New NullMixer malware Stealing user’s payment data and cryptocurrencies

NullMixer, is a new active campaign, hunting for users’ payment details, cryptocurrencies, and social media accounts.

Researchers at Kaspersky have uncovered a new campaign spreading NullMixer, a malware that steals users’ credentials, credit card data, cryptocurrencies, addresses, and even Facebook and Amazon accounts. 

More than 47,500 users were attacked with NullMixer while attempting to download cracked software from third-party sites. NullMixer is capable of spying on users and capturing any information they enter on the keyboard.

“When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine,” cybersecurity firm Kaspersky said in a Monday report. “It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others.”

Cybercriminals are actively distributing NullMixer via websites that offer crack, keygen, and activators illegally. Such untrustworthy pages always pose a risk to users because, rather than providing appropriate software, they infect victims’ devices with malware. 

In most cases, users receive adware or other unwanted software, but NullMixer is far more dangerous because it can download a large number of Trojans at once, potentially infecting any computer network on a large scale.

A typical attack chain begins when a user attempts to download cracked software from one of the sites, which results in a password-protected archive containing an executable file that, in turn, drops and launches a second setup binary designed to deliver an array of malicious files.

Everything looks normal as if the user is really about to download the software they need. However, after following the installation instructions, the victim actually launches NullMixer, which drops multiple trojan files on the infected machine, including spyware, backdoors, downloaders, and other threats.

To appear high in search engine results (SERP), these malicious websites use search engine optimization (SEO) poisoning techniques such as keyword stuffing.  Similar tactics have been used before by Actors behind the GootLoader and SolarMarker campaigns.

Among the threat families spread by NullMixer is the infamous RedLine stealer, which searches infected machines for cryptocurrency wallet data and credit card, as well as Disbuk, also known as Socelar. 

Using Disbuk to steal cookies from Facebook and Amazon, attackers can gain access to the victims’ accounts, obtaining their addresses, credentials, and even payment information.

NullMixer, recently, was linked to the distribution of a malicious Google Chrome extension called FB Stealer, which is capable of stealing Facebook credentials and substituting search engines.


Kaspersky said it blocked attempts to infect more than 47,700 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S. NullMixer’s threat actor has not been linked to any known group.

DanaBot and a variety of information-stealing malware such as ColdStealer, Raccoon, PseudoManuscrypt, Redline Stealer, Stealer, and Vidar are among the other prominent malware families distributed by the dropper.

Also deployed using NullMixer are trojan downloaders like GCleaner, FormatLoader, LegionLoader (aka Satacom), PrivateLoader, LgoogLoader, ShortLoader, SgnitLoader, and SmokeLoader, as well as the C-Joker cryptocurrency wallet stealer.

The latest findings provide further evidence that malware and unwanted applications are increasingly spreading via pirated software. It’s also a good idea to check online accounts on a regular basis for any unusual access and transactions.

“Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time. Receiving NullMixer, users get several threats at once. Any information you type on your keyboard will be available to the attackers: from messages, you write to your friends on Facebook, the address you use to order on Amazon, to logins and passwords from your device or cryptocurrency accounts, and credit card data. As a result, the entire device with all your information is now in the hands of cybercriminals. Keep this in mind when you decide to download something from an unknown site because this threat can always be avoided by using only licensed products and robust security solutions,” comments Hayim Zigel, a security researcher at Kaspersky.

To protect yourself from NullMixer, Kaspersky recommends:

●      Do not download pirated software or any other illegal content, even if you are redirected to it from a legitimate website.

●      Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources where no one will check their security in the same way as official web stores do.

●      A safe practice is to check your online accounts regularly for unknown transactions. Even with careful Internet surfing, downloaded spyware can steal information as it is entered on safe websites.  Spyware functions like a video camera giving another user a window to each action performed on the infected computer. The owner is usually unaware that the malware is on the computer and continues to add personal information to secure, bank websites.

●      Use a robust security solution. Private browsing, like in Kaspersky Internet Security, can help you avoid internet tracking and protect you from threats.

Read more about NullMixer in the full report on Securelist.

5 thoughts on “New NullMixer malware Stealing user’s payment data and cryptocurrencies”

  1. I may need your help. I’ve been doing research on gate io recently, and I’ve tried a lot of different things. Later, I read your article, and I think your way of writing has given me some innovative ideas, thank you very much.

  2. Reading your article helped me a lot and I agree with you. But I still have some doubts, can you clarify for me? I’ll keep an eye out for your answers.

  3. Your article gave me a lot of inspiration, I hope you can explain your point of view in more detail, because I have some doubts, thank you.

Comments are closed.

Scroll to Top