Analytics Story: 0bj3ctivity Stealer

Description

0bj3ctivity Stealer is an information-stealing malware designed to extract sensitive data from infected endpoints. It commonly targets web browsers, messaging applications, cryptocurrency wallets, and local system files to gather stored credentials, cookies, autofill data, and session tokens. The malware often arrives via phishing emails, malicious attachments, cracked software, or drive-by downloads. Upon execution, 0bj3ctivity Stealer attempts to evade detection by operating from user profile or temporary directories and by using obfuscation to disguise its activity. Persistence is typically established through registry run keys or scheduled tasks, so that it remains active after system reboots. Detection relies primarily on endpoint monitoring of abnormal process behaviour, including unauthorized access to browser storage files, creation of unusual persistence artifacts, and suspicious outbound network connections. Analysts may also identify compressed or encrypted data being exfiltrated to remote command-and-control (C2) infrastructure. Timely detection is critical, as a successful infection can result in credential theft, financial fraud, or deployment of additional malware.
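The three endpoint behaviours the description singles out (a non-browser process opening a browser credential store, a value written under a Run key, and execution from a user profile or temporary directory) can be expressed as simple rules over process, registry and object-access telemetry. The following is an added example, not code from this analytic story or from Splunk Security Content: it applies those three rules to a handful of constructed Sysmon/Security-style events. The field names follow Sysmon (EventID 1, 13) and Windows Security event 4663 conventions; the paths, SIDs and event values are invented for the demonstration.

```python
"""
Added example (not part of the analytic story): a small detector that applies
the behaviours described above to constructed Sysmon/Security-style events.
Field names follow Sysmon EventID 1/13 and Security 4663; all values are made up.
"""
import re
from dataclasses import dataclass

# Files that hold browser credential material (Chromium-based browsers and Firefox).
BROWSER_STORE_PATTERNS = [
    re.compile(r"\\User Data\\(Default|Profile \d+)\\Login Data$", re.I),
    re.compile(r"\\User Data\\Local State$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]
# Processes legitimately expected to open those files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Run / RunOnce locations used for persistence (any hive, any bitness view).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Launch locations that are unusual for legitimately installed software.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply each rule to one event dict and return the findings it produces."""
    findings = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    proc = image_name(image)

    # Rule 1: a non-browser process touching a browser credential store (Security 4663).
    if eid == 4663:
        obj = event.get("ObjectName", "")
        if any(p.search(obj) for p in BROWSER_STORE_PATTERNS) and proc not in BROWSER_IMAGES:
            findings.append(Finding("browser_credential_store_access", proc, obj))

    # Rule 2: a value written under a Run/RunOnce key (Sysmon EventID 13).
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        findings.append(Finding("run_key_persistence", proc, event["TargetObject"]))

    # Rule 3: a process started from a user-writable location (Sysmon EventID 1).
    if eid == 1 and USER_WRITABLE_RE.search(image):
        findings.append(Finding("execution_from_user_writable_dir", proc, image))

    return findings


def run(events: list) -> list:
    """Evaluate every event and collect the findings in event order."""
    out = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


# Constructed sample telemetry (not real logs; paths and SID are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 4663, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: Chrome opening its own Login Data file.
    {"EventID": 4663, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: a program launched from Program Files.
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.process:14} {f.detail}")
```

Each rule on its own is noisy (installers write Run keys, backup agents read profile directories); the value comes from correlating them on the same process, as the sample does, where one image triggers all three. Tuning the allow-list of browser images and the user-writable locations to the environment is expected before using anything like this in production.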

Why it matters

During analysis, 0bj3ctivityStealer was observed executing from a user profile directory, indicating likely delivery via a phishing attachment or trojanized software. Once active, the malware began enumerating system information and targeting browser credential stores, extracting cookies, saved passwords, and session tokens. Telemetry revealed unauthorized access attempts to directories belonging to Chrome and Edge, followed by data compression and encryption routines. Network monitoring detected abnormal HTTPS POST requests containing encoded payloads destined for a known 0bj3ctivityStealer command-and-control server. Persistence was established through registry modifications, ensuring execution on system reboot. The malware continued to operate silently, exfiltrating harvested data at regular intervals. Correlation with threat intelligence confirmed the activity matched 0bj3ctivityStealer campaigns seen in underground marketplaces, where stolen data is often sold or leveraged for further compromise. Without intervention, this activity would likely lead to unauthorized account access, financial theft, and potential secondary infections from additional malware dropped post-exfiltration.

Detections

| Name | Technique | Type |
|------|-----------|------|
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Potential Telegram API Request Via CommandLine | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| Randomly Generated Scheduled Task Name | Scheduled Task | Hunting |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Scheduled Task Creation on Remote Endpoint using At | At | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Scheduled Task with Suspicious Name | Scheduled Task | TTP |
| Windows Time Based Evasion via Choice Exec | Time Based Evasion | Anomaly |
| Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly |
| Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP |
| Windows DNS Query Request by Telegram Bot API | DNS, Bidirectional Communication | Anomaly |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly |


Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 15 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 3