securityonline.info 2/10/2026, 1:00:57 AM

Marco Stealer: The New “Data Raider” Targeting Crypto & Cloud Storage

Marco Stealer is a new information-stealing malware that Zscaler ThreatLabz describes as first observed in June 2025. It is aimed at harvesting data from browsers, cryptocurrency extensions, and local files. It methodically builds a dossier on its victims, collecting system details such as the operating system version, hardware ID, IP address and geographical location to prioritise high-value targets.

The malware’s primary goal is financial gain. It focuses on browser data and “cryptocurrency wallet information from browser extensions”, raiding the storage of popular extensions to steal private keys. It also hunts for “sensitive files (both locally and from cloud services)”, specifically targeting Dropbox and Google Drive, which raises the risk for corporate environments.

To stay hidden, it employs anti-analysis techniques, including encrypted strings that are decrypted only at runtime and the termination of analysis tools like Wireshark, x64dbg and Process Hacker. When exfiltrating data, Marco Stealer encrypts the bundle with AES-256 in CBC mode, using a unique key generated by hashing a hardcoded value, and posts it to a C2 server via HTTP, according to Zscaler ThreatLabz.
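A defender-side check for the tool-termination behaviour described above, as an added example that is not from the article or from Zscaler ThreatLabz: it flags any process that requests terminate rights on two or more of the named analysis tools within one minute. The Sysmon-style event shape, the executable names, the paths and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executable names for the tools the article names (lower-cased).
ANALYSIS_TOOLS = {"wireshark.exe", "x64dbg.exe", "processhacker.exe"}
PROCESS_TERMINATE = 0x0001  # Windows access right required to kill a process

def ev(time, src, dst, access):
    return {"time": time, "SourceImage": src, "TargetImage": dst, "GrantedAccess": access}

# Constructed paths and events, shaped like Sysmon Event ID 10 (ProcessAccess).
DROPPED = r"C:\Users\a\AppData\Local\Temp\upd.exe"
ADMIN = r"C:\Tools\admin.exe"
WS = r"C:\Program Files\Wireshark\Wireshark.exe"
DBG = r"C:\Tools\x64dbg\x64dbg.exe"
PH = r"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
SAMPLE_EVENTS = [
    ev("2026-02-10T01:00:01", DROPPED, WS, "0x1"),
    ev("2026-02-10T01:00:02", DROPPED, DBG, "0x1"),
    ev("2026-02-10T01:00:03", DROPPED, PH, "0x1"),
    ev("2026-02-10T01:00:05", r"C:\Windows\explorer.exe", DBG, "0x1000"),  # query only
    ev("2026-02-10T01:00:00", ADMIN, WS, "0x1"),   # one tool now ...
    ev("2026-02-10T01:10:00", ADMIN, DBG, "0x1"),  # ... another ten minutes later
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_tool_killers(events, min_tools=2, window=timedelta(seconds=60)):
    """Map each source image to the analysis tools it asked to terminate,
    if it targeted >= min_tools distinct tools inside one time window."""
    hits = defaultdict(list)
    for e in events:
        tool = basename(e["TargetImage"])
        # Full-access masks such as 0x1fffff also carry the terminate bit.
        if tool in ANALYSIS_TOOLS and int(e["GrantedAccess"], 16) & PROCESS_TERMINATE:
            when = datetime.fromisoformat(e["time"])
            hits[e["SourceImage"].lower()].append((when, tool))
    flagged = {}
    for src, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            tools = {t for ts, t in seen[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                flagged[src] = sorted(tools)
                break
    return flagged

if __name__ == "__main__":
    print(find_tool_killers(SAMPLE_EVENTS))
```

Because full-access handle requests also match, expect to allow-list endpoint security agents before alerting on this in production.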

Article by CyberSIXT