Unmasking FleshStealer: A New Infostealer Threat in 2025

Last year, infostealers infected over 18 million devices, exposing more than 2.4 billion compromised credentials. FleshStealer, a new advanced credential stealer, is gaining traction due to its evasion techniques and data extraction capabilities. Organizations need to enhance their defenses against this growing threat.

Affected: organizations, individuals, cybersecurity sector

Key points:

  • Information-stealing malware infected over 18 million devices last year.
  • Over 2.4 billion compromised credentials were exposed and sold.
  • Infostealers are a prominent threat in the cybercrime ecosystem.
  • FleshStealer is a new strain with advanced evasion techniques.
  • FleshStealer operates through a web-based panel and uses C# for its execution.
  • It avoids detection by terminating itself in VM environments.
  • The malware is lightweight and targets Chromium and Mozilla-based browsers.
  • FleshStealer uses several tactics to evade detection and escalate privileges.
  • The malware can extract information from multiple browser extensions.
  • Organizations need to stay informed on evolving infostealer trends.

MITRE Techniques:

  • T1547: Boot or Logon Autostart Execution – Uses a Windows utility to gain administrative privileges with altered registry keys.
  • T1027: Obfuscated Files or Information – Employs a decryption routine with obfuscated strings to evade detection.
  • T1497: Virtualization/Sandbox Evasion – Analyzes system information and halts operations in VM environments to avoid detection.
  • T1555: Credentials from Password Stores – Targets browsers to steal saved credentials and session tokens.
  • T1057: Process Discovery – Identifies active browser processes to locate sensitive user data.
  • T1005: Data from Local System – Scans for high-value files and archives data for exfiltration.
  • T1560: Archive Collected Data – Packages identified data into compressed archives for efficient transmission.
  • T1567: Exfiltration Over Web Service – Uses web services for real-time data exfiltration and remote access.

Indicators of Compromise:

  • [Domain] fleshstealer.com
  • [Hash] 5d41402abc4b2a76b9719d911017c592 (example MD5 hash)

Full Story: https://flashpoint.io/blog/fleshstealer-infostealer-threat-2025/