Urelas

Category: trojan · Aliases: InfoStealer.Urelas, Trojan-PSW.Win32.Urelas, GameThief.Urelas · Sample count (EMBER 2018): 666 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

Urelas is a specialized Information Stealer (InfoStealer) Trojan primarily designed to harvest credentials and digital assets related to online gaming platforms. While its focus on gaming may seem less critical than banking trojans, it represents a significant security risk as users frequently reuse passwords across personal and corporate accounts, and stolen gaming accounts are highly liquid assets sold on the cybercriminal black market.

Infection Vector and Technical Capabilities

Urelas is typically distributed via peer-to-peer (P2P) networks, untrustworthy gaming forums, or malicious Discord servers. It is almost always disguised as a "crack," a "keygen," or a "cheat engine" for popular video games, tricking users into willingly bypassing their antivirus to execute the payload. Its technical operation focuses on targeted credential extraction:

Threat Assessment

While initially targeting gamers, a Urelas infection in a corporate environment is a serious incident. The theft of web browser cookies and the presence of a keylogger mean that corporate email, VPN, and SSO credentials are highly likely to have been compromised alongside the gaming data.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1555 T1056.001 T1048

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_URELAS {
    meta:
        description = "Detects Urelas (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "urelas" ascii wide nocase
        $s2 = "infostealer.urelas" ascii wide nocase
        $s3 = "trojan-psw.win32.urelas" ascii wide nocase
        $s4 = "gamethief.urelas" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Urelas Activity
id: c0e991916dcf2fb2927af9292a688f7f
status: experimental
description: Detects generic indicators of the urelas malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*urelas*"
            - "*infostealer.urelas*"
            - "*trojan-psw.win32.urelas*"
            - "*gamethief.urelas*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about urelas?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/urelas.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.