Also known as: MrAnon
Type: Trojan, Stealer
Platform: Microsoft Windows
Damage potential: Stolen credentials, unauthorized account access, privacy invasion, damaged or stolen files, cryptocurrency theft, installing other malware, and further cyberattacks.
MrAnon is an information-stealing trojan that targets Windows devices. The malware was first identified in Germany in 2023 as a malicious PDF file spread through a phishing campaign (a fake hotel booking). The trojan is compressed with cx-Freeze — a software that turns Python programs into separate files — to avoid antivirus detection. MrAnon Stealer may gather various information, including the victim’s credentials, browser sessions, and cryptocurrency extensions.
MrAnon Stealer tries to avoid detection by breaking itself up into several standalone files. However, once it infects a device, you may notice several symptoms.
- Unusually slow computer performance
- Programs take longer to load, start, or respond
- Disabled antivirus or anti-malware software
- Suspicious pop-ups and redirects to unfamiliar websites
- Strange browser behavior (e.g., crashing)
- Unresponsive programs and apps
- Unauthorized network activity, like increased data usage
- New, unusual files (.exe, .run, ZIP, or RAR)
Sources of the infection
MrAnon Stealer typically spreads through a phishing email masquerading as a hotel booking request. The email may have a subject similar to “December Room Availability Query” and contain a PDF file that installs the trojan when opened.
- Drive-by downloads. Users may unknowingly download MrAnon by visiting an unsafe website.
- Malvertising. MrAnon may spread through ads that contain hidden malware or malicious code.
- Cracked software. Free or cracked software may carry MrAnon or other malware, installing it on the victim’s device without their knowledge.
- P2P sharing networks. MrAnon may spread when users share infected files on peer-to-peer (P2P) networks.
Reduce the chances of a MrAnon infection by taking the following cybersecurity precautions.
- Use email with caution. Don’t open suspicious emails — and never click on links or attachments unless you know and trust the sender.
- Keep your software up to date. Don’t ignore software or browser updates because they may contain important security patches.
- Browse safely. Be sensible when browsing, and don’t click on suspicious links or pop-ups.
- Download from trusted sources. Always download apps and programs from trusted websites (like the App Store and Google Play).
- Use Threat Protection. This advanced NordVPN feature blocks malicious websites and potentially harmful ads. Additionally, it scans the files you download for malware.
Removing MrAnon manually may be complex. However, most modern antivirus programs should be capable of automatically detecting and removing this trojan. If you think your device is infected but don’t have antivirus software, purchase and install a reliable solution. Then, disconnect from the internet and run a thorough scan. Follow the instructions the antivirus software provides to remove MrAnon — and ensure you run regular scans going forward.