Phemedrone Stealer Technical Analysis

This blog post comes from the Phemedrone Stealer Technical Analysis report. If you want to download it as a PDF click here

Executive Summary

Phemedrone stealer malware distinguishes itself through its advanced mechanisms for evading detection, its capability to extract a wide range of sensitive data—including passwords, financial information, and personal identification details—and its flexible architecture that allows its operators to update it to counter cybersecurity measures. It is typically distributed through phishing campaigns, malicious attachments, or exploitation of software vulnerabilities, making it a serious threat to both individual users and organizations.

This technical analysis report aims to dissect the Phemedrone stealer malware, offering insights into its operational framework, distribution methods, and the nature of the data it targets. By delving into its technical characteristics, we seek to understand the malware’s behavior, its interaction with infected systems, and how it communicates with command and control (C2) servers.

Phemedrone has been distributed through malicious advertising and known security vulnerabilities in campaigns observed since August 2023; its modular structure lets its operators readily add new features and capabilities.

In addition to the sensitive data it targets, such as browser history, cookies, autofill data, and credit card information, it also targets various browser extensions, wallets, and popular applications such as Telegram, Steam, and Discord.

No special handling is applied when the collected data is transferred: it is sent to the attacker as a ZIP archive file via Telegram. Beyond basic anti-analysis techniques, we did not observe any effort to establish persistence on the system or to otherwise hinder analysis.
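As an added example (not part of the report), the following Python flags the exfiltration channel described above in web-proxy logs: a ZIP archive uploaded through the Telegram Bot API. The log format, the sample lines, and the assumption that the upload goes to api.telegram.org's sendDocument method are constructed for illustration; the report only states that the archive is sent via Telegram.

```python
import re
from urllib.parse import urlsplit

# Constructed sample web-proxy records (not from the report). Fields:
# timestamp client method url uploaded-filename bytes ("-" when nothing was uploaded).
SAMPLE_LOGS = """\
2024-01-23T10:01:02Z 10.0.0.5 GET https://example.org/index.html - 1204
2024-01-23T10:01:09Z 10.0.0.5 POST https://api.telegram.org/bot123456:ABCDEF-ghij/sendDocument DESKTOP-1A2B3C.zip 348211
2024-01-23T10:02:00Z 10.0.0.7 POST https://api.telegram.org/bot999:XYZ/sendMessage - 188
2024-01-23T10:03:44Z 10.0.0.9 POST https://api.telegram.org/bot555:QQQ/sendDocument notes.pdf 52000
2024-01-23T10:04:10Z 10.0.0.5 GET https://api.telegram.org/bot123456:ABCDEF-ghij/getUpdates - 90
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Bot API paths look like /bot<token>/<method>; the token is a secret, so it is never kept.
BOT_PATH_RE = re.compile(r"^/bot[^/]+/(\w+)$")

def parse_line(line):
    """Split one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, filename, size = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "filename": filename, "size": int(size)}

def telegram_method(url):
    """Return the Bot API method name (e.g. 'sendDocument') for api.telegram.org URLs, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    return m.group(1) if m else None

def is_zip_exfil_via_telegram(rec):
    """Match the behaviour described in the report: a ZIP archive pushed out through Telegram."""
    return (rec["method"] == "POST"
            and telegram_method(rec["url"]) == "sendDocument"
            and rec["filename"].lower().endswith(".zip"))

def find_alerts(log_text):
    """Return (timestamp, client, filename, size) per suspicious upload; the token is not included."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_zip_exfil_via_telegram(rec):
            alerts.append((rec["ts"], rec["client"], rec["filename"], rec["size"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print("ZIP upload to Telegram Bot API:", alert)
```

Benign Telegram traffic (sendMessage, getUpdates, non-ZIP documents) is left alone, so the rule keys on the archive upload rather than on any contact with Telegram.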


Filetype                     Win32 EXE
Written Language             .NET
First Seen / Detection Date  2024-01-23
Initial Infection Vector     Exploit Public-Facing Application, Phishing
Table 1: Phemedrone sample fingerprints

MITRE ATT&CK Threat Matrix

  • TA0001 – Initial Access
    • T1566 – Phishing
  • TA0002 – Execution
    • T1204 – User Execution
    • T1569 – System Services
  • TA0005 – Defense Evasion
    • T1497 – Virtualization/Sandbox Evasion
  • TA0007 – Discovery
    • T1016 – System Network Configuration Discovery
    • T1497 – Virtualization/Sandbox Evasion
    • T1614 – System Location Discovery
    • T1518 – Software Discovery
  • TA0009 – Collection
    • T1560 – Archive Collected Data
  • TA0011 – Command and Control
    • T1573 – Encrypted Channel
  • TA0010 – Exfiltration
    • T1048 – Exfiltration Over Alternative Protocol


Mitigation Strategies

  • Use multi-factor authentication (MFA) and limit user privileges based on roles to minimize the malware’s spread and impact.
  • Regularly update operating systems, applications, and antivirus software to protect against known vulnerabilities.
  • Immediately disable any user accounts that are suspected of being compromised.
  • Force a password reset for all user accounts, especially those that were compromised or have elevated privileges.

You can find the IoCs and Yara Rules in the Brandefense GitHub Repository.
