New Maranhão Stealer Targets Users Through Pirated Software and Cloud Services

A sophisticated new information-stealing malware campaign dubbed Maranhão Stealer has emerged, targeting gaming enthusiasts through malicious pirated software distributed via cloud-hosted platforms.

The campaign, first identified by security researchers in May 2025, represents a concerning evolution in credential theft operations, combining social engineering tactics with advanced evasion techniques to compromise user accounts and cryptocurrency wallets.

The Maranhão Stealer distinguishes itself through its modern development approach, utilizing Node.js as its core programming language and packaging the malware within Inno Setup installers.

This technical foundation allows the threat actors to create seemingly legitimate software packages that bypass traditional security measures while maintaining sophisticated functionality for data exfiltration.

Illustration depicting password exposure with a person pointing to a screen displaying a URL and the text ‘YOUR PASSWORD’

Upon successful installation, the malware establishes a deceptive presence on infected systems by creating a directory structure mimicking legitimate Microsoft components.