An uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.

Dark Reading Staff, Dark Reading

April 21, 2023

1 Min Read
concept art depicting data theft
Source: Brain light via Alamy Stock Photo

A phishing campaign that launched in March and is actively targeting Microsoft operating system users in Europe and the US is making the rounds, using the EvilExtractor tool as its weapon of choice.

Research this week from FortiGuard Labs details the EvilExtractor attack chain, explaining that it usually starts with a legitimate-seeming Adobe PDF or Dropbox link, which instead deploy a malicious PowerShell when opened or clicked, before eventually leading to the modular EvilExtractor malware.

"Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker’s FTP server," FortiGuard Labs researchers wrote.

The report points out that EvilExtractor was first developed by Kodex, which claimed that, despite its obvious name, it's used as an "educational tool,' according to the EvilExtractor report. "However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights