
Silent Watcher Targets Windows Systems, Steals Data via Discord Webhooks


K7 Labs investigated the Cmimai Stealer, a recently observed Visual Basic Script (VBS)-based infostealer that surfaced in June 2025 and uses PowerShell and native Windows scripting to covertly exfiltrate data.

This malware, first highlighted in a tweet, operates as a lightweight threat actor tool that circumvents execution policies, generates ephemeral PowerShell scripts, and systematically harvests system and browser metadata before transmitting it via Discord webhooks.

Notably, an additional sample surfaced on June 28, 2025, featuring a distinct webhook URL, indicating potential variants or campaign evolutions.

Core Functionality of Cmimai Stealer

The stealer initializes by logging execution events in a temporary file named “vbs_reporter_log.txt” within the system’s %TEMP% directory, then proceeds to query Windows Management Instrumentation (WMI) via the Win32_OperatingSystem class to extract critical system details such as OS version, caption, current username, computer name, and timestamps.


This data ...
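The behaviours described above (the log file in %TEMP%, PowerShell driven from a VBS script, and traffic to Discord) can be combined into a per-host triage check. This is an added example, not code from K7 Labs or the article; the event field names, the sample events, the parent/child process relationship and the `-ExecutionPolicy Bypass` pattern are assumptions.

```python
import re
from collections import defaultdict

LOG_NAME = "vbs_reporter_log.txt"  # file name given in the article
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Assumption: the policy circumvention is visible as this command-line switch.
POLICY_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def signals(ev):
    """Return the set of behaviour signals raised by one event."""
    hits, image = set(), basename(ev.get("image", ""))
    if ev["type"] == "file_create":
        target = ev["target"].lower()
        if basename(target) == LOG_NAME and "\\temp\\" in target:
            hits.add("temp_log_artifact")
    elif ev["type"] == "process_create":
        parent = basename(ev.get("parent", ""))
        if image == "powershell.exe" and parent in {"wscript.exe", "cscript.exe"}:
            hits.add("script_host_spawns_powershell")
            if POLICY_RE.search(ev.get("cmdline", "")):
                hits.add("execution_policy_override")
    elif ev["type"] == "network":
        if image in SCRIPT_HOSTS and ev["dest_host"].lower() in DISCORD_HOSTS:
            hits.add("script_host_to_discord")
    return hits

def triage(events, threshold=2):
    """Report hosts that raise at least `threshold` distinct signals."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}

# Constructed sample telemetry; field names are assumptions, not a real EDR schema.
SYS32, TEMP = "C:\\Windows\\System32\\", "C:\\Users\\alice\\AppData\\Local\\Temp\\"
PS, WS = SYS32 + "powershell.exe", SYS32 + "wscript.exe"
SAMPLE = [
    {"host": "WS-01", "type": "file_create", "image": WS, "target": TEMP + LOG_NAME},
    {"host": "WS-01", "type": "process_create", "image": PS, "parent": WS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File " + TEMP + "t.ps1"},
    {"host": "WS-01", "type": "network", "image": PS, "dest_host": "discord.com"},
    {"host": "WS-02", "type": "network", "image": "C:\\Apps\\Discord.exe",
     "dest_host": "discord.com"},
    {"host": "WS-02", "type": "process_create", "image": PS,
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe"},
]
```

Calling `triage(SAMPLE)` reports only WS-01; the Discord desktop client and an interactively launched PowerShell on WS-02 raise no signal, which is why the check keys on the script host as the source of the connection rather than on the destination alone.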


Copyright of this story solely belongs to gbhackers.