{
  "name": "Direct-Sys Loader and CGrabber Stealer Five-Stage Malware Chain",
  "slug": "direct-sys-loader-and-cgrabber-stealer-five-stage-malware-chain",
  "description": "A sophisticated five-stage malware operation delivers two new malware families: Direct-Sys Loader and CGrabber Stealer. The attack begins with ZIP archives distributed via GitHub user attachment URLs and abuses a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading. Direct-Sys Loader employs ChaCha20 encryption, direct syscall execution, and multiple anti-analysis checks including text file verification, enumeration of 67 analysis tool processes, and hypervisor detection. CGrabber Stealer collects extensive system metadata, browser credentials, cryptocurrency wallets, password managers, VPN configurations, and application artifacts from over 150 applications and extensions. The stealer excludes systems in the CIS region and uses ChaCha20 encryption with HMAC-SHA256 authentication for data exfiltration via custom HTTP headers. Both families share identical cryptographic implementations, suggesting a common development origin and representing operationally mature infrastructure designed for larg...",
  "published": "2026-04-17T07:21:31+00:00",
  "created_at": "2026-04-17T07:21:31+00:00",
  "modified_at": "2026-04-17T08:45:55+00:00",
  "created_at_opencti": "2026-04-17T07:21:31+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-17",
    "anti-analysis",
    "cgrabber stealer",
    "cryptocurrency theft",
    "direct-sys loader",
    "dll sideloading",
    "github distribution",
    "information stealer",
    "syscall"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://technologytorg.com/api/upload/chunk"
      },
      {
        "id": "",
        "name": "http://technologytorg.com/api/upload/start"
      },
      {
        "id": "",
        "name": "http://technologytorg.com/api/auth"
      },
      {
        "id": "",
        "name": "http://technologytorg.com/api/upload/complete"
      },
      {
        "id": "",
        "name": "7193eba9f262a73114d74885b99da63327da650cde1f1c7f7b6246d41d0b6936"
      },
      {
        "id": "",
        "name": "dd0016560f968f9b364f34fe0ece3e0a61763caace1215e82f2b3d0ed66aa808"
      },
      {
        "id": "",
        "name": "f464a4155526fa22c45a82d3aa75a13970189aad8cc3fa6050cf803a54d8baed"
      },
      {
        "id": "",
        "name": "fd8bba8b570050cbe0a82f21209eafe1ddaf007f4f5aec100b8b29cae9a76d49"
      },
      {
        "id": "",
        "name": "e1948cd1e96653464062e33fec9cd314a1208eee09e4c3f763ea22d9e69b506f"
      },
      {
        "id": "",
        "name": "bacddaa7168afc28ae53a3cabb93becef60051b1250482ecd0c804e7d110c32b"
      },
      {
        "id": "",
        "name": "9fcefc9e5b8e0da950d23383f26a51101569c5d7e8329a9f4d4d37e5f3fbcb24"
      },
      {
        "id": "",
        "name": "36a11595becbc011e39247028ae2352118edc578eee228ae116955b75e3d9dd3"
      },
      {
        "id": "",
        "name": "f15551c03d74e4b532a45588e960791875161254b392fb2b607f1652f28b71b1"
      },
      {
        "id": "",
        "name": "a47f46cd612ad3545cd96ed54cf0f5e33e87721515c359298fdb337c1ce7bf71"
      },
      {
        "id": "",
        "name": "6e5e8cb861ed0bb7193280d6e9fea8e4cc08bc0cd94d507818dee46f0316e194"
      },
      {
        "id": "",
        "name": "e042fbd39fc77ffa182797feb90b35fa0f92afd5f6ba948f6091aa716a98468d"
