
Bitcoin Price Slides Below $90,000 – Is A Retest Of The November Lows Near?

Bitcoin (BTC) is retesting a crucial support area after its price slid 5% from the recent highs and fell below the $90,000 barrier. Some analysts have suggested that the cryptocurrency’s structure remains intact, but warned that it must bounce quickly or risk retesting the November lows.

Bitcoin Retests $88,000 After Rejection

On Friday, Bitcoin lost the recently reclaimed $90,000 level, falling to a key support area before stabilizing. The flagship crypto has been attempting to recover from the November market correction, which sent its price to a seven-month low of $80,600.

Since reaching its local lows two weeks ago, the cryptocurrency has traded within a macro re-accumulation range, between $82,000 and $93,500, attempting to break out of this zone on Wednesday, when it reached a multi-week high of $94,150.

However, as the first week of December approaches its end, BTC has lost the upper area of its local range again, falling below its monthly open and tapping the $88,000 support.

Amid the drop, analyst Ted Pillows noted that BTC has been struggling to reclaim the $94,000 resistance, adding that price “wants to go lower here before another breakout attempt.” Therefore, he suggested that a bounce back from the $88,000-$89,000 support zone is likely.

Altcoin Sherpa affirmed that the ongoing retest would confirm whether the recent bounce was “just lower highs and price is going lower or if we actually have any juice to bounce to like 100k or something.”

The analyst outlined two potential outcomes. In the first scenario, the flagship crypto would retrace to the $87,000-$89,000 area and bounce above the $93,000-$94,000 resistance levels.

In the second scenario, Bitcoin would continue to move sideways below the local resistance before eventually sliding to the November lows and potentially lower levels. Per the analysis, the leading cryptocurrency must bottom quickly, or it will risk the second outcome.

BTC Shows Shallowing Pullback Tendency

Analyst Rekt Capital also pointed out that Bitcoin continues to face rejection from the range high resistance. However, he considers that investors should not worry as long as the pullback isn’t as big as the previous ones.

If “the rejection is shallower than the previous two, then this resistance will continue to weaken until eventually breached,” he explained, adding that “as long as this weakening continues, BTC should be able to finally breach this resistance over time & try to challenge the multi-week Downtrend above.”

Earlier this week, the analyst affirmed that BTC’s consolidation structure will remain intact as long as Bitcoin closes the week above the range lows. He also noted that its Macro Downtrend, which “has been dictating resistance throughout this phase of the cycle,” remains the dominant structural barrier and the level to break.

As the price stabilized between the $88,500-$89,350 area, the analyst added that today’s retracement “continues to be a shallower pullback than the previous two,” which keeps the range “‘retrace shallowing’ tendency” intact.

He noted that Bitcoin could technically drop into the ascending two-week support trendline, or tap the $86,000 level and still perform a shallower correction than the recent 10% drop.

As of this writing, Bitcoin is trading at $89,400, a 2.9% decline in the daily timeframe.


Solana Eyes Major Resistance After $140 Reclaim, But Analyst Questions SOL’s Strength

As the market rebounds, Solana (SOL) is retesting a crucial area that has served as resistance since the November pullbacks. Some market watchers suggest that a short-term rally is likely, while others have highlighted potential signs of weakness.

Solana Eyes $144 Resistance

Solana is attempting to turn the $140 area into support while nearing a key local resistance for the third time in a month. The cryptocurrency has been trading between the $120-$144 levels since mid-November, struggling to hold the high zone of its local range amid the recent market volatility.

Last week, it bounced 10% toward the $140-$144 area but plunged to the range lows after Sunday’s correction, hitting a one-week low of $123 on Monday. As a result, it tested an ascending trendline that has served as support since 2023.

Ali Martinez explained that during the pullbacks, SOL has retested this key support trendline. Notably, each time the cryptocurrency has tapped this trendline, it has registered strong rebounds in the following months, suggesting that the price could rally more than 80% in the mid-term if this support holds.

Following Tuesday’s market rebound, SOL climbed back to the range’s highs, attempting to break above the local range once more. Market observer More Crypto Online affirmed that Wednesday’s rejection from $144 was expected, as it has been a strong resistance for weeks.

The trader considers that investors should not worry as long as the mid-zone of its range, between the $134-$139 levels, holds as support. “It’s not really a breakdown yet; we just have a first sharp pullback,” he affirmed, emphasizing that there’s no evidence that bears are taking the lead.

He noted that breaking below the mid-zone of its range would open the door to a retest of the recent lows and potentially risk a drop to the $117 area or lower. Nonetheless, if bulls take the lead and reclaim the $144 level as support, it will open the door to a retest of higher levels, including the $163 level, where the major next sell wall for SOL is situated.

Is SOL’s Crucial Support Weakening?

Meanwhile, Rekt Capital shared an analysis on longer timeframes, pointing out that Solana has been moving within a clear macro range, situated between the $123 and $296 levels, in the monthly timeframe, clustering in this area since early 2024.

Per the analyst, the cluster has been developing for an extended period, and the potential for distribution and its function as a re-accumulation structure decreases the longer it continues.

Despite this, he emphasized that the focus is on the 21-month horizontal support level. As the analysis noted, Solana recorded a 140% rally during the first major rebound from this region in Q3 and Q4 2024.

In the second rebound from this support, which started in Q3 2025, SOL saw a significantly smaller rally, surging around 100% to its September local high. Now, the cryptocurrency is rebounding from this level, which could confirm a decreasing trend for the altcoin and raise the alarm about its strength.

“While it is positive to see this rebound, if the move turns into a weaker rebound than the previous ones, then questions will arise regarding the strength of this support,” Rekt Capital asserted.

To prevent this, Solana must breach the one-year downtrend or the multi-week downtrend on the weekly timeframe. “Failing to break either of these trendlines would produce a smaller rally because the prior rebound — the one that rallied around 100% — would fall short and reject from these downtrends instead.”

The analyst concluded that a sequence of progressively smaller bounces “would imply increasing weakness into that support, which in turn would favour the potential for distribution in Solana over time.”


Bitcoin (BTC) Price In A ‘Vulnerable Technical Environment’ – Key Levels To Watch

Bitcoin (BTC) began the week dropping nearly 10% from the recent highs and retesting the $84,000 area before bouncing. As price risks more downside with early bear market signals, a market observer suggested that the upcoming weeks will be crucial for BTC’s future path.

Bitcoin Holds Key Weekly Range

Last week, Bitcoin led the brief market recovery, surging from its seven-month low of $80,600 toward the $93,000 area, retesting a key weekly re-accumulation range between these two levels. However, the Sunday correction sent the price back to the range lows, raising concerns about the flagship crypto’s short-term future.

Analyst Rekt Capital highlighted that BTC is stabilizing within its weekly range, holding its position above the $82,000 range low. This area marks the top of an early 2025 liquidity cluster that developed around the 50-Week EMA, where the price has tapped with three downside wicks over the past month.

“Last week’s Weekly Close above the Range Low enabled a relief move toward $93,500,” the analyst explained, “but that level acted as clean resistance,” after Friday’s rejection. To the analyst, maintaining stability around the weekly range lows is important because further downside wicking into the cluster is probable.


However, he noted that the consolidation structure remains intact as long as BTC’s price continues to hold above the range low in the weekly timeframe. Rekt Capital added that Bitcoin continues to trade below a sharply declining Macro Downtrend that “has been dictating resistance throughout this phase of the cycle.”

Per the analysis, “A breakout soon would require reclaiming higher price levels, whereas a later attempt would meet the trendline at lower valuations, narrowing the distance between the current price and resistance.”

“In either case, the Macro Downtrend remains the dominant structural barrier, and Bitcoin’s path forward depends on whether consolidation near the Weekly Range Low can bring price closer to a meaningful test of this sharply descending level,” he continued.


BTC’s Vulnerable Technical Environment Raises Alarms

Rekt Capital also highlighted that BTC remains below the 21-Week EMA and 50-Week EMA, which could pose a problem for its future price action as the distance between these moving averages continues to narrow.

As he detailed, when these EMAs compress and ultimately cross, it tends to precede further downside. Although it usually takes weeks after the crossover for price acceleration to “fully unfold,” it still implies that the crossover risk is increasing.

The two EMAs currently represent potential resistance levels on future relief attempts, with the 50-Week EMA retest “leaving room for a future rejection if price revisits it.”

This position, the analyst explained, places BTC in a “vulnerable technical environment” as “the convergence of the EMAs toward the Macro Downtrend creates a layered zone of resistance that will be difficult to overcome unless price can reclaim one of these moving averages and stabilise above it.”

Until Bitcoin successfully turns one of the EMAs into support, “the structure resembles the early-stage clustering seen in prior cycles where EMAs compressed before a broader bearish continuation,” the analyst concluded.

As of this writing, Bitcoin is trading at $88,294, a 2.3% increase in the daily timeframe.


Zcash (ZEC) Leads Market Pullback With 24% Drop, Analysts Warn Of Another Crash Ahead

As the whole crypto market bled, Zcash (ZEC) started December with a massive one-day pullback, leading the losses among top cryptocurrencies. While some market observers suggest that the altcoin is positioned for a major move, others have warned that the price risks another major correction in the coming weeks.

Zcash Loses Key Support Levels Amid Crash

Following the late Sunday market correction, Zcash has lost crucial levels and fallen to one-month lows. Over the past three months, the cryptocurrency has seen a parabolic rally, surging over 1,775% to its all-time high (ATH) of $750 in early November.

Since its ATH rally, the altcoin has been trading within the $440-$720 levels, bouncing between the range’s upper and lower boundaries amid the recent market volatility. However, the end-of-November pullback saw ZEC’s price unsuccessfully retest its key support area, closing the day below this area for the first time in nearly a month.

After losing this zone, Zcash continued to drop below other key support levels, breaking down the $400 barrier and hitting a local low of $328 on Monday morning before bouncing to the $340 area.

Amid this performance, some market observers warned that the altcoin could be in trouble and further bleeding may occur in the coming weeks. Sjuul from AltCryptoGems highlighted that ZEC registers the biggest price drops in the weekly and daily timeframes, with declines of 40.2% and 24%, respectively.

The analyst previously pointed out that the cryptocurrency lost its uptrend after falling below the EMA200, recording “a perfect bearish retest followed by a strong rejection” last week. As a result, Sjuul suggested that if Zcash did not reclaim the key moving average, the cryptocurrency would be positioned for a breakdown to lower support levels.

Similarly, Altcoin Sherpa considers that ZEC could drop another 30%-40% to the $200 area after losing the crucial $440 support. Nonetheless, he added that the price will likely see short-term bounces during its retracement.

ZEC’s Correction: Nothing To Worry About?

Mert Mumtaz, Helius co-founder and CEO, affirmed that a correction after a 700% rally “is normal,” adding that the privacy token “looks great” on higher timeframes. Notably, the cryptocurrency still shows 700% and 485% increases on the three-month and one-year timeframes.

The CEO also highlighted Zcash’s strengths: “privacy is not a narrative, private money is the entire purpose of crypto,” suggesting that the altcoin is positioned to challenge other leading cryptocurrencies like XRP in the future.

Meanwhile, another pseudonymous market watcher considers that Zcash is preparing for a big move despite the correction. According to X analyst Make Sense, the cryptocurrency is at a make-or-break level after falling to the $320 mark, its first major support area below the November range.

If ZEC holds the current range, the price could reclaim its recently lost range and bounce to its $500-$600 mid-range. On the contrary, if it loses its current levels, the cryptocurrency could retest the $280 and even $200 area, he affirmed, before a trend reversal.

“This is where market makers decide the next trend: bounce early → mid-range rally or deep sweep → full trend reversal. Either way, volatility is about to explode,” he explained.

As of this writing, Zcash is trading at $338, a 20% decline in the monthly timeframe.


Will Bitcoin (BTC) End 2025 In Green? November Close May Hold The Key

While the crypto market bounces from last week’s correction, Bitcoin (BTC) is attempting to reclaim a crucial area as support to continue its recovery rally. As the flagship crypto faces some resistance, some market watchers have suggested that this week’s close may be key for its end-of-year performance.

Bitcoin Faces Rejection Ahead Of November Close

Bitcoin has retested a crucial resistance level for the first time in a week, hitting a one-week high of $93,092 on Friday morning before retracing. The flagship crypto has failed to hold crucial support levels throughout the November corrections, trading below $100,000 for nearly two weeks.

A week ago, BTC plunged below $90,000 during the latest market correction, reaching a seven-month low of $80,600. However, the cryptocurrency led this week’s broader recovery, reclaiming key levels over the past few days.

Amid its recent performance, some market observers have noted that Bitcoin is currently retesting a crucial re-accumulation region, between $82,000 and $93,000, where the price consolidated after previous pullbacks, including the Q1 market correction.

Analyst Rekt Capital highlighted that BTC rebounded more than 7% from the local bottom and has revisited the range high resistance during Friday’s recovery. Now, Bitcoin is attempting to hold the high zone of its local range, retesting the $90,000-$91,000 area as support after being rejected from the key resistance.

Previously, he pointed out that last week’s weekly close aligned with the flagship crypto’s monthly range, setting the stage for a potential floor around the $86,000 area, which would develop a new range between this level and the $93,000 resistance.

To the analyst, Bitcoin must close the week, which also coincides with November’s monthly close, above $93,500 and turn this level into support if it wants to further build on its newfound momentum and potentially revisit its two-month downtrend line, which currently sits near the $96,000 mark.

“The ~$93500 level happens to be a Four-Year Cycle level. History suggests price should be able to find a way to 12-month close above ~$93500 to finish 2025 green,” Rekt Capital added on X.

$98,000 Rally or $88,000 Drop Next?

Market watcher Ted Pillows discussed BTC’s short-term future as it faces some resistance around the $92,000-$93,000 levels. To the analyst, reclaiming this area could propel the price towards the $98,000-$100,000 barrier in the coming weeks.

On the contrary, he suggested that failing to reclaim this level will send Bitcoin’s price below the $88,000 mark. Earlier this week, Ted warned that this was one of the most important levels to reclaim and hold as support in the short term, as a rejection from this area could trigger a significant drop below the recent lows.

Similarly, Daan Crypto Trades noted that the constant sell-off of the past few weeks has created “a ton of marginally lower highs, creating such a big liquidity pocket” between the $97,000-$98,000 zone.

This region also aligns with key horizontal price levels in bigger timeframes, making it a “good area to watch,” as BTC continues to consolidate in a relatively tight range.

The trader considers that if BTC’s price breaks down, the $88,000 mark could be a good place for a higher low. However, if the price holds above the $91,800 level, it may trigger another retest of the $93,000 resistance.

Ultimately, he warned that the market could likely see a “Choppy environment in the short-term surrounding Thanksgiving, which always sees pretty low volume & liquidity.”

As of this writing, Bitcoin is trading at $90,500, a 1.1% decline in the daily timeframe.


Katz Stealer | Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a feature-rich infostealer marketed and operated as Malware-as-a-Service (MaaS). It was launched in early 2025 and quickly garnered attention within the infostealer landscape.

The stealer includes robust credential and data discovery with theft capabilities as well as modern evasion and anti-analysis features. It is used to exfiltrate a broad range of personal or sensitive information including passwords, cryptocurrency keys, private messaging tokens, browser session data and more.

Katz Stealer is marketed through popular cybercrime forums as well as more broad networks (Telegram and Discord) and provides its subscribers with a web-based management panel. This interface is used to generate custom payloads, manage stolen data and logs, and perform other high-level campaign management. The turnkey nature of the Katz Stealer service, along with accessible pricing, have led to rapid adoption by threat actors across the spectrum of capability. In this post, we provide an overview of Katz Stealer’s general functionality and infrastructure.

Katz Stealer v0.1 advertisement on BreachForums (April 2025)

Marketing & the MaaS Platform

Katz Stealer operates as a commercially distributed MaaS (Malware-as-a-Service) platform. Similar to RaaS operations, the developers of Katz Stealer offer the service to their “affiliates” or “customers” for an up-front fee. Affiliates are provided with access to a web-based management panel, which they can use to generate and configure custom builds of the stealer payloads.

Katz Stealer Panel (v0.3)

Various payload options can be toggled on or off during the build process, including checks for Virtual Machine hosts and different theft modules. The delivery format of the payload can be configured here as well. In addition, the panel functions as the data back-end for the stealer, allowing stolen victim data to be processed and searched. Attackers are also able to export and package stolen data in multiple ways, making it convenient for extortion purposes.

Katz Stealer Panel – Data management

Katz Stealer is marketed on many web-based crime forums as well as on its own portal site.

Katz Stealer – Seller forum post

The sellers highlight the robustness of support that Katz has for stealing from numerous applications and data types. The following feature set is currently advertised for Katz Stealer:

Katz Stealer – advertised feature set

The stealer is also heavily advertised across Telegram and Discord communities. The sellers accept payment in most stable cryptocurrencies (BTC, XMR). As of this writing, pricing for access to Katz Stealer was as follows:

6 Months – $480.00 USD
3 Months – $270.00 USD
1 Month – $100.00 USD

Katz Stealer pricing (RU crime forum)
Katz Stealer marketing on main Katz Stealer portal (July 2025)

Infection & Evasion Tactics

Katz Stealer leverages a multi-stage infection chain. Katz campaigns most frequently start with malicious archive files (.gz) delivered to the victim via phishing email or trojanized downloads. These emails (or malicious downloads) contain an obfuscated JavaScript dropper. The JavaScript code is highly obfuscated and subjected to multiple transformations in an effort to evade static analysis.

Obfuscated JavaScript – Katz Stealer dropper

When executed, the JavaScript dropper launches a PowerShell command, often with the -WindowStyle Hidden flag, to further evade user detection. This PowerShell script downloads what appears to be a harmless image file from a remote server. However, the image is weaponized using steganography. Analysis reveals the image contains a base64-encoded string embedded between specific markers. These markers can vary across samples.

The image below shows an example of a Katz Stealer ‘stego image’ “new_image.jpg”. The markers delineating the base64-encoded sections in this sample (0fad38ab91d5676378265405b4f42d98e475c44c) are <<INICIO>> and <<FIM>>. The script scans the image for these markers, extracts the string, and decodes it entirely in memory, ensuring that no malicious payload is written to disk at this stage.

Markers embedded in image file with base64-encoded Katz Stealer code
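For analysts triaging a suspect download, the marker pair described above is an easy thing to check for without ever running the decoded content. The following Python script is an added example written for this post, not SentinelOne code or anything recovered from a Katz Stealer sample: it scans a file for marker-delimited base64 sections, validates the encoding, and records only metadata (offset, length, SHA-256 of the encoded text, whether the decoded bytes carry a PE header). The `<<INICIO>>`/`<<FIM>>` pair comes from the sample discussed above; the `SAMPLE_IMAGE` bytes and the placeholder string inside them are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import re

# Marker pair seen in the sample discussed above. Other samples use different
# strings, so extend this list from your own triage notes.
MARKER_PAIRS = [(b"<<INICIO>>", b"<<FIM>>")]


def find_embedded_base64(data: bytes, pairs=MARKER_PAIRS):
    """Locate every marker-delimited section in `data` and describe it.

    The decoded bytes are inspected only for a PE ('MZ') header and hashed; nothing
    is written to disk or executed, so this is safe to run over suspect downloads."""
    findings = []
    for start_marker, end_marker in pairs:
        pos = 0
        while True:
            start = data.find(start_marker, pos)
            if start == -1:
                break
            end = data.find(end_marker, start + len(start_marker))
            if end == -1:
                break
            # Droppers sometimes wrap the text, so whitespace is removed before validation.
            section = re.sub(rb"\s+", b"", data[start + len(start_marker):end])
            try:
                decoded = base64.b64decode(section, validate=True)
                valid = len(section) > 0
            except (binascii.Error, ValueError):
                decoded, valid = b"", False
            findings.append({
                "markers": (start_marker.decode(), end_marker.decode()),
                "offset": start,
                "encoded_length": len(section),
                "valid_base64": valid,
                "decoded_length": len(decoded),
                "decoded_is_pe": decoded.startswith(b"MZ"),
                "encoded_sha256": hashlib.sha256(section).hexdigest(),
            })
            pos = end + len(end_marker)
    return findings


def is_suspicious_image(data: bytes) -> bool:
    """A file that carries image magic *and* a valid base64 section between known
    markers is treated as a stego-dropper candidate."""
    looks_like_jpeg = data.startswith(b"\xff\xd8\xff")
    looks_like_png = data.startswith(b"\x89PNG\r\n\x1a\n")
    return (looks_like_jpeg or looks_like_png) and any(
        f["valid_base64"] for f in find_embedded_base64(data))


# Constructed sample: JPEG magic, filler bytes, then a marker-delimited base64 section
# holding a harmless placeholder string. It is not a real Katz Stealer artifact.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32
    + b"<<INICIO>>" + base64.b64encode(b"placeholder payload") + b"<<FIM>>"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_IMAGE
    for finding in find_embedded_base64(blob):
        print(finding)
    print("suspicious:", is_suspicious_image(blob))
```

Run it with a file path to triage a real download, or with no arguments to see the output for the constructed sample. The hash of the encoded section is a convenient pivot for matching the same embedded payload across differently named images.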

Once the payload is decoded, Katz Stealer leverages a User Account Control (UAC) bypass by abusing cmstp.exe, a legitimate Windows utility, to gain elevated privileges. It then establishes persistence by creating a scheduled task, ensuring that the malware survives system reboots.

The third stage Katz Stealer payload is the .NET loader responsible for final geofencing and anti-analysis checks prior to further execution. Katz Stealer checks the local system’s locale settings, keyboard layout and default language settings in an effort to exclude execution within CIS (Commonwealth of Independent States) countries such as Russia, Belarus and other former Soviet Union states.

Additionally, the malware performs a series of checks to determine if it is being executed within a virtual or sandbox/analysis environment. It reads various BIOS identifiers from the Windows registry looking for strings related to common VM platforms (e.g., VirtualBox, VMware). Default screen resolution and system uptime are also checked, as these are useful indicators of analyst or researcher environments.

The next stage of the infection spawns the main Katz Stealer module, via process hollowing, within MSBuild.exe (Microsoft Build Engine). First, Katz Stealer drops a dummy INF file, then invokes cmstp.exe to execute it. This is a well-established UAC bypass technique, and it allows attackers to fully bypass UAC without triggering prompts or requiring additional user interaction.

The malware also establishes persistence at this time by creating a scheduled task. The task is set to trigger upon every system restart. The main module is executed within MSBuild.exe via process hollowing. The prior-stage loader spawns an instance of MSBuild.exe, reserving a section of memory to implant and execute the main Katz Stealer module. Running in this context, elevated and within the privileged memory space of MSBuild.exe, the malware is able to operate with SYSTEM-level access hidden from surface-level detection tools.

Once active, Katz Stealer injects itself into target processes to begin harvesting data. Katz is heavily focused on browser data, and multiple browsers are supported. Rather than intercepting existing user browser sessions, Katz launches the targeted browser processes in headless mode, which ensures it remains hidden from the user. A specialized DLL (written to disk by the dropper in %temp%) is injected into the headless browser process, allowing the malware to fully access sensitive browser data in an elevated context.
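Each step of the chain just described (script host spawning hidden PowerShell, cmstp.exe launched with an INF, a scheduled task set for system start, MSBuild.exe started by an unexpected parent, a browser launched headless) leaves a process-creation event that a defender can alert on. The following Python detector is an added example written for this post, not SentinelOne or Katz Stealer code; it assumes a constructed pipe-delimited log format (`timestamp|parent_image|image|command_line`, in the spirit of a Sysmon Event ID 1 export), and the `EXPECTED_MSBUILD_PARENTS` allowlist, rule names and all sample log lines are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one record of the constructed 'ts|parent|image|cmdline' format used here."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcessEvent(ts, parent.lower(), image.lower(), cmdline)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Assumed allowlist of parents that legitimately launch MSBuild.exe; tune per environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}
# PowerShell accepts abbreviated parameter names, so '-w hidden' is matched as well.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden")


def evaluate(ev):
    """Return the names of every rule the event matches (empty list if none)."""
    cmd = ev.command_line.lower()
    hits = []
    if ev.parent_image in SCRIPT_HOSTS and ev.image == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_powershell_from_script_host")
    # cmstp.exe consuming an INF outside an interactive explorer.exe session
    if ev.image == "cmstp.exe" and ".inf" in cmd and ev.parent_image != "explorer.exe":
        hits.append("cmstp_inf_launch")
    # Persistence that fires on every boot, as the post describes
    if ev.image == "schtasks.exe" and "/create" in cmd and "onstart" in cmd:
        hits.append("scheduled_task_onstart")
    if ev.image == "msbuild.exe" and ev.parent_image not in EXPECTED_MSBUILD_PARENTS:
        hits.append("msbuild_unexpected_parent")
    if ev.image in BROWSERS and "--headless" in cmd:
        hits.append("browser_headless_launch")
    return hits


def scan(lines):
    """Run every rule over a list of log lines; returns (1-based line number, rule) pairs."""
    results = []
    for number, line in enumerate(lines, start=1):
        for rule in evaluate(parse_event(line)):
            results.append((number, rule))
    return results


def distinct_rules(results):
    """Single rules also fire on legitimate admin or developer activity; several
    distinct rules firing on one host in a short window is the stronger signal."""
    return {rule for _, rule in results}


# Constructed process-creation records, not real telemetry. Lines 1-6 mimic the chain
# described above; lines 7-8 are benign developer and user activity.
SAMPLE_LOG = [
    r"2025-07-01T10:00:01Z|explorer.exe|wscript.exe|wscript.exe C:\Users\alice\Downloads\invoice.js",
    r"2025-07-01T10:00:02Z|wscript.exe|powershell.exe|powershell.exe -WindowStyle Hidden -c <placeholder>",
    r"2025-07-01T10:00:05Z|powershell.exe|cmstp.exe|cmstp.exe /s C:\Users\alice\AppData\Local\Temp\profile.inf",
    r"2025-07-01T10:00:06Z|powershell.exe|schtasks.exe|schtasks.exe /create /sc onstart /tn Updater /tr C:\Users\alice\AppData\Local\Temp\loader.exe",
    r"2025-07-01T10:00:09Z|loader.exe|MSBuild.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    r"2025-07-01T10:00:12Z|MSBuild.exe|chrome.exe|chrome.exe --headless --user-data-dir=C:\Users\alice\AppData\Local\Google\Chrome\User Data",
    r"2025-07-01T11:30:00Z|devenv.exe|MSBuild.exe|MSBuild.exe C:\src\app\app.sln /t:Build",
    r"2025-07-01T11:31:00Z|explorer.exe|powershell.exe|powershell.exe",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for number, rule in hits:
        print(f"line {number}: {rule}")
    print("distinct techniques observed:", len(distinct_rules(hits)))
```

The rules are deliberately narrow on the parent/child relationship rather than on file names, because the dropper, INF and loader names vary between campaigns while the lineage described in the post does not.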

Infostealer Features

Katz Stealer is capable of stealing files, tokens and credentials from nearly every common application or service that a typical user might have. The infostealer can harvest data from all commonly used web browsers (Chrome, Edge, Brave, Firefox and various Chromium- and Gecko-based offshoots). Saved passwords, login session cookies, saved session tokens and autofill data (including stored credit card CVV data) are all targeted. Katz also has the ability to decode encrypted browser data in some cases, as detailed in the next section.

Messaging and gaming platforms are also targeted, including the harvesting of gaming session tokens and user account data from secure messenger platforms (e.g., Discord, Telegram), along with credentials for well-known gaming sites and communities like Steam.

WiFi & Steam credential harvesting in Katz Stealer

In addition, Katz Stealer targets a wide range of email, FTP, and VPN clients. The malware parses and extracts stored messages and credentials from Outlook, Windows Live Mail, Foxmail, Eudora and other mail clients. Katz extracts and logs any configuration files and stored credentials related to VPN clients, FTP software and known WiFi networks.

Katz Stealer also has the ability to capture screenshots (scheduled or ad-hoc), audio and video. It monitors clipboard activity for strings that resemble passwords, passkeys and cryptocurrency wallet addresses. Attackers often combine these features to capture one-time passcodes or other time-sensitive info displayed on the screen of the targeted system(s). Finally, Katz Stealer is heavily focused on cryptocurrency wallets. Private keys, wallet files, and discovered seed phrases are all captured for a wide array of cryptocurrency wallets.

Browser Injection Process and Encryption Bypass

Data stored by web browsers (passwords, autofill data, cookies) is a primary target for Katz Stealer. The malware is able to bypass some modern browser security measures. Once the Katz Stealer DLL is injected into a browser process, the infostealer can extract sensitive data using the browser’s own security context and available APIs.

This allows Katz Stealer to bypass some encryption barriers that attempt to obfuscate sensitive data. For Chromium-based browsers, Google has introduced (in 2024) ABE (Application Bound Encryption), which ties the decryption of stored passwords and cookies to the logged-in OS user. Katz Stealer is able to defeat this by programmatically masquerading as the browser once injected. The malware locates the browser’s “Local State” file (which is responsible for storing the master encryption key for the logged-in user’s browser session data) and uses the Windows cryptography API to decrypt that key.

With the plaintext master key now available, the malware can subsequently decrypt all saved passwords and cookies from the browser’s SQLite databases. These extracted keys are saved to disk as text files (e.g., decrypted_chrome_key.txt) in the current user’s %APPDATA% folder.

Katz Stealer stored browser key data (text files)

These stored files can be called upon for later use should the infostealer need to decrypt further or new browser session data. This technique appears to be borrowed (at least partially) from the open-source project ChromeKatz, which allows the dumping of Chrome credentials via similar methods of impersonation within the browser.

Open-source ChromeKatz project

For Firefox and other Mozilla/Gecko-based browsers, Katz Stealer locates Firefox’s profile directories and harvests the core files that contain all the browser user and session information. This includes saved usernames and passwords (logins.json) along with the databases that hold decryption keys for all the local logins (key4.db). By collecting all the raw logins, keys, and session data, the attacker can crack or decrypt the passwords offline.

Cryptocurrency Theft Features

Katz Stealer searches the victim’s filesystem for any files related to modern desktop cryptocurrency wallet applications. The malware targets data from multi-coin wallets like Exodus and Coinomi, as well as specific wallet data pertaining to Dash, Dogecoin, Litecoin, Monero (XMR), Bitcoin and Ethereum. The stealer uses a combination of known file paths, folder names, and extensions to locate relevant data. Once identified, the malware copies wallet files, private keys, and backed-up seed phrases to its own temporary folder.

Katz Stealer is also capable of stealing data from individual crypto-based browser extensions. Katz Stealer contains over 150 specific browser extension “IDs” which correspond to cryptocurrency wallet extensions (e.g., MetaMask, Phantom, Binance). The malware scans the browser’s extension data for these IDs, and when found, gathers all relevant files and data such as extension logs, wallet vault files, and any cached seed phrases. For more hardened browsers like Brave, Katz contains tailored code which can locate Brave’s wallet data as well, and process it directly.

C2 and Network Behavior

Once a victim is successfully infected, Katz Stealer establishes an active and persistent C2 channel. Each instance of the stealer contains a hardcoded C2 IP address. Upon infection, the malware calls out to the C2 and identifies itself via a campaign-unique ID.

The malware continues to beacon out to the C2 server to ensure a consistent and available connection. In the event the C2 is unreachable, the implant continues to beacon to the C2 until connectivity can be established, or some sort of termination command is received. Most analyzed Katz Stealer samples contain hardcoded C2 IP addresses as opposed to more ‘resilient’ options like DNS-centric C2 communications.

C2 IP address in Katz Stealer implant

The bulk of C2 communications within Katz Stealer are IP-based, with HTTP/HTTPS used for the primary functions. There are multiple attacker-controlled domains used to control the main malware infrastructure and host the MaaS components with the management panels.

Katz Stealer is not a ‘one shot’ infostealer; it is designed to continually exfiltrate the victim’s data. The malware not only extracts data found on a targeted system at the point of infection but also data that is updated, changed, or freshly introduced afterwards. Credentials, tokens, and plain text data may be sent line-by-line via HTTP POST to the C2 servers. Larger data blocks like screenshots, audio-visual data and cryptocurrency wallets are transferred via similar methods, but broken up into chunks which are then reconstructed on the server side.

Once the malware operators have determined that the stealer has harvested all targeted and desired data, they are able to invoke steps to remove traces of the incident. The malware removes all temporary files and folders used to store locally harvested data; any output logs or temporary data files are wiped and all injected processes are terminated, removing the malicious code from memory.

Conclusion

Katz Stealer represents a potent combination of credential theft and modern malware design. It has multi-faceted stealing abilities across browsers, messaging systems and crypto data, along with stealthy delivery methods (in-memory staging, pseudo-steganography, process injection and hollowing). This feature set and low barrier to entry are driving a notable increase in Katz Stealer use and an overall rise in the adoption of this tool as a viable infostealing platform.

However, Katz Stealer still relies on social engineering and user interaction to enable a successful compromise. This is a malicious mix of old and new. The SentinelOne Singularity is capable of detecting and preventing malicious behaviors and artifacts associated with Katz Stealer.

Indicators of Compromise

Files SHA-1
0076795b220fa48c92b57994b015119aae8242ca
0c1f2ee0328e0ed7e4ec84ef452bffa1749f5602
17ce22264551bd32959790c4c2f57bec8304e2ce
1976a1a05a6a47ac33eb1cfc4e5a0eb11863f6eb
1b6b072df8f69a47fd481fa9be850c0063fd5b93
1d5ef46357eb2298b1c3c4faccbaafa729137613
1ee406eb68ab92bad77cf53df50c4ce6963e75fd
26e089bed61c0d89e5078f387bd55dd5895d4fc0
29daa866c85fc1e302c40a73bc2a0772aa285295
2f2ced67e87101f4d1275456f0861209809492fc
3cf4f3ababa912e0e6bb71ab5abb43681d8e7ecc
47ea1c41f79f775f0631191ee72852c1bfb61a7e
4e69cb16a3768733d94bb1b5d8f1556d0bddd09b
4eeda02db01cdf83948a83235c82e801522efa54
5179dbf5e9fd708f6e6df8b4913f21c3b78d5529
5492947d2b85a57f40201cd7d1351c3d4b92ae88
571b3681f7564236b7527d5b6fe14117f9d4de6d
5de014856702b9f1570944e8562ce283f7cd0a64
6351b5505dc671d143d5970eb08050d2f7344149
680984e43b76aa7a58ed9b617efe6afcb1f04bb7
6d88a5f0021278c2c3a56c177f39f4a31f286032
76bb7ffe523f594308ecd482db4f32047905c461
80f1b8b27833db614d3f7c2a389aceb033b8ce80
82dc7c0ca39f114c333caae9a6931a2a1c487ee5
8c2422ebab77a0de81d2e46e1326d8912b099018
9becb041aedc7c6aafeb412b4b91788e1df65b38
9c60a2b4764b7b5e3a6c7f20036490a539996d8a
a0717a486b4e037871c4657cf353cd298f13601f
b3d574dfb561f5439930e2a6d10917f3aa58c341
b40e56439d4dcdc238b8254adbd8862c73ca34bc
b61f92613dc911609b78a1e83c5baadc7e289dbc
b744179d3304d1e977e680502d201b7df49cb188
bbf2a5fdb039366b3f9eca603bf08ae92c43c0ef
cc800e4977d76c38656f3f60c5ed5f02df6a2f7b
ce19aa5eb7fce50dd94b5f740d162f8d9b057fde
da5ed6b939f51370709f66cbf0d8201ec8cd58b0
dffc1167399631ed779b5698d0ac2d9ea74af6c8
dffddd2fb7b139d2066284c5e0d16909f9188dc2
e26d65d8c25b0be7379e4322f6ebcadecbb02286
e78f942ca088c4965fcc5c8011cf6f9ee5c2a130
fb4792306f2cf514e56bc86485920b8134954433

Network Communications
172.67.146[.]103
185.107.74[.]40
195.182.25[.]71
31.177.109[.]39
80.64.18[.]219
katz-panel[.]com
katz-stealer[.]com
katzstealer[.]com
pub-ce02802067934e0eb072f69bf6427bf6.r2[.]dev
twist2katz[.]com
Zxczxczxczxc.twist2katz[.]com
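Because most samples carry a hardcoded C2 address and the panel domains are known, the network indicators above are directly usable for retrospective hunting in DNS and proxy logs. The following Python script is an added example written for this post, not SentinelOne tooling: it refangs the defanged list exactly as published here, separates IPs from domains, and matches hosts from log records while handling the two pitfalls that bite naive string matching (subdomains of a listed domain must match; a domain that merely ends with the same characters must not). The `SAMPLE_LOGS` records and their two line formats (`ts client DNS <name>` and `ts client <METHOD> <url>`) are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators copied from the IoC list in this post.
DEFANGED_IOCS = """
172.67.146[.]103
185.107.74[.]40
195.182.25[.]71
31.177.109[.]39
80.64.18[.]219
katz-panel[.]com
katz-stealer[.]com
katzstealer[.]com
pub-ce02802067934e0eb072f69bf6427bf6.r2[.]dev
twist2katz[.]com
Zxczxczxczxc.twist2katz[.]com
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator):
    """Undo the defanging used in published IoC lists (e.g. '[.]' for '.')."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Split a defanged IoC block into a set of IPv4 addresses and a set of domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        (ips if IPV4.fullmatch(value) else domains).add(value)
    return ips, domains


def lookup(host, ips, domains):
    """Return the matching indicator for a host, or None.

    Domains match exactly or as a parent of the queried host; a plain suffix test
    would wrongly flag 'notkatz-panel.com', so the separator dot is required."""
    host = host.lower().rstrip(".")
    if host in ips or host in domains:
        return host
    for domain in domains:
        if host.endswith("." + domain):
            return domain
    return None


def host_from_record(line):
    """Extract the queried or contacted host from the constructed log formats:
    'ts client DNS <name>' and 'ts client <METHOD> <url>'."""
    _ts, _client, kind, target = line.split(maxsplit=3)
    if kind == "DNS":
        return target
    return urlsplit(target).hostname or ""


def match_logs(lines, ips, domains):
    """Return (1-based line number, matched indicator) for each line touching an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        indicator = lookup(host_from_record(line), ips, domains)
        if indicator:
            hits.append((number, indicator))
    return hits


# Constructed DNS and proxy records, not real telemetry. The last line is a
# look-alike that must not match.
SAMPLE_LOGS = [
    "2025-07-02T09:12:00Z 10.0.0.21 DNS katz-panel.com",
    "2025-07-02T09:12:01Z 10.0.0.21 POST http://katz-panel.com/api/upload",
    "2025-07-02T09:12:02Z 10.0.0.33 GET https://pub-ce02802067934e0eb072f69bf6427bf6.r2.dev/new_image.jpg",
    "2025-07-02T09:12:03Z 10.0.0.21 DNS zxczxczxczxc.twist2katz.com",
    "2025-07-02T09:12:04Z 10.0.0.21 POST http://185.107.74.40/gate",
    "2025-07-02T09:13:00Z 10.0.0.45 GET https://example.com/index.html",
    "2025-07-02T09:13:05Z 10.0.0.45 DNS notkatz-panel.com",
]

if __name__ == "__main__":
    ips, domains = load_iocs(DEFANGED_IOCS)
    for number, indicator in match_logs(SAMPLE_LOGS, ips, domains):
        print(f"line {number}: {SAMPLE_LOGS[number - 1]}  ->  {indicator}")
```

Feed the refanged sets into a DNS sinkhole or proxy blocklist as well; the point of keeping the indicators in their published defanged form in the source is that the list can be refreshed by pasting the next advisory verbatim.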

OSINT
Usernames:

  • Katzadmin
  • KatzStealer
  • @katzst
  • @katzcontact
  • @katzadmin

qTOX ID:

375AB62BD333F80905E612DB71BEE06660C40F00AAF393FD7F8605DF5761E47670B6578C9410
