Cyble threat intelligence researchers have uncovered an infostealer campaign that spreads the Maranhão Stealer through social engineering websites claiming to offer pirated software, cracked game launchers and cheats.
The threat actors lure victims through sites such as derelictsgame[.]in with malicious files such as DerelictSetup.zip and Fnaf Doom.zip, Cyble researchers wrote in a blog post today.
The malware is written in Node.js and packaged as an Inno Setup installer. It uses Run registry keys and scheduled tasks to establish persistence, hides its payloads as system and hidden attributes, conducts detailed host reconnaissance, and extracts sensitive information such as credentials, cookies, and cryptocurrency wallet data through reflective DLL injection into browsers to bypass protections like Chrome’s AppBound encryption.
“The inclusion of reflective DLL injection and AppBound-aware data collection further underlines its sophistication,” Cyble said. “If successful, infections could lead to widespread credential compromise, account hijacking, theft of digital assets, and further malware deployment within victim environments.”
Maranhão Infostealer Campaign Targets Credentials, Crypto
The Maranhão Stealer has been active since May 2025 and continues to be actively developed, the researchers said, noting several evolutions in the malware.
Once executed, the malware hides in a directory named “Microsoft Updater” under %localappdata%\Programs. It creates Run registry keys and a scheduled task to gain persistence before launching updater.exe, its main component.
“From this point, the malware conducts extensive system reconnaissance, screen capturing, and credential theft, with a particular focus on web browsers and cryptocurrency wallets,” the researchers wrote.
The password-decrypting functionality is embedded in infoprocess.exe, written in Go and obfuscated for stealth. Instead of using PsExec to spawn child processes, as earlier versions did, the malware now creates child processes directly through Win32 API calls, “reflecting a clear evolution toward stealthier and more sophisticated execution techniques,” the researchers said.
The core Maranhão Stealer functionality and objectives have remained consistent throughout the malware’s evolution, the researchers said. “The campaign demonstrates how threat actors blend social engineering, commodity tools, and modern development stacks to distribute sophisticated information-stealing malware at scale,” they wrote.
Maranhão Stealer Malware Analysis
Some of the malicious files identified by Cyble include: Fnafdoomlauncher.exe, Fnaf.exe, RootedTheGameSetup.zip, Slinkyhook.exe, and more.
The researchers did a technical analysis of Fnafdoomlauncher.exe. The installer runs in “/VERYSILENT” mode for stealth, then drops components like updater.exe and crypto.key into the directory C:\Users\<username>\AppData\Local\Programs\Microsoft Updater. updater.exe establishes persistence by creating a Run registry key that is executed automatically at login.
The malware then disguises its components to evade detection, marking files in the Microsoft Updater directory with both the System and Hidden attributes. The stealer also installs screen capture functionality, using inline C# code within PowerShell to capture the contents of each screen.
After completing system reconnaissance, the stealer payload turns its attention to data theft from web browsers. The researchers said the malware actively collected data from Google Chrome, Microsoft Edge, Brave, and Opera in their analysis environment, enumerating user profiles and extracting browsing history, cookies, download records, and saved login credentials.
Additional targets — including other browsers and cryptocurrency wallets — were identified in memory dump analysis, they said. “This suggests that the malware has broader capabilities and can adapt its behaviour depending on the victim’s environment,” they wrote.
The malware was also observed contacting several APIs hosted under the domain maranhaogang[.]fun, likely for initial infection reporting, victim tracking, and data exfiltration.
The full Cyble blog takes a deep dive into the malware and also includes recommendations and 45 Indicators of Compromise (IoCs) and file hashes.