      },
      {
        "id": "",
        "name": "967d303ae8d9db6a0372703555b100ea40bc79b654f4a516528a194aae68b895"
      },
      {
        "id": "",
        "name": "cf0da23c1b3c24ac80cd0eb2b3d6ad3994ebb347174f0917931c26a7a0b65b41"
      },
      {
        "id": "",
        "name": "48a5027c0e8121f9900022eebc3be702f41c102d30a6d0ebea2290c05fb7ae08"
      },
      {
        "id": "",
        "name": "5c9835ddd74c6b85519b4d888464979704a60e295a2c7ce404ae8724e3d6bf34"
      },
      {
        "id": "",
        "name": "d14911adad0c62539d15043cf2deededaf964757d8538044189e19a4a3910c5a"
      },
      {
        "id": "",
        "name": "e81d86991c49c626f0b28eb9b0bd93b4c12f810984514a92dcf7d7de305bad83"
      },
      {
        "id": "",
        "name": "de637d9fa83666dd1770306418383cd6109ed701c2ec4510c943a35540b51b9d"
      },
      {
        "id": "",
        "name": "6a7e947d6d672c27261f75d8cfa52cea8234e43b2ec72d9dd066d2b8e0429fa3"
      },
      {
        "id": "",
        "name": "4a5212b541773ffed373e5aebcf86c3bfbe4ede363606e6bcec6dd84e525928a"
      },
      {
        "id": "",
        "name": "3fc7e8f1e0845f1524e5a39ed191bfd8dba988fcd9549e07635509ccaabf5c6a"
      },
      {
        "id": "",
        "name": "8c7aea915472c54de06aecef05cb54dc07c3387a454f090191933ef2783e7832"
      },
      {
        "id": "",
        "name": "43b3c946f04abe68371942181d3d83ca3a79b65969bcd40f9967ee63b3759fb8"
      },
      {
        "id": "",
        "name": "9bf43b3e6f2204d5dd9c49eefc956bedc200730072c5a1cb40a9b5805cfb5a5f"
      },
      {
        "id": "",
        "name": "d4afa13cc31da34c8f0741336276baff53b3206b14ce7747ab129d9a9a1bd428"
      },
      {
        "id": "",
        "name": "88bf79cf6297ecd38ad395ef03927129ab3ae81cfc253b10568ca5a0d48f0a7c"
      },
      {
        "id": "",
        "name": "64f6fe389b6c8e3ad3d8aee6fda98bd82374269ef0baba8139c6f011f28151fd"
      },
      {
        "id": "",
        "name": "f83e67611091d3a66803dc7f79df6486d42b8a363e9cd3c331656df48385b0d1"
      },
      {
        "id": "",
        "name": "32738964380f85bf4cbe0573ec2eff4874c0057764bddfc7e15eae0ba3636416"
      },
      {
        "id": "",
        "name": "21f21efcf7771daa6037b7304caa7eaf819c3feee7aaa65b943d9066753f2951"
      },
      {
        "id": "",
        "name": "426f777c4a654390205a24f42a26ac10c6c58f71e9b7d7a48a526fd8b99764a2"
      },
      {
        "id": "",
        "name": "cbdcd2ae13258d7681b84a0066a59785eff2ec1ab5943a3a031584d9fe1946b9"
      },
      {
        "id": "",
        "name": "b748160d6573bb2fa82bf629ff0e49ebe0748855344ad3a1faf20a9225143915"
      },
      {
        "id": "",
        "name": "c4e43d6a9ff4580c4e299f33e39d59031327019acc9f3c31c64e67aed3cf7600"
      },
      {
        "id": "",
        "name": "e043c8e1a0d980fcc6d6db7ec3154553099a2b4e84b72807334df932ffb10225"
      },
      {
        "id": "",
        "name": "25477b4862be0ecbbe783926a3f9f1b26c35acef23a87100a208d52371ab66e5"
      },
      {
        "id": "",
        "name": "c8c77a1b6de14b873aaa7842c9ad729bdc5f289c4ad765c49646cd66c0410b6f"
      },
      {
        "id": "",
        "name": "99ae607df167457518fef27d35ea72d1a3c250dcc451000e596ce327bc783195"
      },
      {
        "id": "",
        "name": "874da4ec130131674f2b99aabe2004e87b0724e0581e6b0e33f5ffed2c92a7f7"
      },
      {
        "id": "",
        "name": "13b05f330e707cd8e32584ce155ca502254d5767fb3abb9643efba9b680e157c"
