Katz Stealer Malware Bypasses Browser Security to Steal Credentials


VTA-004517 – Katz Stealer Malware Bypasses Browser Security to Steal Credentials

A new malware called Katz Stealer is targeting popular web browsers, stealing sensitive data like passwords, cryptocurrency wallets, and authentication cookies. Researchers said this malware-as-a-service operation bypasses modern security protections, including Chrome’s App-Bound Encryption, by extracting decryption keys directly from browser processes.

The malware employs multi-stage evasion tactics, starting with obfuscated JavaScript hidden in GZIP files. It then uses PowerShell to fetch additional payloads from legitimate sites like archive.org, concealing malicious code within seemingly harmless files. The final stage involves process hollowing, injecting malicious code into trusted processes like MSBuild.exe to avoid detection.

Katz Stealer also uses anti-analysis techniques, such as geofencing (avoiding CIS countries), VM detection, and checking screen resolution to evade sandboxes. It spreads through phishing emails, fake downloads, and malicious ads.

Severity:
Medium

Attack Surface:
Cloud Storage, Email, Endpoint, Endpoint OS, Messaging, Web Browser

Tactics:
Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access

Techniques:
T1574 – Hijack Execution Flow
T1114 – Email Collection
T1548 – Abuse Elevation Control Mechanism
T1552 – Unsecured Credentials
T1546 – Event Triggered Execution
T1134 – Access Token Manipulation
T1082 – System Information Discovery
T1113 – Screen Capture
T1115 – Clipboard Data
T1027 – Obfuscated Files or Information
T1104 – Multi-Stage Channels
T1140 – Deobfuscate/Decode Files or Information
T1055 – Process Injection

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/6834c6aefb95d8ced1354ff5

References:
1. https://www.nextron-systems.com/2025/05/23/katz-stealer-threat-analysis/

SuperPRO’s Threat Countermeasures Procedures:
1. Enable multi-factor authentication (MFA) for all critical accounts.
2. Regularly update browsers and operating systems to patch vulnerabilities.
3. Avoid downloading software from untrusted sources or clicking on suspicious links.
4. Use endpoint protection with behavioral analysis to detect process hollowing.
5. Monitor network traffic for unusual connections to unknown IPs.
6. Educate users on identifying phishing attempts and social engineering tactics.
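As an added example (not code from the advisory or the referenced analysis), countermeasures 4 and 5 can be expressed as correlation logic over endpoint telemetry: it walks constructed Sysmon-style events and flags the chain described above, a script host spawning PowerShell, PowerShell resolving the payload host, and MSBuild.exe launched from a shell and then opening a network connection. The event IDs, field names, hostnames and sample records are assumptions made for the example.

```python
import json

# Constructed Sysmon-style events, one JSON object per line (sample data, not
# from the report): 1 = process create, 3 = network connect, 22 = DNS query.
SAMPLE_LOG = r"""
{"id":1,"pid":410,"ppid":300,"image":"C:\\Windows\\System32\\wscript.exe"}
{"id":1,"pid":520,"ppid":410,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"id":22,"pid":520,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","query":"archive.org"}
{"id":1,"pid":640,"ppid":520,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"}
{"id":3,"pid":640,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","dest":"203.0.113.10:443"}
{"id":1,"pid":700,"ppid":100,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"}
{"id":3,"pid":700,"image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","dest":"198.51.100.7:443"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGETS = {"msbuild.exe"}   # trusted binary the report names as injection host
STAGING_HOSTS = {"archive.org"}    # legitimate site abused for payload hosting

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(lines):
    procs = {}        # pid -> image basename, from process-create events
    flagged = set()   # pids of MSBuild instances with a suspicious parent
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        name = basename(ev["image"])
        pid = ev["pid"]
        if ev["id"] == 1:
            procs[pid] = name
            parent = procs.get(ev.get("ppid"), "<unknown>")
            if name in SHELLS and parent in SCRIPT_HOSTS:
                alerts.append(("script_host_spawns_powershell", pid))
            if name in HOLLOW_TARGETS and parent in SHELLS | SCRIPT_HOSTS:
                alerts.append(("msbuild_with_suspicious_parent", pid))
                flagged.add(pid)
        elif ev["id"] == 22 and name in SHELLS:
            q = ev["query"].lower()
            if any(q == h or q.endswith("." + h) for h in STAGING_HOSTS):
                alerts.append(("powershell_dns_to_staging_host", pid))
        # MSBuild on the network is only suspicious once it was already flagged:
        # a normal build (pid 700 above) also performs package restores.
        elif ev["id"] == 3 and pid in flagged:
            alerts.append(("flagged_msbuild_network_connection", pid))
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` yields four alerts for the malicious chain (pids 520 and 640) and none for the legitimate MSBuild instance.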

Contributed by: Fatini