InfernoGrabber v9.0
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
It has been named InfernoGrabber v9.0 by the malware author. The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens, harvesting credit card numbers and cryptocurrency seed phrases, logging keystrokes, and capturing unauthorized webcam and microphone feeds. The code includes specific routines for browser exploitation (targeting CVEs such as CVE-2023-4863), data exfiltration via a hard-coded Discord webhook, a ransomware 'WinLocker' screen demanding Bitcoin, and an administrative dashboard for the attacker to manage stolen data.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (1 technique)
Credential Access (2 techniques)
Collection (4 techniques)
  The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder and reads and exfiltrates their contents.
  The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including ... logging keystrokes.
Exfiltration (1 technique)
Impact (2 techniques)
  The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them, and finally displays an extortion note to the victim.
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.