
New Maranhão Stealer Targets Users Through Pirated Software and Cloud Services

A sophisticated new information-stealing malware campaign dubbed Maranhão Stealer has emerged, targeting gaming enthusiasts through malicious pirated software distributed via cloud-hosted platforms.

The campaign, first identified by security researchers in May 2025, represents a concerning evolution in credential theft operations, combining social engineering tactics with advanced evasion techniques to compromise user accounts and cryptocurrency wallets.

The Maranhão Stealer distinguishes itself through its modern development approach, utilizing Node.js as its core programming language and packaging the malware within Inno Setup installers.

This technical foundation allows the threat actors to create seemingly legitimate software packages that bypass traditional security measures while maintaining sophisticated functionality for data exfiltration.


Upon successful installation, the malware establishes a deceptive presence on infected systems by creating a directory structure mimicking legitimate Microsoft components.

Infection chain.

The stealer deploys under the path “Microsoft Updater” within the user’s local application data folder, immediately setting hidden and system attributes to avoid casual detection by victims browsing their file systems.

The malware’s persistence mechanisms demonstrate technical sophistication rarely seen in commodity stealers.

Beyond standard registry modifications, Maranhão Stealer creates scheduled tasks and employs reflective DLL injection techniques to access browser data protected by modern security features like Chrome’s AppBound encryption.

Upon execution, updater.exe establishes persistence by using reg.exe to add an entry under the Run registry key that launches the binary located in the Microsoft Updater directory.

Persistence through registry.
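The persistence indicators described above (a hidden, system-attributed "Microsoft Updater" directory under the local application data folder, a Run key entry pointing into it, and scheduled tasks) can be checked from an elevated PowerShell prompt. The script below is an added defensive hunt example written for this article; it is not code from the original report or from the malware. It assumes the Run key may live under either HKCU or HKLM (the article does not say which hive reg.exe writes to) and, because the task name is not reported, matches scheduled tasks on the path of their action rather than on a name.

```powershell
# Added hunt script for the Maranhão Stealer persistence indicators described in the article.
# Assumptions: hive of the Run key is unknown, so both HKCU and HKLM are checked;
# scheduled-task name is unknown, so tasks are matched on the executable path of their actions.

$SuspectDir = Join-Path $env:LOCALAPPDATA 'Microsoft Updater'
$Findings   = @()

# 1. Directory present and carrying both Hidden and System attributes, as the article reports
if (Test-Path -LiteralPath $SuspectDir) {
    $attr = (Get-Item -LiteralPath $SuspectDir -Force).Attributes
    $hidden = [bool]($attr -band [IO.FileAttributes]::Hidden)
    $system = [bool]($attr -band [IO.FileAttributes]::System)
    $Findings += [pscustomobject]@{
        Indicator = 'Directory'
        Detail    = $SuspectDir
        Note      = "Hidden=$hidden System=$system"
    }
}

# 2. Run key values whose command line references the suspect directory
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($value -like '*Microsoft Updater*') {
            $Findings += [pscustomobject]@{
                Indicator = 'RunKey'
                Detail    = "$key\$name"
                Note      = $value
            }
        }
    }
}

# 3. Scheduled tasks whose action executes something inside the suspect directory
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -like '*Microsoft Updater*') {
            $Findings += [pscustomobject]@{
                Indicator = 'ScheduledTask'
                Detail    = "$($task.TaskPath)$($task.TaskName)"
                Note      = $cmd
            }
        }
    }
}

if ($Findings.Count -gt 0) {
    $Findings | Format-Table -AutoSize
} else {
    'No Maranhão Stealer persistence indicators found on this host.'
}
```

Run it per user profile as well as elevated: the directory check reads `$env:LOCALAPPDATA` of the current user only, so on a shared machine loop over the profiles under `C:\Users` or run it in each affected user's context. A hit on the directory alone is worth a closer look even without a matching Run key, since the article notes that the attributes are set immediately after installation.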

This capability enables the malware to extract stored credentials, browsing history, cookies, and session tokens from multiple browser platforms including Chrome, Edge, Firefox, Brave, and Opera.

Comprehensive Data Harvesting

Security analysis reveals that Maranhão Stealer conducts extensive reconnaissance of infected systems before initiating data theft operations.

In addition to hardware and system profiling, the malware collects network and geolocation details by sending a request to ip-api.com/json.

Request to ip-api.com to collect victim details.

The malware executes WMI queries to enumerate hardware specifications, operating system details, and network configurations while simultaneously capturing screenshots and collecting geolocation data through external IP services.


The stealer’s primary focus extends beyond traditional credential theft to specifically target cryptocurrency wallet applications including Electrum, Atomic Wallet, Exodus, Coinomi, and Mercury Wallet.

This targeting approach reflects the high-value nature of cryptocurrency assets and the growing trend of financially motivated threat actors prioritizing digital currency theft over traditional banking credentials.

Communication with command-and-control infrastructure occurs through multiple API endpoints hosted on the domain “maranhaogang[.]fun,” suggesting a well-organized operation with dedicated infrastructure for victim tracking and data exfiltration.

The malware transmits unique victim identifiers, geographic information, and system details to these endpoints before uploading stolen credentials and sensitive data.
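The two network behaviours the article describes, the geolocation lookup against ip-api.com/json and the follow-on traffic to maranhaogang[.]fun, can be surfaced from web proxy or DNS logs. The script below is an added detection example for this article, not code from the original report; it parses a handful of constructed sample log lines in a simplified "timestamp client method host path status" layout (adapt the regex to your proxy's real format) and scores each client. The C2 endpoint paths are not given in the article, so the sample uses a labelled placeholder path.

```powershell
# Added detection example. The log lines are constructed samples, not real telemetry,
# and the "/placeholder-endpoint" path stands in for the unpublished C2 API paths.
$SampleLog = @'
2025-05-14T09:12:01Z 10.0.4.17 GET ip-api.com /json 200
2025-05-14T09:12:03Z 10.0.4.17 POST maranhaogang.fun /placeholder-endpoint 200
2025-05-14T09:13:44Z 10.0.4.22 GET www.example.org / 200
2025-05-14T09:15:10Z 10.0.4.17 GET ip-api.com /json 200
2025-05-14T09:16:02Z 10.0.4.31 GET ip-api.com /json 200
'@ -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Domain named as C2 in the article (written there defanged as maranhaogang[.]fun)
$C2Domains  = @('maranhaogang.fun')
# Legitimate geolocation API that the stealer abuses for reconnaissance; noisy on its own
$GeoDomains = @('ip-api.com')

# Parse each line into an object; lines that do not match the layout are skipped
$Pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<host>\S+)\s+(?<path>\S+)\s+(?<status>\d+)$'
$Events = foreach ($line in $SampleLog) {
    if ($line -match $Pattern) {
        [pscustomobject]@{
            Time   = $Matches['ts']
            Client = $Matches['client']
            Host   = $Matches['host'].ToLower()
            Path   = $Matches['path']
        }
    }
}

# Score per client: any C2 contact is high confidence; repeated /json lookups alone only merit review
$Events | Group-Object -Property Client | ForEach-Object {
    $c2Hits  = @($_.Group | Where-Object { $C2Domains -contains $_.Host }).Count
    $geoHits = @($_.Group | Where-Object { ($GeoDomains -contains $_.Host) -and ($_.Path -eq '/json') }).Count

    if ($c2Hits -gt 0 -or $geoHits -gt 0) {
        $verdict = if ($c2Hits -gt 0) {
            'C2 contact observed: isolate host and collect browser/wallet artefacts'
        } elseif ($geoHits -gt 1) {
            'Repeated geolocation lookups: review for companion indicators'
        } else {
            'Single geolocation lookup: low confidence'
        }
        [pscustomobject]@{
            Client  = $_.Name
            C2Hits  = $c2Hits
            GeoHits = $geoHits
            Verdict = $verdict
        }
    }
} | Format-Table -AutoSize
```

With the constructed sample, 10.0.4.17 is reported as a C2 contact, 10.0.4.31 as a single low-confidence lookup, and 10.0.4.22 is not listed. Treat the ip-api.com rule as a correlation aid rather than an alert by itself: plenty of benign software queries that service, so the value lies in pairing it with the C2 domain, with the persistence artefacts on the endpoint, or with a process lineage that starts at one of the pirated installers named in this report.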

The campaign’s distribution strategy specifically exploits the gaming community’s tendency to seek unofficial software modifications and pirated content.

Once the browser is running, infoprocess.exe extracts a malicious module (PAYLOAD_DLL) from its resources and injects it into the browser’s memory space (e.g., chrome.exe).

Reflective Loader in chrome.exe.

Threat actors create convincing websites offering popular gaming tools, cheats, and cracked software including “Fnafdoomlauncher.exe,” “Silent Client.exe,” and various game setup files that serve as initial infection vectors.

This approach proves particularly effective because gaming enthusiasts often disable security software or ignore warning messages when installing unofficial gaming utilities.

The malware’s silent installation process, combined with its legitimate-appearing file names and directory structures, allows infections to persist undetected for extended periods while continuously harvesting sensitive information.

The evolution from earlier Maranhão Stealer variants demonstrates the threat actors’ commitment to operational security improvements.

Initial versions relied on easily detectable tools like PsExec and dropped components directly into system directories, while current iterations embed functionality within obfuscated executables and utilize direct Windows API calls to avoid security product detection.

Organizations and individual users should implement robust security awareness training focused on the risks associated with pirated software installation.

Regular monitoring of browser activity, multi-factor authentication on sensitive accounts, and advanced endpoint detection tooling can help limit the impact of credential-stealing campaigns like Maranhão Stealer, which targets the gaming community through increasingly sophisticated social engineering.
