Phoenix v4 and Chromium_Stealer malware deployment via malicious Word documents
Malware Activity
Summary
The Phoenix v4 backdoor and Chromium_Stealer were deployed through malicious Microsoft Word documents, giving operators remote control of infected systems and the ability to steal browser credentials. The payload chain depended on macros and embedded Visual Basic code, so the infection path only succeeded against users who enabled content. The toolset combined persistence, C2 connectivity, and credential harvesting from Chrome, Edge, Opera, and Brave.
Related Happenings
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
VoidStealer debugger-based ABE-bypass infostealer
Malware Activity
First: 22.03.2026 16:32
Last: 22.03.2026 16:32
Sources 1
About this happening:
**VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
Arkanix Stealer infostealer operation
Malware Activity
First: 22.02.2026 17:33
Last: 22.02.2026 17:33
Sources 1
About this happening:
A **short-lived Arkanix Stealer** operation emerged in **October 2025**, putting **browser data, wallets, and credentials** at risk across multiple platforms. The project combined...
Timeline
- 22.10.2025 18:00 · 2 articles
MuddyWater phishing campaign with Phoenix v4 and Chromium_Stealer
Initial Disclosure
Group-IB disclosed a phishing campaign attributed with high confidence to MuddyWater that targeted international organizations across multiple regions. The operators abused compromised email accounts and a mailbox accessed via NordVPN to send trusted-looking messages. The malicious Microsoft Word documents urged recipients to enable macros, which executed embedded Visual Basic code that dropped and launched Phoenix v4 for remote control. Investigators also found PDQ, Action1, ScreenConnect, Chromium_Stealer, and C2 infrastructure tied to screenai[.]online.
Sources
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00