
The emergence of Katz Stealer in early 2025 has quickly shaken up the infostealer landscape, offering threat actors a powerful Malware-as-a-Service (MaaS) tool tailored for large-scale credential theft and cryptocurrency heists. This post unpacks its key features, infection chain, and why security professionals need to pay attention to this evolving threat.
What Makes Katz Stealer Stand Out?
- Commercial MaaS Platform: Katz Stealer is widely distributed across cybercrime forums, Telegram, and Discord, offered to affiliates for accessible pricing ($100/mo, $270/3mo, $480/6mo). Subscribers gain access to a robust web management panel for payload generation, data management, and campaign control.
- Modular Payloads: During setup, attackers can toggle tailored theft modules (browser, clipboard, email, crypto) and delivery formats, creating custom builds for distinct attack targets.
- Broad Data Theft: Capable of looting credentials, private crypto wallet data, session keys, cookies, autofill data, and more from browsers (Chrome, Edge, Brave, Firefox), messengers (Telegram, Discord), gaming accounts, VPNs, email clients, and FTP software.
The Katz Stealer Infection Chain
Katz Stealer leverages a multi-stage infection process engineered for stealth and persistence:
- Initial Dropper: Delivered via phishing emails or trojanized downloads as obfuscated JavaScript within archive files. The JS launches a PowerShell command with -WindowStyle Hidden for stealth.
- Steganographic Loader: PowerShell downloads an image carrying a hidden, base64-encoded payload. Custom markers locate the payload, which is decoded in memory (never written to disk initially).
- Privilege Escalation: Katz abuses cmstp.exe (a legitimate Windows tool) to bypass User Account Control, escalating privileges on the infected system.
- Persistence & Evasion: Scheduled tasks ensure survival on reboot. The malware checks locale/keyboard settings and seeks to avoid infecting systems in Russia or CIS countries. It hunts for analysis/sandbox environments by checking BIOS strings, screen resolution, and system uptime.
- Process Injection: The main Katz module is injected via process hollowing into MSBuild.exe, running invisibly and with elevated permissions.
Methods of Exfiltration & Evasion
- Browser Hijacking: Katz launches headless browser instances, injecting a custom DLL to extract cookies, credentials, autofill, and master browser encryption keys.
- Encryption Bypass: It defeats Chrome’s 2024 ABE (Application Bound Encryption) by masquerading as the user/browser and uses Windows crypto APIs to decrypt and dump all stored browser secrets.
- Widespread Harvesting: Messaging, gaming, email clients, and VPN/FTP software are systematically harvested for account details and saved credentials.
- Advanced Crypto Wallet Theft: Searches for files/keys/seed phrases from desktop wallets (Exodus, Coinomi, Bitcoin, Ethereum, Monero, etc.), as well as over 150 targeted crypto wallet browser extensions, including MetaMask and Binance.
Command & Control (C2) Infrastructure
- Hardcoded C2 Addresses: Every Katz Stealer payload carries preset C2 IPs/domains. Communication is HTTP/HTTPS-based, with persistent beaconing and identification per victim/campaign.
- Continuous Exfiltration: Data is uploaded not just on initial infection but as fresh credentials and files are accessed or generated. Large files (screenshots, video) are chunked for transfer.
- Self-Cleanup: Operators can instruct Katz Stealer to destroy evidence—wiping dropped files, logs, and closing injected processes when the campaign ends.
Indicators of Compromise (IoCs)
File SHA-1 Hashes (sample):
- 0076795b220fa48c92b57994b015119aae8242ca
- 1ee406eb68ab92bad77cf53df50c4ce6963e75fd
- 571b3681f7564236b7527d5b6fe14117f9d4de6d
(…and more in original research)
Network IoCs:
172.67.146[.]103, 185.107.74[.]40, 195.182.25[.]71
katz-panel[.]com, katz-stealer[.]com, katzstealer[.]com, twist2katz[.]com
(…see source for full list)
OSINT Handles:
- Katzadmin, KatzStealer, @katzst, @katzcontact, @katzadmin
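The defanged network IoCs listed above are only useful once they are refanged and matched against your own telemetry. The following is an added example (not code from the post or from the Katz Stealer research) that refangs the published sample indicators and searches constructed DNS/proxy log lines for them; the log format and host names are assumptions, and the boundary handling makes sure that 185.107.74.4 does not match the indicator 185.107.74.40.

```python
import re

# Defanged indicators as published in the post (sample only; full list in the original research).
NETWORK_IOCS = [
    "172.67.146[.]103", "185.107.74[.]40", "195.182.25[.]71",
    "katz-panel[.]com", "katz-stealer[.]com", "katzstealer[.]com", "twist2katz[.]com",
]

def refang(ioc):
    """Undo common defanging: 172.67.146[.]103 -> 172.67.146.103, hxxp -> http."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")

# Constructed DNS/proxy log lines (not real telemetry) used to exercise the matcher.
SAMPLE_LOGS = [
    "2025-06-01T10:00:01Z dns query=example.com client=10.0.0.5",
    "2025-06-01T10:00:07Z dns query=cdn.katz-panel.com. client=10.0.0.23",
    "2025-06-01T10:00:09Z proxy dst=185.107.74.40:443 client=10.0.0.23 method=POST",
    "2025-06-01T10:00:12Z proxy dst=185.107.74.4:443 client=10.0.0.9 method=GET",
]

def build_matcher(iocs):
    """Compile one alternation over all refanged indicators with boundary guards.

    A preceding '.' is allowed so subdomains of an IoC domain still match;
    a trailing '.' is allowed for DNS logs that write FQDNs with a final dot.
    Letters, digits, '_' and '-' on either side are rejected, so a longer IP
    or a different domain that merely contains the indicator does not match.
    """
    pattern = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(r"(?<![\w-])(" + pattern + r")(?![\w-])", re.IGNORECASE)

def find_hits(log_lines, iocs=NETWORK_IOCS):
    """Return (indicator, log line) pairs for every line containing a known IoC."""
    matcher = build_matcher(iocs)
    hits = []
    for line in log_lines:
        m = matcher.search(line)
        if m:
            hits.append((m.group(1).lower(), line))
    return hits
```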
Why Katz Stealer Matters
- Stealth by Design: In-memory execution, sandbox detection, steganographic loaders, privilege escalation—all make Katz Stealer extremely difficult to catch with legacy defenses.
- Focus on Crypto: Its dedication to harvesting cryptocurrency wallets and extensions makes it a major threat to both individuals and businesses holding digital assets.
- Low Barrier to Entry: The turnkey platform, full management panel, and affordable pricing lower the threshold for criminals of any skill level to join the infostealing ecosystem.
Defensive Recommendations:
- Harden email and SaaS app hygiene against archive (.gz) attachments and unknown senders.
- Monitor for suspicious PowerShell and cmstp.exe activity.
- Employ full endpoint detection and response (EDR) solutions capable of catching in-memory and process-hollowing attacks.
- Regularly update systems, train users on phishing/social engineering, and implement malware-resistant backups.
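The infection chain described above (script host starting a hidden PowerShell window, PowerShell spawning cmstp.exe, MSBuild.exe launched as a hollowing host) and the monitoring recommendation here can be expressed as simple process-creation detection logic. This is an added example, not code from the post or from the Katz Stealer research: the events are constructed Sysmon Event ID 1-style records, and the field names, rule names, file paths and parent-process allow lists are assumptions to adapt to your own telemetry.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation events (not real telemetry).
# Field names (pid, image, parent, cmdline) are this example's own simplification.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -NoProfile -Command "(stage-2 loader omitted)"'},
    {"pid": 103, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"cmstp.exe C:\Users\alice\AppData\Local\Temp\profile.inf"},
    {"pid": 104, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "MSBuild.exe"},
    {"pid": 105, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe build.proj"},  # benign: launched by Visual Studio
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe"}
MSBUILD_PARENTS_OK = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed allow list

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the rule name an event trips, or None if it looks benign."""
    img, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev["cmdline"].lower()
    # Dropper stage: a script host starts PowerShell with a hidden window.
    # PowerShell accepts any unambiguous prefix of -WindowStyle, hence -w[a-z]*.
    if img in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS \
            and re.search(r"-w[a-z]*\s+hidden", cmd):
        return "hidden_powershell_from_script_host"
    # Privilege-escalation stage: cmstp.exe spawned by a shell or script host.
    if img == "cmstp.exe" and parent in SHELLS:
        return "cmstp_from_shell"
    # Injection stage: MSBuild.exe started by something other than a build tool.
    if img == "msbuild.exe" and parent not in MSBUILD_PARENTS_OK:
        return "msbuild_unexpected_parent"
    return None

def detect(events):
    """Map every suspicious event to (pid, rule); benign events are dropped."""
    return [(ev["pid"], rule) for ev in events if (rule := classify(ev))]
```

Run over real Sysmon or EDR process-creation data, the parent/child pairing is what keeps the rules useful: MSBuild.exe from devenv.exe and cmstp.exe from a VPN installer are normal, the same binaries spawned from PowerShell are not.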
Katz Stealer is a prime, modern example of how the infostealer business model continues to innovate, combining advanced technical evasion with criminal ease of use. Vigilance and layered defenses are key.