Cofense - Security Awareness Training & Email Threat Detection

New “Complaint Stealer” Malware Escalates, Targeting Cryptocurrency Wallets & Hospitality Sector

Cofense Intelligence™ Flash Alert

By Cofense Intelligence

A series of campaigns delivering the newly christened “Complaint Stealer” malware began in mid-October and escalated within the last 2 days. Complaint Stealer is an information stealer that targets cryptocurrency wallets and programs as well as credentials stored in browsers. It shows unusual interest in the graphics card and other information associated with cryptocurrency mining, so cryptocurrency mining may be a later addition. Complaint Stealer also often makes use of legitimate software such as AutoIt or PKWARE. All samples seen to date use the same C2 location. This campaign uses social engineering tactics also recently seen during the MGM, Caesars and other luxury hotel resort breaches.

Phishing Campaign Characteristics

These campaigns all targeted hospitality customers and were themed around complaints about the accommodations, staff behavior, etc. The campaigns bypassed multiple Secure Email Gateways (SEGs), including Cisco IronPort and Microsoft ATP. The phishing campaigns delivering Complaint Stealer all used password-protected archives downloaded from embedded mega[.]nz URLs to deliver the malware.

Figure 1: Email from campaign delivering Complaint Stealer.
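
For mailbox triage, the delivery pattern described above (a complaint-themed message with an embedded mega[.]nz link to a password-protected archive) can be expressed as a small heuristic. This is an added example, not Cofense code; the keyword list, the password-phrase pattern and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# From the alert: archives were downloaded from embedded mega[.]nz URLs.
MEGA_URL = re.compile(r"https?://(?:[\w-]+\.)*mega\.nz/\S+", re.I)
# Assumption: the lure states the archive password in the message text.
PASSWORD_HINT = re.compile(r"\bpass(?:word|code)\s*(?:is|:|=)\s*\S+", re.I)
# Assumption: hypothetical complaint-theme vocabulary; tune to your mail flow.
COMPLAINT_TERMS = ("complaint", "my stay", "staff", "room", "refund", "reservation")

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = """\
From: guest@example.com
To: frontdesk@hotel.example
Subject: Complaint about my stay

The staff were rude and the room was dirty. Photos are here:
https://mega.nz/file/EXAMPLE#constructed
Archive password: 1234
"""
SAMPLE_BENIGN = """\
From: guest@example.com
To: frontdesk@hotel.example
Subject: Booking question

Could you confirm the check-in time for my reservation next week?
"""

def triage(raw_email: str) -> dict:
    """Return the delivery-chain signals found in one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['subject'] or ''}\n{body.get_content() if body else ''}"
    lowered = text.lower()
    signals = {
        "mega_link": bool(MEGA_URL.search(text)),
        "password_in_body": bool(PASSWORD_HINT.search(text)),
        # Two or more theme terms, to avoid flagging a single stray word.
        "complaint_theme": sum(t in lowered for t in COMPLAINT_TERMS) >= 2,
    }
    # A file-share link alone is common; escalate only when it co-occurs
    # with a stated password or the complaint theme.
    signals["escalate"] = signals["mega_link"] and (
        signals["password_in_body"] or signals["complaint_theme"])
    return signals

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

Because the archive is password-protected and hosted off-site, this check works on the message text only and is a way to route reports to an analyst, not a verdict on the payload.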

