Razy is a malware family that targets cryptocurrency. According to analysis published by Kaspersky, Razy installs or abuses a malicious browser extension in order to steal cryptocurrency from its victims. By operating inside the browser, it can interfere with how cryptocurrency-related web pages are displayed and how transactions are handled, allowing it to redirect funds or harvest wallet information.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1176 T1539 T1555.003 T1clipboard T1041
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_RAZY {
meta:
description = "Detects Razy (infostealer)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "razy" ascii wide nocase
$s2 = "razy" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Razy Activity
id: de9ef5bfa0065ca2b73af119704ccfa3
status: experimental
description: Detects generic indicators of the razy malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*razy*"
- "*razy*"
condition: selection
level: mediumRazy is malware focused on cryptocurrency theft. As described by Kaspersky, it uses a malicious browser extension to steal cryptocurrency from infected users.
Razy operates through a malicious browser extension, which lets it tamper with cryptocurrency-related web content and the browser environment in order to capture or redirect funds.
Cryptocurrency transactions are frequently performed through web interfaces, so by embedding itself as a browser extension Razy gains a position to observe and manipulate those activities.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/razy.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.