Rising Threats in Cryptocurrency Security: LeakyInjector and LeakyStealer Malware Exposed

In October 2025, cybersecurity researchers uncovered a highly sophisticated malware campaign targeting cryptocurrency users and browser data. This campaign, powered by the newly discovered LeakyInjector and LeakyStealer malware strains, showcases a level of technical ingenuity that signals a worrying escalation in cybercriminal tactics. By leveraging stealth, encryption, and legitimate digital certificates, these threats are designed to infiltrate systems unnoticed, steal sensitive financial information, and evade detection by conventional security tools.

Hybrid Malware Duo: LeakyInjector and LeakyStealer

The attack unfolds in a precise two-stage process. The first stage, LeakyInjector, is a 64-bit Windows executable signed with a valid Extended Validation (EV) certificate, giving it an appearance of legitimacy that allows it to bypass security checks. Its unusually large file size, padded with null bytes, further reduces detection likelihood. Once executed, LeakyInjector injects an encrypted payload, LeakyStealer, directly into the memory of the explorer.exe process using low-level Windows APIs.

LeakyStealer, the second-stage malware, uses ChaCha20 encryption for payload protection and stores decryption parameters internally. It establishes persistence by creating a registry entry named “EdgeUpdateCore” and disguising itself as MicrosoftEdgeUpdateCore.exe in the user’s AppData directory. Once active, it collects detailed reconnaissance data, including hostnames, usernames, and domain information, generating a unique Bot ID before communicating with a command-and-control (C2) server at everstead[.]group using encrypted HTTP POST requests that mimic normal browser traffic.

Advanced Evasion and Data Exfiltration

LeakyStealer’s polymorphic engine alters specific memory bytes during runtime using randomized assembly instructions, complicating static detection without affecting functionality. The malware aggressively targets cryptocurrency wallets, including Electrum, Exodus, Atomic, Ledger Live, Sparrow, Guarda, and BitPay, along with browser wallet extensions like MetaMask, Phantom, Coinbase, and Trust Wallet.

It also stealthily collects browser history from Chrome, Edge, Brave, Opera, and Vivaldi, reading files in memory before deleting them to reduce forensic traces. Exfiltrated data is sent via carefully crafted network packets that include the Bot ID in custom headers. LeakyStealer’s backdoor capabilities allow downloading and executing files from the C2 server, executing arbitrary Windows commands, and relaying outputs back to attackers.

Infrastructure and Indicators of Compromise

Digital forensic analysis links multiple samples to the same compromised certificate infrastructure, all masquerading as legitimate Windows components. Shodan data identifies IP 45.151.62.120 and domains everstead[.]group and ip-ptr[.]tech as central to the campaign, while MSI installers hosted on paycnex[.]com distribute the payload.

SHA256 Samples:

9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82

88e0c1652eb91c517a5fec9d356c7f30c0136d544f5d55ac37f20c5612134efb

Files Created:

%AppData%\MicrosoftEdgeUpdateCore.exe

C:\Users\<username>\AppData\Local\Temp\history_%d.db

Registry Entry: EdgeUpdateCore

C2 Server: everstead[.]group

Hybrid Analysis emphasizes the campaign’s technical sophistication, particularly in its use of code signing, encryption, and stealthy exfiltration methods. This combination presents a significant risk for cryptocurrency users, browser extension holders, and enterprise security teams alike.

What Undercode Say: Cybercriminals Upping the Stakes

The emergence of LeakyInjector and LeakyStealer marks a shift in cybercriminal strategy from opportunistic attacks to precision-targeted operations. By employing legitimate EV certificates, attackers exploit inherent trust mechanisms in operating systems, a tactic rarely seen outside highly sophisticated threat actors. This campaign demonstrates a careful understanding of Windows internals, encryption protocols, and network traffic patterns, allowing the malware to evade endpoint detection systems effectively.

From an operational perspective, the polymorphic behavior of LeakyStealer shows that attackers are investing heavily in anti-analysis techniques. Randomized assembly instructions do not change the malware’s logic but frustrate static analysis, forcing defenders to rely on behavioral monitoring and dynamic sandboxing.

The focus on cryptocurrency wallets and browser-based assets highlights the continued appeal of financial malware, particularly in decentralized finance ecosystems where recovery is nearly impossible once funds are stolen. Targeting both software wallets and browser extensions demonstrates attackers’ awareness of multiple user entry points, increasing the likelihood of successful exfiltration.

The campaign’s infrastructure, leveraging multiple domains, IP addresses, and MSI installers, underscores the attackers’ operational discipline. Distribution via legitimate-looking MSI files masks malicious intent under the guise of standard software installation, exploiting user trust. This approach not only increases infection rates but complicates attribution and mitigation.

For cybersecurity teams, the hybrid injection technique requires layered defense strategies. Traditional signature-based detection is insufficient; advanced endpoint protection, memory scanning, and C2 traffic analysis are essential. Additionally, organizations should monitor unusual registry entries and AppData modifications, particularly those mimicking system updates.
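As an added example, not code from the article or from the Hybrid Analysis report it summarises, the following Python matcher applies the indicators listed above (sample hashes, C2 domain and IP, the %AppData% drop path, the EdgeUpdateCore registry value and the Temp history_%d.db staging file) to Sysmon-style endpoint telemetry. It assumes Sysmon field names (EventID 1, 3, 11, 13, 22 and 23 with Image, Hashes, DestinationIp, DestinationHostname, TargetFilename, TargetObject and QueryName), that %AppData% expands to the AppData\Roaming folder, and, since the article gives only the value name, matches a registry value called EdgeUpdateCore under any key rather than assuming a specific Run key. The sample events are constructed; only the IoC values come from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators of compromise from the article; defanged domains are stored refanged.
IOC_SHA256 = {
    "9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82",
    "88e0c1652eb91c517a5fec9d356c7f30c0136d544f5d55ac37f20c5612134efb",
}
IOC_DOMAINS = {"everstead.group", "ip-ptr.tech", "paycnex.com"}
IOC_IPS = {"45.151.62.120"}
# Assumption: %AppData% expands to <profile>\AppData\Roaming on Windows.
DROPPER_RE = re.compile(r"\\AppData\\Roaming\\MicrosoftEdgeUpdateCore\.exe$", re.I)
HISTORY_RE = re.compile(r"\\AppData\\Local\\Temp\\history_\d+\.db$", re.I)
# The article names only the value, so match it under any key.
RUN_VALUE_RE = re.compile(r"\\EdgeUpdateCore$", re.I)


@dataclass(frozen=True)
class Alert:
    record: int
    indicator: str
    detail: str


def refang(name: str) -> str:
    """Turn a defanged indicator such as everstead[.]group into a matchable hostname."""
    return name.replace("[.]", ".").lower()


def sha256_from_hashes(field: str) -> Optional[str]:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; extract the SHA256 part."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_event(ev: dict) -> List[Alert]:
    """Match one Sysmon-style event (a dict of field names) against the IoCs."""
    rid, eid = ev["RecordId"], ev["EventID"]
    alerts: List[Alert] = []
    if eid == 1:  # ProcessCreate: hash of the launched image
        if sha256_from_hashes(ev.get("Hashes", "")) in IOC_SHA256:
            alerts.append(Alert(rid, "known-sample-hash", ev.get("Image", "")))
    elif eid == 3:  # NetworkConnect: C2 IP or hostname
        ip = ev.get("DestinationIp", "")
        host = refang(ev.get("DestinationHostname", ""))
        if ip in IOC_IPS or host in IOC_DOMAINS:
            alerts.append(Alert(rid, "c2-infrastructure", host or ip))
    elif eid == 11:  # FileCreate: fake updater copied under %AppData%
        target = ev.get("TargetFilename", "")
        if DROPPER_RE.search(target):
            alerts.append(Alert(rid, "fake-edge-updater-dropped", target))
    elif eid == 13:  # RegistryEvent (Value Set): persistence entry
        target = ev.get("TargetObject", "")
        if RUN_VALUE_RE.search(target):
            alerts.append(Alert(rid, "persistence-registry-value", target))
    elif eid == 22:  # DnsQuery: lookup of a C2 domain
        query = refang(ev.get("QueryName", ""))
        if query in IOC_DOMAINS:
            alerts.append(Alert(rid, "c2-dns-lookup", query))
    elif eid == 23:  # FileDelete: browser-history staging copy removed
        target = ev.get("TargetFilename", "")
        if HISTORY_RE.search(target):
            alerts.append(Alert(rid, "history-staging-file-deleted", target))
    return alerts


def scan(events) -> List[Alert]:
    """Run every event through check_event and collect the alerts in order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry: hostnames, paths and SIDs are invented; IoCs are the article's.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "Hashes": "SHA256=9b8bd9550e8fdb0ca1482f801121113b364e590349922a3f7936b2a7b6741e82,MD5=00000000000000000000000000000000"},
    {"RecordId": 2, "EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdateCore.exe"},
    {"RecordId": 3, "EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdateCore",
     "Details": r"C:\Users\alice\AppData\Roaming\MicrosoftEdgeUpdateCore.exe"},
    {"RecordId": 4, "EventID": 22, "QueryName": "everstead.group"},
    {"RecordId": 5, "EventID": 3, "DestinationIp": "45.151.62.120", "DestinationHostname": ""},
    {"RecordId": 6, "EventID": 23, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\history_3.db"},
    # Benign noise: the real Edge updater lives under Program Files, not the user profile.
    {"RecordId": 7, "EventID": 11, "TargetFilename": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"RecordId": 8, "EventID": 22, "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"record {alert.record}: {alert.indicator} -> {alert.detail}")
```

The path rules deliberately key on the user-profile location rather than the file name alone, because the legitimate Edge updater carries a similar name under Program Files; an alert on any of the six indicators should trigger the memory and C2 traffic review the paragraph above recommends.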

From a strategic standpoint, this campaign also signals a broader trend in cybercrime: integrating encryption and evasion techniques that were once the domain of state-sponsored attacks into financially motivated operations. This blurring of lines increases overall threat sophistication and calls for more proactive threat hunting and awareness campaigns.

Ultimately, LeakyInjector and LeakyStealer exemplify a new generation of malware where stealth, encryption, and operational coordination converge, making detection and response increasingly challenging. Cybersecurity defenders must adapt quickly, combining threat intelligence, advanced forensic tools, and user education to reduce potential damage.

🔍 Fact Checker Results

✅ Malware targeting cryptocurrency wallets and browser data confirmed.

✅ Use of EV-signed binaries and polymorphic engines verified.

❌ No evidence yet of successful widespread cryptocurrency theft reported.

📊 Prediction

💰 Cryptocurrency users face increasing risks from stealth malware targeting both software and browser wallets.
🛡 Organizations will need to adopt behavioral analysis, memory monitoring, and advanced endpoint protection to counteract these threats.
🌐 The trend of financial malware using legitimate certificates and MSI installers is likely to continue, driving demand for proactive threat hunting and threat intelligence sharing.


References:

Reported By: cyberpress.org