Monday, May 5, 2025
HomeCyber Security NewsMrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

Published on

SIEM as a Service

Follow Us on Google News

Phishing emails targeting Windows users were discovered, tricking users into opening a malicious PDF file called “MrAnon Stealer” that spreads malware by using fake booking details.

To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI.

Credentials, system data, browser sessions, and cryptocurrency extensions were all stolen by Mr. Alan Stealer.

- Advertisement - Google News

Attack Flow of MrAnon

According to FortiGuard Labs, this malware is a Python-based information stealer that has been compressed with cx-Freeze to avoid detection.

The majority of queries to the downloader URL came from Germany, indicating that the country was the attack’s main target.

November 2023 had a notable increase in the number of inquiries for this URL, suggesting a more vigorous and active marketing during that month.

Attack Flow
Attack Flow

Posing as a company seeking to book hotel rooms, the attacker sends phishing emails with the subject line “December Room Availability Query.” The body includes fake hotel reservation information for the upcoming holidays. 

Phishing Email
Phishing Email

Researchers say a downloader link for the malicious PDF file is concealed in the stream object.

The malicious PDF file
The malicious PDF file

Researchers discovered that the malware employed the PowerShell script editor, which converts PowerShell scripts into Microsoft executable files, by looking through the strings in the class “Loader.”

“The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar. Additionally, it defines text within the execution of the subsequent script to mitigate user suspicions”, FortiGuard Labs shared in a report with Cyber Security News.

In this scenario, a window labeled “File Not Supported” appears along with a status message that reads, “Not Run: python.exe.” This misleading presentation aims to trick users into thinking that the malware hasn’t been effectively executed.

“The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts,” researchers said.

MrAnon Stealer’s support channel offers more features, advertises the product, and has a page where users can buy all related tools.

MrAnon Stealer's telegram channel
MrAnon Stealer’s telegram channel

Data and sensitive information are stolen from many applications, compressed, and uploaded to the threat actor’s Telegram channel and a public file-sharing website. As a result, users are cautioned to avoid opening suspicious PDF files and phishing emails.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Selling SS7 0-Day Exploit on Dark Web for $5,000

A newly discovered dark web listing claims to sell a critical SS7 protocol exploit...

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, a small e-commerce store dealing in handmade home décor, became the latest...

MediaTek Fixes Multiple Security Flaws in Smartphone, Tablet, and TV Chipsets

MediaTek, a leading provider of chipset technology for smartphones, tablets, AIoT, and smart TVs,...

xAI Developer Accidentally Leaks API Key Granting Access to SpaceX, Tesla, and X LLMs

An employee at Elon Musk’s artificial intelligence venture, xAI, inadvertently disclosed a sensitive API...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Selling SS7 0-Day Exploit on Dark Web for $5,000

A newly discovered dark web listing claims to sell a critical SS7 protocol exploit...

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, a small e-commerce store dealing in handmade home décor, became the latest...

MediaTek Fixes Multiple Security Flaws in Smartphone, Tablet, and TV Chipsets

MediaTek, a leading provider of chipset technology for smartphones, tablets, AIoT, and smart TVs,...