Research, News, and more
DeXpose Blog
AnyDesk Clone Drops .NET Loader with AES Encrypted Payload and AV Evasion Delivering Phemedrone Stealer
On June 16, 2025, a suspicious domain impersonating AnyDesk — anydeske[.]icu — was reported on Twitter. The site served what appeared to be a legitimate remote access tool but actually delivered a malicious .NET loader. Further investigation…
Flesh Stealer: A Report on Multivector Data Theft
Introduction: FleshStealer is a sophisticated, modular, and obfuscated .NET-based information-stealing malware designed for comprehensive data exfiltration from Windows systems. Its architecture is built for scale and stealth, utilizing multithreading to simultaneously run multiple data harvesting…
Understanding SalatStealer: Features and Impact
Introduction: Salat Stealer is a stealthy malware developed in the Go programming language, designed to infiltrate systems and extract sensitive data. Once it infects a device, it gathers extensive system information, such as hard drive…
Six Months Undetected: Analysis of archive.org hosted .NET PE Injector
Introduction: On February 11, 2025, Filescan.io shared a troubling discovery: a 6-month-old .NET PE injector had remained undetected on Archive.org, a platform widely used for archiving web content. The file was flagged as clean, allowing it to remain accessible for months.…
In-Depth Technical Analysis of Lumma Stealer
Introduction: Lumma is a sophisticated information stealer, written in C/C++, that has been active in the wild since at least August 15, 2022. The first publicly identified sample appeared on Malware Bazaar on December 20,…