XehookStealer

XehookStealer is a .NET malware for Windows systems that steals data. It targets Chromium and Gecko browsers and supports over 110 cryptocurrencies and 2FA extensions.

Key Insights

XehookStealer evolved from Agniane Stealer and the Cinoshi project. This looks like a transition from MaaS to more complex tools like XehookStealer.

Distribution Methods

Malware is distributed via SmokeLoader binaries. SmokeLoader is a downloader that installs XehookStealer on compromised systems.

Command-and-Control Infrastructure

XehookStealer uses C2 servers to control infected systems. Researchers have found multiple C2s, some of which are the same as Agniane Stealer, which means shared infrastructure or author.

Known Variants

No specific named variants of XehookStealer have been found but its code overlaps with Agniane Stealer which means they are related malware families.

Mitigation Strategies

Implement endpoint protection solutions to detect and block malware execution.
Educate users about the risks of downloading and executing files from untrusted sources.
Monitor network traffic for unusual activities like unauthorized connections to external servers.
Keep software and security solutions updated to have the latest threat definitions and protection mechanisms.

Targeted Industries or Sectors

XehookStealer targets individual users, steals credentials, cryptocurrency wallets and browser data. Its support for multiple cryptocurrency platforms means it’s interested in users who are involved in digital currency transactions.

Associated Threat Actors

Development and distribution of XehookStealer is linked to MaaS platforms. Code overlap with Agniane Stealer and shared C2 infrastructure means same author or collaboration.