Researchers from Cyble’s threat intelligence team have uncovered a sophisticated malware campaign spreading Maranhão Stealer, an advanced infostealer targeting users lured through websites offering pirated software, cracked game launchers, and gaming cheats.
Threat actors are using social engineering to distribute malicious files such as DerelictSetup.zip and Fnaf Doom.zip via malicious sites like derelictsgame[.]in. The files contain malware written in Node.js and bundled using Inno Setup installers.
Once installed, Maranhão Stealer hides itself in a directory named ‘Microsoft Updater’ under the %localappdata%\Programs path, establishing persistence through Run registry keys and scheduled tasks. The malware then launches its core component, updater.exe, for system reconnaissance and data theft.
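A host-level hunting check for the persistence locations described above, added here as an example and not code from Cyble's report: it inspects the Run keys, scheduled task actions and the %localappdata%\Programs directory for the ‘Microsoft Updater’ path and updater.exe named in the article. The function name and output shape are assumptions.

```powershell
# Added hunting script (not from the Cyble report). The directory name and
# binary name come from the article; the function name is an assumption.
function Find-MaranhaoPersistence {
    [CmdletBinding()]
    param(
        [string]$DirName = 'Microsoft Updater',   # directory reported in the article
        [string]$Binary  = 'updater.exe'          # core component reported in the article
    )
    # Match any command line or action that points into \Programs\Microsoft Updater\
    $pattern = [regex]::Escape("\Programs\$DirName\")
    $hits = @()

    # 1. Run / RunOnce keys, per-user and machine-wide
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
            if ("$($p.Value)" -match $pattern) {
                $hits += [pscustomobject]@{ Source = "Registry: $key"; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # 2. Scheduled tasks whose action executes something from that directory
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                $hits += [pscustomobject]@{ Source = "Task: $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $cmd }
            }
        }
    }

    # 3. The dropped binary itself under %localappdata%\Programs
    $binPath = Join-Path $env:LOCALAPPDATA "Programs\$DirName\$Binary"
    if (Test-Path $binPath) {
        $hits += [pscustomobject]@{ Source = 'Filesystem'; Name = $Binary; Command = $binPath }
    }
    return $hits
}

Find-MaranhaoPersistence | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM key and all users' scheduled tasks are readable; an empty table means none of the article's persistence artefacts were found on that host.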
Cyble says that the malware uses reflective DLL injection to bypass security features like Chrome’s AppBound encryption, enabling it to harvest sensitive data including credentials, cookies, browsing history, and cryptocurrency wallet information from browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
Memory dump analysis also showed that the stealer targets additional browsers and wallet applications depending on the victim’s environment.
The malware communicates with multiple APIs under the domain maranhaogang[.]fun, which researchers believe is used for infection reporting, victim tracking, and data exfiltration.