Thursday, May 22, 2025
HomeCyber Security NewsMrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

Published on

SIEM as a Service

Follow Us on Google News

Phishing emails targeting Windows users were discovered, tricking users into opening a malicious PDF file called “MrAnon Stealer” that spreads malware by using fake booking details.

To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI.

Credentials, system data, browser sessions, and cryptocurrency extensions were all stolen by Mr. Alan Stealer.

- Advertisement - Google News

Attack Flow of MrAnon

According to FortiGuard Labs, this malware is a Python-based information stealer that has been compressed with cx-Freeze to avoid detection.

The majority of queries to the downloader URL came from Germany, indicating that the country was the attack’s main target.

November 2023 had a notable increase in the number of inquiries for this URL, suggesting a more vigorous and active marketing during that month.

Attack Flow
Attack Flow

Posing as a company seeking to book hotel rooms, the attacker sends phishing emails with the subject line “December Room Availability Query.” The body includes fake hotel reservation information for the upcoming holidays. 

Phishing Email
Phishing Email

Researchers say a downloader link for the malicious PDF file is concealed in the stream object.

The malicious PDF file
The malicious PDF file

Researchers discovered that the malware employed the PowerShell script editor, which converts PowerShell scripts into Microsoft executable files, by looking through the strings in the class “Loader.”

“The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar. Additionally, it defines text within the execution of the subsequent script to mitigate user suspicions”, FortiGuard Labs shared in a report with Cyber Security News.

In this scenario, a window labeled “File Not Supported” appears along with a status message that reads, “Not Run: python.exe.” This misleading presentation aims to trick users into thinking that the malware hasn’t been effectively executed.

“The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts,” researchers said.

MrAnon Stealer’s support channel offers more features, advertises the product, and has a page where users can buy all related tools.

MrAnon Stealer's telegram channel
MrAnon Stealer’s telegram channel

Data and sensitive information are stolen from many applications, compressed, and uploaded to the threat actor’s Telegram channel and a public file-sharing website. As a result, users are cautioned to avoid opening suspicious PDF files and phishing emails.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light...

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure...

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used...

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light...

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure...

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used...