Published on July 5, 2026

Hackers Abuse EdgeUpdate and GoogleUpdater to Deploy TimbreStealer Infostealer


Severity

Medium

Detail

Security researchers have identified a targeted phishing campaign distributing the TimbreStealer infostealer by abusing legitimate Microsoft Edge and Google updater binaries through DLL side-loading. The campaign primarily targets organizations in Mexico, using phishing emails with invoicing-themed filenames such as CONTENIDO, COMPROBANTES, and CFDI to increase credibility.

Researchers observed advanced anti-analysis techniques, including custom API resolution, encrypted payloads, geofencing, runtime decryption, and sandbox detection, making the malware significantly more difficult to detect and analyze.

How?

The attack begins with phishing emails containing links to malicious ZIP archives hosted on attacker-controlled DigitalOcean infrastructure. Each archive pairs a legitimate updater executable (EdgeUpdate's msedgeupdate.exe or GoogleUpdater's goopdate.exe) with a malicious DLL of the matching name (msedgeupdate.dll or goopdate.dll).

When the victim runs the updater, the legitimate application side-loads the malicious DLL, allowing TimbreStealer to execute without raising immediate suspicion. The malware then decrypts its embedded payload at runtime using RC4-based encryption. Next, it performs geofencing and anti-analysis checks, verifying the system language, timezone, and desktop environment before proceeding to harvest sensitive information.

It specifically targets browser credentials, cookies, browsing history, email client data, cloud storage folders, and user documents. Finally, it prepares the collected data for exfiltration to attacker-controlled infrastructure while employing additional evasion and privilege escalation techniques to hinder detection.

Conclusion

This campaign demonstrates the continued effectiveness of DLL side-loading techniques combined with legitimate software binaries to evade endpoint security solutions. Organizations should remain vigilant against phishing attacks and strengthen monitoring for suspicious updater activity.

  • Educate users to identify phishing emails containing invoice-themed ZIP archives or unexpected download links.
  • Monitor for abnormal execution of msedgeupdate.exe and goopdate.exe, particularly when loading unusually large DLL files.
  • Restrict execution of untrusted binaries and implement application allowlisting where appropriate.
  • Monitor for unusual access to browser SQLite databases, email client data stores, cloud-sync directories, and sensitive user folders.
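The second recommendation above can be turned into a simple detection over image-load telemetry. The following is an added example written for this advisory, not code from the source or from any vendor: it scans a constructed CSV export (fields modelled on Sysmon image-load events plus a file size column) and flags the two updater executables when they load their side-loadable DLL from outside an assumed trusted install root, unsigned, or above an assumed size threshold.

```python
import csv
import io
from pathlib import PureWindowsPath

# Updater executables named in the advisory and the DLL each one side-loads.
SIDELOAD_PAIRS = {"msedgeupdate.exe": "msedgeupdate.dll", "goopdate.exe": "goopdate.dll"}
# Assumed legitimate install roots for these updaters; adjust to your environment.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Assumed threshold for "unusually large"; the advisory does not give a number.
LARGE_DLL_BYTES = 5 * 1024 * 1024


def classify(event: dict) -> list[str]:
    """Return the reasons one image-load event looks like updater side-loading ([] = benign)."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    expected_dll = SIDELOAD_PAIRS.get(image.name.lower())
    if expected_dll is None or loaded.name.lower() != expected_dll:
        return []  # not one of the updater/DLL pairs this rule covers
    reasons = []
    if not str(image).lower().startswith(TRUSTED_ROOTS):
        reasons.append("updater executed outside a trusted install root")
    if not str(loaded).lower().startswith(TRUSTED_ROOTS):
        reasons.append("side-loadable DLL loaded from an untrusted path")
    if event.get("Signed", "").lower() != "true":
        reasons.append("DLL is not signed")
    if int(event.get("Size", 0)) > LARGE_DLL_BYTES:
        reasons.append(f"DLL size {event['Size']} exceeds {LARGE_DLL_BYTES} bytes")
    return reasons


def scan(csv_text: str) -> list[tuple[str, list[str]]]:
    """Run classify() over a CSV export; return (DLL path, reasons) for every flagged load."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row)
        if reasons:
            hits.append((row["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (not real logs): one legitimate Edge update, two lure
# archives unpacked under Downloads as the advisory describes, one unrelated load.
SAMPLE_CSV = """Image,ImageLoaded,Signed,Size
C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\msedgeupdate.exe,C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\msedgeupdate.dll,true,1843200
C:\\Users\\ana\\Downloads\\CFDI\\msedgeupdate.exe,C:\\Users\\ana\\Downloads\\CFDI\\msedgeupdate.dll,false,9437184
C:\\Users\\ana\\Downloads\\COMPROBANTES\\goopdate.exe,C:\\Users\\ana\\Downloads\\COMPROBANTES\\goopdate.dll,false,11010048
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\shell32.dll,true,7340032
"""

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_CSV):
        print(dll, "->", "; ".join(reasons))
```

Tune TRUSTED_ROOTS and LARGE_DLL_BYTES against a baseline of genuine updater activity before alerting on this rule.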

Source

https://cyberpress.org/timbrestealer-infostealer-attack/