Masslogger malware steals Discord and other passwords in "fileless" attack


Security researchers have discovered a malware campaign targeting Windows systems that attempts to steal login credentials from several popular applications, including Discord, Outlook, all major web browsers, and NordVPN. The malware does this through a multi-step "fileless" attack scheme.

Vanja Svajcer, a researcher at Cisco Talos, detailed the malware in a blog post, stating that it is a variant of an existing Trojan horse called Masslogger.

"While the behavior of the Masslogger Trojan has been documented previously, we have found that the new campaign is notable for using a compiled HTML file format to start the infection chain," Svajcer explained.

And while the malware launches its attacks from within system memory (it is fileless), the delivery of the payload relies on a tried and true vector: phishing emails, a longtime (and easily avoidable) staple of malicious actors.

The infection is hidden within a compressed RAR archive "with a slightly unusual filename extension" that is delivered to the target as an email attachment. Once the archive is opened, a series of steps is initiated to inject the malware into volatile memory (system RAM).
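Because the archive arrives under an extension that does not match its real type, a defender's triage should look at the attachment's leading bytes rather than its name. The routine below is an added example (not code from the Talos post or from Masslogger) that identifies RAR archives and compiled HTML (CHM) files by their signatures and flags any whose extension disagrees; the attachment samples are constructed for the example.

```python
"""Triage e-mail attachments by content rather than by filename."""
from typing import Optional

# Fixed leading bytes of the formats in this campaign:
# RAR 4.x, RAR 5.x, and CHM (the "ITSF" header).
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar",
    b"Rar!\x1a\x07\x01\x00": "rar",
    b"ITSF": "chm",
}

# Extensions under which each format is normally delivered.
EXPECTED_EXT = {"rar": {"rar"}, "chm": {"chm"}}


def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if not one we track."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment: detected format, declared extension, verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = identify(data)
    if fmt is None:
        verdict = "unknown"   # not a RAR or CHM; outside this check's scope
    elif ext in EXPECTED_EXT[fmt]:
        verdict = "review"    # archive/CHM with an honest extension
    else:
        verdict = "flag"      # real type hidden behind an unrelated extension
    return {"file": filename, "format": fmt, "ext": ext, "verdict": verdict}


# Constructed samples (hypothetical names): a RAR5 header under a neutral
# extension, an honestly named CHM, and an ordinary text file.
SAMPLES = [
    ("sample_01.bin", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
    ("help.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 8),
    ("notes.txt", b"plain text\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(triage(name, blob))
```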

Svajcer notes that both home and business users are at risk, and that the increased awareness of, and focus on, the more prominent ransomware attacks now makes it easier for this type of malware to slip under the radar.

"It is important to keep in mind that criminal actors are still active and can cause significant damage to organizations by stealing user credentials. The credentials themselves have value on the dark web, and actors sell them for money or use them in other attacks," Svajcer wrote.

Interestingly, this version of Masslogger also has a keylogger component, but it has been disabled. Keyloggers and user credential theft are usually closely related.

The latest Masslogger campaign began a month ago, and Cisco Talos believes that, at least for now, it is focused on organizations in Turkey, Latvia, and Italy. In the past, this security organization has observed similar campaigns using earlier versions of Masslogger around the world.

This campaign is easy to avoid because it relies on phishing emails.
