A newly advertised information-stealing malware called Anivia Stealer has surfaced on the dark web, with threat actor ZeroTrace aggressively promoting the C++17-based infostealer as a commercial malware-as-a-service offering.
The malware implements sophisticated privilege escalation capabilities, including automatic User Account Control (UAC) bypass functionality, making it a significant threat to Windows-based systems across multiple operating system versions.
Security researchers and threat intelligence analysts are actively investigating the malware’s technical infrastructure and capabilities, though comprehensive independent verification of the advertised features is still underway.
Anivia Stealer is advertised with a broad technical feature set designed to extract sensitive information from compromised systems.
According to the promotional materials shared by ZeroTrace, the malware operates as a standalone executable requiring no external dependencies, allowing it to function across Windows environments ranging from legacy Windows XP systems to modern Windows 11 installations.
The architecture emphasizes efficiency and stealth, utilizing minimal system resources during execution while maintaining encrypted communication channels with its command-and-control infrastructure.
The infostealer targets multiple data categories, including browser-stored credentials, cryptocurrency wallet information, system authentication tokens, and sensitive Local Security Authority (LSA) credentials.
Beyond credential harvesting, Anivia Stealer captures comprehensive system metadata, retrieves WhatsApp data, and can capture screenshots, providing threat actors with multifaceted intelligence regarding both system configuration and user activities.
The malware’s web-based administration panel incorporates geolocation mapping capabilities, displaying victim locations on a world map for monitoring active infections in real time.
Pricing Model and Threat Actor Distribution
ZeroTrace is offering Anivia Stealer through a flexible subscription-based model designed to accommodate various threat actors and criminal organizations.
The pricing structure reflects market-standard malware-as-a-service economics, with a one-month license available for €120, two-month subscriptions priced at €220, three-month packages at €320, and lifetime access available for €680.
This tiered approach democratizes access to advanced infostealer capabilities, enabling cybercriminals with limited resources to acquire sophisticated attack tools previously reserved for well-funded threat groups.
Security analysis suggests a technical and operational connection between Anivia Stealer and previously distributed malware families.
ZeroTrace has previously been attributed with developing and promoting the ZeroTrace Stealer and Raven Stealer variants, both information-stealing tools distributed through similar underground channels.
Initial investigation of GitHub commit histories and embedded author metadata indicates that Anivia Stealer may represent a rebranded or significantly forked version of the original ZeroTrace Stealer codebase.
This pattern—where threat actors periodically rebrand existing malware to evade detection signatures and generate renewed marketing attention—reflects established trends within the cybercriminal underground economy.
Mitigations
Organizations should immediately enhance endpoint detection and response (EDR) monitoring for suspicious process execution patterns associated with UAC bypass attempts.
Implementing application whitelisting policies, restricting privileged execution, and maintaining current security patches across Windows infrastructure are essential defensive measures.
Users should exercise heightened caution with email attachments, suspicious downloads, and potentially malicious links, as these remain primary infection vectors for infostealer distribution.
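The two host-side measures above that can be checked directly are the UAC policy (an automatic UAC bypass is far harder to pull off when administrators are prompted on the secure desktop rather than elevated silently) and whether an application allow-listing policy is actually enforced. The script below is an added example, not code from the article or from any vendor: it audits a Windows host's UAC registry policy and its effective AppLocker policy against a hardened baseline. The registry value names are the documented UAC policy values; the baseline values chosen here (the "Always notify" configuration) are this example's own assumption, not something the article specifies.

```powershell
# Added example (not from the article): audit UAC policy and AppLocker state.
# Run in an elevated PowerShell session on the host being checked.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened baseline (this example's choice). ConsentPromptBehaviorAdmin = 0 means
# administrators are elevated silently, which is exactly the condition that lets
# an auto-elevation abuse run without any visible prompt; 2 means "prompt for
# consent on the secure desktop".
$Baseline = [ordered]@{
    EnableLUA                  = 1   # UAC enabled at all (0 disables it entirely)
    ConsentPromptBehaviorAdmin = 2   # prompt admins for consent on the secure desktop
    PromptOnSecureDesktop      = 1   # prompts are isolated from user-level code
    EnableInstallerDetection   = 1   # flag installers so they cannot run unelevated silently
}

function Get-UacAuditResult {
    # Returns one object per baseline setting with Actual / Recommended / Status.
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $actual = $current.$name
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ([int]$actual -eq $Baseline[$name]) { 'OK' }
                  else { 'WEAK' }
        [pscustomobject]@{
            Setting     = $name
            Actual      = $actual
            Recommended = $Baseline[$name]
            Status      = $status
        }
    }
}

function Get-AppLockerSummary {
    # Summarises the effective AppLocker policy per rule collection, or reports
    # that no policy is applied. Get-AppLockerPolicy ships with the AppLocker
    # module on Windows editions that support AppLocker.
    $none = [pscustomobject]@{ Collection = '(none)'; Enforcement = 'NotConfigured'; Rules = 0 }
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    } catch {
        return $none
    }
    $rows = foreach ($collection in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $collection.RuleCollectionType   # Exe, Msi, Script, Dll, Appx
            Enforcement = $collection.EnforcementMode      # NotConfigured / AuditOnly / Enabled
            Rules       = ($collection | Measure-Object).Count
        }
    }
    if (-not $rows) { return $none }
    $rows
}

Write-Host "UAC policy ($PolicyKey):"
$uac = Get-UacAuditResult
$uac | Format-Table -AutoSize

Write-Host 'Effective AppLocker policy:'
Get-AppLockerSummary | Format-Table -AutoSize

$weak = @($uac | Where-Object { $_.Status -ne 'OK' })
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) UAC setting(s) below baseline: silent elevation may be possible"
}
```

A `WEAK` row for `ConsentPromptBehaviorAdmin` (value 0) or `EnableLUA` (value 0) is the finding to act on first, since either removes the prompt that an automatic UAC bypass is designed to avoid. An AppLocker summary of `(none)` or `AuditOnly` for the `Exe` collection means the allow-listing recommendation above is not actually enforced, even if a policy has been authored.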
The emergence of Anivia Stealer underscores the continuous evolution of the malware-as-a-service ecosystem and the persistent commercial demand for advanced information-stealing capabilities within the cybercriminal marketplace.