Katz Stealer is a type of Malware-as-a-Service (MaaS) malware that emerged in 2025. It combines information-stealing techniques, payload obfuscation, in-memory execution, and persistent operation on compromised systems. Katz's goal is to steal passwords, cryptocurrency wallet information, browser data, VPN/FTP/Wi-Fi information, and other sensitive data from individual users or enterprise systems.

Attack Methods of Katz Stealer

Distribution Phase

The malware is distributed through phishing emails or fake software packages, often as a compressed GZIP file containing an obfuscated JavaScript dropper. The JavaScript content uses techniques such as unusual type coercion, dynamic string construction through array manipulation, and meaningless mathematical expressions to deceive static analysis systems.

Example:

var semiochemical = ([+Infinity[+1]])[1],
    egosurfers = ([+Infinity[+1]])[2];
var galactacrasia = ([++(['clippers']+[])[0] + (['titterel']+[])[1] +
    (['gammon']+[])[2] + (['parkway']+[])[3] +
    (['sacramentality']+[])[6] + (['titterelMap']+[])[7] +
    (['Euless']+[])[8] + (['slice']+[])[9]['stewing'][0]);

These code snippets have no clear executable value, causing syntax errors with analysis tools but will be decoded and run normally on actual JavaScript interpreters.

In-Memory PowerShell Execution

The JavaScript dropper calls PowerShell with options:

-NoProfile -WindowStyle Hidden -Command

The malware continues to decode an embedded Base64 payload and uses the Invoke-Expression technique combined with System.Text.Encoding::Unicode.GetString() to execute the payload directly in memory, without writing files to disk.

Loading .NET Loader via Steganography

The PowerShell loader connects to a URL (e.g., from archive.org) to download a fake image file. The image contains embedded base64 data between <KBASE64_START> and <KBASE64_END>. The loader extracts this data, decodes it, and uses .NET Reflection to load the malware.

Figure 1. Downloading an image containing the malicious payload inside

All these activities are performed in memory, avoiding the creation of any executable files on the hard drive.

.NET Loader and Analysis Evasion Techniques

Environment Checks (Sandbox and Geofencing)

The loader reads BIOS information from the registry, checks screen resolution, uptime, and keyboard layout to determine if it is running in a virtualized environment or malware analysis system. If suspicious signs are detected, the malware self-destructs.

Additionally, the loader checks the geographical location based on the system locale, and if it is in the list of CIS countries (Belarus, Kazakhstan, Uzbekistan, Armenia, etc.), it will not continue to run to avoid legal risks.

Figure 2. Blacklisted countries of the malware

UAC Bypass using cmstp.exe

Katz uses cmstp.exe – a legitimate Windows tool – to load and execute a fake INF file, allowing code execution with admin rights without user confirmation (User Account Control bypass).

Figure 3. UAC Bypass performed by Katz InfoStealer Malware

MSBuild Process Hollowing

After gaining elevated privileges, the loader starts the MSBuild.exe process, a legitimate compiler included with Visual Studio. It then performs process hollowing: replacing the process's memory space with the main stealer's code.

By hiding within a legitimate and Microsoft-signed process, Katz Stealer avoids detection by antivirus software or behavior monitoring systems.

Main Payload: Data Theft and Connection Maintenance

C2 Communication and Module Reception

The payload continuously maintains a TCP connection with a hardcoded malicious server (C2). It identifies the implant through a unique identifier and establishes a reconnect mechanism if the connection is lost.

Additionally, it can communicate over HTTPS with fake domains, using a User-Agent mimicking a real browser but with a special suffix (e.g., katz-ontop) for differentiation.

The payload will download additional modules from C2, including DLLs specialized for injection into browsers or other applications.

Stealing Chromium Browser Information

Katz uses injection techniques to insert malicious code into installed browser processes. When running in the process space of Chrome or Edge, the malware can directly access:

• Master key in Local State

• Database files storing passwords and cookies

Through Windows API and decryption mechanisms similar to those used by browsers, Katz can decrypt passwords encrypted with Application Bound Encryption (ABE), saving decryption keys, cookies, and payment information.

Stealing Firefox/Gecko Browser Information

For Firefox, the malware extracts:

• logins.json: passwords

• cookies.sqlite: session cookies

• key4.db or key3.db: decryption keys

• formhistory.sqlite, places.sqlite: form fill data and browsing history

This information can then be decrypted offline, or cookies can be used to hijack user sessions.

Attacking Discord and Maintaining a Backdoor

Katz modifies the app.asar file of the Discord desktop application, embedding malicious JavaScript to send HTTPS requests to the C2 server each time the application is launched.

The server's response code will be executed directly within the Discord application space via eval(), creating a hidden backdoor in the signed and trusted application.

Users do not notice anything unusual as Discord continues to function normally, while the malware maintains access.

Stealing Cryptocurrency Wallets

Katz Stealer searches for wallet data from two sources:

• Desktop wallet applications: such as Exodus, Electrum, Bitcoin Core, Coinomi, etc., by finding paths, file patterns, or common file extensions.

• Browser extensions: scanning the extension directory to find IDs of over 150 popular Web3 wallets like MetaMask. Notably, Katz can extract separate wallet data from the Brave browser.

Wallet data and private keys, once collected, are packaged for transmission to C2. Before exiting, the malware deletes temporary directories to cover its tracks.

Concealment and Post-Exploitation Recovery

Katz Stealer has a very high level of concealment:

• All payloads are loaded in memory.

• Uses legitimate processes for execution.

• Network communication mimics real browser traffic.

• Deletes temporary files after completing tasks.

After data extraction, the malware can exit or continue to persist through Discord or Scheduled Tasks created in the previous stage. When the system restarts, if Discord auto-runs, the backdoor remains intact.

IOCs Related to Katz Stealer Malware

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this dangerous attack campaign:

• Enhance email and download control: Establish strict email filtering mechanisms to block malicious compressed files, obfuscated JavaScript, or fake files containing malware distributed through phishing and unknown software downloads.

• Monitor execution behavior in the system: Closely monitor PowerShell, cmstp.exe, MSBuild.exe processes, and behaviors such as in-memory code execution, legitimate process hollowing, or unusual network connections.

• Protect browsers and authentication data: Disable the auto-save password feature in browsers if unnecessary; detect and alert when files like decrypted_chrome_key.txt or strange DLLs are injected into popular browsers.

• Check and protect cryptocurrency wallets: Do not store seed phrases, private keys, or wallet files in user directories. Encourage the use of hardware wallets and periodically check browser wallet extensions.

• Detect anomalies on Discord and Electron applications: Monitor automatic file modification of app.asar or JavaScript code loading from invalid domains through Discord, especially queries to twist2katz.com.

• Increase end-user security awareness: Train users to recognize phishing emails, warn about fake software, and encourage the use of official software download channels. Clearly explain the risks of using browsers to store sensitive information.

• Establish proactive network monitoring mechanisms: Monitor traffic to known IOC domains and IPs; alert on unusual HTTP User-Agents like strings containing "katz-ontop"; detect non-standard C2 communication patterns from endpoints.

References

• Understanding Katz Stealer Malware and Its Credential Theft Capabilities