A newly identified strain of information-stealing malware, FleshStealer, is making headlines in 2025 due to its advanced evasion techniques and targeted data extraction capabilities.
Flashpoint analysts have shed light on its operation, revealing a sophisticated tool that poses significant risk to organizations worldwide.
Designed to bypass traditional defenses and target sensitive data, FleshStealer is emerging as a notable cyber threat in an already complex cybersecurity landscape.
First observed in September 2024, FleshStealer is a C#-based credential stealer executed through a web-based control panel.
Its standout features include extensive encryption mechanisms, the ability to detect virtual machine (VM) environments, and termination of operations when debugging tools are detected.
These techniques aim to prevent forensic analysis, demonstrating the malware’s capability to disrupt both static and dynamic security investigations.
Beyond its stealth, FleshStealer shows versatility in its target scope. It specifically focuses on Chromium and Mozilla-based web browsers, extracting data from over 70 browser extensions, crypto wallets, and two-factor authentication (2FA) settings.
Additionally, it has a unique ability to reset Google cookies, enabling threat actors to hijack sessions for further exploitation.
Such targeted capabilities make FleshStealer highly effective at harvesting confidential information like stored credentials, browser session data, and other valuable artifacts.
FleshStealer leverages several Tactics, Techniques, and Procedures (TTPs), as documented by Flashpoint analysts.
For privilege escalation, it abuses legitimate Windows utilities to bypass User Account Control (UAC) and obtain administrative rights without raising alarms.
To evade detection, it uses obfuscated files, string decryption routines, and registry operations to mask its behavior.
The malware also employs advanced scanning mechanisms to identify whether it is running in sandboxed or VM environments, ensuring execution only on genuine user systems.
Another key characteristic is its tailored data collection process. FleshStealer targets high-value files, credentials, and user data, compressing the stolen information into archives for efficient exfiltration.
By leveraging encrypted communication channels and web services for data transmission, the malware bypasses standard network security measures, making detection and mitigation challenging for cybersecurity teams.
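The "collect, compress, exfiltrate" chain described above is one behaviour defenders can look for on the endpoint. The following script is an added illustration written for this article, not Flashpoint's tooling or any code from the malware itself: it correlates constructed Sysmon-style events per process and flags a non-browser process that reads a browser credential store, writes an archive, and then opens an outbound connection within a short window. The event schema, process names, paths and addresses are all constructed for the example; only the browser credential-store file names (Chromium "Login Data"/"Cookies", Firefox "logins.json"/"key4.db") are real.

```python
"""Toy correlation detector for infostealer-style behaviour on a Windows host.

Added example (not Flashpoint's tooling or FleshStealer code). Events are
constructed Sysmon-like records: a process reads a browser credential store,
then writes an archive, then opens an outbound connection. Flagging that
sequence per process, inside a short window, is one defender-side heuristic
for the "compress then exfiltrate" pattern described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Credential stores of Chromium- and Mozilla-based browsers (real file names).
CRED_STORE_MARKERS = ("Login Data", "Cookies", "logins.json", "key4.db")
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")
WINDOW_SECONDS = 120  # constructed tuning value


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values)
    pid: int
    image: str     # process image path
    kind: str      # "file_read" | "file_create" | "net_connect"
    target: str    # file path or remote host:port


def is_browser_process(image: str) -> bool:
    """Browsers legitimately touch their own credential stores; exclude them."""
    return image.lower().endswith(("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"))


def correlate(events):
    """Return (pid, image) pairs that, in order and within WINDOW_SECONDS of each
    step, read a credential store, created an archive and connected outbound."""
    per_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_pid[e.pid].append(e)

    hits = []
    for pid, evs in per_pid.items():
        image = evs[0].image
        if is_browser_process(image):
            continue
        read_ts = arch_ts = None
        for e in evs:
            if e.kind == "file_read" and e.target.endswith(CRED_STORE_MARKERS):
                read_ts = e.ts
            elif (e.kind == "file_create" and e.target.lower().endswith(ARCHIVE_SUFFIXES)
                  and read_ts is not None and e.ts - read_ts <= WINDOW_SECONDS):
                arch_ts = e.ts
            elif (e.kind == "net_connect" and arch_ts is not None
                  and e.ts - arch_ts <= WINDOW_SECONDS):
                hits.append((pid, image))
                break
    return hits


def sample_events():
    """Constructed telemetry: one benign browser, one benign archiver, one suspect."""
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    login_data = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    ff_logins = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"
    suspect = r"C:\Users\alice\AppData\Local\Temp\svc.exe"      # constructed path
    return [
        Event(0,   1000, chrome,    "file_read",   login_data),          # browser, benign
        Event(5,   1000, chrome,    "net_connect", "203.0.113.7:443"),   # constructed address
        Event(10,  2000, r"C:\Tools\7z.exe", "file_create", r"C:\Backups\docs.zip"),
        Event(20,  2000, r"C:\Tools\7z.exe", "net_connect", "203.0.113.9:443"),
        Event(30,  4242, suspect,   "file_read",   login_data),
        Event(31,  4242, suspect,   "file_read",   ff_logins),
        Event(40,  4242, suspect,   "file_create", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
        Event(55,  4242, suspect,   "net_connect", "203.0.113.10:443"),  # constructed address
    ]


if __name__ == "__main__":
    for pid, image in correlate(sample_events()):
        print(f"ALERT pid={pid} image={image}: credential read -> archive -> outbound")
```

Running the script flags only pid 4242: the browser is excluded by image name, and the archiver never read a credential store, so it never advances past the first stage. In production the same three stages map onto Sysmon Event IDs 11 (file create) and 3 (network connect) plus a file-access source such as an EDR, and the window and suffix lists would be tuned to the environment.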
FleshStealer’s operational efficiency and advanced anti-detection features signify an evolving threat in the cybersecurity realm.
Analysts note that its modular architecture allows easy updates, suggesting its capabilities could expand further.
With infostealers remaining a persistent challenge in cybercrime, tools like FleshStealer highlight the need for proactive defense strategies.
Flashpoint emphasizes the importance of real-time monitoring and intelligence in staying ahead of such threats.
Organizations are urged to strengthen defenses against initial access attacks, adopt threat intelligence solutions, and regularly update their incident response protocols.
FleshStealer’s rise underscores the critical need for vigilance in safeguarding sensitive information against increasingly sophisticated malware.
For comprehensive insights into FleshStealer and other emerging threats, Flashpoint offers detailed analysis and actionable intelligence to help organizations fortify their cyber resilience.