade detection by terminating common system monitoring and analysis tools. It targets processes such as Taskmgr.exe, ProcessHacker.exe, procexp.exe, and procexp64.exe. This prevents administrators and security software from identifying its activity.

The malware then begins harvesting sensitive information from the victim’s machine. It collects cryptocurrency wallet data stored in a dedicated “Wallets” folder, along with credentials and data from messaging applications like Discord, Telegram, 64gram, and Tox.

Browser data is also targeted, including content from Google Chrome, Opera, Microsoft Edge, Brave, and other browsers. This browser data often includes saved passwords, credit card details, browsing history, and other stored information. In addition, SvcStealer gathers system information, lists of installed applications, running processes with their process IDs, screenshots of the desktop, and files with specific extensions such as .jpg, .pdf, .docx, and .wallet.

After completing data collection, the malware compresses the harvested information into a ZIP archive within the generated folder. It then attempts to connect to its Command and Control (C2) server over HTTP using port 80. The stolen data is typically exfiltrated via HTTP POST requests. Once the transmission is successful, SvcStealer deletes the ZIP file and other artifacts to cover its tracks and minimize detection.
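The behaviours described above (the 11-character staging folder, termination of monitoring tools, ZIP staging and deletion, HTTP POST on port 80) can be correlated per process in endpoint telemetry. The following is an added example, not code from ANY.RUN or the original page; the event schema, the `threshold` value, the sample events and the assumption that `%AppData%` resolves to `C:\Users\<user>\AppData\Roaming` are all hypothetical.

```python
import re
from collections import defaultdict

# 11 alphanumeric characters directly under C:\ProgramData or a user's %AppData%.
STAGING = re.compile(
    r"^(?:C:\\ProgramData|C:\\Users\\[^\\]+\\AppData\\Roaming)"
    r"\\[A-Za-z0-9]{11}(\\.*)?$", re.IGNORECASE)
# Monitoring tools the page lists as termination targets.
KILLED_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe"}

def behaviours(events):
    """Map each acting process image to the set of page-described behaviours seen."""
    seen = defaultdict(set)
    for ev in events:
        actor, kind = ev["image"].lower(), ev["type"]
        m = STAGING.match(ev.get("path", ""))
        is_zip = bool(m) and ev["path"].lower().endswith(".zip")
        if kind == "dir_create" and m and not m.group(1):
            seen[actor].add("staging_folder")
        elif kind == "file_create" and is_zip:
            seen[actor].add("zip_in_staging")
        elif kind == "file_delete" and is_zip:
            seen[actor].add("zip_deleted")
        elif kind == "proc_terminate" and ev["target"].lower() in KILLED_TOOLS:
            seen[actor].add("kills_monitoring_tool")
        elif kind == "http" and ev["method"] == "POST" and ev["port"] == 80:
            seen[actor].add("http_post_port_80")
    return seen

def suspects(events, threshold=3):
    """Images showing at least `threshold` distinct behaviours (one alone is weak)."""
    return sorted(p for p, b in behaviours(events).items() if len(b) >= threshold)

# Constructed telemetry; field names are a hypothetical normalized schema.
BAD, OK = r"C:\Users\bob\Downloads\invoice.exe", r"C:\Program Files\Tool\backup.exe"
SAMPLE = [
    {"type": "dir_create", "image": BAD, "path": r"C:\ProgramData\A1B2C3D4E5F"},
    {"type": "proc_terminate", "image": BAD, "target": "procexp64.exe"},
    {"type": "file_create", "image": BAD, "path": r"C:\ProgramData\A1B2C3D4E5F\out.zip"},
    {"type": "http", "image": BAD, "method": "POST", "port": 80},
    {"type": "file_delete", "image": BAD, "path": r"C:\ProgramData\A1B2C3D4E5F\out.zip"},
    {"type": "file_create", "image": OK, "path": r"C:\ProgramData\Tool\daily.zip"},
    {"type": "http", "image": OK, "method": "POST", "port": 80},
]

if __name__ == "__main__":
    for image in suspects(SAMPLE):
        print(image, sorted(behaviours(SAMPLE)[image]))
```

Requiring several distinct behaviours from the same process keeps benign software that merely posts over port 80 or happens to use an 11-character folder name below the alerting threshold.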

SvcStealer’s primary focus is data theft rather than extensive lateral movement. However, it can facilitate lateral movement by downloading additional tools or malware (e.g., via C2 commands) that enable network reconnaissance or privilege escalation. Its ability to act as an entry point for secondary payloads suggests potential for lateral movement if instructed by the attacker, though no specific lateral movement tactics are documented.

Gathering Threat Intelligence on SvcStealer

Leverage threat intelligence solutions like ANY.RUN’s TI Lookup to gather indicators of compromise associated with SvcStealer campaigns and block them in your network. You can start your research with the malware’s name and then investigate the IOCs you find using over 40 search parameters in TI Lookup.

threatName:"SVCStealer"

[Figure: Analyses of SVCStealer samples found via TI Lookup]


Conclusion

SVCStealer is a dangerous info-stealer with advanced evasion techniques, primarily targeting credentials and financial data. Defending against it requires a mix of endpoint security, network monitoring, and user awareness. Organizations should employ threat intelligence to stay updated on new variants and attack methods.
