Meduza Stealer: What Is It & How Does It Work?

Meduza Stealer Analysis in 2023
Meduza Stealer is a new malware sample that has a lot of reasons to become a prolific strain

The Malware world evolves constantly, and it would be reckless to ignore newcomers and their potential. Meduza Stealer appears to be a pretty potent stealer variant with its unique features and marketing model. Additionally, this malware may be considered a firstling of a new malware generation – one which breaks old geolocation filtering rules.

What is Meduza Stealer?

Meduza is an all-encompassing infostealer, which is somewhat similar to the old guard at a glance. However, well-known things such as Redline or Raccoon stealers gained the ability to steal cryptocurrency information only with further updates. Meduza, on the other hand, can do this out-of-box, with the ability to circumvent more tricky protection measures of crypto apps. Moreover, it includes a much bigger list of wallets and browsers it can extract data from than any of the mentioned stealers.

The distinctive feature of Meduza Stealer is the way it hides its samples. Instead of a usual packing, hackers use code obfuscation and recompiling, which allows them to circumvent even the most robust anti-malware engines. Well, these approaches do not sound like something phenomenal, but when applied together, and in an unusual way, things may become way less predictable – and detectable.

Though, this is not the full list of unusual things for this malware. In price, the malware offers 2 fixed plans and a negotiable lifetime license. For $199 you receive malware, all possible customization options for the payload, admin panel, and the ability to download all the logs in one click, for the term of 1 month. Hackers offer the same stuff for $399 for 3 months. And the cherry topping, as I said, is the ability to negotiate the prices of a lifetime license for this malware. Probably, malware developers are even ready to share the source code – but that is only a guess since there were groups that used such a model earlier.

Meduza Stealer in Telegram
Promotion of Meduza Stealer in Telegram. Channels are exclusively Russian.

An Offspring of Aurora Stealer?

There are plenty of examples of how brand-new malware may be a re-branded old sample, with a slightly different team of crooks behind it. Malware is rarely developed by a single person. Developers of one malware may start working on another, and bring their prior developments in a new product. Alternatively, a part of a cybercrime gang that stopped functioning may decide to resume their illegal deeds – and they rebrand their “tools” to start with a new image. This or another way, is a common occasion there.

In the case of Meduza Stealer, things are not that straightforward. Due to the use of enhanced obfuscation, it is hard to say whether it shares any code details with known malware families. Some malware analysts claim that Meduza is an offspring of Aurora Stealer – malware that popped out in late 2022. Their main arguments are similarity in the form of C2 calls and logs with collected data.

Aurora vs Meduza Logs
Similarity in logs of Aurora and Meduza Stealers

As you can see, Meduza’s logs resemble Aurora’s by the ASCII-styled header and some visual elements. However, it is not a definitive thing – malware developers sometimes inspire with or completely copy things from other malware families. Other details that researchers put under the suspect are file naming policies – but this is not the brightest proof as well.

This, however, caused a harsh reaction from malware developers. In their “support” channel they called all the proofs rubbish, and also said they picked up the trail of one who leaked the malware build. Also, there was decent evidence that proves Meduza’s originality – it is written in C++, which is not even close to the Golang used in Aurora Stealer.

Developers Rant
The reaction of Meduza developer to the analyst’s claims about the malware being Aurora stealer copy

Meduza Stealer Analysis: Catch Me or I Catch You

The threat that comes from each specific malware sample roughly depends on two factors: how hard it is to detect it and how much damage it can deal. Meduza Stealer tries to outpace its counterparts in these two factors. It is not the most stealthy malware, for sure, and there are ones that steal even more data, but rare samples may boast of a combination of these two. And Meduza does.

Meduza Stealer Exec Chain

In the picture above you can see the simplified scheme of the Meduza Stealer operation process. First of all, it checks the geolocation of the attacked system by its IP address. There lies another unusual feature of this malware — it has a typical ban list of countries for malware from Russia, though it does not include Ukraine. Instead, malware will exit once the IP of the attacked system is in Georgia. The latter has become quite a popular destination among Russians who try to avoid enlistment in the army. Overall, malware will not run in Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Turkmenistan.

Excluded Countries
Code in the malware’s PE file that bans its execution in certain countries.

The very next step is contacting the C2 server. This step is not very common among stealers, as they prefer to knock back the C2 only after succeeding with data stealing. Instead, Meduza contacts the server immediately after ensuring that the system is not in the forbidden location – but without any strict actions. Malware sends the blank POST request, that does not receive any response from the server. Only once the connection is successful, malware will keep going.

Data Gathering

As I said, Meduza is distinctive for an outrageously wide number of web browsers, desktop apps, and crypto-wallets it can rummage through. More common malware samples usually stop on the most popular apps and wallets, including some from alternative options. This one, however, does not disdain even underdogs. Kinza, Mail.ru, Atom, Amigo – some of them are even considered PUPs by security vendors, and I bet you didn’t even know that some of them exist.

