The malware in question has not been documented previously, but it seems to be distributed through fake software crack sites and is targeting the users of major service providers, including Google, Facebook, Amazon, and Apple.

Researchers from Proofpoint named the malware CopperStealer. This is an actively developed password and cookie stealer containing a downloader feature that enables its operators to deliver additional malicious payloads to infected devices.

It looks like the threat actors behind this newly discovered malware have used compromised accounts to run malicious ads and deliver additional malware in subsequent malvertising campaigns.

How was the malware discovered?

In January “TheAnalyst“, shared on its Twitter account a sample that caught the researchers’ attention, helping them to uncover an actively developed password and cookie stealer with a downloader function, that targets Facebook and Instagram business and advertiser accounts.


 A dangerous malware does not need to be sophisticated.

CopperStealers is attacking by harvesting passwords saved in Google Chrome, Edge, Firefox, Yandex, and Opera web browsers, and it’s also able to retrieve the victims’ Facebook User Access Token by making use of stolen cookies. 

While CopperStealer isn’t the most nefarious credential/account stealer in existence, it goes to show that even with basic capabilities, the overall impact can be large.


Fake software crack sites became distribution channels

The new malware is distributed through fake software crack sites and known malware distribution platforms such as keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® Threat Prevention - Endpoint

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your system.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

It seems that two of the sites were sinkholed after discovering their connection to ongoing attempts to deliver malware and Potentially Unwanted Programs/Applications (PUP/PUA) software.

In the first 24 hours of operation, the sinkhole logged 69,992 HTTP Requests from 5,046 unique IP addresses originating from 159 countries representing 4,655 unique infections. Proofpoint said.

Credentials make the world go round when it comes to the current threat landscape and this shows the lengths that threat actors will take to steal valuable credential data.


Account stealing malware like this one are providing the scammers with the necessary tools for creating impersonation attacks and identity theft fraud.

Antivirus versus Anti Malware: Which One Should You Choose?

How to Spot and Prevent Apple ID Phishing Scams

15 Warning Signs that Your Computer is Malware-Infected

Alert: Compromised Websites Spread Ransomware and Financial Malware

Leave a Reply

Your email address will not be published. Required fields are marked *