Marco Stealer is a newly discovered information stealer, first observed in June 2025, built to exfiltrate browser data, cryptocurrency wallet details, and files from local directories and cloud-synced folders such as Dropbox and Google Drive. It uses anti-analysis techniques including string encryption and the termination of security and analysis tools to evade detection.

On execution, the stealer collects system information (hardware IDs, operating system version), retrieves IP geolocation data, and builds a profile of the victim machine. It actively checks for and terminates analysis tools such as Wireshark and x64dbg, and its components communicate with each other over named pipes.

Command-and-control (C2) traffic runs over HTTP, with messages encrypted using AES-256. All collected data is encrypted before transmission, with one exception: screenshots are exfiltrated in plaintext, which makes them the one part of the upload a network sensor can inspect directly.

For browser data, Marco Stealer drops and runs embedded DLLs and executables, and it extracts cryptocurrency wallet data from browser extensions. It also harvests clipboard content and recursively searches local directories and cloud storage locations for sensitive files.

Despite law enforcement actions against similar malware, the market for information stealers remains active, and they continue to pose a threat to corporate environments. Zscaler's Cloud Sandbox detects this campaign, and the Zscaler platform identifies indicators associated with Marco Stealer.
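The anti-analysis behaviour described above (enumerating and killing Wireshark, x64dbg and similar tools) leaves a telemetry trace: to call TerminateProcess a process must first open a handle with PROCESS_TERMINATE, which Sysmon records as Event ID 10 (ProcessAccess) with that bit set in GrantedAccess. The following is an added example, not code from Zscaler or from the Marco Stealer report, showing detection logic for that pattern over constructed sample events. The "Key=Value;Key=Value" line format, the sample process names and paths, and the extra tool names beyond Wireshark and x64dbg are assumptions made for illustration.

```python
"""Detection sketch: a process opening known analysis tools with PROCESS_TERMINATE.

Added example for illustration; not code from Zscaler or the Marco Stealer report.
Models Sysmon Event ID 10 (ProcessAccess) records as 'Key=Value;Key=Value' lines.
All log lines below are constructed sample input, not real telemetry.
"""
from collections import defaultdict

# Win32 process access rights relevant here (values from winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Tools the report says Marco Stealer terminates, plus other common debugger and
# monitor names (assumption: a typical stealer kill-list, not taken from the report).
ANALYSIS_TOOLS = {
    "wireshark.exe", "x64dbg.exe",                      # named in the report
    "x32dbg.exe", "procmon.exe", "procmon64.exe",       # assumed additions
    "procexp.exe", "procexp64.exe", "ollydbg.exe",
    "ida.exe", "ida64.exe",
}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value;Key=Value' record into a dict; GrantedAccess becomes an int."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_tool_kill_attempt(event: dict) -> bool:
    """True when the target is an analysis tool and the handle could terminate it."""
    target = image_name(event.get("TargetImage", ""))
    return target in ANALYSIS_TOOLS and bool(event["GrantedAccess"] & PROCESS_TERMINATE)


def detect(lines) -> dict:
    """Group kill attempts by source image; returns {source_image: {target images}}."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_tool_kill_attempt(ev):
            hits[image_name(ev["SourceImage"])].add(image_name(ev["TargetImage"]))
    return dict(hits)


def suspicious_sources(lines, min_tools: int = 2) -> list:
    """Sources whose kill attempts cover at least `min_tools` distinct analysis tools.

    A single kill (taskkill from an admin, a user closing a window) is ordinary;
    one process opening several different tools with PROCESS_TERMINATE in a row
    looks like an anti-analysis sweep.
    """
    return sorted(src for src, targets in detect(lines).items() if len(targets) >= min_tools)


# Constructed sample events (not real telemetry). The first two model a stealer
# dropped to %TEMP% sweeping two tools; the third is Task Manager merely querying
# Wireshark; the fourth is an administrator killing one tool with taskkill.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\svc_update.exe;"
    "TargetImage=C:\\Program Files\\Wireshark\\Wireshark.exe;GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\svc_update.exe;"
    "TargetImage=C:\\Tools\\x64dbg\\release\\x64\\x64dbg.exe;GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Windows\\System32\\Taskmgr.exe;"
    "TargetImage=C:\\Program Files\\Wireshark\\Wireshark.exe;GrantedAccess=0x1000",
    "SourceImage=C:\\Windows\\System32\\taskkill.exe;"
    "TargetImage=C:\\Program Files\\Wireshark\\Wireshark.exe;GrantedAccess=0x1",
]


if __name__ == "__main__":
    for src, targets in detect(SAMPLE_EVENTS).items():
        print(f"{src}: PROCESS_TERMINATE handle on {sorted(targets)}")
    print("suspicious:", suspicious_sources(SAMPLE_EVENTS))
```

The threshold of two distinct tools is a tuning choice: a stealer's kill loop usually walks a whole list, so the sweep stands out even when each individual open would be noise on its own. In a real deployment the same logic would read Sysmon's XML from the event log rather than these flattened lines, and the access mask check stays the same.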
Technical Analysis of Marco Stealer
Edward Kiledjian
@ekiledjian