Unmasking FleshStealer: A New Infostealer Threat in 2025
We dive into FleshStealer, a new strain of information-stealing malware—explaining what it is and its potential impact on organizations. Flashpoint customers can read the original and full analyst report in Flashpoint Ignite.
Last year, information-stealing malware infected over 18 million devices, resulting in the exposure and sale of over 2.4 billion compromised credentials. This sensitive data—including login and account data, financials, and a gamut of personally identifiable information (PII)—allowed threat actors to carry out crippling ransomware attacks and numerous high-profile data breaches.
Going into 2025, infostealers remain a clear danger for organizations worldwide, as these malicious programs are readily available and cheaply sold across illicit marketplaces and forums. Flashpoint analysts have identified a new infostealer strain that is rapidly gaining attention due to its advanced evasion techniques and aggressive data harvesting capabilities—the FleshStealer Credential Stealer.
What is FleshStealer?
FleshStealer, first observed in September 2024, is a credential stealer operated through a web-based panel. This C#-based malware uses encryption to avoid detection and possesses several notable features that distinguish it from other infostealer threats. It is designed to operate discreetly, terminating itself if debugging is detected. FleshStealer is particularly effective at detecting virtual machine (VM) environments: it will avoid executing on VMs to prevent any potential forensic analysis, showcasing an understanding of security research practices.
FleshStealer also provides 24/7 support for its threat actor client base and decrypts logs directly on the server. It operates at a lightweight 150 to 300 kilobytes and targets web browsers based on the Chromium and Mozilla engines, and it is capable of extracting information from approximately 70 different cryptocurrency and two-factor authentication (2FA) browser extensions, in addition to Discord sessions. The malware can also reset Google cookies, allowing for further exploitation.
FleshStealer Tactics, Techniques, and Procedures (TTPs)
Flashpoint analysts analyzed the sophisticated arsenal employed by FleshStealer. The following outlines some of the TTPs that FleshStealer leverages:
| Tactic | Technique ID | Name |
|---|---|---|
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1555 | Credentials from Password Stores: Credentials from Web Browsers |
| Discovery | T1057 | Process Discovery |
| Collection | T1005 | Data from Local System |
| Collection | T1560 | Archive Collected Data |
| Exfiltration | T1567 | Exfiltration Over Web Service |
How FleshStealer Works
T1547: Privilege Escalation
FleshStealer employs a commonly used privilege escalation technique that leverages a Windows utility with elevated privileges to bypass User Account Control (UAC) and gain administrative privileges. This utility, found in Windows 10 and later versions, is a legitimate executable used by the Windows operating system for managing features related to the Windows Settings framework.
The technique works by modifying specific registry keys, instructing the system to execute a custom command or malicious script. Because the utility is a trusted Microsoft application, the operating system permits it to run with elevated privileges without prompting the user for approval. By hijacking this process, FleshStealer gains administrative rights, allowing it to operate with escalated privileges and execute additional commands or payloads without user intervention. It also reduces the chances of detection and of alerting the victim.
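From the defender's side, the registry write that redirects a trusted utility is the observable event: on Windows it shows up as a Sysmon Event ID 13 (RegistryEvent: value set), and the write lands in the user's own hive because that is the part of the registry an unelevated process can change. The page does not name the utility or the exact keys, so the following added example (not code from the original report) assumes only the general pattern of a per-user `Software\Classes\<handler>\shell\open\command` override, and uses constructed, flattened event lines with placeholder paths rather than real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 records flattened to one "Field=value" line each.
# Handler name, SID and file paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Sync Details=C:\Program Files\Sync\sync.exe",
    r"EventID=13 Image=C:\Users\alice\AppData\Local\Temp\upd.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\example-handler\shell\open\command\(Default) Details=C:\Users\alice\AppData\Local\Temp\upd.exe",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Classes\.pdf\shell\open\command\(Default) Details=C:\Program Files\Reader\reader.exe %1",
]

# "Field=value" pairs; values may contain spaces, so stop before the next " Field=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Assumption: a shell\open\command value set under a *user* hive (HKU\<sid>)
# is the pattern to hunt; the same key under HKLM is normally an installer.
USER_HIVE_HANDLER_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\[^\\]+\\shell\\open\\command\\",
    re.IGNORECASE,
)
# Paths an unprivileged user can write to; a command pointing there is more suspicious.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    image: str      # process that performed the registry write
    target: str     # registry value that was set
    details: str    # new value (the command that will be executed)
    severity: str   # "high" if the command or writer lives in a user-writable path


def parse_event(line: str) -> dict:
    """Turn a flattened 'Field=value ...' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def find_user_hive_handler_writes(lines) -> list:
    """Return a Finding for every value set under a per-user shell\\open\\command key."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        if not USER_HIVE_HANDLER_RE.search(target):
            continue
        image = ev.get("Image", "")
        details = ev.get("Details", "")
        suspicious_path = USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(image)
        severity = "high" if suspicious_path else "medium"
        findings.append(Finding(image, target, details, severity))
    return findings


if __name__ == "__main__":
    for f in find_user_hive_handler_writes(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} set {f.target} -> {f.details}")
```

Only the second constructed event is flagged: it is a per-user handler override whose command points into `%TEMP%`, which is exactly the shape of write the paragraph describes. The HKLM write by `msiexec.exe` is ignored because it requires elevation already and is ordinary installer behaviour; a real deployment would add an allow-list for software that legitimately registers per-user handlers.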
T1027: Defense Evasion
FleshStealer includes a decryption routine that masks its operations, which helps it evade detection by traditional security measures. Using obfuscated strings in combination with registry operations, FleshStealer hides its actions and controls its behaviour. Once decrypted, these strings are used for various tasks, including registry manipulation and path setup.
T1497: Defense Evasion
FleshStealer scans the host environment for detailed system information, including hardware and network identifiers such as CPU type, GPU model, RAM capacity, system install date, active IP addresses, and gateway IP. By analyzing this information, the malware can accurately detect whether it is running in a virtual machine or sandbox, as these environments often have characteristic hardware profiles or limited system resources. Furthermore, FleshStealer checks for specific programs and tools commonly used in virtualized or analysis environments to determine whether the infected system may be under observation by security analysts.
Beyond hardware and software checks, FleshStealer also monitors active windows to identify and react to any visible debugging or packet capture tools. If any of these tools or virtual machine indicators are detected, the malware's web-based control panel is designed to immediately halt operations. This approach effectively disrupts attempts at static and dynamic analysis, enabling FleshStealer to evade detection by most security researchers. It does all of this to ensure that it operates only within unmonitored user environments, where it can carry out its data-stealing objectives undisturbed.
T1057: Process Discovery
FleshStealer conducts targeted process discovery to identify active browser processes, focusing primarily on those that store sensitive user data, such as saved credentials, session tokens, and browsing history. By monitoring browsers such as Chrome, Firefox, Microsoft Edge, and Opera, FleshStealer pinpoints where valuable information resides, tailoring its collection tactics accordingly. This selective approach enables the malware to prioritize high-yield targets, specifically examining processes associated with Chromium- and Mozilla-based browsers that are known to hold login information, cookies, and cryptowallet data. This method not only optimizes data collection but also reduces unnecessary processing overhead, allowing FleshStealer to operate more stealthily and efficiently within the compromised system.
T1005 / T1560: Collection
FleshStealer scans infected systems for high-value files, such as sensitive documents, authentication files, and local data caches. Once identified, this information is systematically gathered, sorted, and packaged into a compressed archive, making it easy to transmit to the command-and-control server. By archiving data, FleshStealer minimizes its network footprint during exfiltration, reducing the chances of detection. This archiving process is typically automated and streamlined to run at intervals, allowing threat actors to extract large volumes of data quickly and efficiently without raising suspicion. The compressed format not only reduces data size but also allows the malware to obscure file contents, further evading detection by standard security measures.
T1567: Exfiltration
Through in-depth debugging of the FleshStealer malware executable, Flashpoint analysts extracted critical command and control (C2) details, including the server IP address and port. This connection facilitates real-time data exfiltration and remote access for threat actors, allowing them to continuously monitor and manage infected systems.
By leveraging web services for data exfiltration, FleshStealer bypasses typical network security measures, making detection and interception by standard defenses more difficult. The malware’s use of secure, encrypted communication further complicates mitigation efforts, requiring advanced network monitoring to detect suspicious connections to known C2 infrastructure.
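The monitoring the previous paragraph calls for has two layers: an exact match against known C2 infrastructure, and a heuristic for the case where the indicator is not yet known. The following added example (not from the report; the real C2 IP and port extracted by the analysts are not printed on this page, so a documentation-range placeholder stands in for them) runs both over constructed Sysmon Event ID 3 (NetworkConnect) lines. The heuristic flags a process running from a user-writable directory that connects to an external address with no resolved hostname, which is how an unpacked stealer contacting a bare IP:port tends to look in endpoint telemetry.

```python
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicator set (constructed): TEST-NET-3 address, not the real C2.
KNOWN_C2 = {("203.0.113.10", 8443)}

# Constructed Sysmon Event ID 3 records flattened to one line each; not real telemetry.
# Documentation ranges (192.0.2.0/24, 198.51.100.0/24) stand in for public addresses.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Program Files\Browser\browser.exe DestinationIp=192.0.2.20 DestinationHostname=cdn.example.com DestinationPort=443",
    r"EventID=3 Image=C:\Users\alice\AppData\Local\Temp\upd.exe DestinationIp=203.0.113.10 DestinationHostname=- DestinationPort=8443",
    r"EventID=3 Image=C:\Users\alice\AppData\Local\Temp\upd.exe DestinationIp=198.51.100.7 DestinationHostname=- DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5 DestinationHostname=dc01.corp.local DestinationPort=445",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# RFC 1918 plus loopback, checked explicitly because Python's ipaddress treats the
# documentation ranges used in the sample as non-global too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    image: str
    destination: str   # "ip:port"
    reason: str
    severity: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_event(line: str) -> dict:
    return {k: v for k, v in FIELD_RE.findall(line)}


def find_suspicious_connections(lines, known_c2=KNOWN_C2) -> list:
    """Flag known-C2 hits and hostname-less external connections from user-writable paths."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        ip = ev.get("DestinationIp", "")
        port = int(ev.get("DestinationPort", "0"))
        image = ev.get("Image", "")
        hostname = ev.get("DestinationHostname", "-")
        dest = f"{ip}:{port}"

        if (ip, port) in known_c2:
            findings.append(Finding(image, dest, "matches known C2 indicator", "high"))
            continue
        if is_internal(ip):
            continue
        if USER_WRITABLE_RE.search(image) and hostname in ("", "-"):
            findings.append(Finding(image, dest,
                                    "user-writable binary to external IP with no hostname",
                                    "medium"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_connections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} -> {f.destination}: {f.reason}")
```

The browser's connection is not flagged (resolved hostname, installed under Program Files) and neither is the SMB connection to an internal host. The two `upd.exe` events are: one by indicator match, one by heuristic even though it uses port 443, which is why port-based filtering alone is weak against stealers that blend into HTTPS.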
Stay Ahead of Evolving Threats Using Flashpoint
As 2025 unfolds, FleshStealer represents an evolving threat for global organizations due to its evasion capabilities, focus on session hijacking, and 2FA bypass. Additionally, Flashpoint anticipates ongoing development and updates to FleshStealer as threat actors adapt it even further to evade defenses and expand its reach.
Therefore, staying informed on the latest infostealer trends is critical for organizations looking to defend against this sophisticated and prevalent threat. Flashpoint provides deep visibility and analysis of known and emerging infostealer strains—including extensive access to our collection of stealer logs containing actionable data such as compromised credit card information. Sign up for a demo today to see how Flashpoint empowers security teams with timely and comprehensive threat intelligence.