SVC New Stealer on the Horizon
SvcStealer 2025 is a sophisticated information-stealing malware delivered through spear phishing emails. It captures sensitive data from victims, including credentials and cryptocurrency wallet information, and sends it to a command and control (C2) server. With a focus on evading detection, it deletes traces of its activities and can potentially download additional malware. Affected: SvcStealer victims, cryptocurrency users, messaging application users, businesses relying on information security.

Key points:

  • SvcStealer is delivered via spear phishing email attachments.
  • It collects sensitive data including machine details, user credentials, and cryptocurrency wallets.
  • Data is sent to a command and control (C2) server for further exploitation.
  • The malware attempts to evade detection by deleting evidence of its activities.
  • It can harvest information from various messaging applications and browsers.
  • Processes that might reveal its presence are terminated to avoid monitoring.
  • Once data is collected, it compresses the information and uploads it to the C2 server.
  • The malware can execute additional malicious payloads downloaded from the C2 server.

MITRE Techniques:

  • T1566.001: Phishing: Spearphishing Attachment – Initial access through malicious email attachments.
  • T1070.004: Indicator Removal: File Deletion – Deletes created files to erase traces.
  • T1056.001: Input Capture: Keylogging – Captures user input for stealing credentials.
  • T1552.001: Unsecured Credentials: Credentials In Files – Harvests stored credentials.
  • T1012: Query Registry – Reads the system registry for information gathering.
  • T1518: Software Discovery – Identifies installed software on the victim’s machine.
  • T1057: Process Discovery – Aims to identify running processes.
  • T1082: System Information Discovery – Gathers system-level information.
  • T1083: File and Directory Discovery – Scans for files and directories to extract data.
  • T1560: Archive Collected Data – Compresses collected data before transmission.
  • T1113: Screen Capture – Captures screenshots of the victim’s desktop.
  • T1071: Application Layer Protocol – Uses application-level protocols for communication with C2.

Indicators of Compromise:

  • [MD5] 0535262fe0f5413494a58aca9ce939b2
  • [MD5] ee0fd4d6a722a848f31c55beaf0d0385
  • [MD5] 05ef958a79150795d43e84277c455f5d
  • [MD5] 4868a5a4c8e0ab56fa3be8469dd4bc75
  • [URL] /svcstealer/get[.]php
  • [IPv4] 185[.]81[.]68[.]156
  • [IPv4] 176[.]113[.]115[.]149
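Added example (not from the Seqrite write-up or the malware itself): it refangs the defanged indicators listed above and checks them against web proxy log lines, flagging the C2 traffic described under T1071. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the page above, kept in their defanged form.
DEFANGED_IOCS = {
    "md5": ["0535262fe0f5413494a58aca9ce939b2", "ee0fd4d6a722a848f31c55beaf0d0385",
            "05ef958a79150795d43e84277c455f5d", "4868a5a4c8e0ab56fa3be8469dd4bc75"],
    "url": ["/svcstealer/get[.]php"],
    "ipv4": ["185[.]81[.]68[.]156", "176[.]113[.]115[.]149"],
}

def refang(value: str) -> str:
    """Undo the usual defanging so indicators compare against real log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

def build_matchers(iocs=DEFANGED_IOCS):
    return {kind: {refang(v) for v in vals} for kind, vals in iocs.items()}

# Constructed sample (assumed format): "<ts> <src_ip> <dst_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2025-03-20T10:01:02Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html 200
2025-03-20T10:02:41Z 10.0.0.23 185.81.68.156 POST http://185.81.68.156/svcstealer/get.php 200
2025-03-20T10:03:10Z 10.0.0.23 176.113.115.149 GET http://176.113.115.149/update.bin 200
2025-03-20T10:04:55Z 10.0.0.42 198.51.100.7 GET http://198.51.100.7/svcstealer/get.php 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def scan_proxy_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return one hit per log line whose destination IP or URL path matches an IoC."""
    m = build_matchers(iocs)
    hits = []
    for line in log_text.splitlines():
        parsed = LOG_RE.match(line)
        if not parsed:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, method, url, status = parsed.groups()
        matched = []
        if dst in m["ipv4"]:
            matched.append("ipv4")
        if urlparse(url).path.lower() in m["url"]:
            matched.append("url")  # path match alone catches C2 moved to a new IP
        if matched:
            hits.append({"ts": ts, "src": src, "dst": dst, "url": url, "matched": matched})
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```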


Full Story: https://www.seqrite.com/blog/svc-new-stealer-on-the-horizon/