EKZ Stealer

EKZ Stealer is a dangerous information-stealing Trojan that targets saved passwords, browser cookies, autofill data, and payment information. The malware spreads through fake software updates and exploited enterprise software vulnerabilities, allowing attackers to silently harvest credentials from infected Windows systems.

Threat Summary	Details
Threat Type	Trojan, Information Stealer, Password-Stealing Malware
Detection Names	Trojan:Win32/Qwexlafiba!rfn, Trojan-PSW.Win64.Agent.aea, Trojan.PasswordStealer.GenericKDS.6861, Win64:MalwareX-gen [Misc]
Symptoms	Stolen accounts, suspicious login activity, browser credential theft, hidden background processes, session hijacking
Damage & Distribution	Credential theft, financial fraud, account compromise, identity theft; distributed via fake Fortinet updates, malicious PowerShell scripts, exploited FortiClient EMS vulnerability
Danger Level	Critical
Removal Tool	SpyHunter

EKZ Stealer emerged in targeted attacks against organizations using Fortinet’s FortiClient EMS software. Attackers exploited the critical vulnerability CVE-2026-35616 to push a fake update named FortiEndpoint_Patch.exe to managed systems. Once executed, the Trojan immediately began extracting sensitive browser data and transmitting it to attacker-controlled servers.

How EKZ Stealer Trojan Virus Installs on Systems

EKZ Stealer primarily spreads through compromised enterprise environments and social engineering tactics. In the observed campaign, cybercriminals abused FortiClient EMS configurations to inject malicious PowerShell commands into VPN profiles. Those scripts automatically downloaded and launched the malware when users connected to the VPN.

Outside enterprise attacks, information stealers commonly spread through:

• Fake software updates
• Cracked applications and pirated software
• Malicious email attachments
• Discord and Telegram file-sharing scams
• Trojanized gaming mods and cheat tools
• Fake CAPTCHA verification pages

Many infostealers disguise themselves as legitimate utilities or patches to avoid suspicion. Cybercriminals frequently use convincing branding and fake download statistics to trick victims into executing malicious files.

What Data EKZ Stealer Trojan Virus Tries to Steal

EKZ Stealer focuses heavily on browser-based credential theft. The malware targets Chromium-based browsers such as Google Chrome and Microsoft Edge, as well as Firefox-based applications including Mozilla Firefox, LibreWolf, Waterfox, Pale Moon, and Thunderbird.

Once active, EKZ Stealer attempts to collect:

• Saved usernames and passwords
• Browser cookies
• Session tokens
• Autofill information
• Stored payment card details
• Browsing-related authentication data

One of the malware’s most dangerous capabilities is its ability to bypass browser encryption protections. EKZ Stealer copies itself into browser application folders and abuses internal browser functions to retrieve encryption keys tied to the Windows user account. This allows it to decrypt stored credentials without triggering security warnings.

The stolen data is then packaged into log files and transmitted to attacker infrastructure through HTTP connections. Victims may experience account hijacking, unauthorized financial transactions, or identity theft shortly after infection.

Persistence Tactics Used by EKZ Stealer Trojan Virus

EKZ Stealer uses multiple evasion and anti-forensics techniques to remain hidden and complicate analysis.

Researchers observed the malware using:

• Base64-encoded PowerShell payloads
• Zeroed executable timestamps
• Temporary execution paths
• Self-deleting payload behavior
• Log cleanup routines

The malware often removes traces of itself after data theft is complete, making infections difficult to detect afterward. Some infostealers disappear within minutes of execution, leaving only stolen credentials behind.

Because attackers can deploy secondary malware after the initial infection, victims should assume additional persistence mechanisms may exist on compromised systems.

How to Remove EKZ Stealer Trojan Virus

If you suspect EKZ Stealer infected your system, act immediately:

1. Disconnect the infected computer from the internet.
2. Change all passwords from a clean device.
3. Revoke active browser sessions where possible.
4. Enable multi-factor authentication on critical accounts.
5. Scan the system using trusted anti-malware software.
6. Monitor financial accounts for suspicious activity.
7. Reinstall browsers and clear stored credentials.
8. Consider a full OS reinstall for enterprise compromises.

Organizations using FortiClient EMS should immediately patch systems vulnerable to CVE-2026-35616 and review VPN profile configurations for unauthorized modifications.

