New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures.

“This malware is a Python-based information stealer compressed with cx-Freeze to evade detection,” Fortinet FortiGuard Labs researcher Cara Lin said. “MrAnon Stealer steals its victims’ credentials, system information, browser sessions, and cryptocurrency extensions.”

Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which is capable of gathering data from several applications and exfiltrating it to a public file-sharing website and the threat actor’s Telegram channel.

It’s also capable of capturing information from instant messaging apps, VPN clients, and files matching a desired list of extensions.

“The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November,” Lin said. “This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers.”

The disclosure comes as the China-linked Mustang Panda is behind a spear-phishing email campaign targeting the Taiwanese government and diplomats with the aim of deploying SmugX, a new variant of the PlugX backdoor that was previously uncovered by Check Point in July 2023.