Advisory ID: NCC-CSIRT-2025-017
Summary:
win.satacom is a family of Trojan-downloaders (also reported as Satacom / LegionLoader) that has been active since at least 2019. It functions primarily as a loader/downloader, installing follow-on payloads such as cryptocurrency-stealing browser extensions and information-stealers. Recent campaigns have delivered stealthy Chromium extensions that intercept web sessions and siphon cryptocurrencies from victims on exchange and web wallet pages. Microsoft Defender, Kaspersky, and other AV vendors detect variants of this family.
Damage/Probability: High/High
Product(s):
- Windows endpoints
- Chromium-based browsers (via malicious extensions)
- Downloader distribution chains (phishing, droppers, packers)
Version(s):
Not version-specific; the family affects any Windows system on which the downloader is executed and any Chromium-based browser that accepts the malicious extensions it installs.
Platform(s):
- Microsoft Windows (x86/x64)
- Chromium browser families (Chrome, Edge, Brave, etc.)
- Common enterprise environments where browser-based crypto wallets are used
Description:
Satacom acts as a downloader/dropper. After initial execution (often from a malicious installer, bundled software, or an obfuscated dropper), it contacts Command & Control servers to retrieve additional payloads and loaders. Variant analysis shows multiple string-deobfuscation and packing techniques.
Documented campaigns (2023 onward) show Satacom delivering malicious Chromium extensions engineered to perform web injections on crypto exchange and wallet pages to exfiltrate funds and session cookies. Other follow-on binaries observed include RedLine, other stealers, and loaders.
Variants use common downloader evasion (packing/obfuscation, staged encryption of strings, anti-analysis checks), persistence via scheduled tasks/startup entries, and fallback C2 techniques.
Campaigns have targeted users in multiple regions (e.g., Brazil, India, Indonesia, Turkey, Egypt and others in prior reporting) with a focus on users who transact in cryptocurrency.
Impacts:
- Loss/theft of cryptocurrency from web wallets and exchange accounts via browser extension or web-inject attacks.
- Compromise of user credentials, session cookies, and stored secrets leading to account takeover (ATO).
- Persistent foothold through additional downloaded payloads (infostealers, RATs).
- Lateral movement in poorly segmented networks if follow-on payloads include remote access tools.
Solutions:
- Scan endpoints with up-to-date anti-malware signatures (Microsoft Defender, Kaspersky, Broadcom/Symantec, Fortinet, etc.). Microsoft Defender and other engines include detections for Satacom variants.
- Monitor for suspicious child processes of browser and common installer processes, and for downloads from known malicious gateways.
- Inspect installed Chromium extensions centrally (via endpoint management or browser management policies) and flag any extension installed outside official enterprise channels or having excessive permissions.
- Employ Endpoint Detection and Response (EDR) tooling to hunt for the known behaviour patterns (downloader process trees, scheduled-task/startup persistence, C2 beaconing).
- Quarantine and remove detected Satacom binaries; block the related Command & Control domains/IPs at the network perimeter and in DNS.
- Enforce a browser extension policy: allow only approved extensions via enterprise browser management, remove all unapproved/unknown extensions, and rotate credentials and revoke sessions for any accounts accessed from infected hosts.
- For users with suspected exposure, reset passwords, enable phishing-resistant multi-factor authentication (MFA) where possible, and move high-value cryptocurrency to cold storage or to wallets with hardware isolation.
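The extension inspection and allowlisting steps above can be scripted. The following is an added, illustrative example (not NCC-CSIRT tooling and not any vendor's detection): it walks a Chromium profile's Extensions directory, parses each manifest.json (MV2 and MV3) and flags extensions that are not on an enterprise allowlist or that request the combination of permissions a web-inject extension needs (cookies, webRequest, scripting, content scripts on every site). The allowlist, the extension IDs and the sample manifests are constructed; the default Chrome profile path on Windows is real, and the high-risk permission set is an editorial judgement, not a signature.

```python
"""Audit Chromium extension manifests against an allowlist and a set of
high-risk permissions.  Added example; not the advisory's or any vendor's tool."""
import json
import os
import tempfile

# Assumption: the enterprise allowlist is a set of 32-char extension IDs.
# The ID below is a constructed placeholder, not a real extension.
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Default Chrome profile extension store on Windows (Edge uses the same
# layout under %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions).
DEFAULT_CHROME_EXTENSIONS = os.path.join(
    os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
    "User Data", "Default", "Extensions")

# Permissions that let an extension read or alter sessions on every page.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "scripting", "tabs", "nativeMessaging", "debugger",
}
# Host patterns that grant access to all sites rather than a named origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern the manifest asks for (MV2 and MV3)."""
    patterns = set(manifest.get("host_permissions", []))          # MV3
    patterns |= {p for p in manifest.get("permissions", [])       # MV2
                 if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def audit_manifest(ext_id, manifest):
    """Return a list of human-readable findings for one extension (empty = clean)."""
    findings = []
    if ext_id not in APPROVED_IDS:
        findings.append("not on enterprise allowlist")
    risky = HIGH_RISK_PERMISSIONS & set(manifest.get("permissions", []))
    if risky:
        findings.append("high-risk permissions: " + ", ".join(sorted(risky)))
    broad = BROAD_HOST_PATTERNS & host_patterns(manifest)
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    if broad and manifest.get("content_scripts"):
        findings.append("content scripts injected into all sites (web-inject capable)")
    return findings


def audit_extensions_dir(ext_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return {id: findings}."""
    results = {}
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    results[ext_id] = audit_manifest(ext_id, json.load(fh))
    return results


def demo():
    """Build a constructed Extensions tree (one approved, narrow extension and
    one unapproved, web-inject-capable one) in a temp dir and audit it.
    Sample data only; nothing here is a real indicator."""
    root = tempfile.mkdtemp()
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Approved Notes",
            "permissions": ["storage"],
            "host_permissions": ["https://intranet.example/*"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "Helper",
            "permissions": ["cookies", "webRequest", "scripting", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = os.path.join(root, ext_id, "1.0.0_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return audit_extensions_dir(root)


if __name__ == "__main__":
    # Run against constructed data; point audit_extensions_dir at
    # DEFAULT_CHROME_EXTENSIONS (or a collected copy) for a real host.
    for ext_id, findings in demo().items():
        print(ext_id, "->", findings or "clean")
```

In an enterprise rollout the allowlist would be the same ID set pushed through the browser's ExtensionInstallAllowlist policy, so an extension present on disk but absent from the allowlist is by itself a finding worth triage; the permission and host checks then prioritise which of those can intercept exchange or wallet sessions.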
References:
- https://www.broadcom.com/support/security-center/protection-bulletin/satacom-malware-spreading-cryptocurrency-infostealers
- https://threats.kaspersky.com/en/threat/Trojan-Downloader.Win32.Satacom.zs/?utm_source=chatgpt.com
- https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/?utm_source=chatgpt.com
- https://medium.com/%40tanmaymore06/reversing-satacom-decoding-c2-server-3696bfcb9111