Intel Name: Inside Maranhão Stealer: Node.js-Powered Infostealer Using Reflective DLL Injection
Date of Scan: September 16, 2025
Impact: High
Summary: Maranhão Stealer is spreading through social engineering sites that offer pirated software, cracked games, and cheats, using cloud services for delivery. Written in Node.js and packaged with Inno Setup, it mirrors trends seen in modern stealer campaigns. The malware establishes persistence via Run registry keys and scheduled tasks, hiding its files with system and hidden attributes. It performs in-depth host profiling and uses DLL injection to steal credentials, cookies, browsing history, and wallet data from browsers. Exfiltrated data is sent to attacker-controlled servers through maranhaogang[.]fun APIs for tracking, monitoring, and data theft.