DeerStealer
DeerStealer is a Windows-focused malware-as-a-service infostealer, also referred to as XFiles Spyware in at least some reporting. It is described as a multi-stage stealer that uses deception, persistence, signed binaries, DLL sideloading, in-memory execution, and rootkit-like or stealth-oriented techniques to evade detection while exfiltrating sensitive data. Reported subscription tiers range from $200/month to $3,000/month, with higher tiers adding capabilities such as hidden VNC, keylogging, clipper functionality, SmartScreen bypass, and remote process management.
Across the reporting, DeerStealer is delivered through multiple initial access vectors, including malicious MSI installers built with WiX Toolset, EV-signed MSI packages, WiX Burn bootstrapper bundles disguised as legitimate software, fake Google Chrome updates, trojanized WordPress plugin distribution, malvertising, web downloads, and ClickFix-style fake browser verification/CAPTCHA pages that trick users into pasting and executing malicious commands. One documented ClickFix chain used a PowerShell command to download cv.bat (SHA-256: 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b), which then downloaded a malicious MSI (SHA-256: ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151). Other observed delivery chains used legitimate signed binaries for sideloading, including Zoner Photo Studio VoTransmitt.exe and iMyFone Feedback Utils.exe, with trojanized DLLs such as sciter32.dll and Qt5Network.dll acting as loaders.
The malware is consistently described as credential- and data-theft focused. Reported collection includes passwords, cookies, session tokens, autofill data, credit card data, browsing history, and browser extension data from more than 50 browsers and hundreds of extensions. Specific browser targets mentioned include Chrome, Edge, Brave, Opera, and Firefox. DeerStealer also targets cryptocurrency assets, including browser wallet extensions and desktop wallets such as MetaMask, Phantom, Coinbase Wallet, Electrum, Exodus, Atomic, and hardware wallet bridge applications or USB wallets. Additional theft capabilities mentioned in the content include Discord tokens, Telegram tdata or tokens, WhatsApp and Signal sessions, FTP and VPN credentials, OpenVPN configurations, WinSCP and FileZilla data, Office documents, OneDrive contents, screenshots, clipboard contents, installed software inventory, and messaging-session data.
Persistence mechanisms directly mentioned include an HKCU Run key value named AppVTemplate and scheduled tasks named zceWriter, dyApp, and Pluginsecurity_dbg; separate reporting on the HTA-based MaaS variants describes 30-minute scheduled-task persistence patterns. DeerStealer samples in the content also used MSI CustomActions to launch loaders and unpack intermediate components. Some variants staged stolen data locally in SQLite tables named ribs_collection and ribs_payload before exfiltration.
Several technical delivery and loader chains are described. One March 2026 sample used a trojanized Qt5Network.dll containing a GhostPulse loader that parsed payload data hidden in 752 headerless PNG-style IDAT chunks inside cachedrv.xml and configuration data in servicetable68.cfg. Another WiX Burn sample disguised as "Antonomasia" by publisher "Cyme" used Bichromate.dll, a weaponized Adobe Generic Download Engine component masquerading as CCMNative.dll, to decrypt an XOR-obfuscated configuration file yodpxub and an AES-CBC-encrypted DeerStealer payload jri, then execute the payload entirely in memory. Reported hashes from that chain include Bichromate.dll SHA-256 58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7, jri SHA-256 d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82, yodpxub SHA-256 1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669, and outer bundle SHA-256 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c. Another MSI sample RVJVAUQL.msi had SHA-256 ee5e941218bcf1285b2640c4b2f8baf3ffa44a73b6894ce871a22cbc24b80600 and used trojanized Qt5Network.dll SHA-256 73d2b832d07ab4f6f893f915ca35a43359250c659900357642c6af1f9cd5e130.
Exfiltration and communications in the content include HTTPS POST, XOR-encrypted HTTPS POST, AES-encrypted ZIP archives routed through a Cloudflare-backed proxy layer referred to as "Gasket," Telegram-based execution notifications, and in one report Telegram-based exfiltration. Reported DeerStealer-related infrastructure includes telluricaphelion[.]com, loadinnnhr[.]today, nacreousoculus[.]pro, ncloud-servers[.]shop, watchlist-verizon[.]com, 365-drive[.]com, statswpmy[.]com, and trackingmyadsas[.]com. Active C2 domains during one analysis window were telluricaphelion[.]com and loadinnnhr[.]today.
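As an added, defender-side example (not code from this profile or from any vendor), the following Python applies the persistence names, defanged C2 domains, and file hashes quoted above to normalized telemetry events. The flat event schema and the sample events are constructed assumptions; the indicator values themselves come from the text above.

```python
from typing import Iterable
# Indicators quoted from the DeerStealer reporting above: Run-key value name,
# scheduled-task names, tracked C2 domains, and two SHA-256 hashes.
RUN_KEY_VALUES = {"AppVTemplate"}
TASK_NAMES = {"zceWriter", "dyApp", "Pluginsecurity_dbg"}
C2_DOMAINS = {"telluricaphelion[.]com", "loadinnnhr[.]today", "nacreousoculus[.]pro",
              "ncloud-servers[.]shop", "watchlist-verizon[.]com", "365-drive[.]com",
              "statswpmy[.]com", "trackingmyadsas[.]com"}
SHA256_IOCS = {"2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b",  # cv.bat
               "ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151"}  # MSI

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_HOSTS = {refang(d) for d in C2_DOMAINS}

def scan_event(event: dict) -> list[str]:
    """Return the indicators matched by one normalized telemetry event.
    The flat event schema (a 'type' key plus type-specific fields) is hypothetical."""
    hits = []
    t = event.get("type")
    if t == "registry_set":
        # Run-key persistence: match the value name under any ...\Run key.
        if event.get("value_name") in RUN_KEY_VALUES and "\\run" in event.get("key", "").lower():
            hits.append(f"run_key:{event['value_name']}")
    elif t == "task_create":
        name = event.get("task_name", "").rsplit("\\", 1)[-1]  # drop task folder path
        if name in TASK_NAMES:
            hits.append(f"scheduled_task:{name}")
    elif t == "dns_query":
        host = event.get("query", "").lower().rstrip(".")
        # Match the C2 domain itself and any subdomain of it.
        hits += [f"c2_domain:{c2}" for c2 in sorted(C2_HOSTS)
                 if host == c2 or host.endswith("." + c2)]
    elif t == "file_create" and event.get("sha256", "").lower() in SHA256_IOCS:
        hits.append(f"hash:{event['sha256'].lower()}")
    return hits

def scan_events(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event index -> matched indicators, keeping only events that matched."""
    return {i: h for i, e in enumerate(events) if (h := scan_event(e))}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "AppVTemplate"},
    {"type": "task_create", "task_name": r"\Pluginsecurity_dbg"},
    {"type": "dns_query", "query": "api.telluricaphelion.com"},
    {"type": "dns_query", "query": "update.microsoft.com"},
    {"type": "file_create", "sha256": "EAD6B1F0ADD059261AC56E9453131184BC0AE2869F983B6A41A1ABB167EDF151"},
]
```

Hash and domain matches confirm a known sample or infrastructure; the Run-key and task-name matches are weaker on their own and are best treated as a pivot point for collecting the process tree and the MSI or DLL that created them.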
The content links DeerStealer to broader criminal ecosystems and affiliate operations. It is described as being advertised and sold via Telegram, including attribution in one report to @LuciferXfiles on Telegram-based cybercrime forums. Reporting also places DeerStealer in the Rugmi ecosystem and notes that multiple HTA samples labeled DeerStealer HTA v4.1.1 and other names were assessed as affiliates of a single MaaS crypto-stealer platform. DeerStealer has also been observed as a secondary payload delivered by other malware distribution operations, including CastleLoader/GrayBravo and the ShadowLadder campaign. Associated targeting in the content is broad and financially motivated, with emphasis on credential theft, cryptocurrency theft, and account takeover rather than a single vertical, though delivery campaigns have targeted general Windows users through fake software, browser-update lures, password-tool lures, malvertising, and phishing-style ClickFix pages.
Groups observed using it
2 distinct threat actors attributed by public researchers.
A WiX Burn installer calling itself "Antonomasia" by "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer that will drain your browser credentials, crypto wallets, and messaging sessions before you finish clicking through the setup wizard.
... information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer)
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
ID | Tactic | Technique | Procedure

Execution (3 techniques)
T1053.005 | Persistence | Scheduled Task/Job: Scheduled Task | zceWriter, dyApp, Pluginsecurity_dbg
T1059 | Execution | Command and Scripting Interpreter | DeerStealer payload execution post-decryption
T1204.002 | Initial Access | User Execution: Malicious File | Victim runs the WiX installer

Persistence (2 techniques)

Privilege Escalation (2 techniques)

Stealth (5 techniques)
T1027 | Defense Evasion | Obfuscated Files or Information | XOR-encrypted config, AES-encrypted payload
T1036.001 | Defense Evasion | Masquerading: Invalid Code Signature | Legitimate signature on malicious payload
T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name | "Antonomasia" by "Cyme" + Active@ Password Changer decoy
T1140 | Defense Evasion | Deobfuscate/Decode Files or Information | In-memory decryption via CryptoPP
T1218.007 | Execution | System Binary Proxy Execution: Windows Installer | MSI deploys payload via msiexec

Credential Access (4 techniques)
T1539 | Credential Access | Steal Web Session Cookie | Browser cookie exfiltration
T1552.001 | Credential Access | Unsecured Credentials: Credentials In Files | VPN/FTP configuration file theft
T1555.003 | Credential Access | Credentials from Password Stores: Web Browsers | 50+ browsers targeted

Discovery (2 techniques)

Collection (5 techniques)
T1005 | Collection | Data from Local System | Documents, credentials, wallet files
T1074.001 | Collection | Data Staged: Local Data Staging | SQLite databases (ribs_collection, ribs_payload)
T1115 | Collection | Clipboard Data | Cryptocurrency address replacement (14+ types)
T1125 | Collection | Video Capture | Hidden VNC server at 30 FPS

Command and Control (4 techniques)
T1071.001 | Command and Control | Application Layer Protocol: Web Protocols | HTTPS C2 via Cloudflare
T1090 | Command and Control | Proxy | Gasket proxy system for IP obfuscation
T1573 | Command and Control | Encrypted Channel | HTTPS C2 communication
T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography | XOR + AES encrypted C2 traffic

Exfiltration (1 technique)
T1041 | Exfiltration | Exfiltration Over C2 Channel | HTTPS POST with encrypted archives
IOCs tracked for this family
48 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
Observed as a secondary payload delivered by CastleLoader.
DeerStealer is a malware-as-a-service infostealer delivered here via a malicious WiX Burn installer. It decrypts and executes in memory, steals credentials from 50+ browsers, targets 14+ crypto wallets and 800+ browser extensions, captures messaging sessions, runs a hidden VNC server, logs keystrokes, establishes persistence via a Run key and scheduled tasks, and exfiltrates stolen data over encrypted HTTPS channels.
DeerStealer is a malware-as-a-service infostealer delivered here via a trojanized WiX Burn installer. In this campaign it is decrypted and executed in memory, steals browser credentials, cookies, autofill data, credit cards, crypto wallets, messaging sessions, VPN/FTP configs, screenshots, clipboard contents, and software inventory, and also enables a hidden VNC server and keylogger. It persists via registry run keys and scheduled tasks and exfiltrates data over encrypted HTTPS through Cloudflare-fronted infrastructure.
HTA-delivered crypto wallet stealer sold through a MaaS platform. It steals data from numerous wallet browser extensions and desktop wallets, performs victim profiling, and persists through scheduled tasks.