Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer
ID: 32dc17e4-aeaa-5751-ba24-92aea448a680
STIX ID: report--32dc17e4-aeaa-5751-ba24-92aea448a680
Feed Name: Cyber Press
A Mexico-focused phishing campaign distributes the TimbreStealer infostealer by shipping malicious DLLs named like legitimate updater libraries inside ZIPs hosted on cloud-provider IPs and abusing DLL side-loading of msedgeupdate/goopdate. The malware uses custom API resolution, RC4-based decryptors, large zero-entropy PE sections, geofencing (locale/timezone/desktop checks) and anti-analysis techniques, and it exfiltrates browser and mail artifacts (Chrome/Edge/Firefox/Thunderbird), making this a technically advanced and high-risk threat for targeted organizations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
