A new Rust-based stealer malware dubbed Fickle Stealer has come to the scene, capable of extracting sensitive data from compromised users. The new stealer masquerades itself as GitHub Desktop software for Windows and employs a wide range of anti-malware and detection evasion techniques, posing a growing threat to its potential victims.

Detect Fickle Stealer Malware

The current cybersecurity landscape is marked by the growing prevalence of stealer malware, which is getting increasingly stealthy and evasive. Notably, these threats, such as the recent campaigns involving Strela Stealer and PXA Stealer, employ a variety of sophisticated techniques to bypass security defenses. The emergence of new Fickle Stealer malware, which is leveraged by adversaries to steal sensitive data and can masquerade itself as GitHub Desktop software, encourages organizations to bolster proactive security measures and increase cybersecurity awareness to timely identify malicious intrusions. SOC Prime Platform for collective cyber defense equips security teams with a relevant collection of SOC content to detect Fickle Stealer.

Click Explore Detections below to instantly access the corresponding context-enriched content items. These detections are aligned with MITRE ATT&CK® and provide in-depth cyber threat context for streamlined threat research, including CTI and other relevant metadata. Security engineers can also convert the detection code into 30+ SIEM, EDR, and Data Lake formats that match their security needs.

Explore Detections

Fickle Stealer Analysis

Defenders have observed a wave of cyber attacks spreading Fickle Stealer, a novel stealer malware that commonly disguises itself as legitimate software. Trellix researchers have recently published research into ongoing Fickle Stealer attacks, in which a new malicious strain masquerades itself as GitHub Desktop for Windows.

Fickle Stealer, which first emerged in May 2024, can be spread through diverse attack vectors, including phishing, drive-by downloads, ransomware infections, and misuse of invalid certificates. Once installed, it takes steps to establish persistence and evade security defenses like User Account Control, enabling it to carry out its core task of stealing sensitive data from impacted devices. The malware can download additional files, capture screenshots, and self-destruct after showing a fake error message, making its detection especially challenging for defenders.

Fickle Stealer leverages a multi-stage infection chain that hinders detection and mitigation. The malware spreads via a set of offensive methods like VBA droppers weaponizing Windows flaws and employs a custom packer to disguise its harmful code as legitimate files. It features anti-malware analysis tactics, such as sandbox evasion, debugging tools, and misleading error messages, allowing it to avoid detection while remaining under the radar and harvesting user data.

The new stealer takes advantage of PowerShell scripts, like bypass.ps1, to exfiltrate sensitive data, including the victim’s country, IP address, and OS, via a Telegram bot. It runs hidden commands to relay collected information to an adversary C2 server and uses additional scripts to inject malicious code into executables, ensuring persistence. 

With its multi-stage attack chain, wide distribution across multiple attack vectors, and advanced evasion techniques, Fickle Stealer proves to be a stealthy and challenging malware, making it difficult for defenders to detect its presence in a timely manner. By leveraging SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, security teams can elevate their defenses at scale while helping their organization future-proof the cybersecurity posture and outpace adversaries.