Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated.
CRYPTBOT
CryptBot is an information-stealing malware family used to harvest credentials, browser cookies, session tokens, financial data, social media accounts, and cryptocurrency wallet data.
Profile source: Mallory opens in a new tabCRYPTBOT
Family profile
CryptBot is an information-stealing malware family used to harvest credentials, browser cookies, session tokens, financial data, social media accounts, and cryptocurrency wallet data. The content explicitly describes it as an infostealer and notes behavior including browser credential and cookie theft, screenshot capture, and packaging stolen data into ZIP archives for upload. CryptBot has also been observed adapting to Chromium cookie protections by spawning Chrome with remote debugging enabled (for example with --remote-debugging-port=9222 and --profile-directory="Default") and hiding the spawned browser window via CreateProcess flags.
Observed delivery and execution chains in the content include SEO-poisoned cracked-software sites and dropper-as-a-service ecosystems, password-protected ZIP archives, fake browser update and ClickFix/paste-and-run social-engineering lures that lead to PowerShell and mshta.exe execution, HijackLoader/IDAT Loader, Emmenhtal/Peaklight, and DLL sideloading campaigns abusing legitimate signed binaries such as GitKraken ahost.exe or other c-ares-linked executables. The content also states that CryptBot has been distributed alongside or via loaders delivering Aurora Stealer, Rhadamanthys, SectopRAT, DanaBot, Vidar, Lumma, Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, and XWorm.
A specifically described CryptBot v3 activity chain used PowerShell with -NoP, -NonI, and -ExecutionPolicy Bypass to contact hxxps://keruzam[.]com/update[.]php?compName=<computername> via Invoke-WebRequest, spoofing a Chrome 102 on Windows 10 x64 user-agent. The response was decoded as UTF-8 and executed directly in memory with IEX, enabling fileless retrieval of additional payloads. The content also references early CryptBot activity from 2019 and a central C2 IP of 5.182.39[.]172 exposed through BraZZZerS fast-flux infrastructure logs.
CryptBot is associated in the content with financially motivated cybercrime activity and malware-as-a-service ecosystems. Cisco Talos reporting cited in the content says the CoralRaider cybercrime group distributed CryptBot globally, including to entities in Germany and Poland. Mandiant also reported CRYPTBOT infections on victim workstations shortly before stolen Microsoft 365 session tokens were used, and assessed with moderate confidence that operators linked to Russian espionage activity obtained tokens or credentials from CRYPTBOT operators. Targeting in the content is broad, with references to worldwide victims and campaigns affecting sectors including oil and gas, import/export, and users seeking pirated software, including business software.
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
CRYPTBOT in ATT&CK
24 distinct techniquesTechniques
24 techniquesReporting
Research mentioning CRYPTBOT
Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul
CryptBot1
RUGMI/IDAT Loader + Aurora Stealer - Multi-Stage DLL Sideloading Campaign - Breakglass Intelligence - Breakglass Intelligence
The loader has been used to distribute: Aurora Stealer, Rhadamanthys Stealer, SectopRAT, DanaBot, CryptBot, Vidar Stealer
PDFSIDER Malware – Exploitation of DLL Side-Loading for AV and EDR Evasion
In another campaign identified by Trellix, DLL sideloading was used to distribute a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Resecurity | PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion
"...DLL sideloading was used to distribute a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm."
Multiple payloads deployed via c-ares DLL side-loading exploit | SC Media
Attackers have been leveraging a DLL side-loading flaw ... to deploy various illicit payloads, including ... CryptBot...
Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Fake pirated software sites serve up malware droppers as a service | SOPHOS
Some of the droppers stored in these archives triggered ransomware alerts from Windows Defender on our baseline target machine–specifically for Conti. But the primary payload of this malware dropper appears to be the CryptBot information stealer.
Smoked out - Emmenhtal spreads SmokeLoader malware
This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma.