A new strain of malware, known as SvcStealer, has emerged as a significant threat in the cybersecurity landscape.
This malware is primarily delivered through spear phishing attacks, where malicious attachments are sent via email to unsuspecting victims.
The SvcStealer campaign was first observed in late January 2025 and has been designed to harvest a wide range of sensitive data from compromised systems.

Technical Analysis and Impact
SvcStealer is written in Microsoft Visual C++. On execution it derives a folder name from the volume serial number of the victim's system drive and creates that folder under “C:\ProgramData”.
Because the name is deterministic for a given host, the folder's presence serves as a running-instance marker: the malware uses it to ensure only one copy runs, a crude substitute for a mutex.
Once established, the malware terminates analysis and monitoring tools such as Taskmgr.exe and ProcessHacker.exe so that administrators and security analysts cannot easily inspect it.
It then proceeds to collect data from various sources, including cryptocurrency wallets, messaging applications like Discord and Telegram, and browsers such as Google Chrome and Opera.
The collected data includes passwords, credit card details, browsing history, and system information, which are stored in specific folders within the created directory.

The malware compresses the collected data into a zip archive and sends it to a command-and-control (C2) server in an HTTP POST request.
According to Seqrite's report, if the initial connection attempt fails it waits five seconds and retries.
Once the data has been transmitted, SvcStealer deletes the archive and other traces of its activity to hinder detection.
The malware also captures screenshots of the victim’s machine and sends them to the C2 server.
Furthermore, it can download additional malware payloads from the C2 server, potentially leading to further system compromise.
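The behaviours in the two paragraphs above (the serial-number-named folder under C:\ProgramData, the termination of Taskmgr.exe and ProcessHacker.exe, and the zip archive staged before exfiltration) are observable from endpoint telemetry. The following hunting heuristic is an added example written for this page; it is not code from Seqrite's report, from the malware, or from any vendor tool. It assumes Sysmon-style events exported as JSON lines (EventID 11 for FileCreate, EventID 5 for ProcessTerminate), and it assumes the folder name is the volume serial rendered as eight hex digits or as a decimal string, which the page does not specify; the sample events and the volume serial are constructed.

```python
"""Hunt for SvcStealer-like behaviour in Sysmon-style JSON event lines.

Added example, not the report's or the malware's code.
Assumptions (not stated on the page): EventID 11 = FileCreate,
EventID 5 = ProcessTerminate, and the ProgramData folder is named
with the volume serial as 8 hex digits or as a decimal string.
"""
import json
from datetime import datetime, timedelta

# Processes the report says SvcStealer terminates.
WATCHED_PROCESSES = {"taskmgr.exe", "processhacker.exe"}
PROGRAMDATA = "c:\\programdata\\"

# Constructed telemetry for one host (not real data). The volume serial
# of this host is taken to be 0x1A2B3C4D; the benign update.log event and
# the late ProcessHacker.exe exit should not be flagged.
SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2025-01-28 10:00:00", "TargetFilename": "C:\\ProgramData\\1A2B3C4D\\info.txt"}
{"EventID": 5,  "UtcTime": "2025-01-28 10:00:07", "Image": "C:\\Windows\\System32\\Taskmgr.exe"}
{"EventID": 11, "UtcTime": "2025-01-28 10:01:00", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\update.log"}
{"EventID": 11, "UtcTime": "2025-01-28 10:03:00", "TargetFilename": "C:\\ProgramData\\1A2B3C4D\\data.zip"}
{"EventID": 5,  "UtcTime": "2025-01-28 11:30:00", "Image": "C:\\Tools\\ProcessHacker.exe"}
"""


def serial_forms(volume_serial):
    """Candidate folder names derived from the volume serial (format assumed)."""
    return {f"{volume_serial:08x}", f"{volume_serial:08X}", str(volume_serial)}


def parse_events(lines):
    """Parse JSON lines into dicts sorted by time; adds a datetime under 'ts'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["UtcTime"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def serial_folder_events(events, volume_serial):
    """FileCreate events whose first path component under ProgramData is the serial."""
    names = {n.lower() for n in serial_forms(volume_serial)}
    out = []
    for ev in events:
        if ev["EventID"] != 11:
            continue
        path = ev["TargetFilename"].lower()
        if not path.startswith(PROGRAMDATA):
            continue
        folder = path[len(PROGRAMDATA):].split("\\", 1)[0]
        if folder in names:
            out.append(ev)
    return out


def staging_zips(events, volume_serial):
    """Zip archives written into the serial-named folder (exfil staging)."""
    return [ev["TargetFilename"] for ev in serial_folder_events(events, volume_serial)
            if ev["TargetFilename"].lower().endswith(".zip")]


def tool_kills_after(events, start, window):
    """Terminations of watched tools within `window` after `start`."""
    return [ev for ev in events
            if ev["EventID"] == 5
            and ev["Image"].rsplit("\\", 1)[-1].lower() in WATCHED_PROCESSES
            and start <= ev["ts"] <= start + window]


def hunt(lines, volume_serial, window=timedelta(minutes=5)):
    """Return a finding dict if the host shows the SvcStealer pattern, else None."""
    events = parse_events(lines)
    folder_evs = serial_folder_events(events, volume_serial)
    if not folder_evs:
        return None
    first = folder_evs[0]  # events are time-sorted, so this is the first sighting
    return {
        "folder": first["TargetFilename"].rsplit("\\", 1)[0],
        "killed": [ev["Image"] for ev in tool_kills_after(events, first["ts"], window)],
        "zips": staging_zips(events, volume_serial),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS.splitlines(), 0x1A2B3C4D), indent=2))
```

On real telemetry, feed `hunt` the host's actual volume serial (for example from `vol C:` or WMI `Win32_LogicalDisk.VolumeSerialNumber`) and a Sysmon export for that host; a folder named after the serial is by itself weak, so the function only reports the combination with tool termination and zip staging, and the five-minute window is a tunable assumption.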

Mitigation and Response
To protect against SvcStealer, users should be cautious when opening email attachments, especially those from unfamiliar sources.
Implementing robust email filtering and educating users about phishing tactics are crucial steps in preventing initial infection.
Additionally, maintaining up-to-date antivirus software and regularly monitoring system activity can help detect and mitigate the effects of such malware.
The threat actors behind SvcStealer could sell the stolen data on underground forums, so organizations should treat an infection as a credential and financial-data exposure and respond accordingly, including resetting passwords saved in affected browsers and wallets.