Blustealer campaign from Lithuania simulating China. The compressed attachment of the “Order_list_30052023” message contains an exe file: the malware. Stolen data is exfiltrated via Telegram API

Blustealer hides inside a fake email from China, actually coming from Lithuania.

The compressed attachment of the “Order_list_30052023” message contains an exe file: the malware. Stolen data is exfiltrated via Telegram API.

Blustealer, aka DarkCloud, is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN applications, FTP, browsers, mail clients); credit card information saved in browsers; downloaded e-mail messages and contacts from the address book of some e-mail clients. It also replaces cryptocurrency wallet addresses each time they are copied with its own wallets. This causes payments from infected machines to reach the authors of the malware campaign and not to the intended recipients.