Katz Stealer, a sophisticated infostealer first identified in 2025, is rapidly establishing itself as a leading threat in the cybercriminal ecosystem.
Sold as malware-as-a-service (MaaS), Katz Stealer combines broad credential theft, system fingerprinting, advanced evasion, and persistent infection strategies.
Its technical design leverages multi-layer obfuscation, in-memory execution, and both user- and system-level persistence, making detection and remediation considerably more challenging for defenders.
Modular Infection Chain
Katz Stealer’s infection chain comprises several obfuscated and stealth-enhanced stages.
Initial infection typically occurs via phishing emails or malicious software downloads, embedding an obfuscated JavaScript dropper in GZIP archives.
This dropper employs complex polymorphic string reconstruction and JavaScript type coercion to evade static analysis.
Upon execution, it leverages WScript.Shell to call PowerShell with stealth options, decoding a secondary payload in-memory without writing to disk.
According to the Picus Security report, this PowerShell loader then retrieves a seemingly benign image from remote infrastructure and extracts a concealed, base64-encoded stealer payload that was embedded in the image via steganography.
Using reflection, it loads this code directly into memory through .NET APIs, further minimizing disk artifacts.
A .NET-based loader follows, which performs sandbox and geofencing checks (examining system locale, BIOS data, screen resolution, and uptime) and terminates execution in analysis environments or CIS regions to avoid scrutiny.
If the environment is suitable, the loader exploits a User Account Control (UAC) bypass via cmstp.exe, achieving privilege escalation without prompting the user.
It then schedules tasks for persistence and launches MSBuild.exe, a trusted signed binary, into which it injects its core stealer code via process hollowing.
System Fingerprinting
Once running with escalated privileges, the stealer initiates persistent communication with command-and-control (C2) servers, using both TCP and HTTPS (with custom User-Agent strings, notably containing “katz-ontop”).
It fingerprints the host system and retrieves additional modules for further exploitation.
Katz Stealer is engineered to extract a vast array of credentials and sensitive data:
- Chromium and Gecko-based browser passwords, cookies, and session tokens, circumventing encryption mechanisms by extracting and decrypting master keys within the browser process.
- Cryptocurrency wallet files from both desktop applications and over 150 targeted browser extensions, including Brave’s built-in wallet storage.
- Messaging platform tokens (Discord, Telegram) and game platform accounts.
- VPN, Wi-Fi, and even clipboard data, alongside full screen captures.
An innovative persistence mechanism is deployed via Discord client injection. Katz Stealer modifies Discord’s JavaScript bundle (app.asar), adding code that fetches and executes attacker-supplied JavaScript from a remote server each time Discord starts.
This essentially backdoors Discord, creating a persistent, stealthy foothold for ongoing command execution and data exfiltration.
Discord’s auto-start behavior ensures the backdoor is automatically restored upon system reboot or application restart.
Data exfiltration occurs immediately upon collection, minimizing on-disk traces. Stolen credentials and data are packaged and transmitted via the C2 channel or HTTPS POST, with persistent beaconing and retry behavior for resiliency.
Katz Stealer is distinguished by:
- In-memory execution at every stage, apart from short-lived temporary files and modules (e.g., injected DLLs dropped in Temp directories).
- Use of trusted binaries (MSBuild.exe), obfuscated network communication, and deletion of temporary artifacts after exfiltration.
- Regular updating of C2 infrastructure, module payloads, and evasion patterns through the MaaS platform, allowing rapid adaptation.
Security researchers highlight that detection is possible via monitoring for unique artifacts such as modified Discord files, “katz-ontop” User-Agent substrings in network traffic, and the presence of suspicious temporary DLLs.
Proactive validation, like that offered by security validation platforms, is critical to ensure visibility against browser injection, PowerShell loaders, and credential theft actions performed by sophisticated malware like Katz Stealer.
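As an added example (not code from the article, Picus Security, or any vendor), the following Python triage script checks the host and network artifacts named above: the "katz-ontop" User-Agent substring, the known C2 IPs and domains, the injection DLLs in Temp, the exported browser key files in AppData, and a Discord index.js that references the remote-code domain. The log lines and file paths are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the article's IOC table (defanged brackets removed for matching).
KATZ_UA_MARKER = "katz-ontop"
KATZ_C2_IPS = {"185.107.74.40", "31.177.109.39"}
KATZ_DOMAINS = {"twist2katz.com", "katz-stealer.com", "katzstealer.com",
                "pub-ce02802067934e0eb072f69bf6427bf6.r2.dev"}
KATZ_TEMP_DLLS = {"katz_ontop.dll", "received_dll.dll"}
KATZ_KEY_FILES = {"decrypted_chrome_key.txt", "decrypted_edge_key.txt",
                  "decrypted_brave_key.txt"}

# Constructed proxy log lines: only the second and third carry Katz indicators.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 [01/Jun/2025:10:01:02] "GET /update HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/135.0.0.0 Safari/537.36"',
    '10.0.0.5 [01/Jun/2025:10:01:07] "POST /gate HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/135.0.0.0 Safari/537.36 katz-ontop"',
    '10.0.0.7 [01/Jun/2025:10:02:11] "GET /s2.png HTTP/1.1" 200 '
    '"pub-ce02802067934e0eb072f69bf6427bf6.r2.dev" "Mozilla/5.0"',
]
# Constructed file listing: the third path is a lookalike outside Temp and is not flagged.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\katz_ontop.dll",
    r"C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt",
    r"C:\Program Files\Vendor\received_dll.dll",
]

def scan_proxy_log(lines):
    """Return (line_no, reason) for each log line carrying a Katz network indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if KATZ_UA_MARKER in low:
            hits.append((n, "katz-ontop User-Agent"))
        elif any(d in low for d in KATZ_DOMAINS):
            hits.append((n, "known Katz domain"))
        elif any(ip in line for ip in KATZ_C2_IPS):
            hits.append((n, "known Katz C2 IP"))
    return hits

def scan_file_paths(paths):
    """Flag injection DLLs under a Temp directory and exported browser keys under AppData."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, parents = wp.name.lower(), [part.lower() for part in wp.parts[:-1]]
        if name in KATZ_TEMP_DLLS and "temp" in parents:
            hits.append((p, "Katz browser-injection DLL in Temp"))
        elif name in KATZ_KEY_FILES and "appdata" in parents:
            hits.append((p, "exported browser master key"))
    return hits

def discord_index_is_backdoored(index_js):
    """True if Discord's unpacked index.js references the Katz remote-code domain."""
    return re.search(r"twist2katz\.com", index_js, re.IGNORECASE) is not None
```

Run the three functions over real proxy logs, a recursive listing of user profiles, and the index.js extracted from Discord's app.asar to get a quick yes/no on the artifacts the article lists.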
Indicators of Compromise (IOCs)
| Type | Indicator | Details/Context |
|---|---|---|
| C2 IP | 185.107.74[.]40 | Primary TCP C2 |
| C2 IP | 31.177.109[.]39 | Additional C2 |
| C2 Domain | twist2katz[.]com | Discord client injection remote code server |
| Payload Host | pub-ce02802067934e0eb072f69bf6427bf6[.]r2[.]dev | Cloudflare R2 domain for stage 2/3 payloads |
| Related Domain | katz-stealer[.]com, katzstealer[.]com | Associated campaign infrastructure |
| User-Agent (HTTP) | Mozilla/5.0 ... Chrome/135.0.0.0 Safari/537.36 katz-ontop | Unique to Katz Stealer network traffic |
| File Artifact | katz_ontop.dll, received_dll.dll (Temp directory) | Browser injection modules |
| File Artifact | decrypted_chrome_key.txt, decrypted_edge_key.txt, decrypted_brave_key.txt (AppData) | Exported browser master decryption keys |
| Discord Artifact | Modified app.asar/index.js referencing twist2katz.com | Persistent backdoor via Discord |
| File Hash (SHA-256) | 22af84327cb8ecafa44b51e9499238ca2798cec38c2076b702c60c72505329cb | GZIP dropper |
| File Hash (SHA-256) | e4249cf9557799e8123e0b21b6a4be5ab8b67d56dc5bfad34a1d4e76f7fd2b19 | Obfuscated JS |
| File Hash (SHA-256) | fb2b9163e8edf104b603030cff2dc62fe23d8f158dd90ea483642fce2ceda027 | PowerShell loader |
| File Hash (SHA-256) | 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7 | .NET loader |
| File Hash (SHA-256) | 6dc8e99da68b703e86fa90a8794add87614f254f804a8d5d65927e0676107a9d | katz_ontop.dll, one variant of the injection module |
| File Hash (SHA-256) | e73f6e1f6c28469e14a88a633aef1bc502d2dbb1d4d2dfcaaef7409b8ce6dc99 | katz_ontop.dll, another variant |