The zEus stealer malware has been found embedded in a Minecraft source pack shared on YouTube, posing a significant threat to users. This malware variant, disguised as a Windows screensaver file within a WinRAR self-extract file, executes upon running and displays an image to avoid suspicion. Named after the string “zEus” visible in its icon and the profile of the Discord webhook receiving the stolen data, the malware checks if it’s being analyzed by comparing the computer name and running processes against blacklists.
Once executed, zEus collects a wide range of sensitive information, including IP addresses, hardware details, browser data, and login credentials for various applications like Steam, Discord, and Epic Games. It stores this data in specific folders within C:\ProgramData, compresses them into a ZIP file, and sends it to the attacker’s server. Additionally, zEus drops several batch scripts to kill Task Manager, send screenshots, lock the screen, and establish communication with a command-and-control (C2) server, ensuring persistent control over the victim’s computer.
The malware targets cryptocurrencies and searches for files containing keywords related to security and login mechanisms. To protect against such threats, it is crucial to download files only from reputable sources, enable multi-factor authentication (MFA), and use comprehensive security solutions like Fortinet’s FortiGuard services, which detect and block this malware. FortiGuard Labs recommends subscribing to services like FortiRecon for timely threat intelligence and proactive defense measures. If affected by this or any other cybersecurity threat, organizations should contact FortiGuard’s Incident Response Team for assistance.
