
Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

· Published 13/08/2025 11:57 · Modified 13/08/2025 15:47


Essential information

Published
13/08/2025 11:57
Modified
13/08/2025 15:47
Tags
2025-08-13 browser data cmimai stealer discord exfiltration infostealer powershell screenshot vbs windows wmi
Related entities
9 techniques (mitre), 1 malware

Description

A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating the data via Discord webhooks. The malware uses PowerShell scripts for collection and screen capture, running in a persistent loop every hour. It leverages WMI for system information gathering and employs JSON formatting for data exfiltration. While lacking advanced features such as encrypted communication or credential theft, Cmimai Stealer serves as both an infostealer and a reconnaissance tool. Defensive considerations include monitoring high-risk process combinations, watching for specific scripts and image files, and detecting Discord traffic with a unique User-Agent.

External references