      },
      {
        "id": "",
        "name": "83f28f78af88aaeec75f7ca5dd461dd994649c3a3b8e7551ee6e2256a3e2217b"
      },
      {
        "id": "",
        "name": "5394d9eca45c6d092a44619322aeb2fb2af5838c2eea0efa88793048aadf7e24"
      },
      {
        "id": "",
        "name": "85f573bddcdf838c9b4a40e1c767aff996c6c26c812e7bba635fbf570dc7b19a"
      },
      {
        "id": "",
        "name": "388301364a3b830a8d807eda1ba5052fd7bb78048fd4d29d7c6037857be8204b"
      },
      {
        "id": "",
        "name": "5b771509b90aca14ea3664a48cef0a1556b8ec2f57cc20db80ecd91890f18888"
      },
      {
        "id": "",
        "name": "3ce809c2d8a73a63eab49b305ebbe79b8e425b964c7f1e51ea2e215399039692"
      },
      {
        "id": "",
        "name": "ff41b103830786d8553c69c8f82b8000601e7218cbe92b06431f45cefd61de3b"
      },
      {
        "id": "",
        "name": "b283772fc5a63036f58ad6362fd8ecbbf63f80d554779e198899c6a136c65b66"
      },
      {
        "id": "",
        "name": "5dbbd9b8bbca090e197dc18e6e7b0a10ba5901db3a0ab95d3b143c0d4a21d8a2"
      },
      {
        "id": "",
        "name": "da2e3f245cc6a14e398a4a4bca4789b4aaf53f5a01b19ead4cb15876b3f9fccb"
      },
      {
        "id": "",
        "name": "deccb0c8f5715f2c31a0440a13761d18d7104663b3a69ce905332124703ade53"
      },
      {
        "id": "",
        "name": "fff4a97fdc67df84479c8a40b7efbfb0e12c97dca1385cca9529b4aff86ca193"
      },
      {
        "id": "",
        "name": "c40a9109f8c07f41e75d53bc598508321a5f7e8feeaf6ae379be29ec5cfb9c7d"
      },
      {
        "id": "",
        "name": "f56d0c5ffb9795209afbbdfe34067140c0a924745e4bbad14a56476581779f60"
      },
      {
        "id": "",
        "name": "6b64d5d7e0155f140ce8f9336d13def5e3d0d602510c55f1e572ac0f27e0729f"
      },
      {
        "id": "",
        "name": "711364c6c7e4d5bd1ffc4fe22b3d82adf8700881c2c6f09df535c3fa2ab5f75d"
      },
      {
        "id": "",
        "name": "d7ba4952f1e477b63259528e96bb106e9cf57fbb6b17f5d27346efdccfa4e35a"
      },
      {
        "id": "",
        "name": "53cb0d58c1ba8e71f611880a9fa596c23fa0a9d35a7bf1ac75cdfe498cbfb602"
      },
      {
        "id": "",
        "name": "1bca9de5c9962888e1fea336777a58d5c0e0071fcd57693fe25c3ff6ea42d43a"
      },
      {
        "id": "",
        "name": "d99617c9b23e96103d147bcc9c0b490daac7679ee8fad236c4cf7f7f2cd86456"
      },
      {
        "id": "",
        "name": "486a121d3a32218e2df9cdaa2db117ffc1a4254ef7f9eda1f334316244c7849c"
      },
      {
        "id": "",
        "name": "1bf3c7c19516479de60ef3dc67f3fb62bf0c98e9f1a0751978701ea53384f3c2"
      },
      {
        "id": "",
        "name": "932a2cbb9b927b97cc67727ace589fbbcf332bf481d955f71f61dfd42f6253d6"
      },
      {
        "id": "",
        "name": "47e729605419ac23d07cbdc6d13db748117f98c2159ccd8307abd79d3bd3f236"
      },
      {
        "id": "",
        "name": "b166b1dfe98c6cc4981b93689810269bb27e197156a865c8f12c3fb926cc9b13"
      },
      {
        "id": "",
        "name": "b37943923000b626797acc960d4f8d6ffd87d290f51f1d7e053d87ad1628f932"
      },
      {
        "id": "",
        "name": "08a1db1836b7495c9d92199c0d5443c3c2eaeaf6b1f17323e1d6ac4837611780"
      },
      {
        "id": "",
        "name": "adc770c676c9fa1136630f55f23d22e0aed4c1dba5d45f57023dbb22bfb67512"
      },
      {
        "id": "",
