The PowerShell script connects to hxxp://45.93.201[.]114/docs/fzLJerifqJwFtnjbrlnJPNrfnupnYg[.]txt to fetch another MSIL file, Ferriteswarmed.exe, which is then AES-decrypted, GZIP-decompressed, and loaded in memory from PowerShell via .NET reflection. It contains a debugger check and exits as soon as a debugger is detected.
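The second half of that chain (GZIP-decompress the AES-decrypted blob, then make sure what came out is really a managed PE before anything loads it) is worth reproducing on the analyst side. The following is an added Python example, not code from the loader or from the original write-up. It assumes the AES layer has already been stripped (the key and IV are not given here, so that step is left to the analyst), uses a constructed minimal PE header as test input rather than a real sample, and decides whether a decompressed buffer is an MSIL image by checking the CLR Runtime Header entry (data directory index 14) in the PE optional header, which is what distinguishes a .NET assembly from a native executable.

```python
import gzip
import struct

# Index of the CLR Runtime Header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the
# optional header's data directory table. A non-empty entry marks a .NET image.
CLR_DIRECTORY_INDEX = 14


class NotGzip(ValueError):
    """The decrypted stage is not a GZIP stream."""


class NotMsil(ValueError):
    """The decompressed stage is not a managed (MSIL) PE image."""


def is_msil_image(data: bytes) -> bool:
    """True if `data` is a PE32/PE32+ image with a non-empty CLR Runtime Header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if size_of_opt < 2 or opt + size_of_opt > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        count_off, dirs_off = 108, 112
    else:
        return False
    if count_off + 4 > size_of_opt:
        return False
    num_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    entry = dirs_off + CLR_DIRECTORY_INDEX * 8
    if num_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > size_of_opt:
        return False
    rva, size = struct.unpack_from("<II", data, opt + entry)
    return rva != 0 and size != 0


def unpack_stage(decrypted: bytes) -> bytes:
    """GZIP-decompress an already AES-decrypted stage and require an MSIL image."""
    try:
        image = gzip.decompress(decrypted)
    except (OSError, EOFError) as exc:      # gzip.BadGzipFile is an OSError subclass
        raise NotGzip("stage is not a GZIP stream") from exc
    if not is_msil_image(image):
        raise NotMsil("decompressed stage is not an MSIL image")
    return image


def triage(decrypted: bytes) -> str:
    """Verdict for a decrypted stage: 'msil', 'not-gzip' or 'not-msil'."""
    try:
        unpack_stage(decrypted)
    except NotGzip:
        return "not-gzip"
    except NotMsil:
        return "not-msil"
    return "msil"


def build_sample_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed test input (not a sample from the write-up): a minimal,
    non-runnable PE header with or without a CLR Runtime Header entry."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)          # NumberOfRvaAndSizes
    if managed:
        # Arbitrary non-zero RVA/size for the CLR header (values are assumptions).
        struct.pack_into("<II", opt, dirs_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def pack_sample(managed: bool, pe32plus: bool = False) -> bytes:
    """What the loader sees after AES decryption: the GZIP-compressed image."""
    return gzip.compress(build_sample_pe(managed, pe32plus))


if __name__ == "__main__":
    for label, blob in [("managed", pack_sample(True)),
                        ("native", pack_sample(False)),
                        ("garbage", b"not a gzip stream")]:
        print(f"{label}: {triage(blob)}")
```

On a real sample, feed the output of your AES step into `triage` (or `unpack_stage` to keep the image for further analysis); a `not-msil` verdict usually means the key, IV or mode guessed for the AES layer was wrong rather than that the stage is native code.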
Given the file-loader capability Raccoon provides, a threat actor can download and execute additional payloads once the stealer has finished exfiltrating data.
While other info-stealer threat groups focus on one product, this new and fairly ambitious group has set out to be a real game-changer: to set a new standard and introduce a whole ecosystem for threat actors looking to get into the game.
Most of the early adopters of this stealer seem to be after personal gain and target crypto-related assets such as wallets, tokens and NFTs, unlike Redline or Raccoon operators, who mostly resell what they collect.
Although malspam is a fairly popular technique, we have seen several cases of threat actors spreading Jester Stealer on forums and, above all, in Discord channels with gaming or cryptocurrency content. Spreading the stealer through Discord channels is currently the most common technique we have observed.
Whereas most modern info stealers exfiltrate stolen data to fairly conventional C2 infrastructure, Jester offers better anonymity and several exfiltration channels for the threat actor to choose from.
The onion page is a hop in the chain: it receives the stolen data from the stealer and forwards it to a Telegram bot (Figure 16) supplied by the threat actor. This additional hop gives the threat actor yet another layer of anonymity.
In addition to this infrastructure, Jester Stealer supports a fallback exfiltration technique. Each threat actor can configure an account on anonfile, an anonymous file-sharing platform, to which the stealer sends the stolen data if the primary channel fails.
MetaStealer is a new information stealer variant designed to fill the void left when Raccoon stealer suspended operations in March of this year. Analysts at Israeli dark web intelligence firm Kela first identified its emergence on underground marketplaces, and SANS Internet Storm Center handler Brad Duncan later observed it in a spam campaign, detailing the initial stages and network traffic. This analysis goes further and describes the final MetaStealer payload and its functionality.
With the Microsoft Defender exclusion in place, another PowerShell command renames the original file to a hardcoded name with an .exe extension; in this case, Original filename.xyz becomes hyper-v.exe.
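The exclusion-then-rename sequence is a good hunting pattern in PowerShell script block logs (Event ID 4104), because the two commands together are far more suspicious than either alone. The following is an added Python example, not code from the MetaStealer analysis: it runs over constructed script-block log lines (the exact command forms used in the campaign are not given here, so `Add-MpPreference -ExclusionPath` and `Rename-Item ... -NewName` are assumed), records Defender exclusions as it goes, and scores a later rename of a non-.exe file to an .exe inside an excluded directory higher than a bare rename. It also flags `Set-MpPreference -Disable* $true` tampering, which goes beyond the page's specific case.

```python
import re
from dataclasses import dataclass
from typing import List

# One PowerShell argument: single-quoted, double-quoted, or a bare token.
TOKEN = r"""(?:'[^']*'|"[^"]*"|\S+)"""

EXCLUSION_RE = re.compile(
    rf"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+({TOKEN})",
    re.IGNORECASE)
TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*?-(Disable\w+)\s+\$?true\b", re.IGNORECASE)
RENAME_RE = re.compile(
    rf"(?:Rename-Item|Move-Item)\s+(?:-(?:Literal)?Path\s+)?({TOKEN})\s+"
    rf"(?:-(?:NewName|Destination)\s+)?({TOKEN})",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def unquote(token: str) -> str:
    """Strip one layer of matching PowerShell quotes."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]
    return token


def scan_script_blocks(lines: List[str]) -> List[Finding]:
    """Walk script-block text in order, remembering Defender path exclusions so a
    later rename into an excluded directory is scored higher than a bare rename."""
    findings: List[Finding] = []
    excluded_paths: List[str] = []
    for n, line in enumerate(lines, 1):
        m = TAMPER_RE.search(line)
        if m:
            findings.append(Finding(n, "defender-tamper", f"-{m.group(1)} $true"))
        m = EXCLUSION_RE.search(line)
        if m:
            target = unquote(m.group(2))
            if m.group(1).lower() == "path":
                excluded_paths.append(target.lower().rstrip("\\"))
            findings.append(Finding(n, "defender-exclusion",
                                    f"Exclusion{m.group(1)} {target}"))
        m = RENAME_RE.search(line)
        if m:
            src, dst = unquote(m.group(1)), unquote(m.group(2))
            # Only a non-.exe becoming an .exe is interesting; exe-to-exe renames are noise.
            if dst.lower().endswith(".exe") and not src.lower().endswith(".exe"):
                in_excluded = any(src.lower().startswith(p + "\\") for p in excluded_paths)
                rule = "rename-to-exe-in-excluded-path" if in_excluded else "rename-to-exe"
                findings.append(Finding(n, rule, f"{src} -> {dst}"))
    return findings


# Constructed script-block log text (Event ID 4104 style); not lines from the campaign.
SAMPLE_LOG = [
    "Creating Scriptblock text (1 of 1): Get-Process | Out-Null",
    "Creating Scriptblock text (1 of 1): Set-MpPreference -DisableRealtimeMonitoring $true",
    r"Creating Scriptblock text (1 of 1): Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Local\Temp'",
    r"Creating Scriptblock text (1 of 1): Rename-Item -Path 'C:\Users\victim\AppData\Local\Temp\Original filename.xyz' -NewName 'hyper-v.exe'",
    r"Creating Scriptblock text (1 of 1): Rename-Item -Path 'C:\Temp\build\app.exe' -NewName 'app-old.exe'",
    r"Creating Scriptblock text (1 of 1): Start-Process 'C:\Users\victim\AppData\Local\Temp\hyper-v.exe'",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Script block logging has to be enabled for 4104 events to exist at all; where it is, the same scanner works on the `ScriptBlockText` field exported from the Microsoft-Windows-PowerShell/Operational log. The ordering matters: the rename rule escalates only when an exclusion for the parent directory was seen earlier in the same stream.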
We have seen SYS01 stealer attacking employees of critical government infrastructure, manufacturing companies, and other industries. The threat actors behind the campaign target Facebook business accounts, using Google ads and fake Facebook profiles that promote games, adult content, cracked software and the like to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.
The campaign was first seen in May 2022 and was initially attributed by Zscaler to the Ducktail operation (an attribution later found to be incorrect). In this blog we explore the various methods used to distribute SYS01 stealer.
Option d checks whether the file %localappdata%\m.txt exists. If it does, the program exits, because this means the info stealer is already running on the machine. If the file does not