MicroStealer
Intelligence Profile
According to ANY.RUN, MicroStealer is a rapidly spreading infostealer with low current AV detection that uses a multi stage NSIS, Electron, Node.js, and Java (JAR) delivery chain plus heavy obfuscation and VM checks to evade analysis. It is distributed via compromised or impersonated accounts and malicious download sites, with notable activity in the US and Germany and increased targeting of education and telecom sectors. Once executed, it deploys a bundled JRE, persists via a high privilege ONLOGON scheduled task, and may abuse UAC and LSASS token impersonation. Its core capabilities include stealing browser passwords and session cookies, capturing screenshots, exfiltrating crypto wallets, hijacking and profiling Discord accounts, profiling Steam accounts, and sending archived data over HTTPS to Discord webhooks and attacker controlled servers.
Threat Analysis
MicroStealer is a advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, MicroStealer likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.