
The Obj3ctivity Stealer malware has emerged as a significant cybersecurity threat in 2025. Delivered via phishing emails, it targets sensitive information with advanced evasion techniques and multifaceted attack methods.
Trellix Advanced Research Center (ARC) observed a novel campaign delivering 0bj3ctivity Stealer via phishing emails disguised as quote requests. Discovered earlier this year by HP Wolf Security experts, Obj3ctivity Stealer employs a carefully crafted infection chain.
Victims are lured into downloading custom JavaScript hosted on cloud services such as Mediafire. The script runs to over 3,000 lines, of which only 60 lines are functional code; the rest is obfuscation that hides a PowerShell payload.
The malware uses steganography techniques to deploy subsequent stages, masking malware within image files to evade detection.
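Hiding a stage inside an image file does not change the file's structural layout: a PNG still ends at its IEND chunk and a JPEG at its EOI marker, and anything appended after that point is a cheap triage signal. The following added example (not code from Trellix, HP Wolf Security or the article) walks both formats properly rather than searching for a trailing marker, so an EOI belonging to an embedded EXIF thumbnail is not mistaken for the end of the outer image. The sample carriers, the 64-byte threshold and the text/binary split are constructed for this example.

```python
import struct
import zlib
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# A few stray bytes after an image are common; a large blob is not.
# Constructed threshold for this example, tune per environment.
MIN_SUSPICIOUS_TAIL = 64


def png_structural_end(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the offset just past IEND's CRC.
    Returns None if the chunk structure is malformed or truncated."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_structural_end(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments and return the offset just past EOI (FF D9).
    Entropy-coded data after SOS is skipped segment-aware, so an EOI inside an
    APP1 thumbnail is not taken for the end of the outer image."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0xFF:  # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: skip entropy-coded bytes (FF 00 is stuffing)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def inspect_image(data: bytes) -> Dict[str, object]:
    """Report how many bytes follow the image's structural end and whether that
    tail looks like text (an encoded script, say) or binary."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_structural_end(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_structural_end(data)
    else:
        return {"format": "unknown", "trailing_bytes": 0, "tail_kind": None, "suspicious": False}
    if end is None:
        return {"format": fmt, "trailing_bytes": 0, "tail_kind": "malformed", "suspicious": False}
    tail = data[end:]
    printable = sum(1 for b in tail if 32 <= b < 127 or b in (9, 10, 13))
    kind = None if not tail else ("text" if printable / len(tail) > 0.9 else "binary")
    return {"format": fmt, "trailing_bytes": len(tail), "tail_kind": kind,
            "suspicious": len(tail) >= MIN_SUSPICIOUS_TAIL}


# Constructed sample carriers for testing; not real malware samples.
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 grayscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def minimal_jpeg() -> bytes:
    """A structurally valid (not decodable) JPEG: SOI, APP0, SOS, scan, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # the stuffed FF 00 must not be read as a marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    print(inspect_image(minimal_png()))
    print(inspect_image(minimal_png() + b"SGVsbG8=" * 30))
    print(inspect_image(minimal_jpeg() + bytes(range(256))))
```

Run it over a quarantine folder of attachments or downloaded images; a `text` tail of several kilobytes behind a tiny image is worth a second look, while a malformed result usually means the file was never a real image at all.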
Once installed, the malware injects the final payload into legitimate processes, such as Regasm.exe, using advanced process hollowing techniques. It focuses on stealing system information, browser data, credentials, cryptocurrency wallet details, and even sensitive files from chat applications like Telegram and Signal.
The malware communicates one way only with its command and control (C2) infrastructure, sending stolen data out via Telegram bots and SMTP.
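The two behaviours above, a hollowed Regasm.exe and one-way exfiltration over Telegram bots or SMTP, are more useful together than apart: Regasm.exe normally receives an assembly path and has no reason to talk to the Telegram API or a mail server. The added example below (this editor's code, not Trellix's or the article's) correlates Sysmon-style process-creation and network-connection records by ProcessGuid. The event layout, the parent-process lists and the sample events are constructed for this example.

```python
from typing import Dict, List

# The article names RegAsm.exe as a hollowing host; the set is a single entry
# here and is meant to be extended per estate.
HOLLOW_HOSTS = {"regasm.exe"}
# Script interpreters that have no business launching RegAsm.exe (example choice).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SMTP_PORTS = {25, 465, 587}
TELEGRAM_API = "api.telegram.org"


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def launched_without_args(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the executable path.
    RegAsm.exe is normally given an assembly to register, so a bare launch is
    the classic sign that the image is only a shell for injected code."""
    return cmdline.strip().strip('"').lower() == image.lower()


def analyze(events: List[Dict]) -> Dict[str, List[str]]:
    """Correlate process-create (EventID 1) and network (EventID 3) records by
    ProcessGuid; return the reasons collected for each suspicious process."""
    alerts: Dict[str, List[str]] = {}
    hosts: Dict[str, Dict] = {}
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) in HOLLOW_HOSTS:
            hosts[ev["ProcessGuid"]] = ev
            reasons = alerts.setdefault(ev["ProcessGuid"], [])
            if launched_without_args(ev["Image"], ev["CommandLine"]):
                reasons.append("launched without arguments")
            parent = basename(ev["ParentImage"])
            if parent in SCRIPT_HOSTS:
                reasons.append(f"spawned by script host {parent}")
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in hosts:
            reasons = alerts.setdefault(ev["ProcessGuid"], [])
            host = str(ev.get("DestinationHostname", "")).lower()
            port = int(ev.get("DestinationPort", 0))
            if host.endswith(TELEGRAM_API):
                reasons.append("outbound connection to Telegram bot API")
            if port in SMTP_PORTS:
                reasons.append(f"outbound SMTP connection on port {port}")
    return {guid: r for guid, r in alerts.items() if r}


# Constructed sample telemetry: one legitimate build-time use, one hollowed host.
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": NET_DIR + r"\RegAsm.exe",
     "CommandLine": '"' + NET_DIR + r'\RegAsm.exe" /codebase C:\build\Component.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": NET_DIR + r"\RegAsm.exe",
     "CommandLine": '"' + NET_DIR + r'\RegAsm.exe"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "DestinationHostname": "smtp.example.net", "DestinationPort": 587},
    {"EventID": 3, "ProcessGuid": "{guid-1}", "DestinationHostname": "nuget.example.net", "DestinationPort": 443},
]

if __name__ == "__main__":
    for guid, reasons in analyze(SAMPLE_EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

Each reason on its own is a weak signal (a developer does occasionally run RegAsm from a PowerShell prompt); scoring them per process rather than firing on any single one keeps the rule usable on a busy build host.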
Obj3ctivity Stealer’s other techniques include sandbox detection and execution flow obfuscation via techniques such as junk code, control flow flattening, and randomized names for variables, functions, classes, and namespaces.
This malware analysis highlights the increasing complexity of infostealers, which now prioritize stealth, versatility, and scalability, and this combination makes Obj3ctivity Stealer a severe risk to enterprises and individuals alike.
With the malware already observed in government institutions and manufacturing companies, predominantly in the U.S., Germany, and Montenegro, as well as in some cases in Europe, Southeast Asia, and Australia, cybersecurity teams are urged to intensify their monitoring and protection efforts.
This month, an eSentire cybersecurity report highlighted how identity-centric threats relying on infostealers dominate the modern cybercrime landscape. Meanwhile, a new infostealer emerged, as Octalyn Stealer targeted VPN configurations and cryptocurrency wallets.