RisePro
RisePro is an information-stealing malware family active since at least late 2022. It is described as an infostealer used to harvest credentials and related data from infected systems, and the cited reporting places it among the most prevalent stealer families alongside Lumma, Vidar, Stealc, and RedLine. The malware is associated with theft of saved passwords, cookies, autofill data, authentication tokens, and other browser-stored information; one cited host artifact is a file named passwords.txt left on infected systems. The reporting also notes that stealer logs linked to RisePro can expose corporate and consumer credentials and have served as a precursor to follow-on intrusions, including credential stuffing, account takeover, and ransomware operations.
Observed delivery and infection vectors include distribution through malicious GitHub repositories masquerading as cracked software, Discord-linked malware delivery chains, and pay-per-install distribution via PrivateLoader. One campaign described 17 malicious GitHub repositories that used fake trust signals in README files and password-protected RAR archives; the extracted payload used a loader to inject RisePro version 1.6 into AppLaunch.exe or RegAsm.exe. Another report states that loaders such as Smokeloader, PrivateLoader, and Amadey retrieved next-stage stealers, including RisePro, from payloads hosted on the Discord CDN. RisePro was also reported in GitHub/Discord malware distribution amplified by the Stargazers Ghost network.
The cited reporting links RisePro to credential exposure in major intrusion activity. Mandiant and other sources explicitly name it as one of the infostealers associated with previously exposed Snowflake credentials used in the UNC5537 campaign, alongside Vidar, RedLine, Raccoon Stealer, Lumma, and MetaStealer. Additional reporting states that credentials were obtained through RisePro and Vidar in some cases, and that compromised credentials from RisePro logs were sold or circulated through underground markets and channels. SCILabs also reported compromised credentials obtained via RisePro and Vidar being used in infrastructure related to Red Akodon phishing campaigns in Colombia.
Targeting is broad rather than sector-specific: RisePro is described as infecting both consumer and corporate machines, with downstream impact on organizations whose employees or contractors use infected personal or unmanaged devices. The reporting highlights risk to cloud and enterprise environments when stolen credentials are reused against services such as VPNs, RDP, and Snowflake, especially where MFA is absent or bypassed with stolen session material. RisePro is also tracked in community IOC infrastructure collections such as C2 Tracker as "RisePro Stealer" infrastructure.
High-confidence indicators and artifacts directly mentioned in the cited reporting include the dropped file passwords.txt; malicious GitHub repositories themed around cracked software or legal/administrative lures; password-protected RAR/ZIP archives; injection into AppLaunch.exe or RegAsm.exe in the described GitHub campaign; and association with RisePro version 1.6 in that same activity.
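As an added hunting example (not code from the cited reporting or from Mallory), the following Python checks constructed Sysmon-style process and file events for the host artifacts listed above: AppLaunch.exe or RegAsm.exe started by an unexpected parent, and passwords.txt written under a user-writable path. The parent allow-list, the user-writable path pattern, and the sample events are assumptions for this example, to be tuned to your own telemetry.

```python
import re

# Artifacts named in the profile above: the .NET utilities used as injection
# hosts and the dropped credential file. Heuristics below are assumptions.
INJECTION_HOSTS = {"applaunch.exe", "regasm.exe"}
DROPPED_FILE = "passwords.txt"
# Assumed benign parents for these utilities; tune for your environment.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "services.exe"}
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|temp|programdata)\\", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (host, rule, severity, detail) for each suspicious event."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and _basename(ev["image"]) in INJECTION_HOSTS:
            parent = ev["parent_image"]
            if USER_WRITABLE.search(parent):
                sev = "high"    # host utility launched from a user-writable path
            elif _basename(parent) not in EXPECTED_PARENTS:
                sev = "medium"  # unexpected but system-located parent
            else:
                continue
            findings.append((ev["host"], "injection_host", sev,
                             f"{_basename(ev['image'])} spawned by {parent}"))
        elif ev["type"] == "file" and _basename(ev["target"]) == DROPPED_FILE:
            if USER_WRITABLE.search(ev["target"]):  # skip e.g. a user's own Documents
                findings.append((ev["host"], "stealer_artifact", "medium", ev["target"]))
    return findings

# Constructed sample telemetry (Sysmon-style process/file events), not real data.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe"},
    {"type": "process", "host": "ws03",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "ws01",
     "target": r"C:\Users\alice\AppData\Local\Temp\passwords.txt"},
    {"type": "file", "host": "ws04", "target": r"C:\Users\bob\Documents\passwords.txt"},
]
```

On the sample events, hunt(SAMPLE_EVENTS) returns three findings (ws01 high, ws03 medium, and the ws01 passwords.txt artifact) and ignores the MSBuild-spawned RegAsm.exe and the passwords.txt in a user's Documents folder.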
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 1 technique
IOCs tracked for this family
223 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An infostealer whose characteristic artifact is a file named passwords.txt.
An infostealer mentioned as one of the variants that supplied the stream of stolen credentials for the campaign against Snowflake.
Infostealer used to collect browser credentials, session cookies/tokens, autofill data, and crypto wallet information; data is aggregated into "logs" for sale.
RisePro is a prominent infostealer malware that collects credentials and other sensitive information from victims, ranking second in prevalence in stealer log marketplaces.