

Meduza Stealer Malware: Russian Authorities Arrest Suspected Operators After Astrakhan Government Data Breach

  • Rescana
  • 2 days ago
  • 6 min read

Executive Summary

Russian law enforcement authorities have arrested three individuals in Moscow and the surrounding region, suspected to be the primary developers and operators of the Meduza Stealer malware. This action follows a significant breach in May 2025, where the group used Meduza Stealer to exfiltrate confidential data from a government institution in Astrakhan, Russia. The malware, which has been active since mid-2023, is a sophisticated information stealer distributed as a malware-as-a-service (MaaS) on Russian-language hacking forums and Telegram channels. It is capable of harvesting credentials, cryptocurrency wallet data, and sensitive information from a wide range of applications and browsers. The group is also linked to the development of additional malware designed to disable security protections and build botnets for large-scale attacks. The arrests mark a notable shift in Russian law enforcement’s approach to domestic cybercrime, particularly when Russian organizations are targeted. This incident underscores the persistent threat posed by advanced infostealers to both public and private sector organizations, especially those handling sensitive or financial data. All information in this summary is directly supported by the cited primary sources.

Technical Information

Meduza Stealer is a Windows-based information-stealing trojan that first appeared in June 2023. It is distributed primarily through Russian-language cybercrime forums and Telegram channels, operating under a subscription-based malware-as-a-service model. Pricing for access to Meduza Stealer ranged from $199 per month to $1,199 for lifetime use, making it accessible to a broad range of cybercriminals (InfoStealers.com, 2025-10-31).

The malware is delivered to victims using various social engineering techniques, including phishing emails and fake Telegram “technical support” bots. For example, in October 2024, a campaign used a fake Telegram bot to distribute Meduza Stealer to users of Ukraine’s government mobilization app (The Record, 2025-10-31). In the Russian incident that led to the arrests, the group used Meduza Stealer to breach a government institution in Astrakhan in May 2025, exfiltrating confidential data from its servers (BleepingComputer, 2025-10-31; InfoStealers.com, 2025-10-31).

Meduza Stealer’s technical capabilities are extensive. It can extract credentials, cookies, browser history, bookmarks, autofill data, and local storage from over 100 browsers, including Chrome, Edge, Firefox, Opera, Brave, and Yandex. The malware targets more than 100 cryptocurrency wallets, both browser-based (such as MetaMask, Trust Wallet, Binance Chain) and desktop applications (such as Exodus, Coinomi, Bitcoin Core). It also targets password managers (1Password, LastPass, Bitwarden, Dashlane, KeePassXC) and two-factor authentication extensions (Authenticator, Authy). Additional targets include messaging apps (Telegram, Discord), gaming platforms (Steam), VPN clients (OpenVPN), email clients (Outlook), and miner-related data.

The malware collects system information, including hardware details (CPU, GPU, RAM), IP address, timezone, screenshots, and lists of installed software, which can be used for victim profiling. Since December 2023, Meduza Stealer has included the ability to "revive" expired Chrome authentication cookies, enabling attackers to take over accounts even after session expiration (BleepingComputer, 2025-10-31; InfoStealers.com, 2025-10-31).
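The capability list above translates into a characteristic host-side pattern: one process, not a browser or wallet application, reading several unrelated secret stores within seconds. The following heuristic, added here as an illustration and not code from the original post or from any vendor, flags that pattern in file-access telemetry; the JSON event schema, field names and allowlist are assumptions, and the log lines are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Windows path patterns for the secret stores an infostealer sweeps. The signal is
# how many *different* categories a single process touches in a short window.
SECRET_STORE_PATTERNS = {
    "browser_logins": re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "browser_cookies": re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "crypto_wallet": re.compile(r"\\(Exodus|Coinomi|Bitcoin)\\", re.I),
    "messenger_session": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
}
# Applications expected to read their own store (assumed allowlist for the example).
ALLOWLIST = {"chrome.exe", "msedge.exe", "exodus.exe", "telegram.exe"}

def classify(path):
    """Map an accessed file path to a secret-store category, or None."""
    for name, pat in SECRET_STORE_PATTERNS.items():
        if pat.search(path):
            return name
    return None

def find_suspicious(log_lines, window=timedelta(minutes=5), min_categories=3):
    """Return {(host, pid, image): [categories]} for non-allowlisted processes
    that read at least min_categories distinct store types inside `window`."""
    events = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        cat = classify(ev["path"])
        if cat is None or ev["image"].lower() in ALLOWLIST:
            continue
        key = (ev["host"], ev["pid"], ev["image"])
        events[key].append((datetime.fromisoformat(ev["ts"]), cat))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window start over each event
            cats = {c for t, c in evs[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                hits[key] = sorted(cats)
                break
    return hits
# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"ts":"2025-05-12T09:00:01","host":"ws1","pid":4120,"image":"chrome.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-05-12T09:01:10","host":"ws1","pid":5532,"image":"update.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-05-12T09:01:11","host":"ws1","pid":5532,"image":"update.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2025-05-12T09:01:13","host":"ws1","pid":5532,"image":"update.exe","path":"C:\\Users\\a\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"ts":"2025-05-12T09:01:15","host":"ws1","pid":5532,"image":"update.exe","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"}
{"ts":"2025-05-12T09:30:00","host":"ws1","pid":7001,"image":"backup.exe","path":"C:\\Users\\a\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
'''.strip().splitlines()
```

Only the unknown `update.exe` process, which touches four store categories in five seconds, is reported; the allowlisted browser and the single-category backup process are not.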

Meduza Stealer is designed to operate stealthily. Upon execution, it checks the victim’s geolocation and aborts if the system is located in a Commonwealth of Independent States (CIS) country, such as Russia, Kazakhstan, or Belarus, to avoid attracting local law enforcement attention (InfoStealers.com, 2025-10-31).

The group behind Meduza Stealer is also believed to have developed additional malware for disabling antivirus protection and building botnets for distributed denial-of-service (DDoS) attacks, although specific names for these tools have not been disclosed (The Record, 2025-10-31; InfoStealers.com, 2025-10-31).

MITRE ATT&CK Mapping: The attack lifecycle of Meduza Stealer aligns with several MITRE ATT&CK techniques. Initial access is typically achieved through phishing (T1566) and malicious link or attachment delivery (T1204). Execution relies on user interaction (T1204.002) and command and scripting interpreters (T1059). Defense evasion includes disabling security tools (T1562.001) and geofencing (T1020). Credential access is achieved through credential dumping (T1003) and stealing web session cookies (T1539). Data is collected from information repositories (T1213) and local systems (T1005), then exfiltrated over command-and-control channels (T1041). The impact includes data theft (T1005) and botnet creation (T1102).

Attribution: The arrested individuals are described as young IT specialists, and law enforcement statements, along with the seizure of computer equipment, mobile devices, and bank cards, provide strong evidence of their involvement. The group is also believed to be behind Aurora Stealer, another infostealer that gained traction in 2022, based on expert analysis and operational patterns (BleepingComputer, 2025-10-31). However, direct technical artifacts linking the two malware families have not been publicly disclosed.

Sector-Specific Implications: The Meduza Stealer incident highlights the risk posed by advanced infostealers to government institutions, financial entities, and private sector organizations. The malware’s broad targeting capabilities increase the risk of credential theft, financial fraud, and unauthorized access to critical systems. The incident also signals a shift in Russian law enforcement’s approach to domestic cybercrime, with increased willingness to pursue actors who target Russian organizations, potentially impacting the broader cybercriminal ecosystem (The Record, 2025-10-31).

Affected Versions & Timeline

Meduza Stealer has been active since June 2023, with distribution and sales on Russian-language forums and Telegram channels. The malware was marketed as a subscription service, with pricing tiers ranging from $199 per month to $1,199 for lifetime access (InfoStealers.com, 2025-10-31). Its technical capabilities have evolved over time, with the addition of features such as the ability to revive expired Chrome authentication cookies in December 2023 (BleepingComputer, 2025-10-31).

The group’s activities came under law enforcement scrutiny following a breach of a government institution in Astrakhan, Russia, in May 2025. This incident led to the opening of a criminal case under Part 2, Article 273 of the Russian Criminal Code, which covers the creation, use, and distribution of malicious software. The arrests were announced on October 31, 2025, following coordinated raids in Moscow and the surrounding region (BleepingComputer, 2025-10-31; The Record, 2025-10-31; InfoStealers.com, 2025-10-31).

Threat Activity

The Meduza Stealer group has been active since at least mid-2023, distributing their malware as a service to other cybercriminals. The malware has been used in attacks targeting both Russian and international organizations, including government, financial, and private sector entities. Notable campaigns include the use of phishing emails impersonating industrial automation companies and the distribution of the malware via fake Telegram bots targeting users of Ukraine’s government mobilization app (The Record, 2025-10-31).

The group’s operational security measures included geofencing to avoid infecting systems in CIS countries, a common tactic among Russian-speaking cybercriminals to evade local law enforcement. Despite this, the group targeted a Russian government institution in Astrakhan in May 2025, leading to their identification and arrest (InfoStealers.com, 2025-10-31).

In addition to Meduza Stealer, the group developed other malware designed to disable antivirus protection and build botnets for large-scale DDoS attacks. These tools were used to facilitate further attacks and maintain persistence within compromised environments (The Record, 2025-10-31).

The group’s activities demonstrate a high level of technical sophistication and adaptability, with the ability to target a wide range of applications and data types. Their use of a malware-as-a-service model enabled other threat actors to leverage Meduza Stealer in their own campaigns, amplifying the impact of the malware across multiple sectors.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Organizations should immediately review endpoint security controls and ensure that all systems are protected by up-to-date antivirus and endpoint detection and response (EDR) solutions capable of detecting and blocking Meduza Stealer and similar infostealers. Network monitoring should be implemented to detect suspicious outbound connections to known command-and-control infrastructure associated with infostealers.

High: User awareness training should be conducted to educate employees about phishing techniques, social engineering, and the risks associated with opening unsolicited email attachments or interacting with unknown Telegram bots. Multi-factor authentication (MFA) should be enforced for all critical accounts, and password managers should be configured to require strong, unique passwords.

Medium: Regularly update and patch all operating systems, browsers, and applications to reduce the attack surface for malware delivery. Implement application whitelisting to prevent unauthorized execution of unknown binaries.

Low: Review and restrict the use of browser extensions and third-party applications, particularly those related to cryptocurrency wallets and password managers. Conduct periodic security assessments and penetration testing to identify and remediate potential vulnerabilities.

If an infection is suspected, immediately isolate affected systems from the network, conduct a thorough forensic analysis, and reset all credentials that may have been compromised. Report incidents to relevant authorities and share indicators of compromise (IOCs) with trusted partners.

References

BleepingComputer, "Alleged Meduza Stealer malware admins arrested after hacking Russian org" (October 31, 2025): https://www.bleepingcomputer.com/news/security/alleged-meduza-stealer-malware-admins-arrested-after-hacking-russian-org/

The Record, "Meduza Stealer malware suspected developers arrested in Russia" (October 31, 2025): https://therecord.media/meduza-stealer-malware-suspected-developers-arrested-russia

InfoStealers.com, "Russian authorities bust Meduza infostealer developers: young hackers detained in major cybercrime crackdown" (October 31, 2025): https://www.infostealers.com/article/russian-authorities-bust-meduza-infostealer-developers-young-hackers-detained-in-major-cybercrime-crackdown/

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and partners. Our platform supports the identification of emerging threats, facilitates rapid incident response, and helps organizations maintain compliance with industry standards. For questions or further information, please contact us at ops@rescana.com.
