Dangerous new infostealer targets top password managers

password manager security
(Image credit: Passwork)

A new Windows infostealer is on the loose, stealing highly sensitive information and featuring clever ways to evade detection by security software.

Known as the Meduza Stealer, its sole purpose is "comprehensive data theft," according to cybersecurity researchers at Uptycs who discovered the malware, as it scours "users' browsing activities, extracting a wide array of browser-related data."

The security firm added that crypto wallet extensions, password managers and 2FA extensions are also vulnerable. In order to avoid detection, Meduza terminates itself if connection with the threat actor's server fails. 

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 


Interestingly, it also self-terminates if the victim's system is located in certain countries, such as those within the Commonwealth of Independent States (CIS) and Turkmenistan.

Meduza also gathers data from Windows Registry entries and a list of installed games on the target's endpoint, indicating its far-reaching information extraction goals. A web panel interface also gives the attacker details on what Meduza has managed to steal, as well as the ability to download or delete said data. 

According to the researchers at Uptycs, "This in-depth feature set showcases the sophisticated nature of the Meduza Stealer and the lengths its creators are willing to go to ensure its success."

It is currently for sale on dark web forums and the encrypted messaging app Telegram, with a monthly subscription costing $199 and a lifetime license $1,199.

Providing malicious tools as a service is fast becoming the norm, allowing criminals to carry out cyberattacks without needing technical knowledge - they merely rent the software used to deal the damage from others.  

Research by antivirus firm Sophos claims to show that dropper-as-a-service (DaaS) platforms are being used more and more by malware developers, and ransomware-as-a-service (RaaS) models are becoming more popular too, again due to their ease of use by cybercriminals.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.