Researchers Detail 'ChronoStealer', a New Modular Info-Stealing Malware-as-a-Service

Check Point Research Uncovers 'ChronoStealer', a Modular Malware-as-a-Service Lowering the Bar for Cybercrime

Severity: MEDIUM
January 26, 2026
5 min read
Categories: Malware, Threat Intelligence


Executive Summary

Check Point Research has published a detailed analysis of a new Malware-as-a-Service (MaaS) offering named ChronoStealer. This modular information stealer is sold on a subscription basis on underground forums, putting a capable data-theft toolkit in the hands of low-skilled actors for a low monthly fee. Its core function is to steal saved credentials from dozens of browsers and applications; optional modules add keylogging, screen capture, cryptocurrency wallet theft and session cookie theft. ChronoStealer uses the Telegram Bot API for command and control (C2) and data exfiltration, so its traffic is ordinary HTTPS to a widely used legitimate service and blends in with normal network activity instead of standing out to network-based detection. Powerful, easy-to-use MaaS platforms like ChronoStealer significantly lower the barrier to entry for data theft and pose a growing threat to individuals and organizations.

Threat Overview

  • Malware: ChronoStealer
  • Type: Information Stealer, Malware-as-a-Service (MaaS)
  • Distribution: Phishing emails with malicious attachments, trojanized software from torrent sites.
  • Objective: Mass collection of credentials, cryptocurrency, and other sensitive data.

The MaaS model is a key aspect of this threat. The developers of ChronoStealer are not conducting the attacks themselves; instead, they rent out their malware and infrastructure to other criminals ('subscribers'). This business model allows them to profit while maintaining distance from the direct act of compromise. The subscribers are provided with a web-based control panel to manage their infected machines (bots) and view the stolen data, making the entire operation feel like using a legitimate software product.

Technical Analysis

ChronoStealer is designed for flexibility and stealth.

  • Modularity: The malware has a core credential-stealing engine. Subscribers can purchase additional modules to enhance its capabilities:
    • Cryptocurrency wallet stealer (targeting dozens of wallet types).
    • Keylogger.
    • Screen capture module.
    • Session cookie stealer for popular web services.
  • Initial Access: It is typically distributed through traditional methods: phishing emails with malicious attachments (T1566.001 - Spearphishing Attachment) or bundled with cracked software on torrent sites. The second vector is a user running a trojanized download (T1204.002 - User Execution: Malicious File), not a compromise of a vendor's software supply chain (T1195.002), since no legitimate publisher or distribution channel is subverted; the victim chooses an untrusted source.
  • Process Injection: The malware injects itself into legitimate Windows processes, which hides its activity and complicates removal (T1055 - Process Injection). In ATT&CK terms this is Defense Evasion rather than Persistence: injecting into a running process does not by itself survive a reboot, and this page does not describe a separate reboot-surviving mechanism.
  • Collection: It automatically seeks out and harvests credentials from over 50 different web browsers, FTP clients, and email applications (T1555.003 - Credentials from Web Browsers). These stores are read with the victim's own permissions, so no privilege escalation is needed.
  • Command and Control (C2): ChronoStealer uses the Telegram Bot API (api.telegram.org) for C2 communications and data exfiltration. This is a common evasion technique, as Telegram traffic is encrypted and often allowed on corporate networks, helping the malware's traffic blend in with legitimate activity (T1102.002 - Web Service: Bidirectional Communication). Detection does not require decrypting the traffic: the host name is already visible in the TLS SNI or in the proxy CONNECT request.

Impact Assessment

The proliferation of MaaS platforms like ChronoStealer democratizes cybercrime. It enables individuals with minimal technical skill to launch effective data theft campaigns against a large number of targets. For organizations, this increases the volume and variety of threats they face. A single employee falling victim to a phishing email can lead to the compromise of their corporate credentials, which can then be used for network intrusion, business email compromise (BEC) attacks, or sold to other criminals. For individuals, an infection can lead to the theft of banking credentials, social media accounts, and cryptocurrency, resulting in financial loss and identity theft.

Cyber Observables for Detection

Security teams should monitor for the following indicators:

Type | Value | Description | Context
--- | --- | --- | ---
network_traffic_pattern | Outbound connections to api.telegram.org from any process that is not a sanctioned bot integration | ChronoStealer uses the Telegram Bot API for C2 and exfiltration. The Bot API host is used by bots, not by the regular Telegram clients, which talk MTProto directly to Telegram's data centres, so almost any workstation or server process reaching it deserves a look. Because the malware injects into legitimate processes, the initiating image may itself look benign (a browser, explorer.exe); judge by sanctioned use, not by process name. | EDR network logs, Sysmon Event ID 3, Firewall/Proxy logs (TLS SNI or CONNECT host)
process_access | A non-system process opening a handle to lsass.exe with memory-read rights (for example Sysmon Event ID 10 with PROCESS_VM_READ set in GrantedAccess) | The process name lsass.exe on its own is not an indicator; it is always running. What matters is which process opens it: info-stealers with a credential-dumping component read LSASS memory to extract cached secrets. | EDR logs, Sysmon Event ID 10, Windows Security Event Logs
file_name | *.zip, *.rar | Phishing campaigns distributing ChronoStealer often place the malicious payload inside an archive to evade email scanners that do not unpack attachments. | Email gateway logs, endpoint file creation logs
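The first two rows of the table, turned into a hunt that runs over exported telemetry. This is an added example written for this article, not code from Check Point Research or from the malware: it evaluates Sysmon-style events (Event ID 3 NetworkConnect and Event ID 10 ProcessAccess) for non-sanctioned connections to api.telegram.org and for non-system processes opening lsass.exe with memory-read rights. The allowlists, the monbot.exe integration, the host names and the sample events are all assumptions constructed for illustration.

```python
"""Hunt for the two host-side ChronoStealer observables in Sysmon telemetry.

Added example for this article; not code from Check Point Research or from
the malware.  Checks Sysmon-style events (constructed below) against:
  * Event ID 3  (NetworkConnect): outbound connection to api.telegram.org
    from an image that is not a sanctioned bot integration
  * Event ID 10 (ProcessAccess): a non-system image opening lsass.exe with
    a GrantedAccess mask that includes PROCESS_VM_READ
Allowlists, host names and sample events are assumptions for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

TELEGRAM_API_HOST = "api.telegram.org"
PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory

# Assumption: the only image allowed to use the Telegram Bot API here. The regular
# Telegram desktop client speaks MTProto to Telegram's data centres, not to this
# host, so it needs no entry.
SANCTIONED_TELEGRAM_IMAGES = {r"c:\program files\monbot\monbot.exe"}

# Assumption: system images that open lsass.exe in a clean baseline.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    image: str
    detail: str


def _norm(path: str) -> str:
    """Case-fold a Windows path so allowlist lookups are not case sensitive."""
    return path.strip().lower()


def check_telegram_egress(ev: dict) -> Optional[Finding]:
    """Sysmon EID 3: any non-sanctioned image reaching the Bot API host."""
    if ev.get("EventID") != 3:
        return None
    if _norm(ev.get("DestinationHostname", "")) != TELEGRAM_API_HOST:
        return None
    image = _norm(ev.get("Image", ""))
    if image in SANCTIONED_TELEGRAM_IMAGES:
        return None
    # Do not relax this because the image is a browser or explorer.exe: the
    # stealer injects into legitimate processes, so the image name proves little.
    return Finding("telegram_bot_api_egress", ev.get("Computer", "?"), image,
                   f"-> {TELEGRAM_API_HOST}:{ev.get('DestinationPort', '?')}")


def check_lsass_access(ev: dict) -> Optional[Finding]:
    """Sysmon EID 10: non-system image opening lsass.exe with memory-read rights."""
    if ev.get("EventID") != 10:
        return None
    if not _norm(ev.get("TargetImage", "")).endswith(r"\lsass.exe"):
        return None
    source = _norm(ev.get("SourceImage", ""))
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        # e.g. 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from Task Manager
        return None
    return Finding("lsass_memory_access", ev.get("Computer", "?"), source,
                   f"GrantedAccess={granted:#x}")


CHECKS = (check_telegram_egress, check_lsass_access)


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run every check over every event and collect the hits, in event order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


def hunt_jsonl(text: str) -> List[Finding]:
    """Same, for one JSON object per line (the usual SIEM export shape)."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample telemetry; none of it comes from a real ChronoStealer case.
SAMPLE_JSONL = r"""
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443}
{"EventID": 3, "Computer": "SRV02", "Image": "C:\\Program Files\\MonBot\\monbot.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_crack.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Windows\\system32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "Computer": "WS03", "SourceImage": "C:\\Windows\\system32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
"""

if __name__ == "__main__":
    for finding in hunt_jsonl(SAMPLE_JSONL):
        print(f"[{finding.rule}] {finding.computer}: {finding.image} {finding.detail}")
```

Run it as a script to print the hits, or feed hunt_jsonl() a SIEM export. Two design choices matter: the Telegram check deliberately ignores how legitimate the connecting image looks, because the stealer injects into legitimate processes, and the LSASS check keys on the PROCESS_VM_READ bit in GrantedAccess rather than on the process name, since lsass.exe itself is always running and Task Manager style queries (0x1000) are routine. Against the constructed sample the script reports the browser reaching api.telegram.org and setup_crack.exe reading LSASS, and stays quiet on the sanctioned bot, svchost.exe and Task Manager.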

Detection & Response

  • Egress Traffic Filtering: Block or alert on all outbound connections to api.telegram.org. This host serves the Telegram Bot API, which bots use; the regular Telegram desktop and mobile clients talk MTProto directly to Telegram's data centres and do not need it, so the only exceptions required are sanctioned bot integrations (alerting or chat-ops scripts) on known source hosts. Because the malware injects into legitimate processes, filter by destination rather than by the initiating process name. This is an effective way to disrupt the malware's C2 channel. D3FEND Technique: Outbound Traffic Filtering (D3-OTF).
  • Credential Access Protection: Use endpoint security features (like Windows Defender Attack Surface Reduction rules) to block processes from accessing the LSASS memory, a common technique for credential theft.
  • Email Security: Deploy an advanced email security solution that can scan inside archives and use sandboxing to detect malicious attachments used in phishing campaigns.

Mitigation

  1. User Training: Since phishing is a primary distribution vector, ongoing security awareness training is crucial. Teach users to be suspicious of unsolicited attachments, especially those inside ZIP or RAR files.
  2. Password Managers & MFA: Encourage the use of password managers, which keep credentials out of the browser-managed stores that the core stealer harvests. Enforce MFA on all corporate accounts to limit what a stolen password is worth. Neither measure protects against the session cookie module: a replayed cookie bypasses both the password and MFA, so pair them with short session lifetimes, re-authentication for sensitive actions, and the ability to revoke all sessions of a user after an infection.
  3. Endpoint Protection: Use a modern EDR solution that can detect suspicious behaviors like process injection and credential dumping, rather than just relying on file-based signatures.
  4. Restrict Software Installation: Prevent users from installing unauthorized software, especially from untrusted sources like torrent websites, which are a common source of trojanized malware.

Timeline of Events

January 26, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Modern EDRs can detect the behavioral patterns of info-stealers, such as accessing browser credential stores or LSASS memory.
  • Filtering egress traffic can block the malware's C2 communication, especially to known services like Telegram's API.
  • Training users to spot and report phishing is a key defense against the primary delivery vector.

D3FEND Defensive Countermeasures

To counter ChronoStealer's use of the Telegram API for C2, organizations should implement strict egress filtering policies. On corporate firewalls and web proxies, create a rule to block or, at a minimum, alert on all connections to api.telegram.org; the host name is visible in the TLS SNI or in the proxy CONNECT request, so the rule does not require TLS inspection. Exceptions should be limited to specific source IPs running sanctioned Bot API integrations; the regular Telegram client does not use this host, so for most corporate environments traffic to it from servers or general workstations is highly anomalous. Blocking it cuts off the subscriber's ability to receive stolen data and issue commands over that channel and gives incident responders a clear signal that a host is compromised. It does not remove the implant or recover data exfiltrated before the block took effect, so every hit should be handled as an active infection rather than treated as resolved.

Deploy and enable modern endpoint protection features designed to prevent credential theft. For Windows environments, this includes enabling Attack Surface Reduction (ASR) rules, specifically the rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2). ASR rules require Microsoft Defender Antivirus to be the active antivirus engine, and this rule should be rolled out in audit mode first so that legitimate LSASS readers are found before it is switched to block. Additionally, Windows Defender Credential Guard uses virtualization-based security to move the secrets LSASS would otherwise hold into an isolated process, making them significantly harder for malware to reach. Note the scope of both controls: they protect Windows logon secrets, not the browser, FTP and mail client credential stores that ChronoStealer's core engine reads with the victim's own permissions, so they complement rather than replace the password-manager and egress measures above.

Sources & References

  • A Deep Dive into ChronoStealer: The New Modular Malware-as-a-Service. Check Point Research (research.checkpoint.com), January 26, 2026.
  • 'ChronoStealer' MaaS Lowers the Bar for Data Theft Attacks. Threatpost (threatpost.com), January 26, 2026.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

malware, infostealer, MaaS, Malware-as-a-Service, cybercrime, Telegram, Check Point
