For clarity this is windows malware, not a browser exploit.
Distributed as a C++ payload, persists in Startup by writing itself there with the CopyFileA API, uses PowerShell to pull browser data from the file system… This is Windows malware that knows what files to look in for various browsers and then exfiltrates via Telegram. I wouldn’t have titled it like this since it makes it seem like a browser exploit instead of a ball of C++ and PowerShell, but it’s neat that they cast such a wide net, I guess. No mention so far of distribution method, initial exploit, or group attribution that I’ve been able to spot.
Original report from July: https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html
Additional info: https://www.pointwild.com/threat-intelligence/shuyal-stealer-advanced-infostealer-targeting-19-browsers
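As an added example (not part of the comment or either linked report), the three behaviours the commenter lists can be correlated from endpoint telemetry: a write into the Startup folder, PowerShell touching browser credential stores, and egress to the Telegram bot API. The Sysmon-style events below are constructed inline, and `score_hosts` / `flagged_hosts` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Event IDs follow Sysmon:
# 1 = process create, 3 = network connection, 11 = file create.
SAMPLE_EVENTS = [
    {"id": 11, "host": "WS01", "image": r"C:\Users\u\Downloads\setup.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\Downloads\setup.exe",
     "cmdline": r"powershell -ep bypass Copy-Item 'C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data' $env:TEMP"},
    {"id": 3, "host": "WS01", "image": r"C:\Users\u\Downloads\setup.exe", "dest": "api.telegram.org", "port": 443},
    # Benign installer dropping a shortcut into Startup: one behaviour only, should not be flagged.
    {"id": 11, "host": "WS02", "image": r"C:\Program Files\Vendor\installer.exe",
     "target": r"C:\Users\v\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vendor.lnk"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Well-known Chromium/Firefox credential and cookie store file names.
BROWSER_STORE_RE = re.compile(r"(Login Data|Web Data|Cookies|logins\.json|key4\.db)", re.I)
TELEGRAM_HOST = "api.telegram.org"

def score_hosts(events):
    """Map each host to the set of suspicious behaviours seen in its events."""
    hits = defaultdict(set)
    for e in events:
        h = e["host"]
        if e["id"] == 11 and STARTUP_RE.search(e.get("target", "")):
            hits[h].add("startup_persistence")
        if (e["id"] == 1 and "powershell" in e["image"].lower()
                and BROWSER_STORE_RE.search(e.get("cmdline", ""))):
            hits[h].add("powershell_browser_store_access")
        if e["id"] == 3 and e.get("dest", "").lower() == TELEGRAM_HOST:
            hits[h].add("telegram_api_egress")
    return dict(hits)

def flagged_hosts(events, min_behaviours=2):
    """Hosts showing at least min_behaviours of the three; a single one is too noisy on its own."""
    return sorted(h for h, b in score_hosts(events).items() if len(b) >= min_behaviours)

if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(behaviours))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Startup-folder writes alone are routine for installers, so the threshold matters; the Telegram check also only catches the bot API by hostname, which needs DNS or TLS SNI visibility in real telemetry.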