Executive Summary

A new and alarmingly efficient infostealer, marketed as logins[.]zip, has emerged on the cybercrime scene. According to a report from Hudson Rock, this Malware-as-a-Service (MaaS) offering is being advertised on clear web domains, boasting the ability to steal nearly all credentials and cookies from a compromised system in less than 12 seconds. The malware's authors claim this speed is achieved by leveraging two previously unknown Chromium zero-day exploits. The service is being sold for a monthly subscription, lowering the barrier to entry for criminals to conduct widespread credential theft campaigns, posing a significant threat to both individuals and organizations.

Threat Overview

logins[.]zip is an infostealer that operates on a MaaS model, providing subscribers with a browser-based builder to generate malicious payloads. The threat actors behind the service are marketing it as a superior alternative to established stealers like Lumma and RedLine, focusing on two key differentiators: speed and stealth.

• Speed: The claim of exfiltrating 99% of data in under 12 seconds is designed to appeal to criminals who want to perform smash-and-grab operations before detection.
• Stealth: The payload is a small 150KB stub with "polymorphic auto-obfuscation" to evade signature-based antivirus detection. More importantly, the alleged use of Chromium zero-days allows it to steal credentials and cookies without requiring administrative privileges, making it less likely to trigger UAC prompts or other security warnings.

The MaaS platform is actively developed and sold for a promotional price of $150 per month. It targets a wide array of data, including browser logins, session cookies, payment card information, Discord tokens, and Roblox cookies, with crypto wallet stealing capabilities planned for the future.

Technical Analysis

The most significant technical claim is the use of two Chromium zero-day exploits. While the specific CVEs are not known, this implies the malware can bypass security mechanisms within Chromium-based browsers (like Chrome, Edge, Opera) to access the securely stored credential database (the Login Data SQLite file) and cookie store. Normally, this data is encrypted using a key derived from the user's login credentials, requiring the malware to run with the user's privileges. A zero-day might allow the stealer to either bypass this encryption or access the decryption key through a novel method (T1212 - Exploitation for Credential Access).

Hudson Rock's analysis of sample logs confirmed they had a "unique structure" and, in some cases, contained more credentials than logs from other stealers on the same infected machine, lending some credibility to the attackers' claims of high efficiency. The core functionality aligns with standard infostealer TTPs:

• T1555.003 - Credentials from Web Browsers: The primary goal is to steal saved logins.
• T1539 - Steal Web Session Cookie: Hijacking active sessions to bypass MFA.
• T1552.001 - Credentials In Files: Searching for other sensitive files on the system.

Impact Assessment

The proliferation of a cheap, fast, and effective infostealer like logins[.]zip significantly lowers the bar for cybercrime and increases the overall risk for everyone. The stolen credentials are a gateway to further, more severe attacks.

• For Individuals: Victims face financial loss, identity theft, and the compromise of their various online accounts.
• For Organizations: The biggest threat is the compromise of corporate credentials. When an employee's machine is infected, the stealer can capture their VPN, SSO, and other enterprise logins. These credentials are then sold to other threat actors, including ransomware groups, who use them to gain initial access to corporate networks. A single infection on a personal device used for work can lead to a full-blown enterprise breach.

Cyber Observables for Detection

Detecting a polymorphic, zero-day-powered stealer is challenging. Detection should focus on delivery and exfiltration.

Detection & Response

• Detection: Since the binary is polymorphic, signature-based AV may be ineffective. Behavioral detection is key. An EDR should be configured to alert on processes that access sensitive browser files (Login Data, Cookies, Web Data) and then immediately make an outbound network connection. This is a core function of D3FEND's D3-PA: Process Analysis. Web filters and email security gateways should be used to block the delivery vectors (malicious attachments, links to droppers).

• Response: If an infection is detected, the immediate response is to isolate the machine from the network to prevent any further exfiltration or lateral movement. All credentials associated with the user of the infected machine must be considered compromised and should be immediately reset, and all active sessions should be terminated.

Mitigation

• User Education: The first line of defense is to prevent the initial execution. Train users to be suspicious of unsolicited attachments and to avoid downloading software from untrusted sources, especially game cracks or pirated software, which are common delivery vectors for infostealers (M1017 - User Training).

• Endpoint Security: Use a modern EDR solution with strong behavioral detection capabilities, rather than relying solely on traditional antivirus.

• Restrict Web-Based Content: Use web filtering to block access to known malicious domains and newly registered domains that are often used for C2 infrastructure (M1021 - Restrict Web-Based Content).

• Zero Trust Principles: For corporate environments, assume that user credentials will be compromised. Use phish-resistant MFA and device trust policies to ensure that even with a valid password, an attacker cannot access corporate resources from an untrusted or unmanaged device.