For the past several months, Taurus Project—a relatively new stealer that appeared in the spring of 2020—has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an autoit script ultimately responsible for downloading the Taurus binary.

Taurus was originally built as a fork by the developer behind Predator the thief. It boasts many of the same capabilities as Predator the thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as cryptocurrency wallets.

Starting in late August, we began noticing large malvertising campaigns, including, in particular, one campaign that we dubbed Malsmoke that distributes Smoke Loader. During the past few days we observed a new infection pushing the Taurus stealer.

Campaign scope

Like the other malvertising campaigns we covered, this latest one is also targeting visitors to adult sites. Victims are mostly from the US, but also Australia and the UK.

Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Figure 1: Traffic capture showing the malvertising chain into Fallout EK loading Taurus

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the thief.

Figure 2: The string 'TAURUS' as seen in the malware binary

The execution flow is indeed pretty much identical with scraping the system for data to steal, exfiltrating it and then loading additional malware payloads. In this instance we observed SystemBC and QBot.

Stealer - loader combo continues to be popular

Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.

Even though the threat actors behind Predator the thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.

Malwarebytes users are protected against this threat via our anti-exploit layer which stops the Fallout exploit kit.

We would like to thank Fumik0_ for background information about Predator the thief and Taurus.

Indicators of Compromise

Malvertising infrastructure




Taurus binary


Taurus C2