New MrAnon Stealer Malware Targets German Users via Booking-Themed Scam

December 12, 2023NewsroomCryptocurrency / Cyber ​​​​Attack

Mr.Anon Stealer

A phishing campaign has been observed that delivers an information-stealing malware called Mr.Anon Stealer to unsuspecting victims through seemingly innocuous booking-themed PDF lures.

“This malware is a Python-based information stealer that is compressed with cx-Freeze to avoid detection,” Fortinet FortiGuard Labs researcher Cara Lin SAYS. “MrAnon Stealer steals victims’ credentials, system information, browser sessions, and cryptocurrency extensions.”

There is evidence to suggest that Germany was the main target of the attack in November 2023, due to the number of times the download URL hosting the payload was queried.

Disguised as a company looking to book hotel rooms, the phishing email contains a PDF file that, when opened, activates the infection by prompting the recipient to download a new version of Adobe Flash.


Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a malicious Python script, capable of gathering data from multiple applications and exfiltrating it to public file-sharing websites and the Telegram channel of threat to the actor.

It is also capable of extracting information from instant messaging apps, VPN clients, and files that match the desired list of extensions.

Mr.Anon Stealer

MrAnon Stealer is offered to authors for $500 per month (or $750 for two months), along with a crypter ($250 per month) and a stealth loader ($250 per month).

“The campaign initially spread Cstealer in July and August but switched to distributing MrAnon Stealer in October and November,” Lin said. “This pattern suggests a strategic approach involving the continuous use of phishing emails to spread various Python-based thieves.”

The disclosure comes as the China-linked Mustang Panda is behind a spear-phishing email campaign targeting the Taiwanese government and diplomats with the intention of spreading SmugX, a new variant of the PlugX backdoor previously discovered by Check Point in July 2023.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment