Vega Stealer Malware Harvesting Credentials from Web Browsers

A new variant of August Stealer – named Vega Stealer – is being distributed in small phishing campaigns targeting marketing, advertising, and PR firms and the retail and manufacturing industries. While the campaigns are highly targeted, the malware could potentially be used in much more widespread campaigns and become a major threat.

Vega Stealer does not have the same range of capabilities as its predecessor, although it does include several new features that make it a significant threat, according to security researchers at Proofpoint.

The malware is being distributed via a standard phishing campaign involving Word document attachments with malicious macros that act as downloaders for the Vega Stealer payload in a two-step process, first downloading obfuscated Jscript/PowerShell script which in turn downloads Vega Stealer malware.

The emails captured by Proofpoint contained a document with the name ‘brief.doc’ with various subject lines used, including ‘Online Store Developer Required.’

Some of the emails were directed at specific individuals, others were sent to distribution lists commonly used by businesses such as info@. The emails were sent in low volume with the targets apparently carefully selected. Proofpoint notes that another campaign was being conducted by the same threat actors using the August Stealer payload, with several of the same firms targeted the previous day.

Vega Stealer is written in .NET and appears to be primarily focused on stealing saved credentials from Chrome and Firefox, and is capable of exfiltrating profile information, cookies, and passwords. The malware also takes a screenshot of the infected machine and performs a search for commonly used file types such as .doc/docx, .xls/xlsx, .txt, .rtf, and PDF files and exfiltrates those files along with the harvested credentials.

The researchers note the document macro used to download the payload is currently used by multiple threat actors and is most likely for sale on darknet marketplaces, although URL patterns from the macro suggest this campaign is being conducted by a threat actor known to distribute the Emotet banking Trojan and various other banking Trojans.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of