
Threat Actor Characterization

MawaStealer

ID: 22d4239b525d46f1005c19a79ec5c21115891
Category: Crimeware, Spyware/Stealer
Threat types: Malware
Origin: Unknown
Updated: 2026-03-03
Created: 2026-03-03
Aliases: none registered.
MITRE ATT&CK®

MawaStealer is an infostealer campaign distributed via piracy/torrent lures. Public analysis describes a staged chain (LNK→batch→PowerShell→.NET) collecting Chrome profile data, selected crypto wallet artifacts, and Telegram credentials, with HTTPS exfiltration to installinfo[.]dynu[.]net. A later wave (INFERENCE: same operator) uses signed-binary DLL sideloading via VLC (malicious libvlc.dll) and delivers Vidar Stealer v2, exfiltrating to tester[.]technologytorg[.]com.


Technique / Technique name / Tactics, with dated evidence under each row:

T1204 User Execution (TA0002)
  • 2025-09-11 — Victim executes lure (shortcut/archives) leading to staged scripts and .NET payloads.
T1059.001 PowerShell (TA0002)
  • 2025-09-11 — PowerShell used in staged chain (Base64 decode, script execution).
T1059.003 Windows Command Shell (TA0002)
  • 2025-09-11 — Batch scripts used as dropper stages (run_ps.bat and related).
T1053.005 Scheduled Task (TA0002, TA0003, TA0004)
  • 2025-09-11 — Scheduled tasks created/executed as part of staged persistence/launch chain (per YARA patterns and description).
T1574.001 DLL (TA0003, TA0004, TA0005)
  • 2026-02-28 — Legitimate VLC EXE sideloads malicious libvlc.dll from the same directory (DLL search order hijacking).
T1027 Obfuscated Files or Information (TA0005)
  • 2025-09-11 — .NET stages are packed/obfuscated (ConfuserEx) and decrypted/unpacked at runtime.
T1071.001 Web Protocols (TA0011)
  • 2025-09-11 — Data exfiltration occurs over HTTPS to installinfo[.]dynu[.]net.
  • 2026-02-28 — Later wave uses HTTPS exfiltration to tester[.]technologytorg[.]com and /api/auth registration.
Strategic Intelligence
Last updated: 2026-03-04T00:22:42+00:00

MawaStealer — Torrent-lure infostealer with staged loader chain; later evolution to DLL sideloading (INFERENCE)

Classification: TLP:WHITE – Open Source Intelligence (OSINT)

Category: Malware / Infostealer — Origin: Unknown

Author: iQBlack CTI Team



Executive Summary

MawaStealer is described in public malware analysis as an information-stealing campaign primarily distributed to end users through piracy/torrent-themed lures. The initial publicly documented wave (Sep 2025) used a multi-stage chain involving a malicious shortcut (.lnk) that launched a batch dropper, PowerShell stages, and multiple .NET payload layers (including ConfuserEx-packed components). The reported collection focus included Chrome profile data (passwords/sessions/extensions), select cryptocurrency wallet artifacts, and Telegram credentials, plus basic host profiling checks (e.g., AV enumeration, webcam presence) and simple anti-debug logic.

Public reverse engineering identifies an exfiltration endpoint at installinfo[.]dynu[.]net and victim-side artifacts such as a service name (ServiceMcCSPStartupv2) and dropped directories/files under Public/ProgramData paths. In late Feb 2026, a separate analysis describes what appears to be a second wave using a more sophisticated delivery mechanism: a legitimate signed VLC executable that sideloads a malicious libvlc.dll, followed by a multi-stage unpacking chain and eventual delivery of a Vidar Stealer v2 payload.
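As an added hunting example, not part of this profile or of the cited analyses, the two waves summarised above (batch stage spawning Base64-handling PowerShell, VLC sideloading libvlc.dll, exfiltration hosts and the reported service name) are expressed as event-level checks run over constructed Sysmon-style records. The event field names, path conventions and sample events are assumptions; only the domains and the service name are taken from the profile text.

```python
# Added example (not from the profile): hunting checks for the MawaStealer chain over
# CONSTRUCTED Sysmon-style events. Field names are assumed; indicators come from the profile.
EXFIL_DOMAINS = {"installinfo.dynu.net", "tester.technologytorg.com"}  # defanging removed
SERVICE_NAME = "servicemccspstartupv2"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")

def vlc_sideload(ev):
    """vlc.exe loading libvlc.dll from outside Program Files, or an unsigned copy."""
    if ev.get("event") != "image_load" or not ev["image"].lower().endswith("\\vlc.exe"):
        return False
    loaded = ev["loaded"].lower()
    if not loaded.endswith("\\libvlc.dll"):
        return False
    return not loaded.startswith(PROGRAM_FILES) or not ev.get("signed", False)

def dropper_chain(ev):
    """PowerShell spawned by a batch stage, with Base64 handling on its command line."""
    if ev.get("event") != "process_create" or not ev["image"].lower().endswith("\\powershell.exe"):
        return False
    parent_cmd, cmd = ev.get("parent_command_line", "").lower(), ev["command_line"].lower()
    return ".bat" in parent_cmd and ("-enc" in cmd or "frombase64string" in cmd)

def exfil_or_service(ev):
    """Connection to a reported exfiltration host, or install of the reported service name."""
    if ev.get("event") == "network_connect":
        return ev.get("dest_host", "").lower() in EXFIL_DOMAINS
    if ev.get("event") == "service_install":
        return ev.get("service_name", "").lower() == SERVICE_NAME
    return False

RULES = {"T1574.001 VLC libvlc.dll sideload": vlc_sideload,
         "T1059.003 -> T1059.001 batch to encoded PowerShell": dropper_chain,
         "T1071.001 exfil host / ServiceMcCSPStartupv2": exfil_or_service}

def hunt(events):  # returns (event id, rule name) for every matching event
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample: benign VLC load, sideload from a download folder, dropper stage,
# exfil connection, and a benign interactive PowerShell that must not match.
SAMPLE_EVENTS = [
    {"id": 1, "event": "image_load", "image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "loaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll", "signed": True},
    {"id": 2, "event": "image_load", "image": "C:\\Users\\u\\Downloads\\Movie\\vlc.exe",
     "loaded": "C:\\Users\\u\\Downloads\\Movie\\libvlc.dll", "signed": False},
    {"id": 3, "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_command_line": "cmd.exe /c C:\\Users\\Public\\run_ps.bat",
     "command_line": "powershell.exe -nop -w hidden -enc <constructed-b64-placeholder>"},
    {"id": 4, "event": "network_connect", "dest_host": "installinfo.dynu.net"},
    {"id": 5, "event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_command_line": "explorer.exe", "command_line": "powershell.exe Get-Process"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 2, 3 and 4 and leaves the two benign records alone; in production the same checks map onto Sysmon event IDs 7, 1, 3 and system event 7045.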

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — MawaStealer

Classification: Unclassified / OSINT — TLP:WHITE

Hunting Playbook

Hunting Playbook — MawaStealer

IOC Appendix
Last updated: 2026-03-04T00:24:24+00:00

IOC Appendix — MawaStealer

Classification: Unclassified / OSINT — TLP:WHITE

OSINT Library
Last saved: 2026-03-04T00:25:20+00:00

OSINT Library — MawaStealer


2026-02-28 — GitHub Gist (shavitush) — “From MawaStealer to Vidar: Sideloading via VLC”

Social Media & Communication

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.