A new threat actor by the name Magnat has been discovered, spreading different types of malware including backdoor and malicious Chrome extensions and information stealers. There are two previously unknown malware families that are often delivered together in these campaigns. Magnat is believed to be the author of these new families.

What has happened?

Researchers from Talos have recently discovered a malicious campaign offering fake installers of popular software to unsuspecting users.
  • The attackers deliver multiple malware in distribution campaigns that began in late 2018 and mostly targeted Canada, facing around 50% of total infections, followed by Australia, the U.S., and some EU countries.
  • The attackers’ motive behind the attack is financial gain by selling stolen credentials, fraudulent transactions, and remote desktop access to systems.
  • The campaign uses malvertising as an initial vector to target users interested in downloading popular software.

The different types of malware

The attackers deploy three types of final payloads in almost all malware campaigns.
  • Two commodity password stealers Azorult and Redline.
  • MagnatBackdoor, a backdoor that configures targeted systems for RDP access, adds a new user, sets a scheduled task, and creates an outbound SSH tunnel that forwards the RDP service.
  • MagnatExtension, a chrome extension installer, has multiple features for stealing data from a web browser, capturing screenshots, a form grabber, keylogger, arbitrary JavaScript executor, and cookie stealer.


Magnat is delivering multiple payloads and may pose a serious security threat to enterprises. Such threats are very effective and require multiple layers of security measures for protection, such as cybersecurity awareness sessions, network filtering, and endpoint protection, among others.

Cyware Publisher