EvilExtractor: A thief for Windows systems appears on the Dark Web

A new data-stealing malware called EvilExtractor is available for sale and targets files from Windows systems.


"It includes several modules that all work through an FTP service," said Cara Lin, a researcher at Fortinet FortiGuard Labs. “It also contains environment control and Anti-VM features. Its main purpose appears to be to steal browser data and information from exposed endpoints and then upload it to the attacker's FTP server.”

The network security firm said it noticed a wave of attacks spreading the malware in March 2023, with the majority of victims located in Europe and the US. While EvilExtractor is marketed as an educational tool, it has been adopted by hackers as an information stealer.

The attack tool is sold by a hacker named Kodex on cybercrime forums like Cracked dating back to October 22, 2022. It is constantly updated and incorporates various modules to extract system metadata, passwords and cookies from various web browsers, as well as to record keystrokes and even act as ransomware by encrypting files on the target system.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails trick recipients into launching an executable file disguised as a PDF document under the guise of confirming its “details their account".

The “Account_Info.exe” binary is a cloaked Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, in addition to collecting files, can also activate the camera and capture screenshots.

"EvilExtractor is used as a comprehensive information thief with multiple malicious features, including ransomware," said Lin. “The PowerShell script can escape detection in a .NET or PyArmor loader. Within a very short period of time, its developer has updated several functions and increased its stability."

The findings come as Secureworks' Counter Threat Unit (CTU) details a malicious SEO campaign used to deliver the Bumblebee malware loader via rogue installers of legitimate software.


Bumbleebee, first reported a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that spreads primarily through phishing techniques. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

The use of malicious ads to redirect users looking for popular tools such as ChatGPT, Cisco AnyConnect, Citrix Workspace and Zoom to fake websites that host infected installation files has been on the rise in recent months, after Microsoft began blocking macros by default from Office files downloaded from the web.

In one incident described by the cybersecurity firm, the attacker used the Bumblebee malware to gain an entry point and later moved three hours later to attack with Cobalt Strike and legitimate remote access software such as AnyDesk and Dameware. The attack was eventually stopped before it progressed to the final ransomware stage.


iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.096 registrants.
EvilExtractor, Dark Web

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).