That Password Manager You Downloaded Is Actually a $3,000/Month Infostealer
A WiX Burn installer calling itself "Antonomasia" by "Cyme" bundles a fully functional copy of Active@ Password Changer alongside DeerStealer -- a MaaS infostealer that will drain your browser credentials, crypto wallets, and messaging sessions before you finish clicking through the setup wizard. The social engineering is deliberate: users searching for password management tools are statistically likely to have something worth stealing. The threat actor knows this.
Sample 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c was first observed on 2026-03-15. Two C2 domains were active at the time of analysis. The PE compile timestamp claims 2017. It's forged.
How the Bundle Works
The outer executable is a legitimate WiX Burn bootstrapper -- the same installer framework used by Microsoft Visual Studio and other trusted software. The .wixburn PE section at the header and an embedded CAB archive at file offset 0x71200 are the structural tells. Inside that CAB: 15 files. Only three are malicious. The rest are genuine Qt5 libraries, MSVC runtimes, and a StarBurn SDK DLL, all present to inflate the "clean" file ratio and make superficial AV analysis return a low threat score.
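A triage script, added here and not part of the original analysis, that checks a binary for the two structural tells described above (a `.wixburn` section in the PE section table and an embedded CAB, found by its `MSCF` signature) and reports the COFF timestamp so a backdated build time stands out. It runs on a constructed, non-loadable stand-in PE built inside the script; the offsets and names in that stand-in are not taken from the real dropper.

```python
import struct
from datetime import datetime, timezone

CAB_MAGIC = b"MSCF"  # Microsoft Cabinet (CAB) file signature


def parse_pe(data: bytes) -> dict:
    """Return the section names and COFF TimeDateStamp of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # COFF header: NumberOfSections at +6, TimeDateStamp at +8, SizeOfOptionalHeader at +20
    n_sections, timestamp = struct.unpack_from("<HI", data, pe_off + 6)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {"sections": names, "timestamp": timestamp}


def find_cab_offsets(data: bytes) -> list:
    """Offsets of every MSCF signature; a heuristic, so confirm by extracting."""
    offsets, start = [], 0
    while (i := data.find(CAB_MAGIC, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def triage(data: bytes) -> dict:
    """Flag the two structural tells and surface the (possibly forged) build time."""
    pe = parse_pe(data)
    when = datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat()
    return {"is_wix_burn": ".wixburn" in pe["sections"],
            "cab_offsets": find_cab_offsets(data), "compile_time": when}


def build_sample() -> bytes:
    """Constructed stand-in: a minimal, non-loadable PE with a .wixburn section and
    a CAB signature at 0x200. Not derived from the real dropper."""
    ts = 1483228800  # 2017-01-01T00:00:00Z, mimicking the sample's backdated stamp
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE header at 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, ts, 0, 0, 0, 0x22)
    section = lambda name: name.ljust(8, b"\0") + b"\0" * 32  # 40-byte table entry
    image = dos + coff + section(b".text") + section(b".wixburn")
    return image.ljust(0x200, b"\0") + CAB_MAGIC + b"\0" * 32


if __name__ == "__main__":
    print(triage(build_sample()))
```

On the real sample the CAB offset reported should be 0x71200; a `.wixburn` section alone only says "Burn bundle", so the CAB contents still need to be extracted and hashed against the tables below.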
Bundle Identity:
Display Name : Antonomasia
Publisher : Cyme
Version : 5.3.10.0
Bundle GUID : {039b68bb-ce50-4ecf-919a-0063a775d991}
UpgradeCode : {9CA7841D-0AFC-47D7-9FF9-95EEF9DB0AE1}
MSI Product : {5931BD7A-1314-4267-8D1E-1A70FBB0464F}
The malicious trio:
| File | SHA256 | Role |
|---|---|---|
| Bichromate.dll | 58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7 | Download engine (masquerades as Adobe CCMNative.dll) |
| jri | d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82 | AES-CBC encrypted DeerStealer payload (entropy 7.96) |
| yodpxub | 1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669 | XOR-obfuscated C2 configuration |
The decoy -- ActiveISO.exe (SHA256: 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd) -- is a genuine, unmodified copy of Active@ Password Changer by LSoft Technologies. It installs, it works, and it keeps the victim distracted.
The Kill Chain
Stage 1 -- Extraction. The WiX Burn engine extracts the CAB to %TEMP%\{GUID}\ and registers "Antonomasia" in Add/Remove Programs. To Windows, it looks like a normal software installation.
Stage 2 -- Decoy. Active@ Password Changer installs visibly. The user sees a real product doing real things. No suspicion.
Stage 3 -- Bichromate loads. Bichromate.dll is dropped and loaded under the export name CCMNative.dll -- Adobe Creative Cloud Manager's native component. This is DLL masquerading. The DLL itself is a weaponized copy of Adobe's Generic Download Engine (GDE v7.0.4.0). Debug strings confirm the provenance:
"GDE Version is 7.0.4.0"
"Adobe_Download_.%s"
"Going to download the file at %s/%s"
Repurposing a legitimate Adobe download engine as your malware loader is a bold choice. It comes pre-built with WinHTTP integration, chunked transfer support, and RSA signature verification -- everything you need for a robust C2 communication channel.
Stage 4 -- Config decryption. Bichromate reads yodpxub and decrypts it with a 32-byte XOR key:
Key (hex): 3c58786d0e72043135730f6f036743312e532220316e216f64691d673d7a027438
The result is a CCMConfig.xml file containing the C2 download URL. The first 38 bytes after decryption: <?xml version="1.0" encoding="utf-8"?>.
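A decryption and indicator-extraction helper for recovered yodpxub blobs, added here and not part of the original analysis. It applies the key above as a repeating XOR key, verifies the 38-byte XML declaration as a known-plaintext check (so a changed key in a newer build fails loudly instead of producing garbage), and pulls URLs out of the result for DNS blocking. It runs on a constructed stand-in config whose element names and URL are placeholders; note that the hex as printed decodes to 33 bytes, so the key length is taken from the string rather than assumed.

```python
import re

# XOR key exactly as printed in the analysis above; used as a repeating key
KEY = bytes.fromhex(
    "3c58786d0e72043135730f6f036743312e532220316e216f64691d673d7a027438"
)
# The first 38 bytes of a correctly decrypted yodpxub are this XML declaration
XML_HEADER = b'<?xml version="1.0" encoding="utf-8"?>'
URL_RE = re.compile(rb'https?://[^\s"<>]+')


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(blob: bytes) -> bytes:
    """Decrypt a recovered yodpxub blob and verify the known-plaintext header.

    Raises ValueError if the XML declaration is absent, which means either the
    key differs in this build or the file is not a Bichromate config at all.
    """
    plain = xor_repeating(blob, KEY)
    if not plain.startswith(XML_HEADER):
        raise ValueError("header check failed: wrong key or not a yodpxub blob")
    return plain


def extract_urls(plain: bytes) -> list:
    """Pull every http(s) URL out of the decrypted CCMConfig.xml for blocking."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(plain)]


# Constructed sample: a stand-in config built here for demonstration only.
# The element names and the URL are placeholders, not the real config layout.
SAMPLE_PLAINTEXT = (
    XML_HEADER
    + b'\n<CCMConfig><Download url="https://c2.example.invalid/payload.bin"/>'
    + b"</CCMConfig>\n"
)
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAINTEXT, KEY)


if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BLOB)
    print("decrypted", len(cfg), "bytes; URLs to block:", extract_urls(cfg))
```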
Stage 5 -- C2 beacon. Bichromate phones home over HTTPS to Cloudflare-proxied domains. It may fetch an updated payload or proceed with the embedded one.
Stage 6 -- Fileless execution. The jri blob is decrypted in memory using CryptoPP's AES-CBC implementation. The resulting DeerStealer binary executes without ever touching disk in plaintext form. File-based AV never sees it.
Stage 7 -- Everything gets stolen. DeerStealer harvests:
- Credentials from 50+ browsers (passwords, cookies, autofill, credit cards)
- 800+ browser extensions (crypto wallets, authenticators, password managers)
- 14+ cryptocurrency desktop wallets (Electrum, Exodus, Atomic, etc.)
- Messaging sessions (Discord tokens, Telegram tdata, WhatsApp, Signal)
- VPN/FTP configs (OpenVPN, WinSCP, FileZilla)
- System screenshots, clipboard contents, installed software inventory
It also starts a hidden VNC server running at 30 FPS and a live keylogger. Everything you type after infection is captured.
Stage 8 -- Persistence. Three mechanisms:
- Registry run key: HKCU\...\Run value AppVTemplate (installed via AppVTemplate.msi)
- Scheduled tasks: zceWriter, dyApp, Pluginsecurity_dbg
Stage 9 -- Exfiltration. Stolen data stages in local SQLite databases (ribs_collection and ribs_payload tables), then ships out as XOR-encrypted HTTPS POSTs and AES-encrypted ZIP archives through Cloudflare's CDN via a "Gasket" proxy layer.
Infrastructure and Attribution
All active C2 infrastructure sits behind Cloudflare, which means the resolved IPs are Cloudflare Anycast addresses. Blocking them would break half the internet. Domain-based DNS blocking is the only effective network mitigation.
C2 Domains
| Domain | Status | Resolved IPs | Notes |
|---|---|---|---|
| telluricaphelion[.]com | ACTIVE | 172.67.213.91, 104.21.69.210 | Cloudflare CDN |
| loadinnnhr[.]today | ACTIVE | 104.21.34.173, 172.67.163.79 | Cloudflare CDN |
| nacreousoculus[.]pro | OFFLINE (SERVFAIL) | -- | Rotated out |
| ncloud-servers[.]shop | OFFLINE (NXDOMAIN) | -- | Rotated out |
| watchlist-verizon[.]com | Unknown | -- | Associated DeerStealer C2 |
| 365-drive[.]com | Unknown | -- | Associated DeerStealer C2 |
The domain naming pattern -- high-entropy compound words like "telluricaphelion" and "nacreousoculus" -- is manually crafted to avoid keyword blocklists while remaining pronounceable. Two domains already rotated offline during the analysis window, indicating active infrastructure management.
DeerStealer is a MaaS platform sold by @LuciferXfiles on Telegram-based cybercrime forums. Pricing runs $200 to $3,000/month depending on tier. This specific bundle was likely deployed by an affiliate -- the lure construction choices (WiX format, "Cyme" publisher name, "Antonomasia" branding, password tool decoy) are operational decisions made at the affiliate level, not dictated by the malware kit.
Distribution vector: almost certainly malvertising. The Rugmi/DeerStealer ecosystem is known for purchasing Google Ads targeting users searching for password managers and productivity tools. You search for a password tool, you click an ad, you get an infostealer.
Indicators of Compromise
Malicious File Hashes
| Filename | SHA256 |
|---|---|
| executable.exe / psyche.exe (dropper) | 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c |
| Bichromate.dll (CCMNative.dll) | 58a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7 |
| jri (encrypted DeerStealer) | d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82 |
| yodpxub (C2 config) | 1a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669 |
Additional hashes for the dropper:
- MD5: 73e9ab1674c64f040da642b6a4690356
- SHA1: e5a508bf8a7170cbacd6e6ab0259073a2a07b3cf
Legitimate Component Hashes (for allowlisting)
| Filename | SHA256 |
|---|---|
| ActiveISO.exe (decoy) | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| msvcp140.dll | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| Qt5Core.dll | f7bddcd19a740e179827a99c23cc045d6f4ab8d5b6699592b1a1e8fcb6ddc22f |
| Qt5Gui.dll | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| Qt5Network.dll | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| Qt5PrintSupport.dll | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| Qt5Widgets.dll | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| StarBurn.dll | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| vcruntime140.dll | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| vcruntime140_1.dll | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| BootstrapperApplicationData.xml | af5ec3654463a5a657fb60184a7e26dc863a860dbe58930fa874fddd97ccce27 |
Network Indicators
| Domain | Type | Status | Action |
|---|---|---|---|
| telluricaphelion[.]com | C2 | ACTIVE | Block at DNS immediately |
| loadinnnhr[.]today | C2 | ACTIVE | Block at DNS immediately |
| nacreousoculus[.]pro | C2 | OFFLINE | Monitor for reactivation |
| ncloud-servers[.]shop | C2 | OFFLINE | Monitor for reactivation |
| watchlist-verizon[.]com | C2 | Unknown | Preventive block |
| 365-drive[.]com | C2 | Unknown | Preventive block |
IP Addresses (Low Confidence -- Cloudflare Shared Infrastructure)
| IP | ASN | Domain |
|---|---|---|
| 172.67.213.91 | AS13335 (Cloudflare) | telluricaphelion[.]com |
| 104.21.69.210 | AS13335 (Cloudflare) | telluricaphelion[.]com |
| 104.21.34.173 | AS13335 (Cloudflare) | loadinnnhr[.]today |
| 172.67.163.79 | AS13335 (Cloudflare) | loadinnnhr[.]today |
Do not block these IPs. They are shared Cloudflare Anycast addresses. Use DNS-layer blocking only.
File System Artifacts
| Path | Description |
|---|---|
| %TEMP%\{GUID}\Bichromate.dll | Dropped download engine |
| %TEMP%\{GUID}\CCMNative.dll | Masqueraded DLL name |
| %TEMP%\{GUID}\yodpxub | Obfuscated C2 config |
| %TEMP%\{GUID}\jri | AES-encrypted payload blob |
| %TEMP%\{GUID}\ActiveISO.exe | Decoy application |
| %APPDATA%\AppVTemplate\ | Likely DeerStealer working directory |
Registry Indicators
| Key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | AppVTemplate | Path to DeerStealer |
| HKLM\...\Uninstall\{039b68bb-ce50-4ecf-919a-0063a775d991} | DisplayName | Antonomasia |
| HKLM\...\Uninstall\{039b68bb-ce50-4ecf-919a-0063a775d991} | Publisher | Cyme |
Scheduled Tasks
| Task Name | Purpose |
|---|---|
| zceWriter | DeerStealer persistence |
| dyApp | DeerStealer persistence |
| Pluginsecurity_dbg | DeerStealer persistence |
Bundle GUIDs
| Type | Value |
|---|---|
| Bundle GUID | {039b68bb-ce50-4ecf-919a-0063a775d991} |
| UpgradeCode | {9CA7841D-0AFC-47D7-9FF9-95EEF9DB0AE1} |
| MSI ProductCode | {5931BD7A-1314-4267-8D1E-1A70FBB0464F} |
Cryptographic Artifacts
| Type | Value | Purpose |
|---|---|---|
| XOR Key (hex) | 3c58786d0e72043135730f6f036743312e532220316e216f64691d673d7a027438 | yodpxub decryption |
MITRE ATT&CK Mapping
| ID | Tactic | Technique | Context |
|---|---|---|---|
| T1204.002 | Initial Access | User Execution: Malicious File | Victim runs the WiX installer |
| T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name | "Antonomasia" by "Cyme" + Active@ Password Changer decoy |
| T1574.002 | Defense Evasion | Hijack Execution Flow: DLL Side-Loading | Bichromate.dll exported as CCMNative.dll (Adobe component) |
| T1027 | Defense Evasion | Obfuscated Files or Information | XOR-encrypted config, AES-encrypted payload |
| T1140 | Defense Evasion | Deobfuscate/Decode Files or Information | In-memory decryption via CryptoPP |
| T1218.007 | Defense Evasion | System Binary Proxy Execution: Msiexec | AppVTemplate.msi invoked by WiX |
| T1059 | Execution | Command and Scripting Interpreter | DeerStealer payload execution post-decryption |
| T1547.001 | Persistence | Registry Run Keys | HKCU Run key "AppVTemplate" |
| T1053.005 | Persistence | Scheduled Task | zceWriter, dyApp, Pluginsecurity_dbg |
| T1555.003 | Credential Access | Credentials from Password Stores: Web Browsers | 50+ browsers targeted |
| T1552.001 | Credential Access | Unsecured Credentials: Credentials In Files | VPN/FTP config file theft |
| T1083 | Discovery | File and Directory Discovery | System enumeration |
| T1082 | Discovery | System Information Discovery | OS, hardware, software inventory |
| T1005 | Collection | Data from Local System | Documents, credentials, wallet files |
| T1056.001 | Collection | Input Capture: Keylogging | Live keylogger |
| T1071.001 | Command and Control | Application Layer Protocol: Web Protocols | HTTPS C2 via Cloudflare |
| T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography | XOR + AES encrypted C2 traffic |
| T1041 | Exfiltration | Exfiltration Over C2 Channel | HTTPS POST with encrypted archives |
Detection Priorities
If you find any of these in your environment, assume full credential compromise:
- DNS queries to telluricaphelion[.]com or loadinnnhr[.]today
- Scheduled tasks named zceWriter, dyApp, or Pluginsecurity_dbg
- Registry value AppVTemplate under HKCU\...\Run
- Add/Remove Programs entry for "Antonomasia" (GUID {039b68bb-ce50-4ecf-919a-0063a775d991})
- Files named yodpxub, jri, Bichromate.dll, or CCMNative.dll in temp directories
If DeerStealer executed on a host, treat every stored credential, session token, and crypto wallet on that machine as burned. The hidden VNC module means the attacker was watching the screen in real time. Rotate everything.
Investigation: executable-04bb4867 | Sample: 04bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c | TLP:WHITE