Stay updated with the latest Cybersecurity News on our TecnetBlog.

Maranhão Stealer: Credential Theft Hidden in Pirated Games

Written by Adriana Aguilar | Sep 17, 2025 6:07:13 PM

If you’ve ever downloaded a cracked game launcher, a “mod,” or some shady “free tool,” this article is for you. Since May 2025, a new threat called Maranhão Stealer has been circulating—an infostealer written in Node.js that disguises itself as game installers or “free” utilities.

Its mission? To steal credentials, cookies, browser histories, and wallet data to hijack accounts and drain funds. And it uses advanced techniques like reflective DLL injection into browsers to bypass modern protections.

At TecnetOne, we’ll break down how it works, why it’s so dangerous, and what you can do to protect your home devices—and your company.

 

How Do You Get Infected?

 

Attackers build social engineering websites hosted on cloud platforms, posing as game portals, “cheats,” or pirated software download hubs. The bait is usually a ZIP file with an Inno Setup installer—examples include names like Fnafdoomlauncher.exe, VersionX64_Setup.exe, RootedTheGameSetup.zip, etc.

 


Infection chain (Source: CYBLE)

 

Once executed:

 

  1. Stealth deployment: The installer runs in /VERYSILENT mode and drops files in
    %LocalAppData%\Programs\Microsoft Updater\ (e.g., updater.exe, infoprocess.exe, crypto.key)—a path designed to sound legitimate.

 

  1. Persistence: It creates a Run registry key and/or a scheduled task to relaunch every session.

 

  1. Concealment: All files and folders are marked with Hidden and System attributes to stay invisible.

 

Initial variant (left), New variant (right) (Source: CYBLE)

 

Also of interest: New Shamos Malware on Mac: Beware of ClickFix Attacks

 

What Does It Do to Your System?

 

System Reconnaissance

 

Before stealing anything, it profiles your device using WMI queries—collecting OS version, CPU, GPU, disk, UUID—along with your IP address and geolocation to decide next steps.

 


Install files (Source: CYBLE)

 

Screenshots

 

It uses embedded C# in PowerShell to capture screenshots and store them as PNGs. This confirms user presence, reveals open apps, and monitors sensitive activity (email, banking, CRM, etc.).

 


Persistence through registry (Source: CYBLE)

 

Credential and Cookie Theft

 

This is its core strength. The malware launches your browser (Chrome, Edge, Brave, Opera, etc.) in headless mode and injects a DLL reflectively—without writing it to disk:

 

  1. Uses low-level Windows APIs (NtAllocateVirtualMemory, NtWriteProcessMemory, CreateThreadEx) to inject into browser memory.

 

  1. Bypasses protections like Chrome's AppBound encryption to access session cookies, saved passwords, tokens, and history.

 

  1. Exfiltrates everything to the attacker's infrastructure (e.g., domain maranhaogang[.]fun).

 

attrib.exe (Source: CYBLE)

 

Wallet Hijacking

 

While it targets browsers, it also scans for crypto wallets like Electrum, Exodus, Atomic, Coinomi, Guarda. If found, it attempts to drain balances or steal keys.

 


ip-api.com to collect the victim details (Source: CYBLE)

 

Why Is It So Hard to Detect?

 

  1. Modern stack, old tricks: Written in Node.js, packed with Inno Setup, and includes Go-based obfuscated components.

 

  1. Rapid evolution: Recent variants ditched obvious indicators like writing to C:\Windows\ and now reside in plausible user-space paths.

 

  1. Anti-analysis: Uses names like "Microsoft Updater", system/hidden attributes, and avoids dropping DLLs to disk—evading most AVs.

 

  1. Reflective injection: Accesses in-memory secrets, including active sessions and cookies.

 


Screen capture (Source: CYBLE)

 

Who Is Targeted?

 

Mainly gamers and users of pirated software or cheats. But once inside, any work-related data is also at risk. If you use the same machine for gaming and work—SaaS tools, email, banking, CRM—all are vulnerable.

 

Stealing browser data (Source: CYBLE)

 

Read more: Lumma Infostealer Malware Targeting Opera in Mexico

 

Warning Signs

 

  1. Unknown executables like updater.exe in %LocalAppData%\Programs\Microsoft Updater\

 

  1. Spike in headless browser processes

 

  1. Unexpected screenshots (Display (1).png, etc.)

 

  1. Outbound connections to unknown domains like maranhaogang[.]fun

 

  1. Persistence keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

 


Starts the browser in headless mode (Source: CYBLE)

 

How to Protect Yourself (and Your Company)

 

For Individual Users

 

  1. Avoid pirated downloads—what’s free might cost you everything.

 

  1. Browser isolation—use separate browsers/profiles for banking and work.

 

  1. MFA everywhere—prefer TOTP or security keys over SMS.

 

  1. Password manager with unique credentials for each service.

 

  1. Real EDR/AV software—avoid “miracle cleaners.”

 

  1. Purge saved browser passwords if you handle sensitive data.

 

  1. Rotate credentials immediately if you suspect compromise.

 


Reflective Loader in chrome.exe (Source: CYBLE)

 

For Organizations

 

  1. EDR with in-memory injection detection and headless browser rules

 

  1. App allowlisting to block unsigned Inno Setup binaries

 

  1. DNS/Proxy filtering and Threat Intel feeds to block known C2 domains

 

  1. Enterprise browser policies: disable password saving, protect cookies, isolate sensitive sites

 

  1. Network segmentation & Zero Trust: limit the blast radius

 

  1. Harden PowerShell (e.g., Constrained Language Mode, ScriptBlock Logging)

 

  1. IR playbooks for infostealers: revoke tokens, rotate passwords, invalidate cookies, audit SaaS sessions

 

At TecnetOne, we help integrate Acronis with your SIEM/SOAR, fine-tune EDR detection, and simulate attacker chains to validate coverage.

 


Stolen data (Source: CYBLE)

 

If You're Already Infected

 

  1. Isolate the machine from the network

 

  1. Acquire memory and disk images (for forensic analysis)

 

  1. Reinstall from a trusted image—don’t rely on surface-level cleanups

 

  1. Change all credentials, starting with recovery email

 

  1. Transfer wallet funds to fresh keys generated on a clean machine

 

  1. Monitor access logs for unusual behavior over the following days

 


C&C communication (Source: CYBLE)

 

Final Thoughts

 

Maranhão Stealer proves that infostealers have evolved—Node.js, stealthy packaging, reflective browser injection, and convincing lures. Today, your browser is your true perimeter.

If you secure it—and eliminate infection sources like pirated downloads—you massively reduce risk.

At TecnetOne, we help shift your defenses from reactive to proactive—with browser hardening, EDR tuning, and real-time threat hunting to stop credential theft in its tracks.

 
View full post