PROBABLYPWNED
Malware | July 4, 2026 | 4 min read

TimbreStealer Hijacks Edge and Chrome Updaters via DLL Sideload

New infostealer campaign abuses EdgeUpdate and GoogleUpdater binaries through DLL sideloading to target Mexican businesses. Invoice-themed lures deliver credential theft malware.

James Rivera

A targeted infostealer campaign is abusing legitimate Microsoft Edge and Google Chrome updater binaries to deploy TimbreStealer malware against Mexican businesses. The attack chain reported by Cisco Talos uses DLL sideloading to execute malicious code through trusted executables, evading security tools that whitelist browser updaters.

The campaign delivers phishing lures with invoice-themed names—CONTENIDO, COMPROBANTES, CFDI—targeting the Mexican fiscal document formats that businesses handle routinely. Victims receive ZIP archives hosted on DigitalOcean infrastructure containing what appear to be legitimate updater executables alongside malicious DLL files.

DLL Sideloading Attack

The archives contain legitimate copies of msedgeupdate.exe or goopdate.exe—the real Microsoft Edge and Google Chrome updater binaries. Alongside these sit malicious DLL files named msedgeupdate.dll or goopdate.dll.

When victims execute the updater, Windows' DLL search order, which checks the application's own directory before the system directories, causes it to load the malicious DLL sitting next to the executable rather than the legitimate system copy. The trusted Microsoft or Google executable becomes an unwitting loader for the attacker's payload.

The malicious DLLs stand out from legitimate versions:

  • File size: 45-50 MB versus under 500 KB for legitimate updater DLLs
  • PE structure: 27 sections, far more than normal
  • Anomalous entropy: Packed or obfuscated content

These differences would be obvious to manual analysis but may slip past automated tools that trust the parent executable.

Geographic Targeting and Evasion

TimbreStealer implements multiple checks to ensure it runs only in target environments:

  • Language verification: Rejects Russian locale systems
  • Timezone validation: Confirms UTC-5 through UTC-8 (matching Mexico)
  • Sandbox detection: Validates desktop window ownership to avoid analysis environments

The geographic focus on Mexico and specific exclusion of Russian-language systems suggests either a Russian-speaking operator avoiding domestic targets or deliberate false-flag tradecraft.

Data Exfiltration Targets

Once active, TimbreStealer focuses on broad credential and data harvesting:

Browsers:

  • Chrome, Edge (including Beta, Dev, and SxS variants)
  • Firefox profiles

Email clients:

  • Thunderbird
  • Postbox mail stores

Cloud storage:

  • OneDrive sync folders
  • Dropbox local caches

The emphasis on email clients and cloud storage suggests operators interested in both credentials and document access—potentially for business email compromise follow-up or direct data theft.

Connection to Broader Infostealer Trends

TimbreStealer joins a crowded field of infostealers targeting business users in 2026. We've covered similar campaigns including PamStealer targeting macOS and the ResiLoader campaign delivering Stealc through fake verification pages.

The infostealer ecosystem has exploded in recent years. According to industry reports, infostealer malware contributed to the theft of more than 1.8 billion credentials from 5.8 million infected devices—an 800% jump over the prior four months.

DLL sideloading via trusted updaters is a well-documented technique, but it remains effective because organizations often exclude browser updaters from security monitoring. The technique was previously documented in NOBS project research on browser update abuse.

Recommendations

  1. Monitor for oversized DLLs - Alert on DLL files in browser directories exceeding normal sizes
  2. Application whitelisting - Control which executables can load DLLs from non-system paths
  3. User awareness - Train staff on invoice-themed phishing, especially in financial roles
  4. Block DigitalOcean IPs - If you don't use DigitalOcean, consider blocking their IP ranges at the perimeter
  5. Monitor browser update paths - Legitimate updates shouldn't require user interaction with downloaded archives
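
The indicator list in the DLL Sideloading Attack section and recommendation 1 above both come down to the same triage: inspect any msedgeupdate.dll or goopdate.dll that turns up outside its installed location for size, section count and entropy. The script below is an added example written for this article, not code from the article itself or from the Cisco Talos report. It parses the PE/COFF header directly (no third-party PE library), scores a DLL against the three published traits, and ships with two constructed in-memory PE images for demonstration. The threshold constants, the DLL-flag value in the constructed header, and the `scan_directory` helper are assumptions for illustration.

```python
"""Triage check for DLLs dropped beside a browser updater.

Added example, not code from the article or the Cisco Talos report.
It parses the PE/COFF header to read NumberOfSections, measures byte
entropy, and compares file size against the three indicators the
article lists. The threshold values are assumptions for illustration.
"""
import math
import random
import struct
from collections import Counter
from pathlib import Path

# DLL names the campaign sideloads (from the article).
SUSPECT_DLL_NAMES = {"msedgeupdate.dll", "goopdate.dll"}

# Assumed thresholds: legitimate updater DLLs are under 500 KB, have a
# handful of sections, and plain code rarely exceeds ~7 bits/byte.
MAX_LEGIT_SIZE = 500 * 1024
MAX_LEGIT_SECTIONS = 12
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_count(data: bytes) -> int:
    """Read NumberOfSections from the COFF header; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine (2 bytes), then NumberOfSections (2 bytes)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    return num_sections


def assess_dll(name: str, data: bytes) -> dict:
    """Score one DLL image against the sideload indicators."""
    findings = []
    if len(data) > MAX_LEGIT_SIZE:
        findings.append(f"oversized: {len(data)} bytes")
    try:
        sections = pe_section_count(data)
    except ValueError as exc:
        sections = None
        findings.append(f"not a valid PE: {exc}")
    else:
        if sections > MAX_LEGIT_SECTIONS:
            findings.append(f"{sections} sections")
    entropy = shannon_entropy(data)
    if entropy > PACKED_ENTROPY:
        findings.append(f"entropy {entropy:.2f} bits/byte")
    # A legitimate msedgeupdate.dll has none of these traits, so a single
    # hit on a known updater name is enough; other names need two hits.
    known_name = name.lower() in SUSPECT_DLL_NAMES
    suspicious = len(findings) >= 2 or (known_name and len(findings) >= 1)
    return {"name": name, "size": len(data), "sections": sections,
            "entropy": round(entropy, 2), "findings": findings,
            "suspicious": suspicious}


def scan_directory(directory: str) -> list:
    """Assess every .dll directly inside a directory (e.g. an extracted ZIP)."""
    return [assess_dll(p.name, p.read_bytes())
            for p in Path(directory).glob("*.dll")]


def build_pe_image(num_sections: int, body: bytes) -> bytes:
    """Constructed minimal PE-like blob: MZ stub, PE signature, COFF header, body."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (assumed DLL flag)
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, 0, 0x2000)
    return bytes(dos) + b"PE\0\0" + coff + body


def build_samples() -> dict:
    """Constructed stand-ins: a small plain DLL and a packed, 27-section one."""
    benign = build_pe_image(5, b"\x00" * 4000 + b"updater" * 40)
    # Real samples are 45-50 MB; this one is just large enough to cross
    # the size threshold, with a fixed seed so results are repeatable.
    n = 600_000
    noise = random.Random(7).getrandbits(8 * n).to_bytes(n, "little")
    packed = build_pe_image(27, noise)
    return {"msedgeupdate.dll": benign, "goopdate.dll": packed}


if __name__ == "__main__":
    for dll_name, image in build_samples().items():
        print(assess_dll(dll_name, image))
```

Run it as-is to see the constructed benign image pass and the constructed packed image trip all three indicators, or point `scan_directory` at the folder an invoice-themed ZIP was extracted into. The name match alone is deliberately not a finding, since the real msedgeupdate.dll and goopdate.dll are expected in their install directories; what matters is a known updater name combined with any one of the structural anomalies.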

For organizations building phishing defense programs, our guide on recognizing phishing emails covers the social engineering patterns these campaigns exploit.

Why This Matters

DLL sideloading attacks abuse the trust organizations place in legitimate software. Browser updaters run regularly, are typically whitelisted, and execute with user privileges that allow broad system access.

When attackers package malicious DLLs alongside real Microsoft or Google executables, they inherit that trust. Security tools that would flag unknown executables may allow the activity because the parent process appears legitimate.

The targeted nature of this campaign—specific country, specific business document formats, specific language exclusions—indicates a focused operation rather than spray-and-pray malware distribution. Mexican businesses handling fiscal documentation should be particularly vigilant for invoice-themed attachments, even when they appear to come from familiar sources.
