Urelas is a specialized Information Stealer (InfoStealer) Trojan primarily designed to harvest credentials and digital assets related to online gaming platforms. While its focus on gaming may seem less critical than banking trojans, it represents a significant security risk as users frequently reuse passwords across personal and corporate accounts, and stolen gaming accounts are highly liquid assets sold on the cybercriminal black market.
Infection Vector and Technical Capabilities
Urelas is typically distributed via peer-to-peer (P2P) networks, untrustworthy gaming forums, or malicious Discord servers. It is almost always disguised as a "crack," a "keygen," or a "cheat engine" for popular video games, tricking users into willingly bypassing their antivirus to execute the payload.
Its technical operation focuses on targeted credential extraction:
Targeted File Extraction: Urelas actively searches the file system for configuration files, save states, and credential databases associated with major gaming platforms (like Steam, Origin, Battle.net) and specific popular MMOs.
Keylogging and Web Browser Theft: Like most modern stealers, it also incorporates a keylogger to capture typed passwords and modules to extract saved credentials and session cookies directly from web browsers (Chrome, Firefox).
Rapid Exfiltration: The stolen data is compressed, encrypted, and exfiltrated to an attacker-controlled Command and Control (C2) server. Once the primary data is stolen, some variants may attempt to download secondary payloads to monetize the machine further (e.g., cryptocurrency miners).
Threat Assessment
While initially targeting gamers, a Urelas infection in a corporate environment is a serious incident. The theft of web browser cookies and the presence of a keylogger mean that corporate email, VPN, and SSO credentials are highly likely to have been compromised alongside the gaming data.
Incident Response and Remediation
Mandatory Credential Reset: Assume total credential compromise. Immediately force a password reset for the user's Active Directory account, corporate email, VPN access, and enforce strict Multi-Factor Authentication (MFA).
User Education and Reprimand: The presence of Urelas strongly indicates the user was attempting to run pirated software or game hacks on a corporate device, which is a severe violation of acceptable use policies.
EDR Triage: Utilize EDR to ensure the Urelas executable has been completely removed and verify that it did not successfully download and execute a secondary payload (like a cryptominer) before quarantine.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1555T1056.001T1048
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.