
FleshStealer: New Infostealer Targeting Chrome and Mozilla Users


Flashpoint analysts have uncovered a new and highly sophisticated malware variant known as “FleshStealer.”

This credential-stealing malware, first detected in September 2024, is quickly gaining traction in the cybercrime ecosystem with advanced evasion techniques, aggressive data harvesting capabilities, and a focus on bypassing modern security measures.

The rise of FleshStealer highlights a concerning trend in 2025, as infostealers remain one of the most pervasive threats to organizations worldwide.

The emergence of FleshStealer underscores the growing prevalence of credential theft, often leading to ransomware attacks and data breaches.

According to Flashpoint, malware of this type has already compromised over 18 million devices globally and exposed sensitive data from approximately 2.4 billion accounts in the last year alone.

Yet FleshStealer stands apart due to its technical sophistication and ability to evade detection, making it a formidable challenge for security teams.

Dissecting FleshStealer’s Capabilities

FleshStealer is a C#-based infostealer that operates through a web-based control panel.

[Figure: FleshStealer web panel, written in .NET, detecting virtual machines.]

Unlike its predecessors, it employs encryption techniques to avoid detection and can terminate itself when faced with debugging or forensic analysis.

Additionally, it leverages virtualization detection to identify virtual machine (VM) environments and refuses to execute in sandboxed conditions, a clear indication of its creators' intent to bypass security research methodologies.

The malware is highly targeted and efficient. At only 150 to 300 kilobytes, it operates discreetly, extracting data from over 70 browser extensions and leveraging stolen browser cookies to reset Google sessions.

[Figure: FleshStealer enumerating the file system for installed browsers.]

Its targets include browsers like Chrome and Firefox as well as two-factor authentication (2FA) plugins, crypto wallets, and collaboration platforms like Discord.

Notably, it provides 24/7 technical support to its operators, reflecting a professional and organized approach to malware as a service (MaaS).

Tactics, Techniques, and Procedures (TTPs)

Flashpoint has documented FleshStealer’s operational TTPs, many of which demonstrate advanced evasion and persistence strategies.

For instance, it uses boot or logon autostart execution (T1547) to gain administrative privileges stealthily via legitimate Windows utilities.

By modifying system registry keys, FleshStealer bypasses User Account Control (UAC) and reduces the likelihood of detection. Moreover, its obfuscation techniques (T1027) mask its operations, while virtualization evasion (T1497) ensures it avoids sandbox environments.

On infected devices, FleshStealer performs process discovery (T1057) to locate browser processes storing sensitive user credentials or session tokens.

It then archives these data sets efficiently, enabling streamlined exfiltration through encrypted communication channels (T1567).

The lightweight malware minimizes its network footprint during data exfiltration, effectively bypassing traditional network defenses and making detection challenging for most enterprises.

The rise of FleshStealer marks a significant evolution in the infostealer threat landscape. Its ability to target sensitive data while evading analysis makes it a clear danger for enterprises.

Flashpoint analysts predict continued development and refinement of this malware by threat actors, increasing its impact across industries.

To counter threats like FleshStealer, organizations must adopt a proactive cybersecurity stance.

Leveraging threat intelligence platforms, such as Flashpoint Ignite, can provide critical insights into malicious activity and enable swift mitigation of risks.

By monitoring stealer logs and trends, companies can better protect against stolen credentials and other forms of data exploitation.

Security teams are encouraged to stay informed on emerging threats and invest in robust defense strategies to prepare for the evolving landscape of cybercrime in 2025.
