SteelFox Malware Blitz Infects 11K Victims With Bundle of Pain

Published: 23/11/2024   Category: security

The malware combines a miner and data stealer, and it packs functions that make detection and mitigation a challenge.



Thousands of people — including many using applications such as AutoCAD, JetBrains, and the Foxit PDF editor — have become victims of a sophisticated data-stealing and cryptomining malware campaign that's been active since at least February 2023.
The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration activities against interception and analysis.
Researchers at Kaspersky who discovered the malware are tracking it as SteelFox. In a report this week, they described the threat as not targeting any user, group, or organization specifically. Instead, "it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power."
More than 11,000 people appear to have fallen victim to the malware bundle, mostly across 10 countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.
The initial access in each case resulted from people acting on posts that advertised SteelFox as an efficient application activator — i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD.
While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer, the researchers wrote.
Kaspersky's analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to begin installing the application activator in the computer's Program Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials to a mining pool.
The malware then connects to its C2 server, at which point a separate data stealer component is triggered. The stealer first enumerates the browsers on the victim's system and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data that Kaspersky found the stealer pilfering from compromised systems included information on all installed software, network info such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.
The security vendor pointed to several mechanisms that the authors of the malware have implemented to make it hard for defenders to detect and mitigate the threat. The initial stage executable, for instance, is encrypted, making analysis harder. The initial PE64 payload is modified after deployment by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto-start, ensuring the malware remains active through system reboots. Before actual payload execution, the malware launches and loads from inside a Windows service that requires privileges unavailable to most users.
"This makes any user actions against this loader impossible because even copying this sample requires NT\SYSTEM privileges," Kaspersky said.
SteelFox's use of SSL pinning — where a client application or device accepts only a specific certificate or public key — and the TLSv1.3 encryption protocol for C2 communication is another issue, because together they allow the malware to operate covertly with a low risk of detection.
"SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign," Kaspersky's researchers wrote.
SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign where a threat actor is using custom-emulated QEMU Linux environments to stage malware and execute malicious commands in near-undetectable fashion. In May, Elastic Security reported GhostEngine, a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools also has fueled some of the recent innovation around malware tactics, especially in influence operations and misinformation campaigns.
