Razy

Category: infostealer · Aliases: Razy · Sample count (EMBER 2018): 3,391 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

Razy is a malware family that targets cryptocurrency. According to analysis published by Kaspersky, Razy installs or abuses a malicious browser extension in order to steal cryptocurrency from its victims. By operating inside the browser, it can interfere with how cryptocurrency-related web pages are displayed and how transactions are handled, allowing it to redirect funds or harvest wallet information.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1176 T1539 T1555.003 T1clipboard T1041

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_RAZY {
    meta:
        description = "Detects Razy (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "razy" ascii wide nocase
        $s2 = "razy" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Razy Activity
id: de9ef5bfa0065ca2b73af119704ccfa3
status: experimental
description: Detects generic indicators of the razy malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*razy*"
            - "*razy*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is the Razy malware family?

Razy is malware focused on cryptocurrency theft. As described by Kaspersky, it uses a malicious browser extension to steal cryptocurrency from infected users.

How does Razy steal cryptocurrency?

Razy operates through a malicious browser extension, which lets it tamper with cryptocurrency-related web content and the browser environment in order to capture or redirect funds.

Why does Razy target browsers?

Cryptocurrency transactions are frequently performed through web interfaces, so by embedding itself as a browser extension Razy gains a position to observe and manipulate those activities.

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/razy.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.