Attacks using the popular Mars Stealer have been on the rise, according to researchers. Its popularity grew after the Raccoon Stealer was shut down abruptly, as some attackers turned to it as an alternative.

Cryptomining Attack

The Campaign

Morphisec discovered a scheme that uses Google Ads SEO tactics to boost the rankings of duplicated OpenOffice sites in Canadian search results. OpenOffice is an open-source office suite that has fallen out of favour in recent years.

The bogus site’s OpenOffice installer is a Mars Stealer.exe that was packed with the Babadeda crypter or the Autoit loader. Anyone has access to the log’s directory of victims thanks to a fault in the configuration instructions of the cracked version of Mars Stealer, which appears to be an honest mistake by the operators. It also implies that the malware was spread by the attackers.

On the threat actor’s C2 servers, the log directory contains a zip file containing stolen data. Browser credit cards, IP addresses, country codes, and timezones are among the data. Because the attackers were victims of the attack, analysts were able to correlate the attacks to a Russian speaker and associated GitLab accounts.


The criminals behind these data thefts, according to researchers, are targeting cryptocurrency assets. MetaMask is the most commonly stolen browser plugin, followed by Coinbase, Binance, and MathWallet. Researchers also identified credentials belonging to a Canadian healthcare infrastructure provider, as well as indicators of breaches on a number of high-profile service companies.


An inflow of new users has overburdened Mars Stealer, and researchers may come across it more frequently in a variety of different efforts. It is recommended that the organization use adequate access management and encryption to protect sensitive data.