Understanding the Maranhão Stealer: A New Infostealer Threat
Overview of the Maranhão Stealer Campaign
Cybersecurity experts at Cyble have identified a sophisticated infostealer campaign targeting unsuspecting users. The Maranhão Stealer is being disseminated primarily through social engineering, particularly via websites that purport to offer pirated software, cracked game launchers, and cheats. These deceptive platforms, such as derelictsgame[.]in, lure victims with enticing but malicious downloads like DerelictSetup.zip and Fnaf Doom.zip.
How the Maranhão Stealer Operates
The malware itself is written in Node.js and packaged as an Inno Setup installer, which lets it land on victims’ systems without drawing attention. Upon execution, it installs itself in a directory named “Microsoft Updater” under the path %localappdata%\Programs, a name chosen to pass as a legitimate component.
The Maranhão Stealer gains persistence by creating Run registry keys and scheduled tasks. These tactics ensure that the malware continues to operate even after a reboot. Once it’s firmly established, it activates its main component, named updater.exe, which triggers extensive reconnaissance of the host system.
Mechanisms of Data Extraction
The malware excels in extracting sensitive data, using several advanced techniques. Among them is reflective DLL injection, which targets web browsers to bypass security measures, such as Chrome’s AppBound encryption. Through this method, the Maranhão Stealer can circumvent defenses to collect critical information, including login credentials, cookies, and cryptocurrency wallet data. Cyble researchers have pointed out that this methodological sophistication means successful infections could result in widespread credential breaches and digital asset theft.
Evolution of the Maranhão Stealer
Having been active since May 2025, the Maranhão Stealer continues to undergo significant development. Each iteration grows more capable and stealthy, adapting to evasion techniques that reduce the likelihood of detection. A notable enhancement lies in its password-decrypting functionality, which is integrated within a component called infoprocess.exe. This part of the malware is written in Go and intentionally obfuscated to avoid scrutiny.
Unlike its earlier variants, this latest version moves away from using PsExec to spawn child processes, opting instead to leverage Win32 API calls directly. This shift points to an overall evolution toward more stealthy and sophisticated execution techniques, highlighting the adaptability of threat actors in the cyber landscape.
Analysis of Malicious Files
Cyble’s investigation unveiled several malicious files linked to the Maranhão Stealer, including Fnafdoomlauncher.exe, Fnaf.exe, and Slinkyhook.exe. Focusing specifically on the file Fnafdoomlauncher.exe, researchers note that it operates in “/VERYSILENT” mode, enhancing its concealed installation process. This executable drops critical components like updater.exe and crypto.key into the Microsoft Updater directory, further ensuring persistence through automated launch upon user login.
The malware further disguises these components by setting both the System and Hidden attributes on the files in the Microsoft Updater directory, so that they do not appear in a default directory listing and are less likely to be flagged by traditional security solutions.
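The install location, dropped file names, file attributes and persistence mechanisms described above give a defender a concrete set of host artefacts to hunt for. The following PowerShell script is an added example, not code from Cyble’s report; it checks a Windows host for those artefacts and reports any hashes it finds so they can be compared against the published IoC list. It assumes the directory name, the file names updater.exe and crypto.key, and the use of Run keys and scheduled tasks exactly as the report states.

```powershell
# Hunt for Maranhão Stealer persistence artefacts on the local host.
# Added example (not from the Cyble report); paths and names are taken from
# the report's description, everything else is this script's own assumption.
$dir = Join-Path $env:LOCALAPPDATA 'Programs\Microsoft Updater'   # directory named in the report
$findings = @()

# 1. Dropped components: the report names updater.exe and crypto.key, marked Hidden+System.
#    -Force is required, otherwise Get-ChildItem skips hidden and system files.
if (Test-Path -LiteralPath $dir) {
    $findings += "Directory present: $dir"
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        $attrs  = $_.Attributes
        $hidden = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
        $system = (($attrs -band [IO.FileAttributes]::System) -ne 0)
        $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        # Compare $hash against the IoC list published by Cyble before concluding anything.
        $findings += ("  {0}  SHA256={1}  Hidden+System={2}" -f $_.Name, $hash, ($hidden -and $system))
    }
}

# 2. Run registry values (user and machine hives) pointing into that directory.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'Microsoft Updater') {
                $findings += "Run value '$($p.Name)' in $key -> $($p.Value)"
            }
        }
    }
}

# 3. Scheduled tasks whose action executes something from that directory.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'Microsoft Updater') {
            $findings += "Scheduled task '$($task.TaskName)' ($($task.TaskPath)) -> $($a.Execute)"
        }
    }
}

# A hit here is a lead for triage, not proof of infection: confirm with the hashes and
# the network indicators (maranhaogang[.]fun) from the report before acting.
if ($findings.Count -eq 0) { 'No Maranhão Stealer persistence artefacts found.' } else { $findings }
```

Run it in an elevated session so the HKLM Run key and all scheduled tasks are readable; the HKCU check only covers the profile the script runs under, so repeat it per user on shared machines.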
Data Theft Capabilities
After establishing a foothold, the Maranhão Stealer intensifies its focus on data theft, particularly from popular web browsers. The analysis demonstrated that the malware actively harvests information from Google Chrome, Microsoft Edge, Brave, and Opera. It meticulously enumerates user profiles and extracts vital data such as browsing history, cookies, download records, and saved login details. Additional targets, including various other browsers and cryptocurrency wallets, were identified during memory dump analysis, indicating that the malware is versatile and capable of adjusting its tactics based on the victim’s specific environment.
Moreover, the Maranhão Stealer has been seen engaging with numerous APIs hosted under the domain maranhaogang[.]fun, likely for purposes linked to infection reporting, victim tracking, and data exfiltration.
Concluding Observations from Cyble’s Analysis
Cyble’s thorough investigation into the Maranhão Stealer provides deep insights into its operational blueprint and ongoing developments. Their blog contains comprehensive technical details as well as recommendations for safeguarding against such threats. Included are 45 Indicators of Compromise (IoCs) and file hashes that can help security teams identify potential infections swiftly.
In today’s landscape where cyber threats continue to evolve, staying informed about such sophisticated campaigns becomes essential for maintaining digital security and integrity.