Phoenix v4 and Chromium_Stealer malware deployment via malicious Word documents
Malware Activity
Summary
The Phoenix v4 backdoor and Chromium_Stealer were deployed through malicious Microsoft Word documents, giving operators remote control of infected systems and theft of browser-stored credentials. The infection chain relied on macros: embedded Visual Basic code ran only once the recipient clicked Enable Content, so the lure text was written to push users toward that click. The resulting toolset combined persistence, C2 connectivity, and credential harvesting from the Chromium-based browsers Chrome, Edge, Opera, and Brave.
Related Happenings
Brave Software launches paid Brave Origin browser
Commercial Activity
H score: 0
First: 05.06.2026 00:37
Last: 05.06.2026 00:37
Sources 1
About this happening:
Brave Software launched **Brave Origin**, a paid browser variant that removes **cryptocurrency**, **AI**, rewards, and other monetization features while keeping **Brave Shields**....
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
H score: 51
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
LofyGang Minecraft LofyStealer campaign
Campaign
H score: 38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score: 21
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
H score: 21
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Timeline
22.10.2025 18:00 · 2 articles
MuddyWater phishing campaign with Phoenix v4 and Chromium_Stealer
Initial Disclosure: Group-IB disclosed a phishing campaign attributed with high confidence to MuddyWater that targeted international organizations across multiple regions. The operators sent trusted-looking messages from compromised email accounts, including one mailbox they accessed through NordVPN. The attached Microsoft Word documents urged recipients to enable macros; doing so executed embedded Visual Basic code that dropped and launched Phoenix v4 for remote control. On the compromised hosts investigators also found the legitimate remote-management tools PDQ, Action1 and ScreenConnect, the Chromium_Stealer credential harvester, and C2 infrastructure tied to screenai[.]online.
- MuddyWater Uses Compromised Mailboxes in Global Phishing Campaign — www.infosecurity-magazine.com — 22.10.2025 18:00
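The three triage checks a responder would run for the chain described in the summary and in the timeline entry (a macro-bearing Word lure, Word spawning the launcher for the dropped payload, and traffic to the reported C2 domain), written up here as an added example; this is not Group-IB's, MuddyWater's, or this page's own code. The document bytes, the Sysmon-style process-creation records and the hostname list are constructed for the example; the only indicator taken from the page is screenai[.]online.

```python
"""Triage checks for a macro-driven Word lure chain (added example, constructed data)."""
import io
import zipfile

# Children that a Word process has no reason to spawn during normal document use.
# A macro that drops and launches a payload almost always goes through one of these.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# The one indicator taken from the disclosure, kept in its defanged form.
C2_DOMAINS = {"screenai[.]online"}


def build_sample_doc(macro_enabled: bool) -> bytes:
    """Constructed stand-in for a Word lure: a minimal Office Open XML zip.

    Real documents carry many more parts; only the two that matter for the
    static check below are included.
    """
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if macro_enabled
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # A stored VBA project is an OLE2 compound file; only its magic is needed here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def document_has_macros(data: bytes) -> dict:
    """Static check: does this Office Open XML file carry VBA?

    Macro code lives in word/vbaProject.bin, and a macro-enabled document
    declares a macroEnabled content type. Inspect the zip rather than the
    extension: a .docm renamed to .docx still carries the part.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        content_types = (
            z.read("[Content_Types].xml").decode("utf-8", "replace")
            if "[Content_Types].xml" in names
            else ""
        )
    return {
        "vba_project": any(n.lower().endswith("vbaproject.bin") for n in names),
        "macro_enabled_content_type": "macroEnabled" in content_types,
    }


def flag_office_spawns(events: list[dict]) -> list[tuple[str, str]]:
    """Behavioural check over Sysmon Event ID 1 (process creation) fields.

    Returns (UtcTime, child image name) for every process whose parent is an
    Office application and whose image is in SUSPICIOUS_CHILDREN.
    """
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((ev["UtcTime"], child))
    return hits


def match_c2(hostnames: list[str]) -> list[str]:
    """Match observed hostnames (DNS or proxy logs) against the C2 domain and
    its subdomains, after refanging the defanged indicator."""
    bad = {d.replace("[.]", ".").lower() for d in C2_DOMAINS}
    out = []
    for h in hostnames:
        hl = h.lower().rstrip(".")
        if hl in bad or any(hl.endswith("." + d) for d in bad):
            out.append(h)
    return out


# Constructed Sysmon-style records: one macro launch, two benign spawns.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-20 08:12:01", "ParentImage": WINWORD,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "%APPDATA%\svc.exe"'},
    {"UtcTime": "2025-10-20 08:12:05", "ParentImage": WINWORD,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"UtcTime": "2025-10-20 08:15:40", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    print(document_has_macros(build_sample_doc(True)))
    print(document_has_macros(build_sample_doc(False)))
    print(flag_office_spawns(SAMPLE_EVENTS))
    print(match_c2(["screenai.online", "cdn.screenai.online", "example.com"]))
```

The static check deliberately keys on the zip contents rather than the file extension, because mail gateways that only block `.docm` are bypassed by a renamed file. The process-tree rule is the one that catches the actual execution step regardless of how the VBA is obfuscated, which is why it should be the primary detection; the static check is for mail-queue triage, and the domain match for retro-hunting in DNS and proxy logs.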