Maranhão Stealer Detection: New Node.js-Based Information-Stealing Malware Applies Reflective DLL Injection
Information-stealing malware is rapidly escalating across the cyber threat landscape. ESET reports that SnakeStealer nearly doubled its activity in H1 2025, becoming the most detected infostealer and accounting for almost 20% of all infostealer detections. Meanwhile, a new campaign dubbed Maranhão Stealer has surfaced, targeting gaming enthusiasts via malicious pirated software hosted on cloud services. This campaign marks a troubling shift in credential theft operations, blending social engineering with advanced evasion tactics to compromise user accounts and cryptocurrency wallets.
Maranhão Stealer Detection
The emergence of more advanced adversary tooling and detection evasion methods that help threat actors stay under the radar is driving the evolution of information-stealing malware. New delivery techniques like ClickFix, paired with the power of generative AI, are enabling more sophisticated and larger-scale infostealer campaigns.
Register for SOC Prime Platform, which leverages top cybersecurity expertise and AI to help global organizations preempt the cyber attacks they anticipate most. SOC Prime Platform curates a set of Sigma rules and AI-generated content to enable security teams to proactively detect emerging Maranhão Stealer campaigns. Click the Explore Detections button below to drill down to the relevant list of detections enriched with comprehensive cyber threat context, such as audit configurations, false-positive metadata, triage recommendations, and MITRE ATT&CK® references.
The detection code can be instantly converted into multiple SIEM, EDR, and Data Lake language formats, ready to deploy into your instance, and tailored to specific security needs via Uncoder AI. The latest Uncoder AI update introduces even more advanced capabilities for security teams to manage detection engineering tasks end-to-end using a new AI Chat Bot interface and MCP tools.
Maranhão Stealer Analysis
Cyble analysts have uncovered an active Maranhão Stealer campaign distributed via social engineering websites hosted on cloud platforms, with evidence suggesting the malware has been active since May 2025 and is under continuous development. The threat actors primarily target gaming enthusiasts, luring victims with gaming-related links, cheats, and pirated software downloads (e.g., hxxps://derelictsgame.in/DerelictSetup.zip). The malware is delivered in ZIP archives containing an Inno Setup installer that launches a Node.js-compiled binary to exfiltrate credentials. Maranhão Stealer achieves persistence and evasion by hiding its payloads as system and hidden files, and conducts detailed host reconnaissance. It then extracts credentials, cookies, browser history, and wallet data, using reflective DLL injection to get at browser-protected secrets, underscoring the malware’s growing sophistication.
Once executed, Maranhão Stealer hides in a “Microsoft Updater” folder under %localappdata%\Programs, establishing persistence via a Run registry key and a scheduled task before launching updater.exe. It then performs system reconnaissance, screen captures, and credential theft, targeting browsers and cryptocurrency wallets. To bypass protections like Chrome’s App-Bound Encryption, it uses reflective DLL injection to extract cookies, stored credentials, and session tokens, which are staged locally and exfiltrated to the attacker’s infrastructure.
Early variants used PsExec and a Go-based decryptor.exe placed in C:\Windows for plaintext password recovery, leaving visible artifacts. Newer builds are stealthier, embedding password recovery in an obfuscated Go binary, infoprocess.exe, and spawning processes via Win32 API calls instead of PsExec. Despite minor sample variations, core functionality remains consistent, illustrating how threat actors fuse social engineering, commodity tools, and modern development stacks to deliver advanced infostealers at scale.
Maranhão Stealer leverages social engineering via pirated software and gaming-related lures, delivering trojanized installers, cracked launchers, and cheats disguised as popular or modified games. Once launched, the stealer (updater.exe) establishes persistence by creating a Run registry key via reg.exe, ensuring execution from the Microsoft Updater directory at each user logon. It then conceals its components by setting the System and Hidden attributes with attrib.exe. To profile the host, the malware issues WMI queries to gather OS version, CPU model, GPU, hardware UUID, and disk metrics, and collects network and geolocation data from ip-api.com/json. This reconnaissance supports environment fingerprinting, sandbox detection, and exploitation assessment. The stealer also takes screen captures to collect visual context from the victim’s system.
After reconnaissance, the stealer targets major browsers, enumerating user profiles to extract browsing history, cookies, download records, and saved credentials. It initiates the DLL injection chain by spawning infoprocess.exe with the browser name as a parameter. The helper process runs the browser in headless mode, enabling covert interaction and data extraction without displaying a window.
To mitigate Maranhão Stealer and similar info-stealing campaigns, organizations should proactively monitor for suspicious behaviors such as process injection, persistence-related registry changes, and unauthorized data exfiltration, and should restrict the execution of unauthorized binaries through application control policies.
The Maranhão Stealer campaign shows attackers combining social engineering via pirated gaming software with obfuscation, persistence, and reflective DLL injection to steal credentials and cryptocurrency while evading detection, which demands a rapid and vigilant response from defenders. By relying on SOC Prime’s complete product suite backed by AI, automation, and real-time threat intel, organizations can proactively defend their infrastructure against sophisticated information-stealing attacks and other evolving threats that matter most.