Threat Actors Advertising Anivia Stealer Malware on the Dark Web, Claiming to Bypass UAC Controls

A sophisticated information-stealing malware named Anivia Stealer has emerged on underground forums, marketed by a threat actor known as ZeroTrace.

The malware is pitched as a step up in credential-theft tooling, advertised as working on Windows systems from legacy XP installations through current Windows 11 environments.

Built using C++17, Anivia Stealer incorporates advanced evasion techniques and comprehensive data exfiltration capabilities that pose significant risks to individual users and enterprise networks alike.

The malware’s advertising highlights a claimed ability to bypass User Account Control through automatic elevation, that is, obtaining a full administrator token without the consent prompt that would normally warn the user that a program is requesting elevated rights. The claim is only meaningful on Windows Vista and later, since Windows XP has no UAC at all.

KrakenLabs researchers identified the threat actor’s promotional efforts across cybercriminal marketplaces, where Anivia Stealer is being offered on a subscription model ranging from €120 for one month to €680 for lifetime access.

Analysis reveals that the stealer targets an extensive range of sensitive information including browser credentials, authentication cookies, cryptocurrency wallets, messaging tokens, Local Security Authority credentials, and system screenshots.


The malware maintains encrypted communication channels with its command-and-control infrastructure and features automatic update capabilities to evade detection signatures.

Threat intelligence suggests that Anivia Stealer may represent a rebrand or fork of the previously identified ZeroTrace Stealer, with GitHub commit history and developer metadata linking both projects to the same malicious actor who has also distributed Raven Stealer.

UAC Bypass and Privilege Escalation Mechanisms

The core functionality enabling Anivia Stealer’s effectiveness lies in its User Account Control bypass implementation.

The advertised bypass relies on Windows elevation paths that can be driven without user interaction, letting the stealer move from the filtered medium-integrity token of a logged-on administrator to a full high-integrity token with no consent prompt. Two caveats apply. The technique only helps against a victim who is already a member of the local Administrators group, because a standard user has no administrator token to unlock. And Microsoft does not treat UAC as a security boundary, which is why auto-elevation bypasses are usually addressed as defense-in-depth hardening rather than as serviced vulnerabilities; UAC is a speed bump, not the primary boundary the advert makes it out to be.

With a high-integrity token the stealer can reach data that a medium-integrity process cannot open: protected system locations, the SAM and SECURITY registry hives that hold cached and Local Security Authority credentials, and the memory of lsass.exe where authentication secrets reside. Under normal operation each of these would require the user to approve an elevation request.

Its advertised lack of external dependencies suggests the binary is statically built and carries its own elevation and collection code, so it needs no runtime DLLs or dropped helper files. That simplifies deployment across the target Windows versions and leaves fewer dropped-file artifacts for forensic review, although it also concentrates the whole capability set in a single binary that defenders can fingerprint once a sample is obtained.
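The practical question for a defender is whether a given host is in the configuration that auto-elevation bypasses depend on: an administrator logged on under a filtered token, with UAC left at its default "notify only for non-Windows binaries" level so that signed Windows binaries elevate silently. The following PowerShell audit is an added example written for this article; it is not code from the article, from KrakenLabs or from the malware’s author, and the hypothetical findings text is our own wording. It reads the documented UAC policy values, checks whether the current session is the split-token admin case, and reports what to tighten. Run it in an ordinary, non-elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the article or the malware's author): audit the UAC policy
# values that decide whether an admin's filtered token can be elevated silently, and
# report whether this session is the split-token admin case that UAC bypasses target.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# Documented meaning of the values checked below:
#   EnableLUA                     1 = UAC enabled, 0 = UAC disabled entirely
#   ConsentPromptBehaviorAdmin    2 = always prompt for consent on the secure desktop
#                                 5 = prompt only for non-Windows binaries (default);
#                                     auto-elevating Windows binaries run without a prompt
#                                 0 = elevate without prompting at all
#   PromptOnSecureDesktop         1 = consent prompts are shown on the secure desktop
#   LocalAccountTokenFilterPolicy 1 = remote logons by local admins get a full token

$findings = @()

if ($uac.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled, every admin process is already elevated'
}
if ($uac.ConsentPromptBehaviorAdmin -ne 2) {
    $findings += "ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin): set to 2 (Always notify) so Windows binaries cannot auto-elevate silently"
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: consent prompts can be interacted with from the user desktop'
}
if ($uac.LocalAccountTokenFilterPolicy -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy = 1: remote local-admin logons skip token filtering'
}

# Membership in Administrators (S-1-5-32-544) versus being elevated right now.
# The filtered token keeps the Administrators SID as deny-only, which
# WindowsIdentity.Groups omits, so membership is read from whoami /groups,
# which lists deny-only groups too. IsInRole is true only when elevated.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = [Security.Principal.WindowsPrincipal]$identity
$isAdminMember = [bool]((whoami /groups) -match 'S-1-5-32-544')
$isElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdminMember -and -not $isElevated) {
    $findings += "$($identity.Name) is a local Administrators member running with a filtered token: the exact case auto-elevation bypasses target; use a standard account for daily work"
}

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    User          = $identity.Name
    AdminMember   = $isAdminMember
    Elevated      = $isElevated
    UacEnabled    = ($uac.EnableLUA -eq 1)
    AdminPrompt   = $uac.ConsentPromptBehaviorAdmin
    SecureDesktop = ($uac.PromptOnSecureDesktop -eq 1)
    Findings      = $findings
} | Format-List
```

An empty Findings list means UAC is at "Always notify" on the secure desktop and the current user either is not an administrator or is already elevated; in that state a bypass of the kind advertised has nothing to silently unlock, and the remaining risk is the user clicking through a prompt. Treat a non-empty list as configuration work for Group Policy, not as an indicator of compromise.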

Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.