Monday, March 10, 2025

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat in 2025.

Designed to extract sensitive data such as passwords, cookies, and browsing history, the malware targets widely used browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera.

Additionally, it infiltrates messaging applications like Telegram and Signal to exfiltrate stored chats and databases.

Developed using C#, this malware exhibits advanced evasion techniques and has been actively promoted on underground forums and platforms like Discord and Telegram since August 2024.

Figure: Telegram channel details of Flesh Stealer

Sophisticated Evasion Techniques

Flesh Stealer uses anti-debugging checks to identify and terminate processes associated with forensic analysis software such as Wireshark.

Furthermore, it incorporates anti-virtual machine (anti-VM) capabilities by scanning system characteristics like BIOS versions and memory configurations to avoid execution in sandboxed environments.

This ensures the malware runs only on genuine user systems, hindering detection and analysis by security researchers.

The malware also uses Base64 obfuscation to conceal its code and strings, making reverse engineering more challenging.

It can bypass Chrome’s App-Bound Encryption, enabling access to protected data from browser profiles.

Recent updates have expanded its compatibility to Chrome version 131.

Figure: Flesh Stealer recent developments

Data Harvesting Capabilities

Flesh Stealer scans for saved passwords, cookies, autofill data, and even crypto wallet credentials from over 70 browser extensions.

The malware also resets Google cookies to hijack active sessions for further exploitation.

Beyond browsers, it leverages Windows Management Instrumentation (WMI) to extract hardware details and uses the ‘netsh’ command-line tool to retrieve Wi-Fi credentials.

All harvested data is compressed into encrypted archives for efficient exfiltration via secure communication channels to attacker-controlled servers.

These measures make detection by traditional network security tools difficult.
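As an added detection example (not from the article or the Cyfirma report), the following Python rule set runs over constructed process-creation events and flags a parent process that shows two or more of the host-side behaviours described above: dumping Wi-Fi profiles with netsh, killing analysis tools such as Wireshark, and probing BIOS or memory details through WMI. The event format, host names, command lines and the extra tool names in the rules are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the form host|parent image|command line.
# These are illustrative samples, not telemetry from a real Flesh Stealer infection.
SAMPLE_EVENTS = """\
WS01|explorer.exe|"C:\\Users\\a\\Downloads\\update.exe"
WS01|update.exe|netsh wlan show profile name="Office" key=clear
WS01|update.exe|taskkill /F /IM wireshark.exe
WS01|update.exe|wmic bios get serialnumber,version
WS02|explorer.exe|netsh wlan show interfaces
WS02|cmd.exe|wmic bios get version
"""

# One rule per behaviour the article describes; patterns are assumptions about
# how those actions typically appear in a command line.
RULES = {
    "wifi_credential_dump": re.compile(r"netsh\s+wlan\s+show\s+profile.*key=clear", re.I),
    "analysis_tool_kill": re.compile(r"taskkill\b.*\b(wireshark|procmon|x64dbg)\.exe", re.I),
    "vm_fingerprint_probe": re.compile(
        r"(wmic\s+bios|win32_bios|win32_computersystem|win32_physicalmemory)", re.I),
}


def parse_events(text):
    """Parse pipe-separated event lines into dicts; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, cmdline = line.split("|", 2)
        events.append({"host": host, "parent": parent, "cmdline": cmdline})
    return events


def classify(cmdline):
    """Return the set of rule names whose pattern matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def score_hosts(events, threshold=2):
    """Group behaviours by (host, parent image) and flag groups with >= threshold distinct hits.

    Any single command here can be benign (an admin running wmic); the combination
    under one parent is what makes the activity worth an alert.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["host"], ev["parent"].lower())] |= classify(ev["cmdline"])
    return {key: sorted(hits) for key, hits in seen.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for (host, parent), hits in score_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {parent} -> {', '.join(hits)}")
```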

The malware is attributed to a Russian-speaking developer who avoids targeting systems in Commonwealth of Independent States (CIS) countries by checking installed input languages.

Flesh Stealer has been marketed aggressively through YouTube tutorials (since removed), underground forums like Pyrex Guru, and dedicated websites that have since been taken offline.

According to the Cyfirma report, the malware operates through a web-based control panel that allows attackers to customize features such as anti-debugging settings or automatic startup execution.

To counter threats like Flesh Stealer:

  • Implement Strong Endpoint Security: Deploy advanced Endpoint Detection and Response (EDR) tools capable of identifying suspicious activities like registry modifications or process injections.
  • Enforce Credential Hygiene: Avoid saving passwords in browsers and enable multi-factor authentication (MFA) for all accounts.
  • Harden Browsers: Disable unnecessary extensions and restrict downloads from untrusted sources.
  • Conduct Employee Awareness Training: Educate users about phishing risks and safe browsing practices.
  • Monitor Network Traffic: Use behavioral analytics tools to detect anomalies indicative of data exfiltration or unauthorized access.

Flesh Stealer’s rapid evolution underscores the growing sophistication of information-stealing malware in today’s cyber threat landscape.

Proactive defense strategies are essential for mitigating its impact on individuals and organizations alike.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
