The BlueStealer campaign from UAE changes template. The attachment of the new “Document approval” email contains an exe: the malware. The stolen data is always exfiltrated to the same Telegram API C2

The BlueStealer campaign from the UAE changes its template: the last email, from a “Request for quotation“, becomes a “Document approval” and is formally sent by a different subject.

Similarly, the name of the attachment, which contains an exe: the malware, also varies. However, the method for exfiltrating stolen data is always the same: Telegam API, using the same C2.

Bluestealer, aka DarkCloud, is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN applications, FTP, browsers, mail clients); credit card information saved in browsers; downloaded e-mail messages and contacts from the address book of some e-mail clients. It also replaces cryptocurrency wallet addresses each time they are copied with its own wallets. This causes payments from infected machines to reach the authors of the malware campaign and not to the intended recipients.