December 3, 2023

Researchers have spotted a stealer malware named as Evil Extractor (originally marketed as an educational tool) is being marketed for sale for other threat actors to steal data and files from Windows systems.

It has several modules that all work via an FTP service, it also contains environment checking and Anti-VM functions. Its primarily focuses steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server. Majority  of the victims located in Europe and the U.S.

Sold by an actor named Kodex,  it’s continually updates and packs in various modules to siphon system metadata, passwords, and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.


As a part of the new campaign, the malware has been used as part of a phishing emails that lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their account details.

The Account_Info.exe binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch Evil Extractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

The report concluded stating, Evil Extractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor.

This research was documented by researchers from Fortinet

Indicators of Compromise

  • 45[.]87[.]81[.]184
  • 193[.]42[.]33[.]232
  • 352efd1645982b8d23a841107007c8b4b024eb6bb5d6b312e5783ce4aa62b685
  • 023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
  • 75688c32a3c1f04df0fc02491180c8079d7fdc0babed981f5860f22f5e118a5e
  • 826c7c112dd1ae80469ef81f5066003d7691a349e6234c8f8ca9637b0984fc45
  • b1ef1654839b73f03b73c4ef4e20ce4ecdef2236ec6e1ca36881438bc1758dcd
  • 17672795fb0c8df81ab33f5403e0e8ed15f4b2ac1e8ac9fef1fec4928387a36d

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: