A new two-stage malware family has emerged, targeting cryptocurrency enthusiasts and everyday users alike.
Dubbed LeakyInjector and LeakyStealer by researchers at Hybrid Analysis, this duo stealthily infiltrates Windows systems to siphon sensitive data, including crypto wallet credentials and browser histories.
First spotted in early October 2025, the malware masquerades as legitimate software and carries a valid Extended Validation (EV) code-signing certificate, so it passes the reputation checks that a valid signature normally satisfies.
The certificate, issued by Sectigo to Hefei Nudan Jukuang Network Technology Co., Ltd. and valid until September 2026, has been linked to at least seven related samples, suggesting reuse by a persistent threat actor.
Initial Infection and Evasion Tactics
LeakyInjector serves as the dropper, a padded 64-bit executable around 30 MB that scans for the explorer.exe process on the infected machine.
It employs low-level Windows APIs for process injection, decrypting the second-stage payload LeakyStealer with ChaCha20 using a key and nonce hardcoded in the binary. Because both are hardcoded, the second stage can be recovered statically from the dropper without executing it.
Once injected, LeakyStealer establishes persistence by copying itself to the %AppData% directory as “MicrosoftEdgeUpdateCore.exe” and adding a “EdgeUpdateCore” entry to the Run registry key.
The name imitates Microsoft Edge's updater and blends in at a glance, but the genuine updater lives under Program Files, not a per-user %AppData% path, so the location alone is a red flag. To dodge detection, LeakyStealer features a rudimentary polymorphic engine.
It scans its memory for a hardcoded 8-byte marker (“DE AD BE EF CA FE BA BE”) and patches the surrounding 16 bytes with NOP instructions or harmless jumps, altering its footprint at runtime. The marker itself is left intact, so it remains a stable string to hunt for in memory even after the patch has changed the hash of the code section.
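The polymorphic step above, modelled as an added example (this is not code from the Hybrid Analysis report or from the malware) on a constructed byte buffer. It assumes the 16 patched bytes are the ones immediately following the marker and that the patch writes x86 NOPs (0x90); the point it demonstrates is that the image hash changes while the marker, and therefore a marker-based memory scan, survives.

```python
# Added example: models the LeakyStealer marker patch described on the page
# over a constructed buffer and shows the marker still scans afterwards.
# Assumptions (not stated on the page): the 16 patched bytes follow the
# marker, and the patch bytes are x86 NOPs (0x90).
import hashlib
import re

MARKER = bytes.fromhex("DEADBEEFCAFEBABE")  # the 8-byte marker from the report
NOP = 0x90
PATCH_LEN = 16          # bytes rewritten around the marker
MARKER_OFFSET = 100     # where the constructed image embeds the marker


def build_sample_image() -> bytes:
    """Constructed stand-in for the stealer's in-memory code: a deterministic
    byte ramp with the marker embedded at MARKER_OFFSET (not real malware)."""
    body = bytearray(range(256))
    body[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    return bytes(body)


def polymorph(image: bytes) -> bytes:
    """What the page describes: locate the marker and overwrite the bytes
    next to it with NOPs so the code section hashes differently per run."""
    buf = bytearray(image)
    idx = buf.find(MARKER)
    if idx < 0:
        return bytes(buf)
    start = idx + len(MARKER)
    buf[start:start + PATCH_LEN] = bytes([NOP]) * PATCH_LEN
    return bytes(buf)


def find_marker(blob: bytes) -> list[int]:
    """Detection side: every offset of the marker in a memory dump. Because
    the malware patches around the marker, not the marker, this still fires."""
    return [m.start() for m in re.finditer(re.escape(MARKER), blob)]


def image_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def demo() -> dict:
    original = build_sample_image()
    mutated = polymorph(original)
    patched = mutated[MARKER_OFFSET + len(MARKER):MARKER_OFFSET + len(MARKER) + PATCH_LEN]
    return {
        "hash_changed": image_hash(original) != image_hash(mutated),
        "marker_before": find_marker(original),
        "marker_after": find_marker(mutated),
        "patched_bytes": patched,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The practical takeaway is that a file-hash or code-section-hash indicator is weak against this sample, while a byte-pattern scan of process memory (the `find_marker` logic, or an equivalent YARA rule on the 8-byte sequence) is not affected by the mutation.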
Debug strings and minimal obfuscation reveal a sample likely in active development, yet its beaconing to a command-and-control (C2) server at regular intervals using HTTP POST requests to 45.151.62.120:443 ensures reliable exfiltration.
The server, tied to domains like everstead.group and ip-ptr.tech, responds with commands parsed via WinHTTP functions.
Data Theft and Backdoor Capabilities
LeakyStealer computes a unique Bot ID by XORing the C: drive’s volume serial with 0xDEADBEEF, then gathers system intel like hostname, username, domain, and Windows version using APIs such as RtlGetVersion and GetTokenInformation.
It checks for admin privileges before exfiltrating this data in a “LOAD” packet to /api/beacon.

The real prize lies in its theft mechanisms. The malware hunts for crypto wallets including Electrum, Exodus, Atomic, Sparrow, Ledger Live, Guarda, and BitPay, plus browser extensions like MetaMask, Phantom, Coinbase, and Trust Wallet.
It also plunders history files from Chrome, Edge, Brave, Opera, and Vivaldi, copying each to a temp folder as “history_%d.db” (a copy is needed because the browser holds the live SQLite file locked while it runs), reading the contents in memory, and deleting the copy with DeleteFileA. The short-lived copy in %TEMP% is itself a detection artifact.
Exfiltrated via /api/beacon/history with an X-Bot-Id header, this data fuels potential phishing or account takeovers.
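The Bot ID construction and the beacon traffic described above lend themselves to a small triage script, added here as an example (not code from the Hybrid Analysis report). It parses constructed proxy log lines in a made-up format, flags POSTs to the C2 endpoints, and inverts the XOR to recover the C: volume serial from the X-Bot-Id header so a beacon can be tied to a specific host. The 8-hex-digit encoding of the Bot ID in the header is an assumption; the page does not state the wire format.

```python
# Added example: triage constructed proxy logs for the LeakyStealer beacons
# named on the page and recover the volume serial from X-Bot-Id.
# Assumptions (not from the page): the log line format below is our own, and
# the header carries the Bot ID as 8 hex digits.
import re

C2_HOST = "45.151.62.120"
C2_PORT = 443
BEACON_PATHS = {"/api/beacon", "/api/beacon/history"}
XOR_KEY = 0xDEADBEEF  # from the page: Bot ID = volume serial XOR 0xDEADBEEF

# Constructed sample lines: "<ts> <client> <method> <host>:<port><path> <header>"
SAMPLE_LOG = """\
2025-10-03T09:12:41Z 10.0.0.15 POST 45.151.62.120:443/api/beacon X-Bot-Id=C0FF3E2A
2025-10-03T09:13:05Z 10.0.0.15 POST 45.151.62.120:443/api/beacon/history X-Bot-Id=C0FF3E2A
2025-10-03T09:13:07Z 10.0.0.22 GET 93.184.216.34:443/index.html -
2025-10-03T09:20:01Z 10.0.0.31 POST 45.151.62.120:443/api/beacon X-Bot-Id=1F2E3D4C
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[\d.]+):(?P<port>\d+)(?P<path>/\S*) (?P<hdr>\S+)$"
)


def bot_id_from_serial(volume_serial: int) -> int:
    """Bot ID as the page describes it: 32-bit volume serial XOR 0xDEADBEEF."""
    return (volume_serial ^ XOR_KEY) & 0xFFFFFFFF


def serial_from_bot_id(bot_id: int) -> int:
    """XOR is its own inverse, so a Bot ID seen on the wire yields the volume
    serial, which can be matched against `vol C:` on candidate hosts."""
    return (bot_id ^ XOR_KEY) & 0xFFFFFFFF


def format_serial(volume_serial: int) -> str:
    """Render as Windows prints it: XXXX-XXXX."""
    return f"{volume_serial >> 16:04X}-{volume_serial & 0xFFFF:04X}"


def triage(log_text: str) -> list[dict]:
    """Return one record per beacon POST to the C2, with the recovered serial."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["host"] != C2_HOST or int(m["port"]) != C2_PORT:
            continue
        if m["method"] != "POST" or m["path"] not in BEACON_PATHS:
            continue
        hdr = m["hdr"]
        bot_id = int(hdr.split("=", 1)[1], 16) if hdr.startswith("X-Bot-Id=") else None
        serial = serial_from_bot_id(bot_id) if bot_id is not None else None
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "path": m["path"],
            "bot_id": bot_id,
            "volume_serial": serial,
            "serial_text": format_serial(serial) if serial is not None else None,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Matching the recovered serial to a host is the useful step: the same client IP can be NAT or DHCP noise, but a volume serial is stable across reboots and IP changes, so two beacons with the same X-Bot-Id from different addresses are the same infected machine.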
Two backdoor commands amplify its danger: one downloads and executes remote files using CreateProcessA, while the other runs Windows commands via anonymous pipes, relaying output to the C2.
Distribution traces back to an MSI installer on paycnex.com, alongside a PowerShell script linked to NetSupport RAT, hinting at broader campaigns.
Hybrid Analysis’s deep dive underscores the malware’s sophistication despite its flaws.
As crypto adoption grows, users and defenders should prioritize endpoint detection, browser isolation, and the recognition that a valid code-signing certificate is not evidence of benign software.
The signing certificate was revoked after analysis, but its use here highlights the risk of abused legitimate infrastructure: a wake-up call for heightened vigilance in 2025’s threat environment.