Phishing campaigns have recently adopted a cunning approach by employing PDFs. The unsuspecting victims, lured by the promise of exciting travel content, unknowingly fall prey to the notorious New MrAnon Stealer Malware’s —a potent malware designed for information theft.

According to Cara Lin, a researcher at Fortinet FortiGuard Labs, “this malware is a Python-based information stealer compressed with cx-Freeze to evade detection.” She goes on to say, “MrAnon Stealer steals its victims’ credentials, system information, browser sessions, and cryptocurrency extensions.”

Considering the surge in queries directed to the downloader URL housing the payload, it’s evident that, as of November 2023, Germany emerged as the primary target of the attack.

The phishing email adopts the guise of a travel agency, presenting recipients with a PDF file. Upon opening the file, users are urged to download what is purported to be the latest version of Adobe Flash, setting in motion the initiation of the infection.

Through this process, malicious Python scripts are deployed, capable of collecting data from various programs and transferring it to both a public file-sharing website and the threat actor’s Telegram channel. Simultaneously,.NET executables and PowerShell scripts come into play.

Furthermore, the malware has the capability to harvest data from VPN clients, instant messaging apps, and files with specific extensions listed.

New MrAnon Stealer Malware's

The creators are marketing MrAnon Stealer at $500 per month (or $750 for two months), accompanied by a discreet loader priced at $250 and a crypter available for $250 per month.

“The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November,” Lin stated. “This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers.”

This revelation aligns with the onset of a spear-phishing email campaign orchestrated by the China-affiliated Mustang Panda. The target audience includes the Taiwanese government and diplomats, with the objective of deploying SmugX—a novel PlugX backdoor variant identified by Check Point in July 2023.

In conclusion, the observed surge in queries to the downloader URL and the specific targeting of Germany underscore the sophistication of the MrAnon Stealer malware campaign. The phishing tactics, disguised as a travel agency, reveal a calculated approach to exploiting user vulnerabilities. Furthermore, the malware’s diverse data collection capabilities, coupled with its availability for purchase in the cybercriminal underground, emphasize the multifaceted nature of the threat.

Moreover, the temporal correlation with the spear-phishing campaign orchestrated by Mustang Panda against the Taiwanese government adds a layer of geopolitical complexity to the landscape. The simultaneous deployment of SmugX, a new PlugX backdoor variant, amplifies the significance of proactive cybersecurity measures. This confluence of events emphasizes the need for heightened vigilance and collaborative efforts in defending against evolving cyber threats.




Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center