News·4 min read

Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer

A targeted campaign deploying the TimbreStealer infostealer by abusing legitimate updater binaries EdgeUpdate (msedgeupdate) and GoogleUpdater (goopdate) via DLL side-loading. Researchers Euler Neto a

CS
CyberShield Team
2026-07-04
Share:
Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer

A targeted campaign deploying the TimbreStealer infostealer by abusing legitimate updater binaries EdgeUpdate (msedgeupdate) and GoogleUpdater (goopdate) via DLL side-loading. Researchers Euler Neto and Cristóbal Tárraga tracked the intrusion set to phishing lures that deliver ZIP archives hosted on DigitalOcean IPs; victims appear to be primarily companies in Mexico, using invoicing-themed names (CONTENIDO, COMPROBANTES, CFDI) […] The post Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer appeared first on Cyber Security News.

A targeted campaign deploying the TimbreStealer infostealer by abusing legitimate updater binaries EdgeUpdate (msedgeupdate) and GoogleUpdater (goopdate) via DLL side-loading. Researchers Euler Neto and Cristóbal Tárraga tracked the intrusion set to phishing lures that deliver ZIP archives hosted on DigitalOcean IPs; victims appear to be primarily companies in Mexico, using invoicing-themed names (CONTENIDO, COMPROBANTES, CFDI) to increase credibility. Phishing messages point to direct IP-hosted ZIPs (for example hxxps://68[.]183[.]155[.]111). Archives contain legitimate-looking updater executables accompanied by a malicious DLL named msedgeupdate.dll or goopdate.dll. Analysts note the anomalously large DLL sizes roughly 45–50 MB versus under 500 KB for legitimate updaters and an unusual PE structure: 27 sections many of which are zeroed and named with 4-byte hex values. The malware stores dynamically generated content in zero-entropy sections and builds execution artifacts at runtime, thwarting static detection. File downloaded from a link sent in a Phishing email (Source : WatchGuard). The malicious DLL implements custom API resolution and avoids standard imports by parsing the PEB and export tables. Two RC4-based decryptors in Section 4 (referred to as Decrypt 01 and Decrypt 02) are used extensively. Decrypt 01 yields strings such as “Zw” and “ntdll.dll,” indicating the use of direct syscalls or ntdll exports to further evade import-based analysis. A 256-byte key generator prepares material for decrypting a large, 0x3A7C00-byte blob in Section 3; the decrypted output contains a PE-like payload where the “PE” signature bytes are intentionally nulled to deter identification. TimbreStealer Infostealer attack WatchGuard said in a report shared with Cyberpress, this campaign echoes techniques documented by Cisco Talos in 2024 but introduces important novelties that increase stealth and complicate analysis. The Export functions have random names and almost of them have the same code. The malware actions all occur on the DLLEntry function. Runtime checks implement geofencing and anti-analysis logic. The malware verifies UI language (it rejects Russian locales), queries GetTimeZoneInformation to confirm a timezone bias corresponding to UTC-5 through UTC-8 (Mexico), and validates desktop window ownership to avoid sandbox environments. DLL Export functions, with random names (Source : WatchGuard). Conditional execution and mutable decryption keys require a precise order of operations to reveal embedded payloads, increasing the effort needed for reverse engineering. Once active, TimbreStealer focuses on broad data exfiltration, particularly browser and mail artifacts. It targets Chrome and Edge user data paths (including Beta, Dev and SxS variants), Firefox profiles, Thunderbird and Postbox mail stores, and cloud-sync folders such as OneDrive and Dropbox. The malware issues SQL queries against browser SQLite files (History, Urls, Visits, etc.), temporarily writes and VACUUMs databases to produce collectible files, and harvests filesystem directories (Desktop, Documents, Downloads, AppData). Icons packaged in the payload mirror tactics seen in the Cisco Talos report, used to extract and assemble the final payload components. The difference that this format starts with “50 45 00 00”, which converting to ASCII means “PE”. PE-like bytes in the decrypted payload (Source : WatchGuard). Privilege escalation attempts are opportunistic: the loader may call runas via ShellExecuteExW, manipulate windows using FindWindowW/SwitchToThisWindow, or instantiate COM objects with CoCreateInstance. For cover, phishing pages sometimes serve blank PDFs when access doesn’t appear to originate from Mexico; in other cases the malware creates temporary PDFs with randomized trailing bytes using CryptGenRandom to vary artifacts. Defenders should treat this campaign as high risk for Mexico-focused organizations. Key indicators include large, anomalous updater-named DLLs; ZIPs hosted on cloud provider IPs with CFDI-related filenames; unusual PEB/export parsing behavior; and suspicious browser SQLite activity or VACUUM operations. Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google. The post Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.