DeerStealer is an advanced information-stealing malware that has been actively deployed in global campaigns since May 2025. Sold on dark-web forums and Telegram channels by the actor LuciferXfiles, DeerStealer is offered on a subscription model priced between $200 and $3,000 per month, which puts it within reach of a wide range of threat actors.
The malware masquerades as legitimate software (including fake Adobe Acrobat Reader updates and document readers) and is commonly delivered through HijackLoader payloads and ClickFix phishing chains. Once executed, DeerStealer establishes persistence, steals passwords, financial data, cryptocurrency wallets, browser cookies, VPN credentials, and instant messaging content, then exfiltrates this data to attacker-controlled C2 servers.
DeerStealer is distributed in ZIP archives containing PE executables and uses data obfuscation, signed binaries, and rootkit-like techniques to evade detection. Key characteristics include:
Loader & Branding: Sold under the name XFiles Spyware with full loader package.
Persistence: Creates scheduled tasks to auto-execute after reboots, ensuring long-term access.
Adaptability: Capable of switching C2 servers dynamically to maintain communication even after takedowns.
Past Campaigns: Distributed as fake Google Authenticator apps hosted on GitHub.
Delivery Vector: Often delivered as the final payload of HijackLoader infection chains, using ClickFix-style phishing pages that trick users into pasting and running commands in the Windows Run prompt (Win+R).
Recommended Mitigations
Implement Network Segmentation & Zero Trust: Apply micro-segmentation and enforce device and user verification before granting access, so a compromised workstation cannot reach sensitive systems directly.
Protect Credentials & Sensitive Data: Enable MFA, rotate financial, VPN, and crypto wallet credentials regularly and immediately after a suspected infection (stolen browser cookies and session tokens should be invalidated, not just passwords), and monitor for suspicious access.
Audit File System Permissions: Restrict write permissions on sensitive directories and disable unnecessary file sharing using ACLs. Note that the drop directories listed under File Paths sit in user-writable locations (AppData\Roaming, ProgramData), so ACLs alone will not block the initial drop; monitor those directories for new executables.
Deploy Advanced Endpoint Protection: Use EDR/NGAV solutions that detect obfuscated binaries, rootkit-like behaviors, and suspicious scheduled task creation, and alert on command-line execution spawned from the Run prompt.
SHA256 Hashes (Samples)
a03cec07324b0c3227e4f060b0fefc24d35482dfe690bc86df1a53211629837e
b7ee370878fb4290097311e652222d8bab91c44a94063ea192100d4fd9dadb14
ce62130f0392b40ab047392b47d523f66a55260c9fc2ec3d3727fab13fc87933
e189e7fe9cd6d63ecece8b8e8fafb773003db6009fb0c45dc2b21e77167938ba
623ff1e6662986ab36336919fde5c48805b4a87b97af6f9abe09732e9ac45b8f
Domains (Samples)
telluricaphelion[.]com
nacreousoculus[.]pro
cdnnode-01[.]cfd
ncloud-servers[.]shop
authentificator-gogle[.]com
updater-pro[.]com
chromstore-authentificator[.]com
File Paths
C:\Users\[user-name]\AppData\Roaming\DebugdebugIRG_debug\...
C:\Users\[user-name]\AppData\Roaming\Outspan
C:\ProgramData\DebugdebugIRG_debug
IP Addresses
104[.]21[.]112[.]1
103[.]246[.]144[.]118
172[.]67[.]195[.]171
Note: 104.21.112.1 and 172.67.195.171 fall within Cloudflare's anycast address space, so they are shared with many unrelated sites. Treat hits on these two as low-confidence and pivot to the domain or TLS SNI rather than blocking the IP outright; 103.246.144.118 is not in a shared CDN range and can be treated as a direct indicator.
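As an added hunting example (not tooling from this advisory or from the malware's authors), the script below loads the indicators listed in this section, expands the printed path templates (`[user-name]` and the trailing `...`) into regular expressions, and scans Sysmon-style events for hashes, domains, IPs, drop paths, and scheduled-task creation that points at a drop path. The log lines, the process and file names in them, and the task name are constructed for the demonstration and are not real telemetry; the Cloudflare range check is an assumption based on Cloudflare's publicly announced allocations.

```python
"""Hunt for the DeerStealer indicators listed above in endpoint telemetry.
Added example, not part of the original advisory. Log data is constructed."""
import ipaddress
import re
from dataclasses import dataclass

# File hashes, domains and IPs copied from the indicator lists (domains refanged).
HASHES = {
    "a03cec07324b0c3227e4f060b0fefc24d35482dfe690bc86df1a53211629837e",
    "b7ee370878fb4290097311e652222d8bab91c44a94063ea192100d4fd9dadb14",
    "ce62130f0392b40ab047392b47d523f66a55260c9fc2ec3d3727fab13fc87933",
    "e189e7fe9cd6d63ecece8b8e8fafb773003db6009fb0c45dc2b21e77167938ba",
    "623ff1e6662986ab36336919fde5c48805b4a87b97af6f9abe09732e9ac45b8f",
}
DOMAINS = {
    "telluricaphelion.com", "nacreousoculus.pro", "cdnnode-01.cfd",
    "ncloud-servers.shop", "authentificator-gogle.com", "updater-pro.com",
    "chromstore-authentificator.com",
}
IPS = {"104.21.112.1", "103.246.144.118", "172.67.195.171"}

# Path templates exactly as printed: "[user-name]" is any profile name and a
# trailing "..." is any sub-path.
PATH_TEMPLATES = [
    r"C:\Users\[user-name]\AppData\Roaming\DebugdebugIRG_debug\...",
    r"C:\Users\[user-name]\AppData\Roaming\Outspan",
    r"C:\ProgramData\DebugdebugIRG_debug",
]

# Assumption: Cloudflare anycast space (public allocations). Two listed IPs sit
# here, so a connection to them is weak evidence on its own.
SHARED_INFRA = [ipaddress.ip_network("104.16.0.0/13"),
                ipaddress.ip_network("172.64.0.0/13")]


def template_to_regex(template: str) -> re.Pattern:
    """Turn a printed path template into a case-insensitive regex."""
    pat = re.escape(template)
    pat = pat.replace(re.escape("[user-name]"), r"[^\\]+")
    if pat.endswith(re.escape("...")):
        pat = pat[: -len(re.escape("..."))] + r".*"
    else:
        pat += r"(?:\\|$|\s)"  # whole directory name, not a prefix of another
    return re.compile(pat, re.IGNORECASE)


PATH_PATTERNS = [template_to_regex(t) for t in PATH_TEMPLATES]


def ip_confidence(ip: str) -> str:
    """'low' when the address is shared CDN infrastructure, otherwise 'high'."""
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_INFRA) else "high"


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # hash, domain, ip, path, schtask
    indicator: str
    confidence: str  # high or low


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per (line, indicator) found in the log text."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        for h in HASHES:
            if h in low:
                hits.append(Hit(n, "hash", h, "high"))
        for d in DOMAINS:  # match the domain or any subdomain, not a superstring
            if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", low):
                hits.append(Hit(n, "domain", d, "high"))
        for ip in IPS:
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append(Hit(n, "ip", ip, ip_confidence(ip)))
        path_hit = False
        for tmpl, pat in zip(PATH_TEMPLATES, PATH_PATTERNS):
            if pat.search(line):
                hits.append(Hit(n, "path", tmpl, "high"))
                path_hit = True
        # Scheduled-task persistence (T1053.005): schtasks /create is high
        # confidence only when the same event references a known drop path.
        if "schtasks" in low and "/create" in low:
            hits.append(Hit(n, "schtask", "schtasks /create",
                            "high" if path_hit else "low"))
    return hits


# Constructed Sysmon-style events (EventID 1 process create, 3 network connect,
# 11 file create, 22 DNS query). Names and the task name are made up.
SAMPLE_LOG = r"""2025-06-02T09:14:03Z EventID=11 Image=C:\Users\alice\Downloads\AcrobatReaderUpdate.exe TargetFilename=C:\Users\alice\AppData\Roaming\DebugdebugIRG_debug\core.dll
2025-06-02T09:14:05Z EventID=22 Image=C:\Users\alice\AppData\Roaming\Outspan\client.exe QueryName=telluricaphelion.com QueryResults=104.21.112.1
2025-06-02T09:14:06Z EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\DebugdebugIRG_debug\client.exe
2025-06-02T09:20:00Z EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.org QueryResults=93.184.216.34
2025-06-02T09:21:00Z EventID=3 Image=C:\Windows\explorer.exe DestinationIp=172.67.195.171 DestinationPort=443
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind:8} {hit.confidence:4} {hit.indicator}")
```

Run against a real export by replacing SAMPLE_LOG with the contents of a Sysmon or EDR log; the path regexes are built from the templates, so adding a newly observed drop directory is a one-line change to PATH_TEMPLATES. The IP hits on the two Cloudflare addresses come back as low confidence by design, which keeps them from drowning out the domain and path matches that actually identify the infection.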
MITRE ATT&CK Mapping
Initial Access: T1566 (Phishing), T1189 (Drive-by Compromise)
Execution: T1204 (User Execution), T1059 (Command and Scripting Interpreter)
Persistence: T1053 / T1053.005 (Scheduled Task), T1574.001 (DLL Search Order Hijacking)
Privilege Escalation: T1548 / T1548.002 (Bypass User Account Control)
Defense Evasion: T1036 (Masquerading), T1027 / T1027.013 (Obfuscated Files or Information: Encrypted/Encoded File), T1014 (Rootkit), T1497 (Virtualization/Sandbox Evasion), T1622 (Debugger Evasion)
Discovery: T1082 (System Information Discovery), T1087 (Account Discovery), T1217 (Browser Information Discovery), T1673 (Virtual Machine Discovery)
Collection: T1005 (Data from Local System), T1056 (Input Capture)
Exfiltration: T1041 (Exfiltration Over C2 Channel)
Command & Control: T1071 (Application Layer Protocol), T1001 (Data Obfuscation)