Flesh Stealer Malware: A Dangerous Threat Targeting Browsers and Messengers

In August 2024, a malicious program called Flesh Stealer emerged, targeting popular browsers such as Chrome, Firefox, Edge, as well as messengers like Signal and Telegram. This malware is designed to steal users’ passwords and data. It is written in C# and operates on the .NET platform.

Throughout its development, Flesh Stealer has incorporated anti-debugging and anti-virtual machine (VM) techniques to evade detection and analysis by cybersecurity experts.

Key Features of Flesh Stealer

🔹 Targeting Browsers and Messengers:
Flesh Stealer steals passwords, saved data, and cache files from Chrome, Firefox, Brave, and Edge. It is also capable of stealing chat histories and databases from messengers such as Signal and Telegram.

🔹 Avoiding Infection in CIS Countries:
The malware does not infect systems in Commonwealth of Independent States (CIS) countries. This suggests that it was likely developed by a Russian-speaking developer who aims to avoid scrutiny from local authorities.

🔹 Anti-VM and Anti-Debugging Mechanisms:
Flesh Stealer detects virtual environments (VMware, VirtualBox, Hyper-V) and analysis tools (Wireshark, HttpDebuggerUI). If such environments or tools are detected, the malware automatically terminates itself.

🔹 Exploiting Wi-Fi and Plug and Play (PnP) Devices:
The malware uses Windows Management Instrumentation (WMI) to gather information about PnP devices and saves them in a file called device.txt. Additionally, it uses the netsh command to steal Wi-Fi credentials, including passwords.

Distribution and Promotion of Flesh Stealer

Initially, Flesh Stealer was promoted on black market forums such as Pyrex Guru and through platforms like Discord and Telegram. Its code is encrypted using Base64 encoding. The developer previously showcased the malware’s capabilities on YouTube, but the video and related domains were later removed. However, the malware’s advertising channels remain active, with over 210 members.

📌 On January 29, 2025, the developer of Flesh Stealer announced support for Chrome version 131, indicating continuous updates and development.

The malware includes a customizable control panel, allowing users to enable the following functions:

✅ Startup Persistence – Automatically launching the malware upon system startup.
✅ Anti-Debugging Measures – Activating protection against debugging and analysis.
✅ Administrator Privileges – Running with elevated system privileges.

All stolen data is transmitted to the attacker’s infrastructure and stored for future use.

Flesh Stealer represents a serious cyber threat due to its advanced features and adaptability. Its ability to steal passwords, bypass encryption, and evade detection increases risks for both individual users and organizations.

How to Protect Yourself from Flesh Stealer

🔹 Regularly Update Passwords – Avoid reusing passwords across multiple sites.
🔹 Enable Two-Factor Authentication (2FA) – Adds an extra layer of security for online accounts.
🔹 Keep Operating Systems and Software Updated – Security updates help protect against malware.
🔹 Use Reliable Antivirus Software – Install and regularly update security programs.
🔹 Secure Wi-Fi Networks – Use strong passwords and enable WPA2/WPA3 encryption.

Flesh Stealer is a prime example of how cybercriminals use increasingly sophisticated methods to steal sensitive data. Since this malware specifically targets browsers and messengers, users and organizations must strengthen their security measures and prepare for emerging threats.

The world of cybersecurity is constantly evolving, making awareness and preparedness our first line of defense. Protecting against malware like Flesh Stealer requires vigilance, adherence to security best practices, and assistance from cybersecurity experts.