❗Since mid-December, researchers at Spamhaus have observed an uptick in activity from GCleaner (a.k.a. OnlyLogger) malware. Here we can see GCleaner is clearly active, dropping Stealc malware…
Researchers are seeing two variants of GCleaner, with different infrastructure and URLs for the first request:
1️⃣ A loader - packed with common packers like Dave packer
2️⃣ Impersonating BroomCleaner (as OnlyLogger impersonated GCleaner)
In the example shared, GCleaner is impersonating BroomStealer, and using a library embedded in the NSIS installer to perform the requests.
Is anyone else seeing this activity? Please share your insights in the comments 👇
👀 We'll keep you updated, as we learn more.
#Malware #GCleaner #Stealc #OnlyLogger #BroomStealer #ThreatIntel #ThreatHunting
