Medium severity | Stealer

DeerStealer Hides Behind a Legitimate Password Manager in a WiX Burn Bundle: Repurposed Adobe Download Infrastructure, AES-Encrypted Fileless Payload, and a $3,000/Month MaaS Empire

Investigated: March 16, 2026 | Published: March 16, 2026
Tags: stealer, social-engineering, credential-theft, c2, dga, apt

Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-15

TL;DR

A WiX Burn bootstrapper bundle disguised as "Antonomasia" by publisher "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer platform sold for $200 to $3,000/month. The bundle drops 15 files from an embedded CAB archive; only three are malicious. Bichromate.dll is a repurposed Adobe Generic Download Engine (GDE v7.0.4.0) masquerading as Adobe's CCMNative.dll, weaponized to decrypt a XOR-obfuscated C2 configuration and an AES-CBC-encrypted DeerStealer payload that executes entirely in memory. The stealer harvests credentials from 50+ browsers, drains 14+ crypto wallets, monitors 800+ browser extensions, runs a hidden VNC server at 30 FPS, and operates a live keylogger. Two C2 domains behind Cloudflare CDN were confirmed active at time of analysis. The PE compile timestamp claims 2017-11-18 -- it is forged. Persistence is established through a registry run key and three scheduled tasks. Every design choice in this bundle -- the high legitimate-to-malicious file ratio, the Adobe infrastructure masquerade, the password manager decoy targeting users likely to have valuable credentials -- reflects a deliberate social engineering operation by a DeerStealer affiliate operating within the Rugmi loader ecosystem.


Sample Overview

Sample 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c was first observed on 2026-03-15. The outer executable is a legitimate WiX Burn bootstrapper -- the same installer framework Microsoft uses for Visual Studio and other trusted software distribution. The .wixburn PE section in the header and an embedded CAB archive at file offset 0x71200 are the structural tells.

Property            Value
SHA-256             04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c
MD5                 73e9ab1674c64f040da642b6a4690356
SHA-1               e5a508bf8a7170cbacd6e6ab0259073a2a07b3cf
Format              PE32 executable (WiX Burn bootstrapper)
Compile Timestamp   2017-11-18 (FORGED)
CAB Offset          0x71200
Total Files in CAB  15
Malicious Files     3
Bundle Identity:
  Display Name : Antonomasia
  Publisher    : Cyme
  Version      : 5.3.10.0
  Bundle GUID  : {039b68bb-ce50-4ecf-919a-0063a775d991}
  UpgradeCode  : {9CA7841D-0AFC-47D7-9FF9-95EEF9DB0AE1}
  MSI Product  : {5931BD7A-1314-4267-8D1E-1A70FBB0464F}

The name "Antonomasia" -- a rhetorical device meaning the substitution of a proper name with a description -- is either a deliberate inside joke about what this bundle does (substituting a password manager with an infostealer) or randomly generated. Either way, the publisher name "Cyme" has no legitimate software provenance. Both names are operational decisions made at the affiliate level.


Bundle Composition: 15 Files, 3 Malicious

Inside the CAB archive, 15 files are extracted. The high legitimate-to-malicious ratio is by design: superficial AV analysis that scores based on file reputation will return a low threat score when 12 of 15 files are clean, signed, widely distributed binaries.

Malicious Components

File            SHA-256                                                           Role
Bichromate.dll  58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7  Download engine (masquerades as Adobe CCMNative.dll)
jri             d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82  AES-CBC encrypted DeerStealer payload (entropy 7.96)
yodpxub         1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669  XOR-obfuscated C2 configuration

Legitimate Components (Decoy and Support)

File                             SHA-256                                                           Purpose
ActiveISO.exe                    588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd  Active@ Password Changer (decoy)
msvcp140.dll                     72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e  MSVC C++ runtime
Qt5Core.dll                      f7bddcd19a740e179827a99c23cc045d6f4ab8d5b6699592b1a1e8fcb6ddc22f  Qt framework core
Qt5Gui.dll                       ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34  Qt GUI framework
Qt5Network.dll                   d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b  Qt networking
Qt5PrintSupport.dll              7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1  Qt print support
Qt5Widgets.dll                   4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d  Qt widgets framework
StarBurn.dll                     c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340  StarBurn SDK
vcruntime140.dll                 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8  MSVC runtime
vcruntime140_1.dll               1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e  MSVC runtime extension
BootstrapperApplicationData.xml  af5ec3654463a5a657fb60184a7e26dc863a860dbe58930fa874fddd97ccce27  WiX bootstrapper metadata

The ActiveISO.exe decoy is a genuine, unmodified copy of Active@ Password Changer by LSoft Technologies. It installs. It works. It keeps the victim distracted while everything behind the scenes executes. The social engineering logic is deliberate: users searching for password management tools are statistically likely to have credentials worth stealing. The threat actor knows this.


Kill Chain: Nine Stages From Installer to Exfiltration

                    ATTACK FLOW
                    ==========

  [1] WiX Burn Bootstrapper
       |
       v
  [2] CAB Extraction --> %TEMP%\{GUID}\
       |                    |
       |                    +-- ActiveISO.exe (DECOY -- visible install)
       |                    +-- Bichromate.dll
       |                    +-- jri (encrypted payload)
       |                    +-- yodpxub (encrypted config)
       |                    +-- Qt5*.dll, vcruntime, StarBurn (padding)
       v
  [3] Bichromate.dll loads as CCMNative.dll
       |
       v
  [4] XOR decrypt yodpxub --> CCMConfig.xml (C2 URL)
       |    Key: 32-byte cycling XOR
       v
  [5] HTTPS beacon to Cloudflare-proxied C2
       |    telluricaphelion[.]com / loadinnnhr[.]today
       v
  [6] AES-CBC decrypt jri --> DeerStealer (in-memory, fileless)
       |    CryptoPP library, never written to disk in plaintext
       v
  [7] Credential Harvesting
       |    50+ browsers, 14+ wallets, 800+ extensions
       |    Hidden VNC (30 FPS), live keylogger
       v
  [8] Persistence
       |    Registry: HKCU\...\Run "AppVTemplate"
       |    Tasks: zceWriter, dyApp, Pluginsecurity_dbg
       v
  [9] Exfiltration
            SQLite staging (ribs_collection, ribs_payload)
            XOR-encrypted HTTPS POSTs + AES-encrypted ZIP archives
            "Gasket" proxy layer through Cloudflare CDN

Stage 1 -- Extraction

The WiX Burn engine extracts the embedded CAB to %TEMP%\{GUID}\ and registers "Antonomasia" in Add/Remove Programs. To Windows, this is a standard software installation event. Because Burn is the engine behind many trusted installers, everything it does here (a GUID-named Temp directory, a CAB extraction, an Uninstall registry entry) is exactly what an endpoint product expects from a legitimate setup. Products that allowlist WiX-based installers will often let this pass without behavioral analysis.

Stage 2 -- Decoy Deployment

Active@ Password Changer installs visibly. The user sees a real product, with a real UI, performing real operations on their system. There is no reason for suspicion. The decoy creates a temporal overlap: while the user is clicking through the Active@ setup wizard, the malicious components are executing in parallel.

Stage 3 -- Bichromate Loads

Bichromate.dll is dropped carrying the export-directory name CCMNative.dll -- the name of Adobe Creative Cloud Manager's native component -- and is loaded under that identity. This is DLL masquerading, not sideloading: no legitimate application is tricked into loading it; the DLL simply presents itself as an Adobe component. The DLL itself is a weaponized copy of Adobe's Generic Download Engine (GDE v7.0.4.0), confirmed by embedded debug strings:

"GDE Version is 7.0.4.0"
"Adobe_Download_.%s"
"Going to download the file at %s/%s"

Repurposing a legitimate Adobe download engine as a malware loader is operationally shrewd. The GDE comes pre-built with WinHTTP integration, chunked transfer support, retry logic, and RSA signature verification infrastructure -- everything needed for robust C2 communication. Security products that flag unknown network-capable DLLs will see Adobe download engine strings and version metadata, potentially reducing their suspicion score.

Stage 4 -- Configuration Decryption

Bichromate reads yodpxub from disk and decrypts it with a cycling XOR key. The key as dumped from the sample:

XOR Key (hex):
3c 58 78 6d 0e 72 04 31  35 73 0f 6f 03 67 43 31
2e 53 22 20 31 6e 21 6f  64 69 1d 67 3d 7a 02 74 38

Note that this dump contains 33 bytes, not the 32 (256-bit) cited in the TL;DR. Verify the key period against the decrypted output before reusing it: with a cycling XOR, a wrong length corrupts everything past the first period.

The result is a CCMConfig.xml file -- consistent with the Adobe GDE's expected configuration format -- containing the C2 download URL. The first 38 bytes after decryption confirm the XML structure: <?xml version="1.0" encoding="utf-8"?>. By using the GDE's own configuration format, the malware ensures that the download engine processes the C2 URL through its legitimate code paths, including any built-in error handling and retry logic.
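The cycling-XOR step above, as an added example (not code from the sample or from BGI): it decrypts a blob with the key as dumped, checks for the XML declaration the report says heads the plaintext, and then works the other way round, recovering the keystream from that known 38-byte prefix and reading the key period off it. That second direction is how to settle the 32-versus-33-byte question against a real yodpxub. The yodpxub stand-in is constructed here by encrypting a made-up CCMConfig.xml; its download URL is a placeholder, not an indicator.

```python
"""Cycling-XOR decode of a yodpxub-style config and known-plaintext key recovery.

Added example for this report, not code from the sample or from BGI. The key
bytes are the ones dumped in this report; the config blob is CONSTRUCTED here
by encrypting a made-up CCMConfig.xml with that key, because the real yodpxub
is not reproduced on the page. The download URL in it is a placeholder.
"""
from itertools import cycle

# Key exactly as dumped in the report. The dump is 33 bytes long, not 32.
YODPXUB_KEY = bytes.fromhex(
    "3c58786d0e72043135730f6f036743312e532220316e216f64691d673d7a027438"
)
# The report states the first 38 decrypted bytes are this XML declaration.
KNOWN_XML_PREFIX = b'<?xml version="1.0" encoding="utf-8"?>'


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key. Symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_config(blob: bytes, key: bytes = YODPXUB_KEY) -> bytes:
    """Decrypt a yodpxub blob and refuse output that does not look like CCMConfig.xml.
    A wrong key length corrupts bytes past the first period, so checking the
    full 38-byte declaration (longer than the key) also validates the length."""
    plain = xor_cycle(blob, key)
    if not plain.startswith(KNOWN_XML_PREFIX):
        raise ValueError("no XML declaration after decryption: wrong key or key length")
    return plain


def recover_keystream(blob: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: keystream[i] = cipher[i] ^ plain[i]. The 38-byte
    XML declaration yields more keystream than the key is long, so the period
    (the real key length) can be read off the repeat."""
    return xor_cycle(blob[: len(known_plaintext)], known_plaintext)


def infer_key_length(keystream: bytes):
    """Smallest period that explains the keystream, or None if it never repeats
    within the recovered bytes (key longer than the known plaintext)."""
    for n in range(1, len(keystream)):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return n
    return None


# --- CONSTRUCTED stand-in for the real yodpxub file ---
SAMPLE_CONFIG_XML = KNOWN_XML_PREFIX + (
    b"\n<CCMConfig>\n  <DownloadURL>https://c2.example.invalid/payload.bin</DownloadURL>\n"
    b"</CCMConfig>\n"
)
SAMPLE_YODPXUB = xor_cycle(SAMPLE_CONFIG_XML, YODPXUB_KEY)

if __name__ == "__main__":
    ks = recover_keystream(SAMPLE_YODPXUB, KNOWN_XML_PREFIX)
    print("recovered keystream :", ks.hex())
    print("inferred key length :", infer_key_length(ks))
    print(decrypt_config(SAMPLE_YODPXUB).decode())
```

Against a real yodpxub, feed the file bytes to recover_keystream with KNOWN_XML_PREFIX: if infer_key_length returns 32, the trailing 0x38 in the dump is an artifact; if it returns 33, the TL;DR figure is the one to correct.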

Stage 5 -- C2 Beacon

Bichromate phones home over HTTPS to Cloudflare-proxied domains. The initial beacon may fetch an updated payload, retrieve additional configuration parameters, or confirm that the embedded payload should be used. The use of Cloudflare CDN means the actual origin server IP is hidden behind Anycast addresses shared with millions of legitimate websites.

Stage 6 -- Fileless Payload Execution

The jri blob is decrypted in memory using CryptoPP's AES-CBC implementation. Shannon entropy of 7.96 bits per byte (maximum 8.0) is consistent with properly encrypted data: no byte value dominates and there is no structure for a static signature to key on. Entropy alone does not prove encryption, since compressed archives score similarly; here it is the Crypto++ AES-CBC code path that confirms it. The resulting DeerStealer binary executes without ever being written to disk in plaintext form. File-based antivirus scanning never gets a chance to inspect it.

The use of CryptoPP (Crypto++) rather than the Windows CryptoAPI is noteworthy. Crypto++ is a C++ library that is statically linked into the binary, so the import table shows no CryptDecrypt or BCryptDecrypt. Heuristics that key on Windows crypto API imports have nothing to flag, and the library's presence is unremarkable on its own because plenty of legitimate software embeds it.
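The entropy triage described in Stage 6, as an added example (not BGI's tooling and not code from the sample): it computes Shannon entropy per byte, refuses to call a blob "encrypted" when it starts with a known compressed-container header (the false positive entropy alone produces), and scans a larger file in windows to locate where an encrypted region begins. The three buffers are constructed stand-ins; no bytes from the real jri are included.

```python
"""Shannon entropy triage for dropped files (the jri blob scores 7.96 bits/byte).

Added example for this report, not BGI's tooling and not code from the sample.
The buffers below are CONSTRUCTED stand-ins: repeated text, a seeded pseudo-random
buffer standing in for AES output, and that buffer behind a ZIP local-file header.
"""
import math
import random
from collections import Counter

# Container magics that also score near 8.0 bits/byte; entropy alone cannot tell
# these from ciphertext, so check for them before calling a blob "encrypted".
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip", b"MSCF": "cab", b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar",
    b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def container_type(data: bytes):
    """Name of a known compressed container if data starts with its magic."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = 7.9) -> str:
    """'encrypted' = high entropy AND no known compressed-container header."""
    if shannon_entropy(data) < threshold:
        return "low-entropy"            # code, text, most PE sections
    kind = container_type(data)
    return f"compressed-{kind}" if kind else "encrypted"


def high_entropy_regions(data: bytes, window: int = 8192, step: int = 2048,
                         threshold: float = 7.9):
    """Window offsets above the threshold: locates where an encrypted blob sits
    inside a larger file, e.g. a payload appended to a legitimate binary."""
    return [off for off in range(0, max(1, len(data) - window + 1), step)
            if shannon_entropy(data[off:off + window]) >= threshold]


# --- CONSTRUCTED inputs ---
TEXT_BLOB = b"Going to download the file at %s/%s\r\n" * 400       # GDE-style log text
_rng = random.Random(20260315)                                     # fixed seed: reproducible
CIPHER_LIKE = bytes(_rng.getrandbits(8) for _ in range(65536))      # stands in for the jri blob
ZIP_LIKE = b"PK\x03\x04" + CIPHER_LIKE                              # same bytes, ZIP header in front
COMPOSITE = TEXT_BLOB + CIPHER_LIKE + TEXT_BLOB                     # ciphertext between plaintext

if __name__ == "__main__":
    for name, blob in (("text", TEXT_BLOB), ("cipher-like", CIPHER_LIKE), ("zip-like", ZIP_LIKE)):
        print(f"{name:12s} {shannon_entropy(blob):.3f} bits/byte -> {classify(blob)}")
    print(f"encrypted region in composite starts near offset {high_entropy_regions(COMPOSITE)[0]:#x}")
```

The 7.9 threshold is deliberately below the 7.96 reported for jri: a real ciphertext of a few kilobytes sits a little under 8.0 because of sampling noise, and a threshold too close to 8.0 misses it.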

Stage 7 -- Credential Harvesting

DeerStealer activates its full collection suite:

Category            Scope     Details
Browsers            50+       Passwords, cookies, autofill, credit cards, history
Browser Extensions  800+      Crypto wallets, authenticators, password managers
Crypto Wallets      14+       Electrum, Exodus, Atomic, MetaMask, Phantom, etc.
Messaging           Multiple  Discord tokens, Telegram tdata, WhatsApp, Signal sessions
VPN/FTP             Multiple  OpenVPN configs, WinSCP, FileZilla saved credentials
System              Full      Screenshots, clipboard, installed software inventory
Hidden VNC          30 FPS    Real-time screen viewing without user knowledge
Keylogger           Live      Every keystroke captured post-infection

The hidden VNC server is particularly dangerous. At 30 frames per second, the attacker has a smooth, real-time view of the victim's desktop. This is not a periodic screenshot module -- this is live surveillance. Combined with the keylogger, the operator can watch the victim type passwords, navigate banking sites, and handle cryptocurrency wallets in real time.

Stage 8 -- Persistence

Three independent persistence mechanisms ensure DeerStealer survives reboots:

Mechanism          Details
Registry Run Key   HKCU\Software\Microsoft\Windows\CurrentVersion\Run value AppVTemplate (installed via AppVTemplate.msi)
Scheduled Task 1   zceWriter
Scheduled Task 2   dyApp
Scheduled Task 3   Pluginsecurity_dbg

The naming conventions are designed to blend with legitimate system processes. AppVTemplate mimics Microsoft's App-V virtualization service. Pluginsecurity_dbg suggests a debugging component for a security plugin. These names would not raise immediate suspicion in a quick visual scan of the registry or task scheduler.

Stage 9 -- Exfiltration

Stolen data is staged in local SQLite databases before exfiltration. The database schema uses two primary tables:

ribs_collection  -- Raw harvested data awaiting processing
ribs_payload     -- Processed data packaged for exfiltration

Exfiltration occurs through a multi-layer encrypted channel:

  1. Data is XOR-encrypted and sent as HTTPS POST requests
  2. Larger collections are compressed into AES-encrypted ZIP archives
  3. All traffic routes through Cloudflare's CDN via a "Gasket" proxy layer
  4. The Cloudflare-fronted C2 domains ensure the origin server IP remains hidden

Infrastructure Analysis

Active C2 Domains

All active C2 infrastructure sits behind Cloudflare. The resolved IPs are Cloudflare Anycast addresses shared with a large number of unrelated sites: blocking them causes collateral damage without cutting off the C2, which can move to another Cloudflare edge address at any time. Block on the domain name instead, at DNS and, for hosts that bypass the corporate resolver, on the TLS SNI or HTTP Host header at the proxy.

Domain                   Status   Resolved IPs                  Notes
telluricaphelion[.]com   ACTIVE   172.67.213.91, 104.21.69.210  Cloudflare CDN, primary C2
loadinnnhr[.]today       ACTIVE   104.21.34.173, 172.67.163.79  Cloudflare CDN, secondary C2
nacreousoculus[.]pro     OFFLINE  SERVFAIL                      Rotated out during analysis window
ncloud-servers[.]shop    OFFLINE  NXDOMAIN                      Rotated out during analysis window
watchlist-verizon[.]com  Unknown  --                            Associated DeerStealer C2
365-drive[.]com          Unknown  --                            Associated DeerStealer C2

Most of the domain names are manually crafted. "Telluricaphelion" combines astronomical terminology (telluric + aphelion) into a compound word that avoids keyword blocklists while remaining pronounceable and plausible as a tech company name. "Nacreousoculus" blends nacre (mother of pearl) with oculus. These are not DGA-generated domains -- the linguistic sophistication is too high. They are human-crafted to evade both automated and manual domain reputation analysis. loadinnnhr[.]today is the exception: it reads as a keyboard-mashed string rather than a dictionary compound, so the word-based pattern is a preference of this operator, not a rule to build detections on.

Two domains rotated offline during the analysis window (SERVFAIL and NXDOMAIN, respectively), indicating active infrastructure management by the operator. Domain rotation is a standard operational practice in the DeerStealer/Rugmi ecosystem, with typical rotation intervals measured in days to weeks.

Cloudflare-Proxied IP Addresses (Low Confidence)

IP             ASN                   Associated Domain
172.67.213.91  AS13335 (Cloudflare)  telluricaphelion[.]com
104.21.69.210  AS13335 (Cloudflare)  telluricaphelion[.]com
104.21.34.173  AS13335 (Cloudflare)  loadinnnhr[.]today
172.67.163.79  AS13335 (Cloudflare)  loadinnnhr[.]today

Do not block these IPs. They are shared Cloudflare Anycast addresses serving a large number of legitimate websites. Block on the domain name (DNS, TLS SNI, or proxy), not on the address.


Attribution and the DeerStealer MaaS Ecosystem

DeerStealer is a Malware-as-a-Service platform sold by @LuciferXfiles on Telegram-based cybercrime forums. The subscription model offers tiered access:

Tier        Approximate Price  Capabilities
Basic       ~$200/month        Browser credential theft, cookie harvesting
Standard    ~$1,000/month      + Crypto wallets, extensions, messaging sessions
Full Suite  ~$3,000/month      + Hidden VNC, clipper, keylogger, SmartScreen bypass

The capabilities observed in this sample -- hidden VNC at 30 FPS, live keylogger, 800+ extension targeting -- are consistent with the full-suite tier. At $3,000/month, the operator has invested in the premium offering.

This specific bundle was deployed by an affiliate, not the DeerStealer developer. The lure construction choices -- WiX Burn format, "Cyme" publisher name, "Antonomasia" branding, password tool decoy, Adobe GDE weaponization -- are operational decisions made at the affiliate level. The DeerStealer kit provides the payload; the affiliate provides the delivery mechanism and social engineering.

Distribution Vector

Most likely: malvertising. Delivery of this particular sample was not observed directly, but the Rugmi/DeerStealer ecosystem is documented for purchasing Google Ads targeting users searching for password managers, productivity tools, and system utilities, and the lure fits that playbook exactly. The victim searches for a password tool, clicks a promoted result, downloads what appears to be a legitimate installer, and gets an infostealer. The Active@ Password Changer decoy completes the illusion -- the victim gets the software they wanted, and never suspects anything else happened.

Compile Timestamp Analysis

The PE compile timestamp claims 2017-11-18. This is forged. The WiX Burn framework version, the Qt5 library versions bundled in the CAB, and the DeerStealer feature set (hidden VNC, 800+ extension targets) are all consistent with 2025-2026 development. Timestamp forging is a standard anti-analysis technique intended to confuse timeline-based correlation and make the sample appear to predate known DeerStealer infrastructure.
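The timestamp argument above, and the export-directory name from Stage 3, as an added example with a stdlib-only PE parser (not BGI's tooling and not code from the sample). A linker writes a TimeDateStamp into the COFF header and another into the export directory; a forger who patches only the COFF field leaves the two disagreeing, and a COFF date earlier than the newest bundled component can plausibly be is a second tell. build_test_pe() constructs a minimal synthetic PE32 so the checks run without the real binary; the timestamps and the "CCMNative.dll" name it is fed are chosen here to mirror the report, not read from the sample.

```python
"""Cross-check PE timestamps and read the export-directory name, stdlib only.

Added example for this report, not BGI's tooling and not code from the sample.
build_test_pe() builds a CONSTRUCTED minimal PE32 (one section holding an export
directory) so the parser can be exercised offline.
"""
import datetime
import struct


def _u16(d, o): return struct.unpack_from("<H", d, o)[0]
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]


def iso(ts: int) -> str:
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d")


def parse_pe(data: bytes) -> dict:
    """Return the COFF timestamp, section names and export directory (timestamp, name)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec, coff_ts, opt_size = _u16(data, coff + 2), _u32(data, coff + 4), _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)                         # 0x10B = PE32, 0x20B = PE32+
    dd = opt + (96 if magic == 0x10B else 112)      # first data directory
    ndirs = _u32(data, dd - 4)
    sections = []
    for i in range(nsec):
        o = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, o + 8)
        sections.append((data[o:o + 8].rstrip(b"\0").decode(errors="replace"), va, vsize, rawptr, rawsize))

    def rva_to_offset(rva):
        for _, va, vsize, rawptr, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    export = None
    if ndirs >= 1 and _u32(data, dd) != 0:          # directory 0 = export table
        eo = rva_to_offset(_u32(data, dd))
        name_off = rva_to_offset(_u32(data, eo + 12))
        export = {"timestamp": _u32(data, eo + 4),
                  "name": data[name_off:data.index(b"\0", name_off)].decode(errors="replace")}
    return {"coff_timestamp": coff_ts, "sections": [s[0] for s in sections], "export": export}


def timestamp_findings(info: dict, not_before=None, slack: int = 86400) -> list:
    """Findings that suggest the COFF timestamp was altered. not_before is an
    analyst-supplied earliest plausible build time (ASSUMPTION: e.g. the release
    date of the newest bundled component version)."""
    findings, c, exp = [], info["coff_timestamp"], info["export"]
    if c in (0, 0xFFFFFFFF):
        findings.append("COFF timestamp is zeroed or all-ones (scrubbed)")
    if exp and exp["timestamp"] not in (0, 0xFFFFFFFF) and abs(c - exp["timestamp"]) > slack:
        findings.append(f"COFF {iso(c)} vs export directory {iso(exp['timestamp'])}: "
                        "linker-written timestamps disagree")
    if not_before is not None and c < not_before:
        findings.append(f"COFF {iso(c)} predates the earliest plausible build date {iso(not_before)}")
    return findings


def build_test_pe(coff_ts: int, export_ts: int, export_name: str) -> bytes:
    """CONSTRUCTED minimal PE32: DOS stub, COFF, PE32 optional header, one .rdata
    section holding an export directory. Not a real or runnable binary."""
    sec_rva, sec_raw = 0x1000, 0x200
    exp = struct.pack("<IIHHIIIIIII", 0, export_ts, 0, 0, sec_rva + 40, 1, 0, 0, 0, 0, 0)
    sec_data = (exp + export_name.encode() + b"\0").ljust(0x200, b"\0")
    dirs = struct.pack("<II", sec_rva, len(exp)) + b"\0" * (8 * 15)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + dirs
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, len(opt), 0x2102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(sec_data), sec_rva, len(sec_data), sec_raw) + b"\0" * 16
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(sec_raw, b"\0") + sec_data


if __name__ == "__main__":
    info = parse_pe(build_test_pe(1510963200, 1765000000, "CCMNative.dll"))  # 2017-11-18 vs late 2025
    print("export name :", info["export"]["name"])
    for f in timestamp_findings(info, not_before=1704067200):                  # 2024-01-01
        print("finding     :", f)
```

On the real Bichromate.dll, compare the export-directory timestamp with the COFF one the same way; a Rich header or a debug directory (CodeView) timestamp, if present, gives a third point of comparison.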


Indicators of Compromise

Malicious File Hashes

Filename                               SHA-256
executable.exe / psyche.exe (dropper)  04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c
Bichromate.dll (CCMNative.dll)         58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7
jri (encrypted DeerStealer)            d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82
yodpxub (C2 config)                    1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669

Additional hashes for the dropper:

Algorithm  Hash
MD5        73e9ab1674c64f040da642b6a4690356
SHA-1      e5a508bf8a7170cbacd6e6ab0259073a2a07b3cf

Legitimate Component Hashes (For Allowlisting)

Filename                         SHA-256
ActiveISO.exe (decoy)            588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd
msvcp140.dll                     72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e
Qt5Core.dll                      f7bddcd19a740e179827a99c23cc045d6f4ab8d5b6699592b1a1e8fcb6ddc22f
Qt5Gui.dll                       ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34
Qt5Network.dll                   d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b
Qt5PrintSupport.dll              7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1
Qt5Widgets.dll                   4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d
StarBurn.dll                     c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340
vcruntime140.dll                 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
vcruntime140_1.dll               1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
BootstrapperApplicationData.xml  af5ec3654463a5a657fb60184a7e26dc863a860dbe58930fa874fddd97ccce27

Network Indicators

Domain                   Type  Status   Action
telluricaphelion[.]com   C2    ACTIVE   Block at DNS immediately
loadinnnhr[.]today       C2    ACTIVE   Block at DNS immediately
nacreousoculus[.]pro     C2    OFFLINE  Monitor for reactivation
ncloud-servers[.]shop    C2    OFFLINE  Monitor for reactivation
watchlist-verizon[.]com  C2    Unknown  Preventive block
365-drive[.]com          C2    Unknown  Preventive block

File System Artifacts

Path                          Description
%TEMP%\{GUID}\Bichromate.dll  Dropped download engine
%TEMP%\{GUID}\CCMNative.dll   Masqueraded DLL name
%TEMP%\{GUID}\yodpxub         Obfuscated C2 config
%TEMP%\{GUID}\jri             AES-encrypted payload blob
%TEMP%\{GUID}\ActiveISO.exe   Decoy application
%APPDATA%\AppVTemplate\       Likely DeerStealer working directory

Registry Indicators

Key                                                        Value         Data
HKCU\Software\Microsoft\Windows\CurrentVersion\Run         AppVTemplate  Path to DeerStealer
HKLM\...\Uninstall\{039b68bb-ce50-4ecf-919a-0063a775d991}  DisplayName   Antonomasia
HKLM\...\Uninstall\{039b68bb-ce50-4ecf-919a-0063a775d991}  Publisher     Cyme

Scheduled Tasks

Task Name           Purpose
zceWriter           DeerStealer persistence
dyApp               DeerStealer persistence
Pluginsecurity_dbg  DeerStealer persistence

Bundle GUIDs

Type             Value
Bundle GUID      {039b68bb-ce50-4ecf-919a-0063a775d991}
UpgradeCode      {9CA7841D-0AFC-47D7-9FF9-95EEF9DB0AE1}
MSI ProductCode  {5931BD7A-1314-4267-8D1E-1A70FBB0464F}

Cryptographic Artifacts

Type                           Value                                                               Purpose
XOR Key (hex, 33 bytes as dumped)  3c58786d0e72043135730f6f036743312e532220316e216f64691d673d7a027438  yodpxub config decryption
Encryption Algorithm           AES-CBC via CryptoPP                                                jri payload decryption
Payload Entropy                7.96 / 8.00                                                         Near-maximum, consistent with encrypted data

MITRE ATT&CK Mapping

ID         Tactic               Technique                                         Context
T1204.002  Execution            User Execution: Malicious File                    Victim runs the WiX installer
T1036.005  Defense Evasion      Masquerading: Match Legitimate Name or Location   "Antonomasia" by "Cyme", the Active@ Password Changer decoy, and Bichromate.dll carrying the export-directory name CCMNative.dll (masquerading, not side-loading; see Stage 3)
T1027      Defense Evasion      Obfuscated Files or Information                   XOR-encrypted config, AES-encrypted payload
T1140      Defense Evasion      Deobfuscate/Decode Files or Information           In-memory decryption via CryptoPP AES-CBC
T1218.007  Defense Evasion      System Binary Proxy Execution: Msiexec            AppVTemplate.msi invoked by WiX engine
T1620      Defense Evasion      Reflective Code Loading                           DeerStealer payload executed from memory after decryption, never written to disk
T1547.001  Persistence          Registry Run Keys / Startup Folder                HKCU Run key "AppVTemplate"
T1053.005  Persistence          Scheduled Task/Job: Scheduled Task                zceWriter, dyApp, Pluginsecurity_dbg
T1555.003  Credential Access    Credentials from Password Stores: Web Browsers    50+ browsers targeted
T1552.001  Credential Access    Unsecured Credentials: Credentials In Files       VPN/FTP configuration file theft
T1083      Discovery            File and Directory Discovery                      System enumeration and file inventory
T1082      Discovery            System Information Discovery                      OS, hardware, software inventory
T1005      Collection           Data from Local System                            Documents, credentials, wallet files
T1056.001  Collection           Input Capture: Keylogging                         Live keylogger, every keystroke post-infection
T1113      Collection           Screen Capture                                    Hidden VNC server streaming the desktop at 30 FPS
T1074.001  Collection           Data Staged: Local Data Staging                   SQLite databases (ribs_collection, ribs_payload)
T1071.001  Command and Control  Application Layer Protocol: Web Protocols         HTTPS C2 via Cloudflare CDN
T1573.001  Command and Control  Encrypted Channel: Symmetric Cryptography         XOR + AES encrypted C2 traffic
T1041      Exfiltration         Exfiltration Over C2 Channel                      HTTPS POST with encrypted ZIP archives

Detection Engineering

Priority 1 -- Immediate Compromise Indicators

If you find any of these in your environment, assume full credential compromise and initiate incident response:

  1. DNS queries to telluricaphelion[.]com or loadinnnhr[.]today
  2. Scheduled tasks named zceWriter, dyApp, or Pluginsecurity_dbg
  3. Registry value AppVTemplate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  4. Add/Remove Programs entry for "Antonomasia" with GUID {039b68bb-ce50-4ecf-919a-0063a775d991}
  5. Files named yodpxub, jri, Bichromate.dll, or CCMNative.dll in %TEMP% subdirectories
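A sweep for the five Priority 1 indicators, as an added example (not BGI's tooling and not code from the sample). It works on artifact exports rather than a live host, so it runs on the evidence the Incident Response section says to preserve before reimaging: DNS query log lines, a `schtasks /query /fo csv /v` export, a `reg export` of the Run key and the Uninstall hive, and a `dir /s /b %TEMP%` listing. The four inputs at the bottom are constructed samples in those layouts (the CSV keeps only a subset of the real columns, the Temp GUID and the paths are placeholders); only the indicator values come from this report.

```python
"""Offline sweep for the Priority 1 indicators listed above.

Added example for this report (not BGI's tooling, not code from the sample).
All four inputs at the bottom are CONSTRUCTED samples; only the indicator
values (domains, task names, Run value, bundle GUID, file names) are from the report.
"""
import csv
import io

C2_DOMAINS = {                      # status column of the Infrastructure Analysis table
    "telluricaphelion.com": "ACTIVE", "loadinnnhr.today": "ACTIVE",
    "nacreousoculus.pro": "OFFLINE", "ncloud-servers.shop": "OFFLINE",
    "watchlist-verizon.com": "Unknown", "365-drive.com": "Unknown",
}
TASK_NAMES = {"zcewriter", "dyapp", "pluginsecurity_dbg"}
RUN_VALUE = "appvtemplate"
BUNDLE_GUID = "{039b68bb-ce50-4ecf-919a-0063a775d991}"
DROPPED_FILES = {"yodpxub", "jri", "bichromate.dll", "ccmnative.dll"}


def refang(name: str) -> str:
    """Normalise a query name: defanged brackets, case, trailing dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def domain_hit(query: str):
    """Exact or subdomain match only; 'nottelluricaphelion.com' must not match."""
    q = refang(query)
    for d in C2_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def sweep_dns(lines):
    """'<timestamp> <host> <query>' lines -> (timestamp, host, query, ioc, status)."""
    hits = []
    for ln in lines:
        parts = ln.split()
        if len(parts) >= 3 and (d := domain_hit(parts[2])):
            hits.append((parts[0], parts[1], parts[2], d, C2_DOMAINS[d]))
    return hits


def sweep_tasks(schtasks_csv: str):
    """Verbose schtasks CSV: TaskName is '\\<folder>\\<name>'; match the leaf name."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        leaf = row.get("TaskName", "").rsplit("\\", 1)[-1]
        if leaf.lower() in TASK_NAMES:
            hits.append((leaf, row.get("Task To Run", "")))
    return hits


def sweep_reg(reg_text: str):
    """.reg export text (reg export writes UTF-16; decode before passing). Flags
    the AppVTemplate Run value and the bundle's Uninstall key."""
    hits, key = [], ""
    for ln in reg_text.splitlines():
        ln = ln.strip()
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            if BUNDLE_GUID.lower() in key.lower():
                hits.append((key, "<bundle uninstall key>", ""))
        elif ln.startswith('"') and "=" in ln and key.lower().endswith("\\currentversion\\run"):
            name, _, data = ln.partition("=")
            if name.strip('"').lower() == RUN_VALUE:
                hits.append((key, name.strip('"'), data))
    return hits


def sweep_files(listing):
    """`dir /s /b` lines: flag the dropped component names anywhere under a Temp path."""
    return [p for p in listing
            if "\\temp\\" in p.lower() and p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


# --- CONSTRUCTED inputs ---
DNS_LOG = """\
2026-03-15T10:02:11Z WS-0142 www.microsoft.com
2026-03-15T10:02:19Z WS-0142 telluricaphelion.com
2026-03-15T10:02:20Z WS-0142 cdn.loadinnnhr.today.
2026-03-15T10:05:03Z WS-0199 nottelluricaphelion.com
""".splitlines()
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run"
"WS-0142","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c"
"WS-0142","\zceWriter","Ready","C:\Users\victim\AppData\Roaming\AppVTemplate\zce.exe"
"WS-0142","\dyApp","Ready","C:\Users\victim\AppData\Roaming\AppVTemplate\dy.exe"
'''
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"AppVTemplate"="C:\\Users\\victim\\AppData\\Roaming\\AppVTemplate\\AppVTemplate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{039b68bb-ce50-4ecf-919a-0063a775d991}]
"DisplayName"="Antonomasia"
"Publisher"="Cyme"
"""
FILE_LISTING = r"""C:\Users\victim\AppData\Local\Temp\{11111111-2222-3333-4444-555555555555}\ActiveISO.exe
C:\Users\victim\AppData\Local\Temp\{11111111-2222-3333-4444-555555555555}\Bichromate.dll
C:\Users\victim\AppData\Local\Temp\{11111111-2222-3333-4444-555555555555}\jri
C:\Users\victim\AppData\Local\Temp\{11111111-2222-3333-4444-555555555555}\Qt5Core.dll
""".splitlines()

if __name__ == "__main__":
    for tag, hits in (("DNS ", sweep_dns(DNS_LOG)), ("TASK", sweep_tasks(SCHTASKS_CSV)),
                      ("REG ", sweep_reg(REG_EXPORT)), ("FILE", sweep_files(FILE_LISTING))):
        for h in hits:
            print(tag, h)
```

Any hit from sweep_dns against an ACTIVE domain, or any hit at all from sweep_tasks or sweep_reg, is the trigger for the Incident Response Guidance below; the OFFLINE and Unknown statuses are carried through so that a hit on a rotated-out domain is logged as historical contact rather than discarded.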

Priority 2 -- Behavioral Detection Rules

SIGMA Rule: WiX Burn Bundle Drops Adobe GDE DLL
  title: WiX Burn Bundle Drops Adobe GDE DLL (DeerStealer Bichromate)
  status: experimental
  description: Bichromate.dll, or a DLL named CCMNative.dll, written under a Temp directory, as in DeerStealer bundle 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c
  logsource:
    category: file_event
    product: windows
  detection:
    selection:
      TargetFilename|contains: '\Temp\'
      TargetFilename|endswith:
        - '\Bichromate.dll'
        - '\CCMNative.dll'
    condition: selection
  falsepositives:
    - Genuine Adobe Creative Cloud installations that deploy CCMNative.dll; confirm the writing process is a Burn bundle, not an Adobe setup binary
  level: high

SIGMA Rule: Suspicious Scheduled Task Names
  title: DeerStealer Persistence Scheduled Task Names
  status: experimental
  description: Creation of the zceWriter, dyApp or Pluginsecurity_dbg scheduled tasks. Event 4698 requires "Audit Other Object Access Events" to be enabled.
  logsource:
    product: windows
    service: security
  detection:
    selection:
      EventID: 4698
      TaskName|contains:
        - 'zceWriter'
        - 'dyApp'
        - 'Pluginsecurity_dbg'
    condition: selection
  falsepositives:
    - Unlikely; 'dyApp' is the shortest string and the one to review if it fires alone
  level: critical

YARA Rule: WiX Burn Bundle Carrying Adobe GDE Strings
  rule DeerStealer_WiXBurn_Adobe_GDE_Strings
  {
      meta:
          description = "WiX Burn bundle whose contents carry Adobe Generic Download Engine strings (DeerStealer Bichromate.dll lure)"
          reference   = "sample 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c"
      strings:
          $wixburn = ".wixburn" ascii
          $gde     = "GDE Version is" ascii
          $adobe   = "Adobe_Download_" ascii
      condition:
          uint16(0) == 0x5A4D and $wixburn and ($gde or $adobe)
  }

The GDE strings live in Bichromate.dll inside the CAB. If the CAB is compressed they are not visible in the outer bundle, so also run the rule over the extracted CAB contents, dropping the $wixburn term for that pass.

Priority 3 -- Network Detection

Suricata (5.0+ dns.query sticky-buffer syntax):
  alert dns any any -> any any (msg:"DeerStealer C2 DNS Lookup telluricaphelion.com"; dns.query; content:"telluricaphelion.com"; nocase; classtype:trojan-activity; sid:2026031501; rev:1;)

  alert dns any any -> any any (msg:"DeerStealer C2 DNS Lookup loadinnnhr.today"; dns.query; content:"loadinnnhr.today"; nocase; classtype:trojan-activity; sid:2026031502; rev:1;)

Add the same rule shape for the two rotated-out domains and the two associated domains in the Network Indicators table to catch reactivation.

Incident Response Guidance

If DeerStealer executed on a host, the scope of compromise is total. The hidden VNC module means the attacker was watching the screen in real time. The keylogger captured every keystroke. The credential harvester drained every browser, every wallet, every saved session.

Mandatory response actions:

  1. Isolate the host from the network immediately
  2. Rotate every credential that was ever stored or typed on that machine -- browser passwords, cryptocurrency wallet keys, messaging session tokens, VPN certificates, SSH keys, API tokens
  3. Revoke all active sessions for accounts accessed from the compromised host
  4. Check cryptocurrency wallets for unauthorized transfers -- the attacker had real-time access
  5. Enable MFA on all accounts that do not already have it -- the attacker has the passwords
  6. Preserve forensic artifacts before reimaging: memory dump, disk image, event logs, scheduled task exports, registry hive dumps
  7. Monitor for credential reuse across the organization -- if the compromised user reused passwords, lateral movement is expected

The ribs_collection and ribs_payload SQLite tables, if recoverable from disk, will contain a manifest of exactly what was stolen. This is useful for scoping the breach.


Conclusion

This DeerStealer deployment is a textbook example of how modern MaaS affiliates construct convincing delivery mechanisms. Every element is optimized for evasion and victim confidence: a legitimate WiX Burn installer framework, a working password manager as a decoy, repurposed Adobe download infrastructure for C2 communication, near-perfect-entropy AES encryption for the payload, and Cloudflare CDN for network infrastructure hiding. The 12:3 ratio of legitimate to malicious files in the bundle is engineered specifically to manipulate automated analysis scores.

The repurposing of Adobe's Generic Download Engine is the most technically interesting element. Rather than building custom download and C2 infrastructure from scratch, the affiliate weaponized a legitimate, battle-tested download engine that comes with WinHTTP integration, retry logic, and configuration parsing already built in. Security products that recognize Adobe GDE strings are less likely to flag the network activity as suspicious.

Both C2 domains were confirmed active at time of analysis. The DeerStealer MaaS ecosystem continues to operate openly, with the platform developer maintaining Telegram presence and affiliates deploying new campaigns on a near-daily basis. This sample is one instance of a much larger ongoing operation.


Investigation: executable-04bb4867 | Sample: 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c | TLP:WHITE

Breakglass Intelligence -- Automated Threat Hunting | intel.breakglass.tech
