SapphireStealer Sneaks In: Deceptive Legal Documents Prey On Russians

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) encountered an executable file obtained from a deceptive URL masquerading as a fake Russian government site, possibly distributed via spam emails.  
  • The downloaded executable file is identified as SapphireStealer, disguised with a PDF icon, designed to deceive users into believing it is a PDF document. 
  • Upon execution, the executable file drops and displays the embedded lure PDF document within it, leading the user to believe that they have opened a genuine PDF file. 
  • The lure PDF contains scanned images of documents, one resembling a guideline for enforcing a court order against a debtor, while the other mimics a subpoena summoning an individual as a witness in a Russian administrative violation case. 
  • However, in the background, SapphireStealer collects sensitive information, including login credentials from various browsers, web data, local state, network cookies, and more from the victim’s device. 
  • Finally, the malware sends the pilfered data to a Command-and-Control (C&C) server in the form of a compressed ZIP file. 
  • The Threat Actor (TA) behind this campaign remains unknown due to the lack of available information. 


In late February, CRIL observed a campaign that targets Russian individuals with the information stealer malware known as “SapphireStealer.”  The SapphireStealer is an open-source information-stealing tool previously documented by Talos researchers. Since its initial public release in December 2022, it has been increasingly seen across various public malware sources. 

Threat Actors (TAs) responsible for this campaign remain unidentified. We suspect the campaign begins with a spam email containing a link that leads to downloading an executable file (disguised with a PDF icon to deceive the recipient into thinking it is a PDF document) from a fake Russian government website URL.  

The downloaded executable is identified as SapphireStealer that propagates from a counterfeit Russian government website (govermentu[.]ru) and is downloaded from the following URL: