logo

Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer

ID: 32dc17e4-aeaa-5751-ba24-92aea448a680

STIX ID: report--32dc17e4-aeaa-5751-ba24-92aea448a680

Feed Name: Cyber Press

Threat Score
75/100

Date Published: 2026-07-04

Date Updated: 2026-07-04

Author: Mayura

...
...

A Mexico-focused phishing campaign distributes the TimbreStealer infostealer by shipping malicious DLLs named like legitimate updater libraries inside ZIPs hosted on cloud-provider IPs and abusing DLL side-loading of msedgeupdate/goopdate. The malware uses custom API resolution, RC4-based decryptors, large zero-entropy PE sections, geofencing (locale/timezone/desktop checks) and anti-analysis techniques, and it exfiltrates browser and mail artifacts (Chrome/Edge/Firefox/Thunderbird), making this a technically advanced and high-risk threat for targeted organizations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.