TimbreStealer Hijacks Edge and Chrome Updaters via DLL Sideload
New infostealer campaign abuses EdgeUpdate and GoogleUpdater binaries through DLL sideloading to target Mexican businesses. Invoice-themed lures deliver credential theft malware.
A targeted infostealer campaign is abusing legitimate Microsoft Edge and Google Chrome updater binaries to deploy TimbreStealer malware against Mexican businesses. The attack chain reported by Cisco Talos uses DLL sideloading to execute malicious code through trusted executables, evading security tools that whitelist browser updaters.
The campaign delivers phishing lures with invoice-themed names—CONTENIDO, COMPROBANTES, CFDI—targeting the Mexican fiscal document formats that businesses handle routinely. Victims receive ZIP archives hosted on DigitalOcean infrastructure containing what appear to be legitimate updater executables alongside malicious DLL files.
DLL Sideloading Attack
The archives contain legitimate copies of msedgeupdate.exe or goopdate.exe—the real Microsoft Edge and Google Chrome updater binaries. Alongside these sit malicious DLL files named msedgeupdate.dll or goopdate.dll.
When victims execute the updater, Windows' DLL search order checks the application's own directory before system locations, so the process loads the malicious DLL sitting beside it rather than the legitimate copy. The trusted Microsoft or Google executable becomes an unwitting loader for the attacker's payload.
The malicious DLLs stand out from legitimate versions:
- File size: 45-50 MB versus under 500 KB for legitimate updater DLLs
- PE structure: 27 sections, far more than normal
- Anomalous entropy: Packed or obfuscated content
These differences would be obvious to manual analysis but may slip past automated tools that trust the parent executable.
Geographic Targeting and Evasion
TimbreStealer implements multiple checks to ensure it runs only in target environments:
- Language verification: Rejects Russian locale systems
- Timezone validation: Confirms UTC-5 through UTC-8 (matching Mexico)
- Sandbox detection: Validates desktop window ownership to avoid analysis environments
The geographic focus on Mexico and specific exclusion of Russian-language systems suggests either a Russian-speaking operator avoiding domestic targets or deliberate false-flag tradecraft.
Data Exfiltration Targets
Once active, TimbreStealer focuses on broad credential and data harvesting:
Browsers:
- Chrome, Edge (including Beta, Dev, and SxS variants)
- Firefox profiles
Email clients:
- Thunderbird
- Postbox mail stores
Cloud storage:
- OneDrive sync folders
- Dropbox local caches
The emphasis on email clients and cloud storage suggests operators interested in both credentials and document access—potentially for business email compromise follow-up or direct data theft.
Connection to Broader Infostealer Trends
TimbreStealer joins a crowded field of infostealers targeting business users in 2026. We've covered similar campaigns including PamStealer targeting macOS and the ResiLoader campaign delivering Stealc through fake verification pages.
The infostealer ecosystem has exploded in recent years. According to industry reports, infostealer malware contributed to the theft of more than 1.8 billion credentials from 5.8 million infected devices—an 800% jump over the prior four months.
DLL sideloading via trusted updaters is a well-documented technique, but it remains effective because organizations often exclude browser updaters from security monitoring. The technique was previously documented in NOBS project research on browser update abuse.
Recommendations
- Monitor for oversized DLLs: Alert on DLL files in browser directories exceeding normal sizes
- Application whitelisting: Control which executables can load DLLs from non-system paths
- User awareness: Train staff on invoice-themed phishing, especially in financial roles
- Block DigitalOcean IPs: If you don't use DigitalOcean, consider blocking their IP ranges at the perimeter
- Monitor browser update paths: Legitimate updates shouldn't require user interaction with downloaded archives
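The three file-level indicators listed earlier (oversized DLL, unusually high section count, packed or high-entropy content) and the first recommendation above both come down to the same triage check: find a DLL sitting next to a known updater executable and measure it. The script below is an added example written for this article, not tooling from Cisco Talos or the reporting team. It parses the PE headers with the standard library only (no pefile dependency). The 500 KB size bound comes from the article; the section-count threshold of 10 and the entropy threshold of 7.2 bits per byte are this example's own assumptions, and the two sample images it scans are constructed PE-shaped blobs, not real binaries.

```python
import math
import os
import struct
import tempfile
from collections import Counter
from pathlib import Path

# The 500 KB bound is from the article; the other two thresholds are this
# example's own assumptions, not values published with the campaign analysis.
MAX_LEGIT_DLL_SIZE = 500 * 1024   # legitimate updater DLLs are under 500 KB
SUSPICIOUS_SECTIONS = 10          # assumption: the reported DLL had 27; benign DLLs rarely exceed 10
HIGH_ENTROPY = 7.2                # assumption: packed or encrypted data approaches 8.0 bits per byte
ENTROPY_SAMPLE = 1024 * 1024      # entropy is measured on the first 1 MiB to keep scans cheap

# Updater binaries named in the article, paired with the DLL each one loads from its own folder
SIDELOAD_PAIRS = {
    "msedgeupdate.exe": "msedgeupdate.dll",
    "goopdate.exe": "goopdate.dll",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sampled prefix (0.0 for empty input)."""
    sample = data[:ENTROPY_SAMPLE]
    if not sample:
        return 0.0
    n = len(sample)
    return -sum((c / n) * math.log2(c / n) for c in Counter(sample).values())


def pe_section_count(data: bytes):
    """NumberOfSections from the COFF header, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF header that follows it.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 6)[0]


def triage_dll(data: bytes) -> list:
    """Return the indicators this DLL image trips (an empty list means nothing unusual)."""
    findings = []
    if len(data) > MAX_LEGIT_DLL_SIZE:
        findings.append(f"oversized: {len(data)} bytes")
    sections = pe_section_count(data)
    if sections is None:
        findings.append("not a valid PE image")
    elif sections >= SUSPICIOUS_SECTIONS:
        findings.append(f"excessive sections: {sections}")
    entropy = shannon_entropy(data)
    if entropy >= HIGH_ENTROPY:
        findings.append(f"high entropy: {entropy:.2f}")
    return findings


def scan_directory(directory) -> dict:
    """Triage every DLL that sits beside a known updater executable in one directory."""
    directory = Path(directory)
    results = {}
    for exe_name, dll_name in SIDELOAD_PAIRS.items():
        dll_path = directory / dll_name
        if (directory / exe_name).exists() and dll_path.exists():
            results[dll_name] = triage_dll(dll_path.read_bytes())
    return results


def build_fake_pe(num_sections: int, body: bytes) -> bytes:
    """Constructed PE-shaped blob (DOS header, PE signature, COFF header); not a real DLL."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: the PE header follows immediately
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + body


def build_samples():
    """Two constructed images: a benign-looking one and one matching the reported indicators."""
    benign = build_fake_pe(4, b"\0" * (100 * 1024))          # 4 sections, ~100 KB, near-zero entropy
    suspicious = build_fake_pe(27, os.urandom(600 * 1024))   # 27 sections, over 500 KB, random filler
    return benign, suspicious


def demo() -> dict:
    """Drop a fake updater pair into a temp dir and scan it the way a hunt script would."""
    benign, suspicious = build_samples()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "msedgeupdate.exe").write_bytes(b"MZ")   # placeholder: only its presence matters here
        (root / "msedgeupdate.dll").write_bytes(suspicious)
        (root / "goopdate.exe").write_bytes(b"MZ")
        (root / "goopdate.dll").write_bytes(benign)
        return scan_directory(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no indicators"])
```

Pointing scan_directory at a user's Downloads folder or an extracted archive gives a quick answer to the question the article raises: is the DLL beside this updater the kind of file a real updater ships with? Entropy is sampled over the first 1 MiB so the check stays cheap even on a 45 MB file, and a benign-looking result only means none of the three indicators fired; it is not proof the file is clean.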
For organizations building phishing defense programs, our guide on recognizing phishing emails covers the social engineering patterns these campaigns exploit.
Why This Matters
DLL sideloading attacks abuse the trust organizations place in legitimate software. Browser updaters run regularly, are typically whitelisted, and execute with user privileges that allow broad system access.
When attackers package malicious DLLs alongside real Microsoft or Google executables, they inherit that trust. Security tools that would flag unknown executables may allow the activity because the parent process appears legitimate.
The targeted nature of this campaign—specific country, specific business document formats, specific language exclusions—indicates a focused operation rather than spray-and-pray malware distribution. Mexican businesses handling fiscal documentation should be particularly vigilant for invoice-themed attachments, even when they appear to come from familiar sources.