A new infostealer called ThirdEye has been observed in the wild, potentially targeting Windows users.
FortiGuard Labs, the threat research division of cybersecurity firm Fortinet, described the new threat in a technical write-up published on Tuesday.
In it, the firm said ThirdEye is designed to extract valuable system information from compromised machines, which can be used in future cyber-attacks.
FortiGuard further explained that while ThirdEye is not considered technically elaborate, its capabilities include harvesting BIOS and hardware data, enumerating files and folders, identifying running processes and collecting network information.
“While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks,” reads the advisory.
Read more on infostealers: RedEyes Group Targets Individuals with Wiretapping Malware
After collecting the compromised system’s information, the malware sends it to a command-and-control (C2) server. Notably, the infostealer uses a unique string, “3rd_eye,” to identify itself to the C2.
Analysis of the samples revealed that the earliest variant, discovered in April 2023, collected limited information compared to the more recent samples. Over time, the infostealer has evolved, adding additional data-gathering capabilities.
Further, most ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a file name in Russian, suggesting a potential focus on Russian-speaking organizations.
Fortinet emphasized that while there is no concrete evidence of ThirdEye being used in attacks, system defenders should still be wary of this malware tool.
“While ThirdEye is not yet considered sophisticated, our investigation found the attacker has put effort into improving the infostealer, such as recent samples collecting more system information compared to older variants,” Fortinet wrote. “We expect that effort to continue.”
The new infostealer comes amid a rise in this type of malware, with recent data by Secureworks suggesting a significant surge in stolen logs on the online marketplace Russian Market.