New multi-stage info-stealer hits Chromium browsers

A newly analyzed multi-stage malware is targeting a wide range of Chromium-based browsers to steal credentials, exfiltrate sensitive documents, and maintain remote shell access, according to a recent Stormcast podcast and accompanying SANS Internet Storm Center diary.

The sample, examined by SANS ISC handlers, is built around three distinct modules. The first component is a browser credential stealer that targets an unusually broad set of Chromium-derived browsers, including Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium and AVG Browser. It harvests stored credentials from local browser profiles and exfiltrates them to a command-and-control (C2) server over TCP port 8085, aligning with MITRE ATT&CK’s “Credentials from Web Browsers” technique T1555.003.

A second module acts as a recursive file exfiltration scanner, trawling the victim’s filesystem for “interesting” content based on filenames and extensions, such as likely document or archive types. Once collected, these files are sent to the attacker via TCP port 8086, giving the operator broad access to local data without relying on user interaction. This behavior matches common data collection and exfiltration patterns described in ATT&CK’s “Data from Local System” T1005 and “Exfiltration Over Alternative Protocol” T1048 techniques.

The third module establishes a WebSocket-based connection back to the C2 infrastructure on port 8087 and provides a reverse shell, effectively giving attackers interactive control over compromised hosts. Through this channel, operators can run arbitrary commands, deploy additional tools, or pivot deeper into a victim network. Using WebSockets over nonstandard high ports can complicate detection if organizations rely on coarse-grained firewall rules or limited inspection of outbound traffic.

SANS did not publicly attribute the malware to a specific threat actor or campaign, and there is no indication yet that it exploits a particular software vulnerability or CVE for initial access. Instead, the tooling appears focused on post-compromise activities—credential theft, data harvesting and persistent remote control—once a foothold has been established through phishing, malicious downloads or other conventional vectors. The broad browser coverage suggests the operators expect victims to use a wide mix of Chromium-based products, reflecting the ecosystem around the open source Chromium project.

Defenders are urged to monitor for unusual outbound traffic to ports 8085, 8086 and 8087, especially when associated with WebSocket connections or processes that would not typically initiate external communications. Endpoint telemetry that detects unauthorized access to browser credential stores, large-scale file enumeration, or command shells launched under user context can also provide early warning. Network and security teams should ensure that egress controls, TLS inspection where appropriate, and endpoint detection and response tooling are tuned to detect these behaviors, rather than relying solely on known malware signatures.
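As an added example, not code from the SANS diary or the podcast, the monitoring guidance above turned into a small triage routine. It assumes Sysmon Event ID 3-style network-connection telemetry flattened into key=value lines (a constructed format), with a hypothetical `upgrade=websocket` field supplied by proxy or HTTP inspection; it flags outbound hits on 8085, 8086 and 8087 and escalates any process that reaches the same external host on all three, which is the full tri-module pattern the article describes.

```python
import ipaddress
import re
from collections import defaultdict

# Destination ports the ISC diary ties to each of the three modules (from the article).
MODULE_PORTS = {8085: "credential stealer", 8086: "file exfiltration", 8087: "websocket shell"}

# RFC 1918 and loopback; a host talking to an internal build server on 8087 is not this pattern.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (Sysmon Event ID 3-like key=value lines, documentation IPs, not real logs);
# the optional upgrade= field is assumed to come from proxy or HTTP inspection.
SAMPLE_EVENTS = """\
ts=2024-01-01T10:00:01 host=ws01 image=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe dst=203.0.113.10 dport=8085
ts=2024-01-01T10:00:02 host=ws01 image=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe dst=203.0.113.10 dport=8086
ts=2024-01-01T10:00:05 host=ws01 image=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe dst=203.0.113.10 dport=8087 upgrade=websocket
ts=2024-01-01T10:01:00 host=ws02 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=198.51.100.5 dport=443
ts=2024-01-01T10:02:00 host=ws03 image=C:\\Tools\\buildagent.exe dst=10.0.0.5 dport=8087
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value line into a dict (quoted values allowed); dport becomes an int."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["dport"] = int(ev["dport"])
    return ev

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return (alerts, escalations): one alert per outbound hit on a module port, plus the
    (host, image, dst) tuples that touched all three ports, i.e. the whole tri-module chain."""
    alerts = []
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        port = ev["dport"]
        if port not in MODULE_PORTS or is_internal(ev["dst"]):
            continue  # normal browser traffic on 443 and internal use of 8087 are left alone
        key = (ev["host"], ev["image"], ev["dst"])
        ports_seen[key].add(port)
        reason = f"outbound tcp/{port} ({MODULE_PORTS[port]})"
        if ev.get("upgrade") == "websocket":
            reason += ", WebSocket upgrade on a non-standard port"
        alerts.append({"host": ev["host"], "image": ev["image"], "dst": ev["dst"], "reason": reason})
    escalations = [k for k, ports in ports_seen.items() if ports == set(MODULE_PORTS)]
    return alerts, escalations
```

Single-port hits are worth a ticket on their own; the escalation list is the one to page on, since a benign service is unlikely to use all three ports against one external host.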
