Warning on a New Wave of Attacks Distributing Jester Malware

Microsoft® Windows OS Systems Networks
Advisory ID:
May 11, 2022


The Ukrainian Computer Emergency Response Team reported that threat actors have been sending phishing emails with the subject line "chemical attack" to Ukrainian citizens in an attempt to spread the information-stealing malware Jester Stealer. However, the subject line could easily be changed to any other lure that pressures victims into taking urgent action. This type of attack has previously escaped into the wild and caused widespread damage, and there is a historical pattern of cyberattacks on Ukraine with international ramifications that have resulted in billions of dollars in damages, hence the need for this advisory.

Description & Consequence

The mass email campaign includes a link to a macro-laced Microsoft Excel file which, when opened, infects the computer with Jester Stealer. The attack depends on the victim opening the link in the email, being redirected to a macro-enabled Microsoft Excel document, and enabling the harmful macros; the stealer then runs and can exfiltrate login credentials, credit card data, and other sensitive information. Using statically configured proxy addresses, the attackers retrieve the stolen data via Telegram (e.g., within TOR). The malware also employs anti-analysis methods (anti-VM/debug/sandbox). Because it has no persistence mechanism, it deletes itself as soon as its operation is finished. In the new campaign, Jester Stealer exfiltrates data over the HTTP protocol: stolen authentication data is sent in HTTP POST requests to a web resource deployed on the Pipedream platform.
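One way a defender can hunt for the exfiltration pattern described above in outbound web-proxy logs, as an added example that is not part of the advisory: the log layout, the sample lines, the `.pipedream.net` endpoint suffix and the `api.telegram.org` host are all assumptions, not indicators from CERT-UA.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample proxy log: "timestamp client method url status user-agent"
SAMPLE_LOG = """\
2022-05-11T09:12:01Z 10.0.4.17 GET https://intranet.example.local/news 200 Mozilla/5.0
2022-05-11T09:13:44Z 10.0.4.17 POST https://eoabc123.m.pipedream.net/ 200 Mozilla/5.0
2022-05-11T09:13:45Z 10.0.4.17 POST https://eoabc123.m.pipedream.net/ 200 Mozilla/5.0
2022-05-11T09:14:02Z 10.0.4.22 GET https://docs.example.local/report.xlsx 200 Mozilla/5.0
2022-05-11T09:15:10Z 10.0.4.17 CONNECT api.telegram.org:443 - -
"""

# Assumptions: Pipedream request endpoints sit under this suffix, and the
# Telegram Bot API is reached through this host. Tune to your own telemetry.
PIPEDREAM_SUFFIX = ".pipedream.net"
TELEGRAM_API_HOST = "api.telegram.org"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) ")

@dataclass(frozen=True)
class Finding:
    client: str
    reason: str
    url: str

def host_of(url: str) -> str:
    """Lower-cased host from a URL or a CONNECT-style host:port target."""
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0]
    return host.split(":")[0].lower()

def scan_proxy_log(text: str) -> list[Finding]:
    """Flag HTTP POSTs to Pipedream endpoints and any Telegram API traffic."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host = host_of(m["url"])
        if m["method"] == "POST" and host.endswith(PIPEDREAM_SUFFIX):
            findings.append(Finding(m["client"], "HTTP POST to Pipedream-hosted endpoint", m["url"]))
        elif host == TELEGRAM_API_HOST:
            findings.append(Finding(m["client"], "Telegram API reached via corporate proxy", m["url"]))
    return findings

def clients_with_both(findings: list[Finding]) -> set[str]:
    """Hosts showing both exfil channels are the first to triage."""
    by_client: dict[str, set[str]] = {}
    for f in findings:
        by_client.setdefault(f.client, set()).add(f.reason)
    return {c for c, reasons in by_client.items() if len(reasons) == 2}
```

Repeated POSTs from a user workstation to a request-bin service minutes after an Excel document was opened are a strong triage signal even without a known stealer signature, since the stealer leaves no persistence behind to find later.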

Once a system is compromised, it is exposed to data theft. Potential targets include:

  1. Internet browsers
  2. MAIL/FTP/VPN clients
  3. Cryptocurrency wallets
  4. Password managers
  5. Messaging apps
  6. Game programs

Jester Stealer is also capable of taking screenshots and stealing network passwords.

Recommendations

  1. For breaking news, rely on official news sources or official social media handles rather than unsolicited emails.
  2. Consider email attachment types carefully. Does it make sense that a warning like this requires an Excel spreadsheet? Why not include the entire warning in the email body? When it comes to breaking news, people want everything in one place.
  3. Do not enable macros in suspicious Office files.
  4. Keep services up to date and patch vulnerabilities on a regular and timely basis.
  5. Make sure employees receive substantial training on spotting and reporting suspicious cyber activity, maintaining cyber hygiene, and securing their personal devices and home networks.


