December 5, 2023

Researchers came up with a warning about a new variant of the credential-stealing malware dubbed as Zaraza. This is fond of  pilfering log-in credentials of web browsers Google Chrome, Microsoft Edge, Opera and Brave.

Threat actors are leveraging Telegram servers as their C2 platform to shuffle bank login credentials and cryptocurrency exfiltrated from targeted computers. Researchers believe adversaries behind the campaign have ties to Russia, adding the name of the malware translates from Russian to the word infection.

Nearly 40 web browsers are targeted by adversaries using the Zaraza bot. Noticeably absent from the list of browsers is Apple’s Safari and Mozilla Foundation’s Firefox browsers.  The web browser on the system stores credentials in two encrypted formats as a default security measure. This bot is capable of decrypting both formats.


The Zaraza bot appears to part of an organized criminal enterprise, with threat actors able to purchase access to the bot from a centralized malware distributor. The use of platform like Telegram,  can aid them to distribute malware and move data and bypass detection.

Zaraza is distributed as a 64-bit binary file compiled using the C# programming language and contains Russian Cyrillic characters in its code. After scanning the infected device, the malware creates an “output.txt” file in a new subfolder in the Temp directory. Once after extracting encrypted passwords from the browser, the attacker then saved this data to the output.txt file.

Indicator of compromise

  • 41D5FDA21CF991734793DF190FF078BA

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.