Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
3 malware families

Charcoal Stork

Also known asCharcoal Stork

Charcoal Stork is a suspected pay-per-install (PPI) provider first observed in 2022 delivering ChromeLoader. Researchers tracked it separately from the ChromeLoader payload because Charcoal Stork also delivered other malware families, including SmashJacker and later VileRAT; other vendor reporting associates it with additional payloads as well. The activity is characterized as a distribution service responsible for delivery mechanics such as file naming and SEO or malvertising, while downstream payloads vary. Charcoal Stork uses malvertising and lure files disguised as cracked games, cracked software, fonts, desktop wallpaper, movies, streaming-themed files, and other popular downloads. Early samples were commonly ISO files, later followed by VBS, MSI, and EXE installers. Campaigns were notable for the same binary hash appearing under many different filenames across numerous victim environments; one commonly used filename in earlier campaigns was "your file is ready to download," later replaced in some campaigns by the more generic "install." Associated payload delivery observed in Charcoal Stork campaigns includes ChromeLoader, a browser hijacker that redirects searches, sends harvested search data to command-and-control infrastructure, and installs a malicious browser extension; SmashJacker, which used distinct MSI build and installation characteristics and installed a trojanized 7-Zip before a malicious browser extension; and VileRAT, a Python RAT. The content notes that VileRAT is reportedly uniquely used by DeathStalker, which previous reporting described as highly targeted to financial technology organizations, but Charcoal Stork-delivered VileRAT was observed across several dozen organizations in a broad range of industries. Researchers described Charcoal Stork as highly prevalent in 2023, with especially heavy activity in April and September, and nearly three times more prevalent than the next most common threat in that reporting. Red Canary also later described Charcoal Stork as a suspected PPI provider using malvertising to deliver installers disguised as cracked games, fonts, or desktop wallpaper.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics7 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1583×2
Acquire Infrastructure
T1588
Obtain Capabilities
T1588.001
Malware
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.001×2
PowerShell
TA0003
Persistence
1 technique
T1176×2
Software Extensions
TA0005
Stealth
1 technique
T1036
Masquerading
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ChromeLoaderChromeLoader is a browser hijacker capable of redirecting searches for popular search engines such as Google, Bing and Yahoo, sending search data to its C2, and adding and preventing users from uninstalling a malicious browser extension.1Jun 14, 2026
SmashJackerThe emergence of SmashJacker, a payload distinct from ChromeLoader but that also stemmed from Charcoal Stork initial access, led to our decision to continue tracking Charcoal Stork separately.1Jun 14, 2026
VileRATLater in 2023 we also observed VileRAT being delivered by Charcoal Stork, and research from other vendors suggests several other payloads have been observed as well.1Jun 14, 2026
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
red canary threat reportNews
Jan 1, 2026
Charcoal Stork - Red Canary Threat Detection Report

A suspected pay-per-install provider responsible for large-scale initial access and malware delivery campaigns using SEO/malvertising and lure files masquerading as cracked software, games, wallpapers, and streaming content. It delivered multiple payloads including ChromeLoader, SmashJacker, and VileRAT, and was described as the most prevalent threat observed by the source in 2023.

Read more
red canary threat reportNews
Jan 1, 2026
ChromeLoader - Red Canary Threat Detection Report

A suspected delivery affiliate tracked separately from ChromeLoader that provides initial access and has delivered multiple payloads including ChromeLoader, SmashJacker, and VileRAT.

Read more
red canary blogNews
Oct 24, 2024
Intelligence Insights: October 2024

Suspected pay-per-install provider using malvertising to distribute installers disguised as cracked games, fonts, or desktop wallpaper.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping5

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.