MetaStealer
MetaStealer is an information-stealing malware family active since at least 2022 and observed in both Windows and macOS campaigns. It has been described as a derivative of RedLine and, in Windows reporting, as a commodity infostealer designed to fill the gap after Raccoon Stealer suspended operations. On macOS, researchers tracked it as a Go-based Intel x86_64 Mach-O infostealer distributed during 2023 via malicious DMG files and password-protected ZIP/DMG lures aimed at business users, including fake client-themed documents and software-themed lures such as Adobe- and TradingView-branded installers. On Windows, it has been delivered through spam, malvertising, Roblox-themed lures, tax-themed malware delivery, fake AnyDesk installer chains, and Google Ads impersonating Mozilla Thunderbird and Microsoft Teams.
Its core capability is credential and data theft. Reported functionality includes harvesting browser cookies and saved passwords from Chrome, Firefox, and Edge; stealing files; extracting keychain data and saved passwords on macOS; targeting cryptocurrency wallets; and, in some variants, targeting Telegram- and Meta-related data. Windows analyses also documented keylogging, arbitrary command execution, and hidden VNC/HVNC capability. MetaStealer samples have been noted as heavily obfuscated: Windows variants use encrypted configuration strings and runtime decryption, including Base64/XOR/AES-CBC in some samples and AGILE.NET obfuscation with proxy calls and runtime delegate initialization; macOS variants were compiled from heavily obfuscated Go code with stripped Go build IDs and obfuscated function names.
Observed Windows behavior includes using PowerShell to add a Microsoft Defender exclusion for .exe files, renaming itself to hyper-v.exe, and establishing persistence via a scheduled task named sys under the Microsoft\Windows folder. One analysis reported a hardcoded HTTP C2 at 193.106.191[.]162:1775 using cpp-httplib and JSON, with traffic to /api/client/new, /tasks/get_worker, and /tasks/collect, and storage of a BotId at %localappdata%\hyper-v.ver. Additional MetaStealer network indicators reported across analyses include User-Agent strings cpp-httplib/0.10.1 and cpp-httplib/0.12.1; URIs /api/client_hello, /api/client/init, /api/client/verify, and /avast_update; domains such as qocyeicmusmegouw.xyz, uumcceymkuymmqou.xyz, macawiwmaacckuow[.]xyz, yeosyyyaewokgioa[.]xyz, and cmqsqomiwwksmcsw[.]xyz; URLs including pestrear-lamp.xyz:443 and anus-staylard.xyz:443; and IPs 155.117.20.75, 213.139.77.254, and 38[.]134[.]148[.]74. macOS infrastructure included api.osx-mac[.]com, builder.osx-mac[.]com, and db.osx-mac[.]com, with outbound TCP connections observed to 13[.]125.88[.]10 and 13[.]114.196[.]60 on port 3000.
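As an added example (not from this page or any vendor report), the following Python flags the Windows behaviours just described in simplified, constructed telemetry: the Defender exclusion for .exe files (the Add-MpPreference cmdlet is an assumption; the text names only the behaviour), the hyper-v.exe rename, the sys task under Microsoft\Windows, and cpp-httplib beacons to the listed URIs. The JSON event shape is invented for the example.

```python
"""Detection logic for the MetaStealer Windows tradecraft described above.
Added example, not taken from any vendor report. Event records are a constructed,
simplified JSON shape; the Add-MpPreference cmdlet is my assumption for
"PowerShell adds a Defender exclusion", which the text does not name."""
import json
import re

# Network indicators quoted in the text above.
C2_USER_AGENTS = {"cpp-httplib/0.10.1", "cpp-httplib/0.12.1"}
C2_URIS = {"/api/client/new", "/tasks/get_worker", "/tasks/collect",
           "/api/client_hello", "/api/client/init", "/api/client/verify"}
# Assumed shape of the .exe exclusion (cmdlet name is an assumption, see above).
DEFENDER_EXE_EXCLUSION = re.compile(r"Add-MpPreference\b.*-ExclusionExtension\b.*\.exe", re.I)

def check_event(ev):
    """Return the names of every rule that one telemetry record triggers."""
    hits, kind = [], ev.get("kind")
    if kind == "process":
        image = ev.get("image", "").lower()
        if image.endswith("\\powershell.exe") and DEFENDER_EXE_EXCLUSION.search(ev.get("command_line", "")):
            hits.append("defender_exe_exclusion")
        if image.rsplit("\\", 1)[-1] == "hyper-v.exe":  # name the stealer renames itself to
            hits.append("hyper-v_exe_masquerade")
    elif kind == "task_registered":
        # A COM-created task leaves no schtasks command line, so match the registration itself.
        if ev.get("task_name", "").lower() == "\\microsoft\\windows\\sys":
            hits.append("scheduled_task_sys")
    elif kind == "http":
        ua, uri = ev.get("user_agent", ""), ev.get("uri", "")
        if ua in C2_USER_AGENTS and uri in C2_URIS:
            hits.append("c2_beacon")
        elif ua in C2_USER_AGENTS or uri in C2_URIS:
            hits.append("c2_indicator_partial")
    return hits

def scan(lines):
    """Parse newline-delimited JSON records; return (line_no, hits) for each record that matched."""
    return [(n, h) for n, line in enumerate(lines, 1)
            if line.strip() and (h := check_event(json.loads(line)))]

# Constructed sample telemetry, not real captured data.
SAMPLE = """\
{"kind": "process", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell -c Add-MpPreference -ExclusionExtension .exe"}
{"kind": "process", "image": "C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\hyper-v.exe", "command_line": "hyper-v.exe"}
{"kind": "task_registered", "task_name": "\\\\Microsoft\\\\Windows\\\\sys"}
{"kind": "http", "user_agent": "cpp-httplib/0.10.1", "uri": "/api/client/new"}
{"kind": "http", "user_agent": "Mozilla/5.0", "uri": "/index.html"}
""".splitlines()
```

Running `scan(SAMPLE)` returns one hit per malicious record and nothing for the benign browser request; the partial-match rule separates a lone cpp-httplib User-Agent (used by legitimate software too) from a full beacon.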
Researchers also reported MetaStealer using a domain generation algorithm, including a newer wordlist-based DGA while older DGA activity remained active. MetaStealer gate servers were assessed as largely domain-agnostic, relying more on IP address, port, URI, and HTTP headers than on the specific domain name. Elastic also observed MetaStealer samples using a COM/path-verification technique in the wild to bypass Chromium application-bound encryption protections.
MetaStealer has been referenced alongside other infostealers in credential-exposure reporting tied to Snowflake customer compromises, where exposed credentials were associated with infostealer families including MetaStealer. On macOS, it was highlighted as notable for targeting business users rather than relying primarily on cracked-software distribution. Apple added partial XProtect detection in version 2170, but multiple known June and July 2023 samples reportedly remained undetected after that update.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
Execution (5 techniques)
To maintain persistence, a scheduled task is created using the Component Object Model (COM): a task named sys is created in the folder Microsoft\Windows. The task is set to trigger at user login, ensuring the malware remains persistent across reboots.
...both being Go-based infostealers that also use osascript to display error messages to the user on execution...
1001 System Information: spawn a cmd.exe process with the command line system info and read the output using attached pipes... 1008 Execute Command: execute the given command using a spawned cmd.exe process and read the result using connected pipes.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (5 techniques)
the majority of strings within MetaStealer’s main code are encrypted and only decrypted as needed during runtime... decrypted with a bitwise XOR operation for use during execution
The man... sent me a password protected zip file containing this DMG file... It contained an app that was disguised as a PDF... Other versions of MetaStealer we have seen use names masquerading as Adobe files or software such as 'AdobeOfficialBriefDescription.dmg' and 'Adobe Photoshop 2023 (with AI) installer.dmg'.
Credential Access (4 techniques)
1004 Start keylogger: start the keylogger on the following applications: Chrome, Firefox, Notepad
1002 Cookie Stealer: access cookie data from the following locations... Chrome ... Cookies ... Firefox ... cookies.sqlite ... Edge ... Cookies
Discovery (2 techniques)
Lateral Movement (2 techniques)
Collection (2 techniques)
Command and Control (2 techniques)
Exfiltration (1 technique)
Samples of MetaStealer have been observed reaching out to one of the following domains: api.osx-mac[.]com builder.osx-mac[.]com db.osx-mac[.]com. MetaStealer has also been observed attempting to open an outgoing TCP connection to either host 13[.]125.88[.]10 or 13[.]114.196[.]60 over port 3000.
IOCs tracked for this family
98 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
MetaStealer is described as using a new wordlist-based DGA while older DGA infrastructure remains active. Its gate/proxy servers are domain-agnostic and rely more on IP, port, URI, and HTTP headers for traffic forwarding.
MetaStealer is described as malware using both an older and a new wordlist-based DGA for C2-related domain generation, with gate/proxy servers that are largely agnostic to the domain used and instead rely on IP, port, URI, and HTTP headers.
An infostealer mentioned as one of the sources of the stolen credential pairs used in the campaign against Snowflake.
Mentioned as a rival macOS infostealer to AMOS.