EDumper
EDumper is a browser data stealer used by the OilRig threat actor during the Juicy Mix campaign. It specifically targets Microsoft Edge and was used alongside CDumper, its Chrome-focused counterpart. Public reporting states with high confidence that EDumper collected cookies, browsing history, and credentials from Edge, including credentials held in the browser's password store. During Juicy Mix, OilRig staged stolen browser data locally in the %TEMP% directory, with staged files carrying names such as Eupdate. The campaign also involved VBS and PowerShell scripts, HTTP POST-based C2 communications, scheduled-task persistence, and use of the Mango backdoor, but EDumper’s directly described role is Edge browser data and credential theft.
Groups observed using it
1 distinct threat actor attributed by public researchers.
During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) to collect credentials.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Credential Access
1 technique. Procedure examples quoted for this technique in public reporting (these describe other tools, not EDumper itself): "Agent Tesla can gather credentials from a number of browsers." / "...custom-developed malware, which collected passwords from the Firefox browser storage." / "...used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores."
Discovery
1 technique. Procedure examples quoted for this technique in public reporting (these describe other tools, not EDumper itself): “...leveraged ICONICSTEALER to steal browser information to include browser history...” / “...collected browser bookmark information...” / “...retrieve browser history...” / “...gather browser data such as bookmarks and visited sites...”
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Browser data stealer focused on Microsoft Edge; used to collect cookies, browsing history, and credentials, and to stage stolen data locally (e.g., files named Eupdate in %TEMP%).
Browser credential dumping tool used to collect credentials from Microsoft Edge.
Browser credential dumping tool targeting Microsoft Edge credentials.
Edge-focused data stealer used to collect cookies, browsing history, and credentials.