The emergence of a new information-stealing malware called “Mystic Stealer” has been observed since April 2023, with significant promotion on hacking forums and darknet markets. This malware, available for rent at $150 per month, targets a wide range of applications, including web browsers, browser extensions, cryptocurrency apps, MFA and password management tools, and more.
Furthermore, reports from Zscaler and Cyfirma highlight the sophistication of Mystic Stealer and its rapid development, with version 1.2 released in late May. The malware’s creator actively seeks feedback from the underground hacking community and operates a dedicated Telegram channel for discussions and updates.
Technical details reveal that Mystic Stealer can target all Windows versions and operates in memory to avoid detection by anti-virus products. It performs anti-virtualization checks and has exclusions for Commonwealth of Independent States (CIS) countries, suggesting a potential origin.
The malware’s communication with its command-and-control (C2) server is encrypted, and stolen data is sent directly without storing it on the disk, a tactic employed to evade detection. Mystic Stealer gathers OS and hardware information, takes screenshots, and targets specific data stored in web browsers, applications, and cryptocurrency wallets.
While the future of Mystic Stealer remains uncertain, its presence poses a heightened risk for users and organizations. The addition of a loader functionality increases the potential for deploying additional malicious payloads like ransomware on compromised systems.
Users are advised to exercise extreme caution when downloading software from the internet to mitigate the risks associated with this sophisticated malware.
