CyberSecurityBoard
Sponsor Register Login

New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts

The malware also features a redesigned control panel with an integrated builder, allowing threat actors to customize payload delivery rules based on various factors including geolocation, hardware IDs (HWID), and installed software. The researchers noted that the malware performs several validation steps before execution, including checking for duplicate instances and verifying that the system language is not one spoken in the Commonwealth of Independent States (CIS), indicating a potential avoidance of targeting these regions. StealC, a popular information stealer and malware downloader that has been active since January 2023, has received a significant update with the introduction of version 2 (V2) in March 2025. These advanced delivery mechanisms allow threat actors to deploy StealC V2 through a variety of methods, effectively bypassing security controls that might be focused on traditional executable files. While the previous version could only execute EXE and DLL files, the new version can now deliver malicious payloads through Microsoft Software Installer (MSI) packages and PowerShell scripts, significantly broadening its attack surface and potential infection vectors. The ability to use legitimate Windows utilities like msiexec.exe and PowerShell creates opportunities for the malware to blend in with normal system operations, highlighting the increasingly sophisticated tactics employed by modern malware authors. This latest iteration brings substantial enhancements to the malware’s capabilities, including a streamlined command-and-control (C2) communication protocol and the integration of RC4 encryption in recent variants, making it more difficult to detect and analyze. For executing MSI packages, the malware uses the msiexec.exe utility with the silent /passive parameter to minimize user interaction, making installation stealthier. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. This method allows the malware to execute remote scripts directly in memory without writing them to disk, making detection more challenging. Unlike with MSI packages and executable files, StealC V2 does not attempt to retry failed PowerShell script executions. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The new payload delivery capabilities in StealC V2 represent a significant evolution in the malware’s functionality.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 13:40:09 +0000


Cyber News related to New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts

New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts - The malware also features a redesigned control panel with an integrated builder, allowing threat actors to customize payload delivery rules based on various factors including geolocation, hardware IDs (HWID), and installed software. The researchers ...
1 month ago Cybersecuritynews.com
Operation RusticWeb Using PowerShell Commands to filtrate Doc - Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. The PowerShell's capabilities make it an ...
1 year ago Gbhackers.com
StealC malware enhanced with stealth upgrades and data theft tools - The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. To protect your data from info-stealer malware, avoid storing sensitive ...
1 month ago Bleepingcomputer.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
3 months ago Cybersecuritynews.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
11 months ago Bleepingcomputer.com
Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
1 year ago Microsoft.com Black Basta
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
Microsoft disables MSIX protocol handler abused in malware attacks - Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing ...
1 year ago Bleepingcomputer.com CVE-2021-43890 FIN7
Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters
AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition - Rhadamanthys and Lumma, alongside other stealer malware families like Meduza, StealC, Vidar, and WhiteSnake, have also been found releasing updates in recent weeks to collect cookies from the Chrome web browser, effectively bypassing newly introduced ...
8 months ago Thehackernews.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
1 year ago Cybersecuritynews.com
Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands - A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and ...
3 months ago Cybersecuritynews.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload - Cyber Security News - This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire’s Threat Response Unit (TRU) first ...
2 months ago Cybersecuritynews.com
What Is Software Piracy? - Software piracy has become a worldwide issue, with China, the United States and India being the top three offenders. In 2022, 6.2% of people worldwide visited software piracy websites. Software piracy doesn't require a hacker or skilled coder. Any ...
1 year ago Pandasecurity.com
CVE-2023-53109 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
3 months ago Bleepingcomputer.com
New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
1 year ago Infosecurity-magazine.com
Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
2 years ago Heimdalsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)