MicroStealer Evades Detection With Electron-to-Java Payload Chain
New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.
A newly documented infostealer called MicroStealer is spreading rapidly while flying under the radar of most security tools. Researchers at ANY.RUN observed the malware in over 40 sandbox sessions within a single month, yet signature-based detection remains minimal. The stealer's unusual delivery mechanism—chaining NSIS installers to Electron apps to Java payloads—appears designed specifically to frustrate static analysis.
MicroStealer targets the usual high-value data: browser credentials, session cookies, cryptocurrency wallet extensions, and Discord tokens. But its multi-stage architecture and aggressive obfuscation set it apart from commodity stealers flooding criminal markets.
The Delivery Chain
The infection begins with a file named RocobeSetup.exe, an NSIS installer that masquerades as legitimate software. Rather than dropping a traditional executable, this installer contains an Electron application called Game Launcher.exe.
Here's where things get unusual. The Electron app doesn't contain the malicious payload directly. Instead, it extracts and executes a Java JAR file (soft.jar) using an embedded Java Runtime Environment bundled with the installer. This JRE independence means victims don't need Java installed—the malware brings its own.
Threat actors distribute MicroStealer through compromised or impersonated social media accounts, lending credibility to download links. The malware's website delivers payloads hosted on Dropbox and Discord's content delivery network, both commonly abused due to their trusted reputation scores.
This layered approach serves multiple purposes. Each technology transition—NSIS to Electron to Java—creates opportunities to evade detection. Security tools optimized for analyzing PE executables may miss malicious behavior buried in JavaScript or Java bytecode. The architecture also complicates manual reverse engineering.
What MicroStealer Steals
Once executing, MicroStealer systematically harvests credentials across multiple categories.
Browser data forms the primary target. The malware extracts saved passwords, cookies, and session data from Chromium-based browsers including Chrome, Edge, Brave, and Vivaldi. It uses Windows DPAPI decryption to unlock protected credential stores—a technique shared with more established stealers like Lumma and Vidar.
Cryptocurrency wallets receive special attention. MicroStealer targets browser extensions for MetaMask, Phantom, and Trust Wallet, extracting seed phrases and private keys. Desktop wallet applications including Exodus, Electrum, and AtomicWallet are also harvested for wallet files.
Discord exploitation goes beyond simple token theft. The malware injects JavaScript code into Discord's desktop client using Webpack injection and Chrome DevTools Protocol, allowing it to intercept authentication tokens and monitor user activity in real time. This persistence survives Discord restarts. The technique mirrors what we've seen in larger credential theft operations—stolen tokens from infostealers fuel account compromises like the Instagram mass account leak that exposed millions of users.
System reconnaissance profiles victims to assess value. MicroStealer queries Steam and Discord accounts to determine if the target owns valuable game inventories or maintains high-value social connections—a triage step that may influence how operators prioritize stolen data.
Evasion Techniques
The malware employs multiple layers of obfuscation. The Node.js component uses LZ-String compression to obscure strings, while the Java module is protected by ZKM (Zelix KlassMaster) v21.0.0, a commercial obfuscator rarely seen in commodity malware.
Virtual machine detection terminates execution in analysis environments. The malware checks for processes associated with VMware, VirtualBox, and QEMU and exits if any are found, so a sample detonated in an undisguised virtual machine can quit before any stealer behavior is recorded. Behavioral indicators therefore have to come from runs in which those guest artifacts are masked, and static signatures have little to work with because the payload is split across three obfuscated formats.
For persistence, MicroStealer creates a Windows Task Scheduler entry with an ONLOGON trigger and a 5-second delay—just enough time for the user session to initialize before the stealer begins harvesting.
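The persistence entry described above is easy to hunt for on disk: Task Scheduler stores each task as an XML file under C:\Windows\System32\Tasks, and a logon trigger with a delay of a few seconds is unusual for legitimate software. The following is an added example, not code from the ANY.RUN report; it parses that XML format (constructed samples are embedded below, and the 30-second threshold and the command paths are assumptions).

```python
"""Flag scheduled tasks that run shortly after logon, as MicroStealer's persistence does.

Added example; not code from the ANY.RUN report. Task definitions are stored
as XML under C:\\Windows\\System32\\Tasks. This parses such XML (constructed
samples below) and flags enabled logon triggers whose delay is at or below a
threshold. The 30-second threshold, file names and command paths are assumptions.
"""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as written by Task Scheduler, e.g. PT5S, PT15M, P1DT2H.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample mirroring the article: logon trigger, 5-second delay,
# action pointing at the dropped Electron app (the path is an assumption).
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT5S</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Local\\Game Launcher\\Game Launcher.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a vendor updater that waits 15 minutes after logon.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT15M</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def duration_seconds(text):
    """Convert a Task Scheduler duration (PT5S, PT1M, P1DT2H) to whole seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def short_delay_logon_triggers(task_xml, max_delay=30):
    """Return one finding per enabled logon trigger whose delay is <= max_delay seconds."""
    root = ET.fromstring(task_xml)
    commands = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    findings = []
    for trig in root.findall(".//t:Triggers/t:LogonTrigger", NS):
        enabled = trig.findtext("t:Enabled", default="true", namespaces=NS)
        delay = trig.findtext("t:Delay", default="PT0S", namespaces=NS)
        if enabled.strip().lower() != "true":
            continue
        secs = duration_seconds(delay)
        if secs <= max_delay:
            findings.append({"delay_seconds": secs, "commands": commands})
    return findings


def scan_task_directory(tasks_dir, max_delay=30):
    """Walk an on-disk task tree and collect findings keyed by task file path.

    Real task files are UTF-16 with an XML declaration; passing raw bytes lets
    expat honour the declared encoding.
    """
    results = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = short_delay_logon_triggers(fh.read(), max_delay)
            except (OSError, ET.ParseError, ValueError):
                continue
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, short_delay_logon_triggers(xml_text))
```

Run `scan_task_directory(r"C:\Windows\System32\Tasks")` from an elevated prompt to sweep a live host; the threshold is deliberately generous so that tasks using a delay of PT0S or PT5S surface together, and the command path in each finding is what you then triage (a user-writable AppData path is far more suspicious than one under Program Files).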
Exfiltration and C2
Stolen data leaves victim systems through dual channels: Discord webhooks and attacker-controlled servers. The malware identifies itself using the User-Agent string "MicroStealer/1.0" in initial beacon requests—a surprising lack of operational security that may indicate less sophisticated operators or rapid development.
A hardcoded Steam API key (440D7F4D810EF9298D25EDDF37C1F902) enables victim profiling, allowing operators to check Steam inventory values before deciding whether to monetize stolen credentials.
Detection and Defense
Traditional signature-based detection is failing against MicroStealer. Behavior-based analysis in sandbox environments like ANY.RUN reveals the complete attack chain, but organizations relying solely on endpoint protection may miss infections.
Defenders should monitor for:
- NSIS installers spawning Electron applications
- Unexpected Java processes with network activity
- Discord client modifications or injected code
- Task Scheduler entries with suspiciously generic names
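The first three bullets and the "MicroStealer/1.0" beacon described under Exfiltration and C2 can be turned into concrete detection logic. The following is an added example, not code from the ANY.RUN report: it walks a constructed, Sysmon-like event stream (process creations with parent links, plus network connections) to find a java.exe launched beneath an Electron-style host that was itself spawned by an installer, and scans constructed proxy log lines for the beacon User-Agent and Discord webhook POSTs. The heuristics (an Electron host is a process whose same-image children carry `--type=`, a bundled JRE is java.exe under a user-writable path, an installer is a `*setup*.exe` or `*install*.exe` in a user directory) and all paths and log lines are assumptions.

```python
"""Correlate process and HTTP telemetry for the NSIS -> Electron -> Java chain and the beacon.

Added example; not code from the ANY.RUN report. EVENTS and PROXY_LOG are
constructed. Heuristics are assumptions, not published signatures for this family.
"""
import ntpath
import re

# Constructed process/network events modelled on the chain in the article.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\victim\Downloads\RocobeSetup.exe", "cmdline": "RocobeSetup.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Game Launcher\Game Launcher.exe", "cmdline": '"Game Launcher.exe"'},
    {"type": "process", "pid": 301, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Game Launcher\Game Launcher.exe", "cmdline": '"Game Launcher.exe" --type=gpu-process'},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Game Launcher\resources\jre\bin\java.exe", "cmdline": "java.exe -jar soft.jar"},
    {"type": "network", "pid": 400, "dest": "discord.com:443"},
    # Benign control: a system-wide JDK run by a build tool, also talking to the network.
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Java\jdk-21\bin\java.exe", "cmdline": "java.exe -jar build.jar"},
    {"type": "network", "pid": 500, "dest": "repo.maven.org:443"},
]

# Constructed proxy log lines (203.0.113.10 is a documentation address).
PROXY_LOG = [
    'ts=1710000000 src=10.0.0.5 method=POST url=https://discord.com/api/webhooks/000000000000000000/ExampleToken ua="Mozilla/5.0"',
    'ts=1710000001 src=10.0.0.5 method=POST url=https://203.0.113.10/gate ua="MicroStealer/1.0"',
    'ts=1710000002 src=10.0.0.7 method=GET url=https://www.example.com/ ua="Mozilla/5.0"',
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Temp)\\", re.I)
INSTALLER_NAME = re.compile(r"(setup|install).*\.exe$", re.I)
JAVA_IMAGES = {"java.exe", "javaw.exe"}
BEACON_UA = "MicroStealer/1.0"  # reported in the initial beacon request
WEBHOOK = re.compile(r"https://discord(?:app)?\.com/api/webhooks/", re.I)
PROXY_LINE = re.compile(r'method=(\w+)\s+url=(\S+)\s+ua="([^"]*)"')


def build_tree(events):
    """Index process events by pid and by parent pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = {}
    for p in procs.values():
        children.setdefault(p["ppid"], []).append(p)
    return procs, children


def ancestors(procs, pid):
    """Return [self, parent, grandparent, ...], guarding against pid-reuse cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def looks_like_electron(proc, children):
    """Electron/Chromium hosts spawn helpers of the same image with --type=... arguments."""
    name = ntpath.basename(proc["image"]).lower()
    return any("--type=" in c["cmdline"] and ntpath.basename(c["image"]).lower() == name
               for c in children.get(proc["pid"], []))


def detect(events, min_reasons=3):
    """Flag Java processes whose context matches the installer -> Electron -> Java chain."""
    procs, children = build_tree(events)
    net_pids = {e["pid"] for e in events if e["type"] == "network"}
    findings = []
    for p in procs.values():
        if ntpath.basename(p["image"]).lower() not in JAVA_IMAGES:
            continue
        reasons = []
        if USER_WRITABLE.match(p["image"]):
            reasons.append("java runtime under user-writable path")
        if p["pid"] in net_pids:
            reasons.append("java process made network connections")
        lineage = ancestors(procs, p["pid"])[1:]
        if any(looks_like_electron(a, children) for a in lineage):
            reasons.append("launched beneath an Electron-style host")
        if any(INSTALLER_NAME.search(ntpath.basename(a["image"])) and USER_WRITABLE.match(a["image"]) for a in lineage):
            reasons.append("installer run from a user directory in ancestry")
        if len(reasons) >= min_reasons:
            findings.append({"pid": p["pid"], "image": p["image"], "reasons": reasons,
                             "chain": [ntpath.basename(a["image"]) for a in lineage]})
    return findings


def suspicious_http(lines):
    """Flag proxy lines carrying the stealer's User-Agent or a POST to a Discord webhook."""
    hits = []
    for line in lines:
        m = PROXY_LINE.search(line)
        if not m:
            continue
        method, url, ua = m.groups()
        if ua == BEACON_UA:
            hits.append(("beacon-user-agent", url))
        elif method.upper() == "POST" and WEBHOOK.search(url):
            hits.append(("discord-webhook-post", url))
    return hits


if __name__ == "__main__":
    print(detect(EVENTS))
    print(suspicious_http(PROXY_LOG))
```

Requiring several independent reasons before alerting is what keeps the benign JDK process (network activity alone) out of the results, and the User-Agent match is an exact string rather than a substring so that a future version bump is a deliberate rule change rather than a silent miss.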
For guidance on protecting against credential-stealing malware, see our malware defense fundamentals.
The rise of multi-stage stealers like MicroStealer reflects an ongoing arms race. As detection improves for traditional malware delivery, threat actors adapt with increasingly complex chains. Expect this pattern to continue through 2026.
Related Articles
EmEditor Website Compromised to Deliver Infostealer (Jan 4, 2026)
Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.
AuraStealer Expands to 48 C2 Domains Filling Lumma Void (Mar 4, 2026)
Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.
Infostealers Now Targeting AI Agent Configurations (Feb 17, 2026)
Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.
341 Malicious OpenClaw Skills Distribute Atomic Stealer (Feb 3, 2026)
Security researchers uncover ClawHavoc campaign distributing Atomic Stealer through fake cryptocurrency and productivity tools on ClawHub marketplace.