        "name": "e86164199b94e50318893a52c2449180e0a46d02a0954e6acc4299a2388f61fb"
      },
      {
        "id": "",
        "name": "939c54956613ed402b43bff9ca54666172ddec13556df4aea2ad36a8fce235f0"
      },
      {
        "id": "",
        "name": "5e8a944131733223a74c0c6c245a19757012e19f7f27d8caf5a3aca7ef122c6a"
      },
      {
        "id": "",
        "name": "82d7f7bf12e9dc89251fa189b034549497e35c3906e6eb72f1c1c00dd4a45ae2"
      },
      {
        "id": "",
        "name": "74d45b5489e561d7bb6d03495fcf3a0dbe8b1c4b3fdce1229d58df01ab63e1f9"
      },
      {
        "id": "",
        "name": "8b9a0e56b267217ccb0423ed86f3baa9ae57f74dbf9c23103031d5dd3bb45012"
      },
      {
        "id": "",
        "name": "54a506ca31052a24554089f4d82cb071d65d3ec3cff50bf74188bc1f11480532"
      },
      {
        "id": "",
        "name": "b5dbeffaffbdb15995939a4b238bf8d42d076948eab8e7444a39387ed485d135"
      },
      {
        "id": "",
        "name": "224de3e2bc78d1f991e2d0fc44fa71fda99f7b3164a7a49d4f01f764c9006633"
      },
      {
        "id": "",
        "name": "1fc2dc830d1ad42261c2842b704ebc75ed782c1814c03915a22becbf161d13ed"
      },
      {
        "id": "",
        "name": "f6dfc06fb7fa8e733ae7b2541d7b1771cd1b6d11984b97f636a9ac47e23ad811"
      },
      {
        "id": "",
        "name": "aa9797ee5cc8658dbf3b339e7fd0e63d1a2c2c4066aa10b271ca6f25b7d4403f"
      },
      {
        "id": "",
        "name": "0184983d2230ffb21b0e728927fe73cf24bff65e32fbd751f258db1c1b17be7f"
      },
      {
        "id": "",
        "name": "758a6fe99001ea137d6dd8dda7b52af132f33571515bc58a2a9c77231d5cbf81"
      },
      {
        "id": "",
        "name": "2e4960d8f0601d9838b2a724af51dbd7bdc6843731af1f11b855c36d4e15616f"
      },
      {
        "id": "",
        "name": "74953ff4ae57d251ca4d173578eb72d02d6f3f23bd72586e769d06fefde94b48"
      },
      {
        "id": "",
        "name": "8dacdbf7e7dd12da5bbe0f95567c957f2db53468994b100b5ddb00ee85f19d60"
      },
      {
        "id": "",
        "name": "3f87a2a56e7a3a78405e6a02d74f10884efb60608794a181cefccf739526aa81"
      }
    ],
    "malware": [
      {
        "id": "99b81ab8-7708-41d9-9ee9-b5585ead9dc4",
        "name": "Direct-Sys Loader",
        "slug": "direct-sys-loader"
      },
      {
        "id": "legacy:malware:83991ff4bcf8ed5a",
        "name": "CGrabber Stealer",
        "slug": "cgrabber-stealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "2f07e892-0128-454b-9413-803505e67b48",
        "name": "T1030"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "dcdb439a-a7ce-4b60-8f9f-469a0acf7ba5",
        "name": "T1055.004"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "42414354-718a-4603-8b00-52fa7d6fe061",
        "name": "T1497.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "playbergs.info"
      },
      {
        "id": "",
        "name": "attackzombie.com"
      },
      {
        "id": "",
        "name": "startbuldingship.com"
      },
      {
        "id": "",
        "name": "evasivestars.com"
      },
      {
        "id": "",
        "name": "gogenbydet.cc"
      },
      {
        "id": "",
        "name": "technologytorg.com"
      },
      {
        "id": "",
        "name": "sinixproduction.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e1fb9b3bbb36c5db446094",
    "https://www.cyderes.com/howler-cell/direct-sys-loader-cgrabber-stealer-five-stage-malware-chain"
  ]
}