List of browsers Meduza gathers data from:

Chrome Chrome Beta Chrome SxS 360ChromeX ChromePlus
Chromium Edge Brave Browser Epic Privacy Browser Amigo
Vivaldi Kometa Orbitum Atom Comodo Dragon
Torch Comodo Slimjet 360Browser 360se6
Baidu Spark Falkon AVAST Browser Waterfox BitTubeBrowser
NetboxBrowser Mustang InsomniacBrowser Maxthon Viasat Browser
Opera Stable Opera Neon Opera Crypto Developer Opera GX Stable QQBrowser
SLBrowser K-Meleon Go! Secure Browser Sputnik
Nichrome CocCoc Browser Uran Chromodo YandexBrowser
7Star Chedot CentBrowser Iridium Naver Whale
Titan Browser SeaMonkey UCBrowser CLIQZ Flock
BlackHawk Sidekick Basilisk GhostBrowser GarenaPlus
URBrowser IceDragon CryptoTab Browser Pale Moon Superbird
Elements Browser Citrio Xpom ChromiumViewer QIP Surf
Liebao Coowon Suhba TorBro RockMelt
Bromium Kinza CCleaner Browser AcWebBrowserr CoolNovo
SRWare Iron Mozilla Firefox AVG Browser Thunderbird Blisk
Cyberfonx SwingBrowser Mozilla IceCat SalamWeb SlimBrowser

Browsers commonly have different ways to handle passwords and autofill info – and the malware has its approach for each one. For ones that store such data in databases, malware prepares an SQL database request, which simply extracts all the valuables. Other, less secure browsers, keep this info in a plain text file – which is not a big quest to find.

One more point of interest for stealer malware in web browsers is cookie files. Cookies can contain different things – from almost useless shopping cart contents to session tokens, usernames, emails, and the like. Cookie files can have a great value when it comes to data stealing – especially when they are fresh. One may say – just the like real ones.

Desktop apps

Aside from web browsers, Meduza Stealer gathers information from several desktop applications, namely Telegram, Steam, and different Discord clients. To put its hands on Steam session tokens, malware gets to the program’s registry key in the CurrentUser branch. The HKCU\Software\Valve\Steam key contains a lot of info, aside from login data and session information – so malware does not go purely for the account.

Telegram does not keep login details in such an accessible form, though malware manages to gather sensitive information similarly. By checking these two keys, Meduza can get information about the system kept in Telegram session info, app versions, usernames, and other important stuff.


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

Discord is also a tough nut when it comes to grabbing session info. For that reason, malware limits to only system info recorded in a session, app configurations, and the like. This, contrary to two other apps, is done directly in the programs’ folder. Malware attacks several different editions of Discord, as the free API allows the creating of forks and user modifications.

2FA Extensions

Well, did I say that Meduza is ravenous when it comes to data gathering? Hold your 2FA browser extensions close to your body – the malware hunts them as well. The list of add-ons it targets is not as big as that of browsers, though there are not many of them present.

Extension name Web Store ID
Authenticator 2FA bhghoamapcdpbohphigoooaddinpkbai
Authenticator 2FA ocglkepbibnalbgmbachknglpdipeoio
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk
GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl
1Password oeljdldpnmdbchonielidgobddffflal
1Password dppgmdbiimibapkepcbdbmkaabgiofem
Dashlane Password Manager fdjamakpfbbddfjaooikfcpapjohcfmg
Dashlane Password Manager gehmmocbbkpblljhkekmfhjpfbkclbph
Bitwarden Password Manager nngceckbapebfimnlniiiahkandclblb
Bitwarden Password Manager jbkfoedolllekgbhcbcoahefnbanhhlh
NordPass jbkfoedolllekgbhcbcoahefnbanhhlh
Keeper Password Manager bfogiafebfohielmmehodmfbbebbbpei
RoboForm pnlccmojcmeohlpggmfnbbiapkmbliob
RoboForm ljfpcifpgbbchoddpjefaipoiigpdmag
SSO Authenticator nhhldecdfagpbfggphklkaeiocfnaafm
Zoho Vault igkpcodhieompeloncfnbekccinhapdb
KeePassXC dppgmdbiimibapkepcbdbmkaabgiofem
KeePassXC pdffhmdngciaglkoonimfcmckehcpafo
LastPass hdokiejnpimakedhajhdlcegeplioahd
LastPass bbcinlkgjjkejfdpemiealijmmooekmp
BrowserPass naepdomgkenhinolocfifgehidddafch
MYKI bmikpgodpkclnkgmnpphehdgcimmided
MYKI nofkfblpeailgignhkbnapbephdnmbmn
Splikity jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey chgfefjpcobfbnpmiokfjjaglahmnded
Authy gaedmjdfmmahhbjefcbgaolhhanlaolb

Cryptocurrency wallets

Gathering data about crypto wallets was not a widespread thing among older-gen stealers. With time, most of the families we know and love adopted such functionality. Modern-gen ones have them present by default, and it probably makes up for the number of names they can gather info from.

