Skip to content
Malware family

CRYPTBOT

CryptBot is an information-stealing malware family used to harvest credentials, browser cookies, session tokens, financial data, social media accounts, and cryptocurrency wallet data.

Profile source: Mallory opens in a new tab

CRYPTBOT

Family profile

CryptBot is an information-stealing malware family used to harvest credentials, browser cookies, session tokens, financial data, social media accounts, and cryptocurrency wallet data. The content explicitly describes it as an infostealer and notes behavior including browser credential and cookie theft, screenshot capture, and packaging stolen data into ZIP archives for upload. CryptBot has also been observed adapting to Chromium cookie protections by spawning Chrome with remote debugging enabled (for example with --remote-debugging-port=9222 and --profile-directory="Default") and hiding the spawned browser window via CreateProcess flags.

Observed delivery and execution chains in the content include SEO-poisoned cracked-software sites and dropper-as-a-service ecosystems, password-protected ZIP archives, fake browser update and ClickFix/paste-and-run social-engineering lures that lead to PowerShell and mshta.exe execution, HijackLoader/IDAT Loader, Emmenhtal/Peaklight, and DLL sideloading campaigns abusing legitimate signed binaries such as GitKraken ahost.exe or other c-ares-linked executables. The content also states that CryptBot has been distributed alongside or via loaders delivering Aurora Stealer, Rhadamanthys, SectopRAT, DanaBot, Vidar, Lumma, Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, and XWorm.

A specifically described CryptBot v3 activity chain used PowerShell with -NoP, -NonI, and -ExecutionPolicy Bypass to contact hxxps://keruzam[.]com/update[.]php?compName=<computername> via Invoke-WebRequest, spoofing a Chrome 102 on Windows 10 x64 user-agent. The response was decoded as UTF-8 and executed directly in memory with IEX, enabling fileless retrieval of additional payloads. The content also references early CryptBot activity from 2019 and a central C2 IP of 5.182.39[.]172 exposed through BraZZZerS fast-flux infrastructure logs.

CryptBot is associated in the content with financially motivated cybercrime activity and malware-as-a-service ecosystems. Cisco Talos reporting cited in the content says the CoralRaider cybercrime group distributed CryptBot globally, including to entities in Germany and Poland. Mandiant also reported CRYPTBOT infections on victim workstations shortly before stolen Microsoft 365 session tokens were used, and assessed with moderate confidence that operators linked to Russian espionage activity obtained tokens or credentials from CRYPTBOT operators. Targeting in the content is broad, with references to worldwide victims and campaigns affecting sectors including oil and gas, import/export, and users seeking pirated software, including business software.

Reported operators

Threat actors

1 named in public reporting
APT29

Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated.

MITRE ATT&CK

CRYPTBOT in ATT&CK

24 distinct techniques

Reporting

Research mentioning CRYPTBOT

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

CryptBot1

Mar 14
Breakglass Intel

RUGMI/IDAT Loader + Aurora Stealer - Multi-Stage DLL Sideloading Campaign - Breakglass Intelligence - Breakglass Intelligence

The loader has been used to distribute: Aurora Stealer, Rhadamanthys Stealer, SectopRAT, DanaBot, CryptBot, Vidar Stealer

Jan 20
Securityaffairs

PDFSIDER Malware – Exploitation of DLL Side-Loading for AV and EDR Evasion

In another campaign identified by Trellix, DLL sideloading was used to distribute a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Jan 18
Resecurity

Resecurity | PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion

"...DLL sideloading was used to distribute a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm."

Jan 15
Scworld

Multiple payloads deployed via c-ares DLL side-loading exploit | SC Media

Attackers have been leveraging a DLL side-loading flaw ... to deploy various illicit payloads, including ... CryptBot...

Jan 14
The Hacker News

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Jan 1
Sophos Threat Research

Fake pirated software sites serve up malware droppers as a service | SOPHOS

Some of the droppers stored in these archives triggered ransomware alerts from Windows Defender on our baseline target machine–specifically for Conti. But the primary payload of this malware dropper appears to be the CryptBot information stealer.

Mar 31
G Data Software

Smoked out - Emmenhtal spreads SmokeLoader malware

This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.