In another sign of the lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer, which its authors are actively developing to evade detection by security software.
“The Meduza Stealer has a single goal: comprehensive data theft,” Uptycs said in a new report. “It steals user browsing activity, extracts various browser-related data.”
“From critical login credentials to precious browsing history records and carefully curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable.”
Despite its feature overlap with other stealers, Meduza has a “sneaky” operational design: it avoids obfuscation techniques altogether and immediately halts execution on a compromised host if the connection to the attacker’s server fails.
It is also designed to terminate if the victim’s location is on the stealer’s predefined list of excluded countries, which comprises the Commonwealth of Independent States (CIS) and Turkmenistan.
In addition to gathering data from 19 password manager applications, 76 crypto wallets, 95 web browsers, Discord, Steam, and system metadata, Meduza Stealer harvests Windows Registry entries related to miners as well as lists of installed games, suggesting a broader financial motive.
It is currently offered for sale on underground forums such as XSS and Exploit.in and on dedicated Telegram channels as a recurring subscription that costs $199 per month, $399 for three months, or $1,199 for a lifetime license. The information stolen by the malware is made available through an easy-to-use web panel.
“This feature allows customers to download or delete stolen data directly from web pages, giving them an unprecedented level of control over the information they illegally obtained,” the researchers said.
“This deep feature set showcases the sophisticated nature of the Meduza Stealer and the lengths to which its creators were willing to go to ensure its success.”