Executive Summary

This malware analysis documents a multi-stage Windows infostealer infection chain discovered via malware samples tracked on MalwareBazaar (softmix-online tag). The campaign uses a fake software download site (softmix.online) that distributes a password-protected archive which is a technique specifically chosen to bypass automated security inspection.

The attack unfolds through several layers of evasion (PowerShell downloader, encrypted archive, NSIS installer, and an Electron application) before executing the final payloads:

  1. The Electron Loader: The core logic resides in a JavaScript file (main.js) within the Electron app. It requests administrative rights, disables Microsoft Defender exclusions, exfiltrates initial host reconnaissance (system info, screenshot, public IP) to a Telegram bot, and fetches a second-stage binary from a loader host (62.60.226.198).

  2. The Go Infostealer: The final payload is a Go-based stealer obfuscated with garble and dynamic Win32 API resolution to defeat static analysis. Once executed, it harvests Chromium/Edge credentials, cookies, browsing history, and cryptocurrency-wallet extensions. This stolen data is then exfiltrated via HTTPS/TLS to a separate C2 server at 5.75.217.106:443.