MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration

ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets organisations in the education and telecommunications sectors. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets and screenshots, and exfiltrates data exclusively via Discord webhooks, which makes it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.

ANY.RUN malware analysis researchers have published an analysis of MicroStealer, a credential-stealing infostealer that has been active since December 2025 and has shown sustained targeting of education and telecommunications sector organisations. The malware's exclusive use of Discord webhooks for data exfiltration, a pattern increasingly common among commodity infostealers following the broader industry trend documented earlier this week, results in low detection rates by network-based security controls and traditional antivirus engines.

Delivery and Execution Chain

MicroStealer's delivery uses a multi-stage chain designed to bypass static analysis:

Stage 1 (lure document): Phishing emails carry password-protected archive attachments (ZIP or RAR) containing a malicious LNK (Windows shortcut) file. The password is included in the email body, a technique that prevents the email gateway's attachment scanner from inspecting the archive contents.

Stage 2 (LNK execution): The LNK file executes a PowerShell command that downloads an obfuscated dropper script from a legitimate file hosting service (GitHub, GitLab, or OneDrive, varying by campaign). Using legitimate hosting services for the stage-2 download prevents URL reputation filtering from blocking it.

Stage 3 (MicroStealer payload): The dropper deploys the MicroStealer executable and establishes persistence via a Windows Registry run key. The executable is a .NET binary packed with a commercial packer to reduce AV detection.

Data Collection Capabilities

MicroStealer harvests:

  • Browser credentials: Chromium-based browser credential databases (Chrome, Edge, Brave, Opera), Firefox credential stores
  • Session tokens: Cookies from all browsers, including authentication session cookies for common enterprise SaaS (Microsoft 365, Salesforce, Google Workspace)
  • Cryptocurrency wallets: Extension storage for MetaMask, Phantom, Coinbase Wallet; standalone wallet application files
  • Screenshots: Multiple sequential desktop screenshots at collection time, providing the attacker a visual overview of the victim's active work
  • System information: OS version, hostname, installed security software, domain membership
  • Clipboard content: Contents of the clipboard at collection time

All collected data is compressed and transmitted via a Discord webhook URL embedded in the executable. Discord webhooks accept POST requests to the discord.com API, a domain and service that is universally permitted in enterprise network environments.

Education and Telecom Sector Targeting

The sector concentration is notable. Education institutions are attractive targets for infostealers for several reasons: they typically have larger-than-average user populations, diverse software environments that make policy enforcement difficult, and valuable data including research datasets, financial aid records, and in some cases payment card data from student services. Credentials from education accounts (university email, learning management systems) are also valued for follow-on social engineering attacks.

Telecommunications operators hold sensitive data including subscriber records, call detail records, network infrastructure credentials, and in some jurisdictions, lawful intercept infrastructure access. Credential theft from telecom employees with system administration access provides the entry point for more serious intrusions.

Detection

ANY.RUN's analysis provides YARA rules and network signatures for MicroStealer detection. Key behavioural indicators:

  • LNK file spawning PowerShell with base64-encoded commands and outbound connections to GitHub/GitLab during initial execution
  • .NET process making HTTPS POST requests to discord.com/api/webhooks/ with multipart form data (exfiltration pattern)
  • New registry run key pointing to %APPDATA% directory created by a PowerShell parent process
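
Added example (not part of the ANY.RUN analysis or of this article): a small Python detector that applies the three behavioural indicators above to constructed Sysmon-style events. The field names (Image, CommandLine, DestinationHostname, TargetObject, Details, plus a Url field assumed to come from proxy or EDR telemetry), the process names and all sample values are assumptions, and the webhook URL is a placeholder.

```python
import re

# Browser processes are allowed to talk to discord.com; anything else posting to a webhook is suspect.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe", "discord.exe"}
STAGE2_HOSTS = {"github.com", "raw.githubusercontent.com", "gitlab.com"}
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
APPDATA_PATH = re.compile(r"(?i)%appdata%|\\appdata\\roaming\\")

def detect(events):
    """Return (rule_name, ProcessId) hits for the three MicroStealer indicators."""
    hits, encoded_ps = [], set()   # PIDs of powershell.exe started with an encoded command
    for ev in events:
        img = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        pid = ev.get("ProcessId")
        if ev["EventType"] == "ProcessCreate":
            if img == "powershell.exe" and ENCODED_FLAG.search(ev.get("CommandLine", "")):
                encoded_ps.add(pid)
        elif ev["EventType"] == "NetworkConnect":
            host = ev.get("DestinationHostname", "").lower()
            # Indicator 1: the encoded-command PowerShell reaches out to GitHub/GitLab
            if pid in encoded_ps and host in STAGE2_HOSTS:
                hits.append(("encoded_powershell_stage2_download", pid))
            # Indicator 2: a non-browser process posts to a Discord webhook
            if host == "discord.com" and "/api/webhooks/" in ev.get("Url", "") and img not in BROWSERS:
                hits.append(("non_browser_discord_webhook", pid))
        elif ev["EventType"] == "RegistryValueSet":
            # Indicator 3: PowerShell writes a Run key whose value points under %APPDATA%
            if (img == "powershell.exe" and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
                    and APPDATA_PATH.search(ev.get("Details", ""))):
                hits.append(("powershell_run_key_appdata", pid))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from a real infection
    {"EventType": "ProcessCreate", "ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc UGxhY2Vob2xkZXJQbGFjZWhvbGRlcg=="},
    {"EventType": "NetworkConnect", "ProcessId": 4120, "Image": PS,
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"EventType": "RegistryValueSet", "ProcessId": 4120, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"%APPDATA%\Updater\svc.exe"},
    {"EventType": "NetworkConnect", "ProcessId": 5310, "Image": r"C:\Users\u\AppData\Roaming\Updater\svc.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443,
     "Url": "https://discord.com/api/webhooks/<placeholder-id>/<placeholder-token>"},
    {"EventType": "NetworkConnect", "ProcessId": 2200,  # benign: a browser using Discord normally
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443, "Url": "https://discord.com/channels/@me"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

Run on the constructed events it reports the three indicators for the infected session and stays silent for the browser's ordinary Discord traffic.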

For organisations in education and telecommunications: review email security gateway configuration for password-protected archive handling, and consider flagging password-protected attachments for manual review rather than allowing automatic delivery. Monitor for Discord API webhook traffic originating from non-browser processes via EDR process-level network attribution.