The Global Research and Analysis Team (GReAT), from Kasperskydiscovered three new malware in its latest report: ScarletStealer, Acrid and an updated form of Sys01.

The first mentioned has already been detected more than 100 times in Brazil this year, making the country the second most attacked by malware – behind only China. He is also known as “CryptoSwap” and is mainly aimed at cryptocurrency wallet customers. Check out more information about the three new discoveries below.


ScarletStealer had its second highest detection in Brazil, with 123 blocks this year alone. The malware operates in two stages: the first is carried out shortly after the initial infection and is basically a system scan to identify the existence of certain folder structures that indicate the existence of digital wallets – which is the focus of this malware. If found, the malware itself downloads a second module that will be responsible for stealing the cryptocurrencies.
​   ‏
The malware is underdeveloped in terms of functionality and contains many errors, flaws and redundant codes. An example of redundancy is the creation of registry keys for the automatic execution of the malicious program itself – this way the infection is redone without the need for a new action by the criminal. Despite its shortcomings, ScarletStealer’s victims span across the world, with concentrations in China, Brazil, Turkey and the USA.


Acrid is written for the 32-bit operating system, although most current systems are 64-bit. Upon closer inspection of the malware by Kaspersky experts, the reason for compiling for a 32-bit environment became clear: the author decided to use the “Heaven’s Gate” technique, which allows 32-bit applications to access 64-bit space to bypass certain security controls and affect as many machines as possible.
​   ‏
In terms of functionality, the malware incorporates what you would expect from a stealer: stealing browser data (cookies, passwords, login data, credit card information, etc.), local cryptocurrency wallets, specific files and installed application credentials . Although moderately sophisticated with string encryption, Acrid lacks innovative features.


The third most prevalent stealer is the one formerly known as Album Stealer or S1deload Stealer. Sys01 is a relatively unknown stealer that has existed since at least 2022. Its infection vector is to lure users into downloading malicious ZIP files disguised as adult content via a Facebook page. Now, it manages to steal Facebook-related data and send stolen browser data, located and organized in a specific directory structure, to C2. It also has backdoor functions, being able to download and execute specific files. The victims of this campaign were found all over the world, but the majority of them were located in Algeria (just over 15%).
​   ‏
“The emergence of these new “stealers” serves as a stark reminder of the insatiable demand within the criminal underworld for tools that facilitate data theft. With the potential for dire consequences such as financial losses and privacy breaches, it is important for individuals and organizations to remain vigilant and adopt proactive cybersecurity measures. Kaspersky strongly advises keeping your software up to date, exercising caution when downloading files and opening attachments, and exploring robust security solutions to strengthen defenses against constantly evolving threats,” comment Fabio Assolini, director of Kaspersky’s Global Research and Analysis Team for Latin America.
​   ‏
To prevent financial cyberthreats, Kaspersky recommends:

  • Use a trusted security solution that offers malware protection, a fast, unlimited VPN, and can detect threats anywhere.
  • Crypto wallet protections such as two-factor authentication, separate cryptocurrency transactions from personal accounts, automatic updates, and quality antivirus.


Leave a Reply

Your email address will not be published. Required fields are marked *