MetaMask Binance Wallet BitApp Wallet Coin98 Wallet
SafePal Wallet DAppPlay Guarda EQUA Wallet
GuildWallet Casper Wallet ICONex Math Wallet
Starcoin Hiro Wallet MetaWallet Swash
Finnie Keplr Crocobit Wallet Oxygen
MOBOX WALLET Phantom TronLink XDCPay
Ton Sollet Slope DuinoCoin Wallet
LeafWallet Brave Wallet Opera Wallet CWallet
Flint Wallet Exodus Web3 Wallet Trust Wallet Crypto Airdrops & Bounties
Nifty Wallet Liquality Ronin Wallet Oasis
Temple Pontem Aptos Wallet Solflare Wallet Yoroi
iWallet Wombat Gaming Wallet Coinbase Wallet MEW CX
Jaxx Liberty OneKey Hycon Lite Client SubWallet
Goby TezBox ONTO Wallet Hashpack
Cyano Martian Wallet Sender Wallet Zecrey
Auro Terra Station KardiaChain Rabby Wallet
NeoLine Nabox XDEFI KHC
OneKey CLW Polymesh ZilPay
Byone Eternl Nami Maiar DeFi Wallet

This extensive list contains crypto wallets that can have both desktop and in-browser forms. In such cases, malware treats them in a separate way – by collecting data from registry entries they leave. Here are some examples of keys the malware can read to collect login data from your crypto wallet:


HKCU\SOFTWARE\Etherdyne\Etherwall\geth
HKCU\SOFTWARE\monero-project\monero-core
HKCU\SOFTWARE\BitcoinCore\BitcoinCore-Qt
HKCU\SOFTWARE\LitecoinCore\LitecoinCore-Qt
HKCU\SOFTWARE\DashCore\DashCore-Qt
HKCU\SOFTWARE\DogecoinCore\DogecoinCore-Qt

System fingerprinting

To distinguish between the attacked systems, stealers commonly collect some trivial info about the system. Meduza is not an exclusion – it collects all the basic things that can identify the computer among others.

  • System build details
  • Username
  • Computer name
  • Screen Resolution details
  • Screenshot
  • OS details
  • CPU details
  • RAM details
  • GPU
  • Hardware ID details
  • Execute path
  • Public Ip
  • Geo
  • Time
  • TimeZone

Another application for such data comes into view when we remember that Meduza can also collect browser cookies. The combination of cookies, passwords, and system information allows for creating a complete copy of the device – at least from the POV of the website. There even were Darknet services dedicated specifically to the system profile spoofing – you input the cookies and system specs, and it makes your system indistinguishable from the original one. This helps with circumventing the most sophisticated protection mechanisms.

Data extraction

All the data Meduza Stealer manages to collect from the infected system is stored in a specific folder, created after the malware unpacking and execution. When it comes to sending the data to the command server, malware archives this data and sends it to the server – nothing unusual there. Since malware uses a protected connection for the C&C communication, it is not that easy to detect the extraction process.

C&C connection Meduza
Code responsible for the C2 server connection in Meduza Stealer.

Contrary to the “classic” stealers, like Vidar, Meduza does not perform the meltdown once it finishes data collection. It keeps running in the background, performing periodic pings to the C2 and waiting for commands. There is a command for self-removal – but they are most likely sent only in exclusive cases.

How to protect against Meduza Stealer?

Actually, the ways to protect against Meduza are the same as in the case of any other stealers. However, there is a difference dictated by the exceptional detection evasion capabilities of this malware. For efficient prevention of Meduza stealer activity, a strong heuristic protection is essential.

Be careful with all things that can act as a malware source. Email spam or phishing posts in social media are among the most exploited ways of malware spreading. A less popular, but sometimes even more efficient approach is exploiting Google Ads in search results. Fraudsters will do their best to make you believe that the thing is legit, and you should not fear interacting with it.

Implement preventive anti-malware measures. To weed out malware with such an unusual detection evasion model the program should include a sturdy heuristic engine. Additionally, you can seek solutions with email protection functions and CDR applications. They help you to secure one of the possible attack vectors.

Meduza Stealer: What Is It & How Does It Work?

Avoid cracked software. Yet another place used for malware spreading is cracked programs – they have served this purpose for over two decades now. And even since its share shrunk in recent years, you can still get something nasty from there. You can get dropper malware through the program crack, and it will then inject any other thing – from spyware to ransomware.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *