The “Purchase Order” email from Lebanon carries Blustealer. The compressed attachment contains an exe file: the malware. Stolen data is exfiltrated via Telegram API

“Purchase Order” is the object of an email from Lebanon conveying a new Blustealer (aka DarkCloud) campaign.

The compressed attachment contains an exe file: the malware. The stolen data is then exfiltrated via Telegram API.

BluStealer is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN applications, FTP, browsers, mail clients); credit card information saved in browsers; downloaded e-mail messages and contacts from the address book of some e-mail clients. It also replaces cryptocurrency wallet addresses each time they are copied with its own wallets. This causes payments from infected machines to reach the authors of the malware campaign and not to the intended recipients.