New Maranhão Stealer Via Pirated Software Leveraging Cloud-Hosted Platforms to Steal Login Credentials

Since May 2025, a novel credential stealer dubbed Maranhão Stealer has emerged as a significant threat to users of pirated gaming software. Distributed through deceptive websites hosting cracked launchers and cheats, the malware leverages cloud-hosted platforms to deliver trojanized installers that appear innocuous.

Upon execution, the installer unpacks a Node.js-compiled binary wrapped in an Inno Setup executable, starting a silent infection chain that avoids drawing the user's attention while harvesting sensitive data.

In its initial campaigns, threat actors attracted victims with enticing download links such as DerelictSetup.zip, promising modified game content.

Behind the scenes, however, the Inno Setup wrapper drops several components, including updater.exe, crypto.key, and infoprocess.exe, into a hidden “Microsoft Updater” directory under %localappdata%\Programs.

Infection chain (Source – Cyble)

Cyble analysts noted that the malware establishes persistence through Run registry keys and scheduled tasks immediately after deployment.

The impact of Maranhão Stealer extends beyond simple credential theft. By injecting a reflective DLL into browser processes, it bypasses protections such as Chrome's App-Bound Encryption and exfiltrates stored passwords, cookies, and browsing history from Chrome, Edge, Brave, Opera, and other Chromium-based browsers.

Cyble researchers identified that the malware also targets cryptocurrency wallets—Electrum, Exodus, Coinomi, and more—making it a dual threat to both traditional account credentials and digital asset wallets.

In addition to credential harvesting, Maranhão Stealer conducts extensive system reconnaissance. It gathers hardware and network information via WMI queries such as wmic os get Caption and external API calls to ip-api.com/json, profiling the operating system, CPU, disk space, and geographic location of the infected host.

Screenshots, captured by compiling inline C# from PowerShell, further augment the stolen intelligence and let the operators observe what the victim is doing on screen.

Infection Mechanism

A closer examination of the infection mechanism reveals a multi-stage process designed for stealth and reliability.

Upon execution, the Inno Setup installer runs in /VERYSILENT mode, which suppresses every installation dialog, and launches the main payload, updater.exe.

Persistence is immediately secured with a registry modification:-

reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\Users\<username>\AppData\Local\Programs\Microsoft Updater\Updater.exe" /f
Persistence through registry (Source – Cyble)

Once the Run key is in place, the malware marks its directory and files with the hidden and system attributes (attrib +h +s), so that they do not show up in a default Explorer or dir listing.
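The two artifacts just described, a Run value whose data points into a user-writable directory and an attrib +h +s on that same directory, are cheap to detect from process-creation telemetry. The following Python is an added example (not code from Cyble or from this page) that parses reg.exe and attrib command lines out of Sysmon Event ID 1-style records and correlates them. The event shape, the username alice, and the benign OneDrive and attrib -r records are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(
    r"(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b",
    re.IGNORECASE,
)
# Locations a standard user can write to. A Run value pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\")

# Constructed Sysmon Event ID 1-style records for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft Updater\updater.exe",
     "command_line": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater '
                     r'/t REG_SZ /d "C:\Users\alice\AppData\Local\Programs\Microsoft Updater\Updater.exe" /f'},
    {"parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft Updater\updater.exe",
     "command_line": r'attrib +h +s "C:\Users\alice\AppData\Local\Programs\Microsoft Updater"'},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign: an installer in Program Files registering itself
     "command_line": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive '
                     r'/t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",  # benign: clearing read-only on a document
     "command_line": r"attrib -r C:\Users\alice\Documents\notes.txt"},
]


def tokens(cmd):
    """Split a command line on whitespace, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_reg_add(cmd):
    """Return (key, {'/v': ..., '/t': ..., '/d': ...}) for a 'reg ADD' command, else None."""
    toks = tokens(cmd)
    if len(toks) < 3 or PureWindowsPath(toks[0]).name.lower() not in ("reg", "reg.exe"):
        return None
    if toks[1].upper() != "ADD":
        return None
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    return toks[2], opts


def parse_attrib(cmd):
    """Return ({flags}, path) for an attrib command, else None."""
    toks = tokens(cmd)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("attrib", "attrib.exe"):
        return None
    flags = {t.lower() for t in toks[1:] if t[:1] in ("+", "-")}
    paths = [t for t in toks[1:] if t[:1] not in ("+", "-", "/")]
    return flags, (paths[0] if paths else "")


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(events):
    """Return findings. A Run value whose target lives in a directory that was also
    hidden with attrib +h +s is reported as the high-confidence combination."""
    findings, run_dirs, hidden_paths = [], {}, []
    for ev in events:
        cmd = ev["command_line"]
        reg = parse_reg_add(cmd)
        if reg:
            key, opts = reg
            data = opts.get("/d", "")
            if RUN_KEY_RE.search(key) and in_user_writable(data):
                run_dir = str(PureWindowsPath(data).parent).lower()
                run_dirs[run_dir] = opts.get("/v")
                findings.append({"rule": "run_key_user_writable", "value": opts.get("/v"),
                                 "target": data, "parent": ev["parent_image"]})
        att = parse_attrib(cmd)
        if att:
            flags, path = att
            if {"+h", "+s"} <= flags and in_user_writable(path):
                hidden_paths.append(path.lower().rstrip("\\"))
                findings.append({"rule": "attrib_hidden_system", "target": path,
                                 "parent": ev["parent_image"]})
    for run_dir, value in run_dirs.items():
        for hidden in hidden_paths:
            # attrib may have been run on the directory itself, on a file inside it,
            # or on a parent directory; treat all three as the same location.
            if (run_dir == hidden or hidden.startswith(run_dir + "\\")
                    or run_dir.startswith(hidden + "\\")):
                findings.append({"rule": "hidden_run_key_target", "value": value,
                                 "target_dir": run_dir})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the sample records the first two events each produce a finding on their own, and the correlation step adds a third, hidden_run_key_target, because the Run value's directory is exactly the path that was hidden; the OneDrive and attrib -r records produce nothing. In production the parent_image field is the one to pivot on: both commands here were spawned by a binary that is itself in the hidden directory.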

The next phase involves spawning a helper process, infoprocess.exe, which injects a payload DLL directly into running browser processes.

Using the native NT APIs NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx, the helper allocates memory in the browser process, writes the module into it, and starts a thread at its entry point, so the payload is mapped into the target's address space without ever being written to disk.

This reflective injection technique not only evades file-based antivirus scans but also runs the stealer's code inside legitimate, usually trusted browser executables, which is what lets it reach data the browser protects with App-Bound Encryption and makes detection considerably harder.
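Injection of this kind leaves a clear trace at the thread boundary. Sysmon Event ID 8 (CreateRemoteThread) is raised from the kernel's thread-creation callback, so it records threads started through NtCreateThreadEx as well as through CreateRemoteThread; its StartModule field is empty when the new thread's start address is not inside any loaded module, which is exactly what a reflectively loaded DLL looks like. The following Python is an added example (not code from Cyble or from this page) that scores such records: cross-process thread creation into a Chromium browser from a non-browser source, an unbacked start address, and a source binary running from a user-writable path each add to the score. The records, paths, addresses, weights and threshold are constructed for the example and should be tuned per environment.

```python
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "vivaldi.exe", "chromium.exe"}
# Windows components that routinely create threads in other processes; extend
# this allow-list with the security tooling deployed in your own environment.
EXPECTED_REMOTE_THREAD_SOURCES = {"csrss.exe"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\")
ALERT_THRESHOLD = 5  # assumed weighting for the example

# Constructed Sysmon Event ID 8-style records; not real telemetry.
SAMPLE_THREAD_EVENTS = [
    {"SourceImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft Updater\infoprocess.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x000001F3A4C20000", "StartModule": "", "StartFunction": ""},
    {"SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # browser's own thread
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x00007FFB2A1C1D30", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",  # OS component, allow-listed
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x00007FFB2A1C1D30", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Program Files\EDR\sensor.exe",  # hypothetical security product hooking the browser
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x00007FFB1C002A40", "StartModule": r"C:\Program Files\EDR\hook.dll",
     "StartFunction": "HookEntry"},
]


def score_thread_event(ev):
    """Return (score, reasons) for one CreateRemoteThread-style record."""
    src = PureWindowsPath(ev["SourceImage"])
    tgt = PureWindowsPath(ev["TargetImage"])
    score, reasons = 0, []
    if tgt.name.lower() not in CHROMIUM_BROWSERS:
        return score, reasons
    if src.name.lower() == tgt.name.lower() or src.name.lower() in EXPECTED_REMOTE_THREAD_SOURCES:
        return score, reasons  # the browser itself or a known OS component
    score += 3
    reasons.append("cross-process thread into %s from %s" % (tgt.name, src.name))
    if not ev.get("StartModule"):
        # No loaded module covers the start address: the thread begins in
        # memory that was allocated and written at runtime.
        score += 3
        reasons.append("start address not backed by a loaded module")
    if any(marker in str(src).lower() for marker in USER_WRITABLE):
        score += 2
        reasons.append("source image runs from a user-writable path")
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return the records whose score reaches the alert threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_thread_event(ev)
        if score >= threshold:
            alerts.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_THREAD_EVENTS):
        print(alert)
```

Only the infoprocess.exe record crosses the threshold (all three signals fire, score 8). The hypothetical EDR record scores 3: it is cross-process, but its thread starts inside a DLL that is actually loaded and the binary lives in Program Files, which is the kind of event that should be allow-listed by image path rather than by lowering the threshold.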

By combining social engineering, cloud-based distribution, and advanced injection tactics, Maranhão Stealer exemplifies the evolving sophistication of modern credential stealers.

Security teams should prioritize application control policies, endpoint monitoring for anomalous Run-key edits and attrib +h +s on AppData paths, alerting on cross-process thread creation into browser processes, and behavioral analysis to detect and block such stealthy threats in their early stages.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.