Flesh Stealer: A New Nightmare for Chrome, Firefox, and Edge
A new player has emerged in the world of cybercrime: the Flesh Stealer malware, which can bypass browser security and steal user data. This malicious software is actively promoted on underground forums and Telegram channels, and was previously even advertised on YouTube.
Flesh Stealer is a malicious .NET executable written in C#. It comes equipped with numerous protective mechanisms, including bypassing Chrome’s App Bound encryption, anti-debugging features, and checks for virtual environments. First discovered in August 2024, it continues to receive updates, with the latest major improvement adding support for Chrome 131.
How Flesh Stealer Works
The program collects data from Chrome, Firefox, Edge, and Opera browsers, stealing saved passwords, cookies, and browsing history. Additionally, Flesh Stealer can extract chats and databases from Signal and Telegram apps, sending them to the attacker’s server. A special mechanism detects the system’s region, and if a language from a CIS country is set, the malware does not run.
Advanced Evasion Techniques
One of the key protection mechanisms is its ability to recognize virtual machines. Flesh Stealer analyzes physical memory characteristics, BIOS version, and system performance. If indicators of VMware, VirtualBox, Hyper-V, or similar environments are found, execution stops. The program also scans running processes for analysis tools such as Wireshark or HttpDebuggerUI and terminates them if detected.
To increase stealth, the stealer uses code obfuscation and data encryption. It enumerates devices connected to the system via Windows Management Instrumentation (WMI) and saves the collected information in a separate file. Additionally, the program extracts Wi-Fi credentials using the Windows command line, obtaining the encryption algorithm and password for each saved network.
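The Wi-Fi credential theft just described leaves a recognizable trace in process-creation telemetry. The following is an added example for defenders (not code from the article or from the malware) that scans constructed process-creation events for a saved Wi-Fi profile being requested with its key in cleartext; it assumes the "Windows command line" the text refers to is `netsh wlan`, and the event format and parent-path heuristic are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed events in a simplified "image|parent image|command line" form, standing in
# for Sysmon Event ID 1 / Security 4688 records. These are made-up samples, not telemetry.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\netsh.exe|C:\Windows\explorer.exe|netsh wlan show profiles',
    r'C:\Windows\System32\netsh.exe|C:\Users\u\AppData\Local\Temp\update.exe|netsh wlan show profile name="HomeNet" key=clear',
    r'C:\Windows\System32\netsh.exe|C:\Users\u\AppData\Local\Temp\update.exe|netsh wlan export profile folder=C:\Users\u\AppData\Local\Temp key=clear',
    r'C:\Windows\System32\netsh.exe|C:\Windows\System32\cmd.exe|netsh interface ip show config',
    r'C:\Windows\System32\cmd.exe|C:\Users\u\AppData\Local\Temp\update.exe|cmd.exe /c netsh  WLAN  show   profile HomeNet KEY=CLEAR',
]

# "show profile" or "export profile" combined with key=clear is the only way netsh reveals
# a saved network's passphrase; listing profiles alone (event 1) is benign admin activity.
WIFI_KEY_DUMP = re.compile(
    r"\bwlan\b.*\b(show|export)\s+profiles?\b.*\bkey\s*=\s*clear\b", re.IGNORECASE
)
# Heuristic (assumption): a parent launched from a temp or download folder raises severity.
SUSPICIOUS_PARENT = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    command_line: str
    reason: str


def parse_event(line: str) -> tuple[str, str, str]:
    """Split one constructed event into (image, parent image, command line)."""
    image, parent, cmd = line.split("|", 2)
    return image, parent, cmd


def detect_wifi_credential_dumps(events: list[str]) -> list[Finding]:
    """Return one Finding per event whose command line dumps a Wi-Fi key in cleartext."""
    findings: list[Finding] = []
    for line in events:
        _, parent, cmd = parse_event(line)
        if not WIFI_KEY_DUMP.search(cmd):
            continue
        reason = "saved Wi-Fi profile requested with key=clear"
        if SUSPICIOUS_PARENT.search(parent):
            reason += "; parent runs from a user-writable temp/download path"
        findings.append(Finding(parent, cmd, reason))
    return findings


if __name__ == "__main__":
    for f in detect_wifi_credential_dumps(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.command_line}\n    {f.reason}")
```

The regex tolerates extra whitespace and mixed case so a `cmd.exe /c` wrapper does not slip past it; in production the same logic belongs in a SIEM or EDR rule fed by real process-creation events.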
Distribution and Ongoing Development
The developer of Flesh Stealer actively promoted the malware through specialized forums and chats, and even created a dedicated website for its distribution. However, the site was taken down in October 2024. The Telegram channel associated with the project remains active as of now.
Flesh Stealer continues to evolve and receives positive feedback from cybercriminals. Despite new moderation rules on Telegram, attackers still use the platform to control infected devices and transfer stolen data.
Expert Recommendations
Experts warn that the emergence of new malware based on existing technologies is becoming increasingly common. Flesh Stealer demonstrates how modern cyberattack methods have evolved and highlights the need for organizations to pay greater attention to data protection.
- Implement multi-factor authentication
- Limit the use of browser extensions
- Monitor network traffic
- Actively use endpoint protection tools to detect and block such threats