Silent Watcher Targets Windows Systems, Steals Data via Discord Webhooks

K7 Labs investigated the Cmimai Stealer, a Visual Basic Script (VBS)-based infostealer that surfaced in June 2025 and uses PowerShell and native Windows scripting to exfiltrate data covertly.

This malware, first highlighted in a tweet, operates as a lightweight tool that bypasses the PowerShell execution policy, generates ephemeral PowerShell scripts, and systematically harvests system and browser metadata before transmitting it via Discord webhooks.

Notably, an additional sample surfaced on June 28, 2025, featuring a distinct webhook URL, indicating potential variants or campaign evolutions.

Core Functionality of Cmimai Stealer

The stealer initializes by logging execution events in a temporary file named “vbs_reporter_log.txt” within the system’s %TEMP% directory, then proceeds to query Windows Management Instrumentation (WMI) via the Win32_OperatingSystem class to extract critical system details such as OS version, caption, current username, computer name, and timestamps.

Figure: vbs_reporter_log.txt

This data is formatted into a JSON payload and dispatched over HTTPS using a WinHttpRequest.5.1 object, falling back to MSXML2.XMLHTTP, ensuring reliable exfiltration to attacker-controlled Discord channels.

The script’s browser metadata collection module dynamically creates and executes “vbs_ps_browser.ps1,” which parses the Local State JSON files from Chromium-based browsers like Google Chrome and Microsoft Edge, retrieving user profile names, email addresses, and encrypted master keys (base64-encoded as “encrypted_key” or “app_bound_encrypted_key”).

While this positions the malware to potentially decrypt sensitive artifacts like Login Data or Cookies for credential theft, the analyzed samples lack modules for actual decryption or further exfiltration, suggesting a reconnaissance-focused design rather than full-fledged data plunder.

Complementing this, a screen capture component deploys “vbs_ps_diag.ps1,” utilizing .NET assemblies including System.Drawing and System.Windows.Forms to snapshot the primary display, compress it to a 70% quality JPEG under 8MB to comply with Discord’s upload limits, and integrate it into the webhook payload.

Persistence within the running session is achieved through an infinite loop that re-runs the diagnostic reporting every 60 minutes, enabling ongoing surveillance without requiring system restarts or advanced evasion techniques.

Threat Implications

From a defensive standpoint, Cmimai Stealer’s operational footprint offers multiple detection vectors. The most prominent is an anomalous parent-child process chain in which wscript.exe spawns powershell.exe with a bypassed execution policy and a hidden window style, as seen in commands such as “powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File vbs_ps_browser.ps1” for browser scraping, or the same invocation with “vbs_ps_diag.ps1” for screenshot capture.

Figure: Discord webhooks
Figure: presence of the text “Cmimai Stealer” in the script

Filesystem indicators encompass temporary artifacts such as the aforementioned PowerShell scripts, log files, and image outputs like “vbs_diag_*.jpg” in %TEMP%.

Network telemetry reveals HTTPS traffic to discord.com/api/webhooks endpoints with a distinctive User-Agent string “Cmimai Stealer VBS UI Rev,” facilitating signature-based blocking on endpoints or gateways, while YARA rules can hunt for script patterns emphasizing WMI queries and Discord hooks.
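As an added illustration (not code from the K7 Labs report), the detection vectors above expressed as simple rules run over constructed Sysmon-style sample events; the field names and the placeholder webhook id/token are assumptions, not indicators from the report.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a Sysmon-like shape (not real captures).
# The webhook id/token below are placeholders, not indicators from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\alice\AppData\Local\Temp\vbs_ps_browser.ps1"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly_backup.ps1"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",
     "user_agent": "Cmimai Stealer VBS UI Rev"},
    {"type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\vbs_diag_20250628_1200.jpg"},
]

# Filesystem artifacts the report names, expected under %TEMP%.
TEMP_ARTIFACTS = re.compile(
    r"\\Temp\\(vbs_ps_browser\.ps1|vbs_ps_diag\.ps1|vbs_reporter_log\.txt|vbs_diag_[^\\]*\.jpg)$",
    re.IGNORECASE)
WEBHOOK_URL = re.compile(r"^https://discord\.com/api/webhooks/", re.IGNORECASE)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the Cmimai-style detection rules an event matches."""
    hits: List[str] = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "").lower()
        # Parent/child chain from the report: wscript.exe -> hidden, policy-bypassed powershell.exe
        if (event.get("parent", "").lower().endswith("\\wscript.exe")
                and event.get("image", "").lower().endswith("\\powershell.exe")
                and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd):
            hits.append("wscript_spawns_hidden_powershell")
        if "vbs_ps_browser.ps1" in cmd or "vbs_ps_diag.ps1" in cmd:
            hits.append("cmimai_script_name")
    elif event["type"] == "network":
        if WEBHOOK_URL.match(event.get("url", "")):
            hits.append("discord_webhook_destination")
        if event.get("user_agent") == "Cmimai Stealer VBS UI Rev":
            hits.append("cmimai_user_agent")
    elif event["type"] == "file" and TEMP_ARTIFACTS.search(event.get("path", "")):
        hits.append("cmimai_temp_artifact")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, keeping only events with at least one hit."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results
```

The Discord destination rule on its own is noisy on hosts where Discord is legitimately used; the process-chain and User-Agent rules are the ones that carry the signal.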

Although it lacks robust features such as reboot persistence, encrypted communications, or direct credential decryption, this infostealer’s dual utility as both a data thief and a second-stage reconnaissance asset underscores its potential in multi-phase attacks. It has not yet been attributed to any established malware family.

Defenders are advised to monitor for unexpected Discord-bound traffic from sensitive systems and flag high-risk script executions to mitigate proliferation.

Indicators of Compromise (IoCs)

Hash                              Detection name
85d55caca5b341696382680eb3550918  Trojan (0001140e1)
ea792d0458d40471cefa26ebccf4ed45  Trojan (0001140e1)


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.