Get in Touch

Get in Touch

Get in Touch

Please get in touch using the form below.

Close form

Home / Malware Reports / MetaStealer Stealware


MetaStealer is an information stealer variant of malware that was initially detected to have emerged on underground marketplaces and later involved in malspam campaigns. The MetaStealer malware has been advertised as an upgrade of the RedLine Stealer variant2. MetaStealer can be obtained on a subscription basis for $125 USD per month, or alternatively, for $1,000 USD, as a lifetime subscription. This subscription model enables threat actors, that lack their own infrastructure and self-made capabilities, to engage in credential stealing activities. The relatively affordable malware option is almost certainly an attractive tool for criminal groups of all sizes and ranks MetaStealer as a highly prevalent malware that is emerging across the online domain.

The first stage of the attack chain involves the distribution of MetaStealer via malicious emails, being masqueraded as messages pertaining to financial transactions. These emails are sent attached with an excel document, containing a VBS macro. Following the acceptance of the document by the target, the malware will be downloaded and executed3.

Following a system reboot, the file will progress to communicate with a command-and-control (C2) server, thus establishing a persistence mechanism4. Relevant security research has documented that the MetaStealer malware is associated with various infection techniques and behavioural trends, including Reliance on open-source libraries, Microsoft Defender Bypass, Scheduled Task Persistence, Password stealing, Keylogger activity and Hidden VNC server activity 5. As with other information stealer variants, MetaStealer is designed to steal sensitive data, such as: login credentials, credit card details and security codes6.


Information stealers, such as MetaStealer, are designed to stealthily infiltrate the target system and thus no symptoms are clearly visible on an infected machine, resulting in potential stolen passwords and banking information, identity theft and monetary loss. The compromise of sensitive company and customer credentials by a threat actor can lead to serious implications to the security posture and integrity of company systems, employees, and customers. If compromised credentials remain unactioned, there is a realistic possibility that they will be sold to a range of opportunistic threat actors and will subsequently be used to increase the effectiveness of further targeting. If employees have poor password hygiene in using the same password across multiple sites, a leak of one set of credentials could have a major knock-on effect to a wide array of systems and potentially lead to further compromise.

The Quorum Cyber Threat Intelligence team provides ransomware reports so that you can better understand the threats facing your organisation.

Download your report to read more today.