QuasarStealer
QuasarRAT-based credential-stealer module. It uses ChromiumDecryptor with DecryptAesGcm for Chrome, Edge and Brave, FFFecryptor with PK11SDR_Decrypt for Firefox, and YandexPassReader for Yandex. Stored FileZilla and WinSCP FTP client passwords are also retrieved. The PE compile timestamp is set to a future date, an anti-sandbox technique. The code derives from the open-source QuasarRAT client.
Threat Profile
Type: Infostealer
Programming Language: C#/.NET
C2 Protocol: HTTP
First Seen: 2025
Targets: Global
Purpose / Capabilities
- Credential Theft/FTP
No C2 servers have been identified for this family yet.
Research Reports (1)
QuasarStealer 2e6fbd14 -- QuasarRAT ChromePassReader EdgePassReader BravePassReader FirefoxPK11SDR YandexPassReader FileZilla WinSCP ChromiumDecryptor DecryptAesGcm | High
QuasarStealer 2e6fbd14 PE32 59KB. Quasar.Client.Recovery.FtpClients. Chrome/Edge/Brave/Firefox/Yandex password stealer. FileZilla+WinSCP FTP. DecryptAesGcm+PK11SDR_Decrypt.