Flesh Stealer has surfaced as a high-profile malware campaign targeting web browsers like Chrome, Firefox, Edge, and even messaging platforms like Signal and Telegram.
Written in C# as a .NET executable, Flesh Stealer emerged in August 2024 and has been actively updated to include anti-debugging and anti-virtual machine (VM) techniques.
Notably, the malware avoids infecting systems in Commonwealth of Independent States (CIS) countries, reflecting its Russian-speaking developer’s intent to evade local scrutiny, as per a report by CyFirma.
.png
)
Key Features and Capabilities
Targeted Browsers and Applications
Flesh Stealer focuses on extracting sensitive data, including saved passwords, cookies, browsing history, and chat logs.
It bypasses Chrome’s App Bound Encryption—a significant security feature—to access protected data.
The malware works across multiple browsers, including Chrome, Firefox, Brave, and Edge, and extends its reach to applications like Signal and Telegram by exfiltrating stored databases and chats.
Anti-VM and Anti-Debugging Techniques
To elude detection and analysis, Flesh Stealer checks for virtualized environments by scanning system memory, BIOS versions, and processor speeds.
It identifies VMs by detecting strings like VMware, VirtualBox, and Hyper-V. For anti-debugging, it searches for processes associated with tools like Wireshark and HttpDebuggerUI and terminates them if found.
Wi-Fi and PnP Device Exploitation
The malware uses the Windows Management Instrumentation (WMI) component to collect information about Plug and Play (PnP) devices and save it to a file named device.txt.
Additionally, it executes the netsh command to extract Wi-Fi network credentials, including authentication types, encryption methods, and passwords.
Initially promoted on underground forums like Pyrex Guru and popular platforms like Discord and Telegram, Flesh Stealer relied on Base64 obfuscation techniques to hide its malicious code.
The malware was also showcased on YouTube, where its developer demonstrated its capabilities—though the video and associated domain have since been taken down.
Despite these setbacks, the malware’s promotional Discord and Telegram channels remain active, with over 210 members.
Recent Developments
On January 29, 2025, the Flesh Stealer developer announced support for Chrome version 131, reflecting their commitment to evolving the malware.
A customizable control panel allows cybercriminals to configure features like enabling startup persistence, activating anti-debug measures, and running the software with administrator privileges.
All stolen data is sent to the attacker’s infrastructure, where it is stored for further exploitation.
Flesh Stealer’s advanced features and adaptability make it a formidable cyber threat.
Its ability to steal credentials, bypass encryption, and evade detection underscores the growing sophistication of malware targeting both individuals and enterprises.
The malware developer’s decision to exclude CIS countries indicates regional considerations that align with Russian-speaking cybercriminal norms.
With its expanding capabilities and persistent development, Flesh Stealer poses a significant threat to online security.
Organizations must remain vigilant, adopting robust cybersecurity measures, including frequent password updates, multi-factor authentication, and proactive threat intelligence, to defend against such emerging threats.
As Flesh Stealer continues to target popular browsers and applications, awareness and preparedness remain the first line of defense.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
