Fake RFQ carries a BluStealer campaign. The compressed attachment of the “REQUEST FOR QUOTATION” email contains an exe: the malware. Stolen data is exfiltrated via Telegram API

BluStealer passes from a fake Request for Quotation from Oman.

The compressed attachment of the “REQUEST FOR QUOTATION” email contains an exe: the malware. Stolen data is exfiltrated via Telegram API.

Blustealer, aka DarkCloud, is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN applications, FTP, browsers, mail clients); credit card information saved in browsers; downloaded e-mail messages and contacts from the address book of some e-mail clients. It also replaces cryptocurrency wallet addresses each time they are copied with its own wallets. This causes payments from infected machines to reach the authors of the malware campaign and not to the intended recipients.