Katz Stealer Targets Chrome, Edge, Brave, and Firefox to Steal Login Credentials

Katz Stealer has emerged as a potent credential-stealing malware-as-a-service, targeting popular web browsers such as Chrome, Edge, Brave, and Firefox. This malware conducts extensive system reconnaissance and data theft by extracting saved passwords, cookies, and session tokens from these browsers. It also compromises cryptocurrency wallets, communication platforms like Discord and Telegram, and email clients such as Outlook.

The infection chain leverages phishing emails, fake software downloads, and malicious ads to infiltrate systems. Katz Stealer’s sophisticated delivery method begins with malicious JavaScript hidden within gzip files.

Once executed, this script downloads an obfuscated, base64-encoded PowerShell script that retrieves a .NET-based loader payload. The loader injects the stealer into a legitimate process such as MSBuild using process hollowing, a code-injection technique in which the legitimate process's memory is replaced with the attacker's code while the process keeps its original name on disk and in the process list. Katz Stealer also employs evasion mechanisms including geofencing, virtual machine detection, and sandbox evasion.

A Sophisticated Malware-as-a-Service Threat

Once active, Katz Stealer establishes a persistent TCP connection to its command and control (C2) server, downloading further payloads and injecting them into browser processes. It can bypass Chrome’s app-bound encryption by extracting decryption keys from Local State files, saving them as plaintext for exfiltration.

The malware's reach extends to Firefox, where it targets profile files such as cookies.sqlite and logins.json. It also hijacks Discord by injecting malicious code into the client's app.asar file, giving the operators remote execution whenever Discord starts. Katz Stealer further targets cryptocurrency wallets such as Exodus and Bitcoin Core, copying private keys and seed phrases to temporary directories before uploading them to attacker-controlled servers.

Detection opportunities exist in network traffic analysis, where the anomalous User-Agent string listed below stands out, and in monitoring for unusual process behaviour such as the MSBuild process hollowing described above.

Indicators of Compromise (IOCs)

C2 Addresses: 185.107.74.40, 31.177.109.39, twist2katz.com, pub-ce02802067934e0eb072f69bf6427bf6.r2.dev
Related Domains: katz-stealer.com, katzstealer.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop
Filenames: \AppData\Local\Temp\katz_ontop.dll, \AppData\Local\Temp\received_dll.dll, \AppData\Roaming\decrypted_chrome_key.txt
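As an added example (not code from the article, Nextron Systems or any vendor), the following Python matches constructed proxy and EDR log records against the indicators listed above: the C2 hosts, the katz-ontop User-Agent suffix and the dropped-file paths. It goes one step beyond the list by also flagging a non-browser process touching a browser profile directory, the check recommended later in the article; the log format, field names, browser allowlist and profile-directory markers are assumptions.

```python
# Added example (not code from the article or any vendor): match constructed log
# records against the Katz Stealer IOCs and flag non-browser profile access.
import re
from urllib.parse import urlparse

C2_HOSTS = {  # C2 addresses and related domains from the IOC list
    "185.107.74.40", "31.177.109.39", "twist2katz.com",
    "pub-ce02802067934e0eb072f69bf6427bf6.r2.dev",
    "katz-stealer.com", "katzstealer.com",
}
UA_MARKER = "katz-ontop"  # suffix appended to an otherwise normal Chrome UA
DROP_PATHS = (  # files the stealer writes, from the IOC list
    r"\AppData\Local\Temp\katz_ontop.dll",
    r"\AppData\Local\Temp\received_dll.dll",
    r"\AppData\Roaming\decrypted_chrome_key.txt",
)
# Assumed allowlist and profile-directory markers (not from the article).
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
PROFILE_DIRS = (r"\google\chrome\user data", r"\mozilla\firefox\profiles")
# Constructed sample records: 'web' lines from a proxy, 'file' lines from EDR.
SAMPLE_LOGS = [
    'web host=10.0.0.5 url=https://twist2katz.com/gate ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop"',
    'web host=10.0.0.6 url=https://example.org/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"',
    r'file host=10.0.0.5 proc=MSBuild.exe path="C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt"',
    r'file host=10.0.0.5 proc=MSBuild.exe path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'file host=10.0.0.7 proc=chrome.exe path="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State"',
]
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split 'key=value' pairs into a dict; double-quoted values keep spaces."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def match_indicators(line):
    """Return (kind, value) hits for one record; an empty list means clean."""
    f, hits = parse_line(line), []
    host = urlparse(f.get("url", "")).hostname
    if host and host.lower() in C2_HOSTS:
        hits.append(("c2_host", host.lower()))
    if UA_MARKER in f.get("ua", "").lower():
        hits.append(("user_agent", UA_MARKER))
    proc, path = f.get("proc", "").lower(), f.get("path", "").lower()
    for drop in DROP_PATHS:  # suffix match so any user-profile root matches
        if path.endswith(drop.lower()):
            hits.append(("file_path", drop))
    if proc and proc not in BROWSER_PROCS and any(d in path for d in PROFILE_DIRS):
        hits.append(("profile_access", proc))  # e.g. MSBuild.exe reading Local State
    return hits
```

Run `match_indicators` over each record; the two MSBuild.exe records and the katz-ontop request are flagged, the two ordinary browser records are not.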

Katz Stealer Malware Hits 78+ Chromium and Gecko-Based Browsers

Katz Stealer is now a significant threat to users of Chromium and Gecko-based browsers, extracting sensitive data from over 78 browser variants. Developed in C and Assembly for lightweight performance, the malware targets credentials, cookies, autofill data, CVV2 codes, OAuth tokens, cryptocurrency wallets, and messaging platforms like Discord and Telegram.

The malware includes a customizable build panel with anti-VM safeguards and a web-based command-and-control interface for stolen data management. Katz Stealer's modular design allows attackers to deploy lighter versions for broad campaigns or equipped variants for high-value targets.

Anti-Detection Mechanisms

The operational flexibility stems from the customizable build panel, allowing attackers to tailor payloads. The malware can enable anti-VM checks to hinder analysis in sandboxed environments and activate privacy-focused features to minimize detection by endpoint protection tools.

Analysts warn that this enterprise-grade C2 infrastructure lowers the barrier for less technically skilled threat actors, potentially increasing the malware’s proliferation.

Implications for Cybersecurity Defenses

The emergence of Katz Stealer underscores the escalating arms race between malware developers and security teams. Its use of low-level languages complicates reverse-engineering efforts, emphasizing the need for organizations relying on Chromium or Gecko-based browsers to monitor for anomalous cookie exports or unauthorized OAuth token usage.

Defensive recommendations include enforcing multi-factor authentication for OAuth-integrated services and segmenting cryptocurrency wallet access from general browsing activities.

Network defenders should scrutinize processes interacting with browser profile directories for unauthorized access, but no specific mitigation tools are confirmed yet. Behavior-based detection strategies focusing on ASM-level memory operations may help identify infiltration attempts.

Katz Stealer Attacking Chrome, Edge, Brave & Firefox to Steal Login Details

Katz Stealer represents a significant threat to users of popular web browsers, utilizing advanced capabilities to bypass modern security protections. This malware targets Chrome, Microsoft Edge, Brave, and Firefox, employing a multi-layered attack strategy that combines social engineering with evasion techniques to steal sensitive authentication data.

The malware successfully circumvents Chrome’s App-Bound Encryption technology, extracting decryption keys directly from browser processes. Katz Stealer also targets gaming platforms like Steam, communication tools such as Discord and Telegram, email clients like Outlook, and various cryptocurrency wallet applications.

Nextron Systems researchers identified this threat through comprehensive analysis of its infection mechanisms and behavioral patterns. Katz Stealer employs advanced anti-analysis techniques, including geofencing, virtual machine detection, and sandbox evasion strategies.

The distribution strategy uses everyday online activities as attack vectors, with threat actors concealing malicious payloads within phishing emails, fake software downloads, and malicious advertisements.

Multi-Stage Infection Chain Analysis

The infection mechanism demonstrates remarkable sophistication in payload delivery.

Figure: Katz Stealer's Infection Chain (Source: Nextron Systems)

The attack begins with heavily obfuscated JavaScript concealed within GZIP files, serving as the initial entry point. The second stage executes a base64-encoded PowerShell script that downloads additional components; it is launched with a hidden-window flag so that no console window is visible to the user.

Following successful payload extraction, the malware leverages .NET Reflection to load and execute the next stage directly in memory, bypassing disk-based detection mechanisms. The final payload injection occurs through a process hollowing technique targeting the legitimate MSBuild.exe process.

Pratham Panchariya

Pratham Panchariya has over 3 years of extensive experience in the software engineering industry. Currently, Pratham serves as an SDE2 at GrackerAI.
Jaipur, Rajasthan