The AZORult malware strain, an information stealer and downloader, has been observed by Minerva Labs' research team posing as a signed Google Update installer. It achieves persistence by replacing the real Google Updater program on compromised machines.

This trojan is also known to act as a downloader for multiple other malware payloads in multi-stage campaigns, and has been detected as part of complex campaigns spreading ransomware as well as data-stealing and cryptocurrency-stealing malware.

AZORult is designed to exfiltrate sensitive information in large quantities, including files, passwords, browser history, cookies, banking credentials, and even cryptocurrency wallets.