Conclusion

EKZ Stealer is a highly dangerous credential-stealing Trojan capable of bypassing browser protections and silently harvesting sensitive data from infected systems. Its use in targeted enterprise attacks demonstrates a growing trend of attackers abusing trusted management software to distribute malware at scale.

Because the Trojan can erase traces of its activity after execution, many victims may never realize their credentials were stolen until accounts are compromised. Immediate remediation, password resets, and full system scans are critical after exposure.

Manual Removal for EKZ Stealer (For advanced users)

Step 1: Enter Safe Mode with Networking

Since info-stealers may resist removal while active, booting into Safe Mode helps disable their execution.

1. Windows 10/11:
   • Press Win + R, type msconfig, and hit Enter.
   • Go to the Boot tab and check Safe boot → Network.
   • Click Apply → OK and restart your PC.
2. Windows 7/8:
   • Restart your PC and keep pressing F8 before Windows loads.
   • Select Safe Mode with Networking and press Enter.

---

Step 2: End Malicious Processes in Task Manager

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious processes (e.g., randomized names, high CPU usage, or unknown apps).
3. Right-click on them and select End Task.

Common info-stealer process names include StealC.exe, RedLine.exe, Vidar.exe, or generic system-like names.

---

Step 3: Uninstall Suspicious Programs

1. Press Win + R, type appwiz.cpl, and hit Enter.
2. Look for unknown or recently installed suspicious software.
3. Right-click the suspect entry and select Uninstall.

---

Step 4: Delete Malicious Files and Registry Entries

Info-stealers leave behind hidden files and registry keys to ensure persistence.

1. Open File Explorer and navigate to:
   • C:\Users\YourUser\AppData\Local
   • C:\Users\YourUser\AppData\Roaming
   • C:\ProgramData
   • C:\Windows\Temp
   Delete any unfamiliar folders with random names.
2. Open Registry Editor:
   • Press Win + R, type regedit, and press Enter.
   • Navigate to:
     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • Look for randomized or suspicious registry keys (e.g., StealerLoader, Malware123).
   • Right-click and delete any malicious entries.

---

Step 5: Clear Browser Data and Reset DNS

Since info-stealers target browsers, you need to clear stored credentials.

Clear Browsing Data

1. Open Chrome, Edge, or Firefox.
2. Go to Settings → Privacy and Security → Clear Browsing Data.
3. Select Passwords, Cookies, and Cached files and click Clear Data.

Reset DNS

1. Open Command Prompt as Administrator.
2. Type the following commands, pressing Enter after each:bashCopyEditipconfig /flushdns ipconfig /release ipconfig /renew
3. Restart your computer.

---

Step 6: Scan for Rootkits

Even after manual removal, some info-stealers may hide as rootkits.

1. Download Malwarebytes Anti-Rootkit or Microsoft Safety Scanner.
2. Run a deep scan and remove any detected threats.

---

Step 7: Change All Passwords & Enable MFA

Since info-stealers extract credentials, immediately update passwords for:

• Email accounts
• Banking and finance sites
• Social media
• Cryptocurrency wallets
• Business and work logins

Enable two-factor authentication (2FA) to prevent unauthorized access.

---

Method 2: Automatically Removing EKZ Stealer Using SpyHunter (Recommended)

(For users who want a fast, hassle-free solution)

SpyHunter is a professional anti-malware tool capable of detecting and removing info-stealers, trojans, keyloggers, and spyware.

Step 1: Download SpyHunter

Click here to download SpyHunter

Step 2: Install and Launch SpyHunter

1. Locate the SpyHunter-Installer.exe file in your Downloads folder.
2. Double-click to start the installation.
3. Follow the on-screen instructions and launch SpyHunter after installation.

Step 3: Perform a Full System Scan

1. Click “Start Scan” to analyze your system.
2. SpyHunter will detect any info-stealers, trojans, or keyloggers.
3. Click “Remove” to delete all detected threats.

Step 4: Enable Real-Time Protection

• Go to Settings and enable Real-Time Malware Protection to prevent future infections.

---

Prevention Tips: How to Stay Safe from Info-Stealers

• Avoid Cracked Software & Torrents – They are a major infection source.
• Use Strong, Unique Passwords – Utilize a password manager.
• Enable Two-Factor Authentication (2FA) – Reduces the risk of stolen credentials being misused.
• Keep Software & OS Updated – Patches fix security vulnerabilities.
• Be Wary of Phishing Emails – Do not open attachments from unknown senders.
• Use an Antivirus or Anti-Malware Tool – A good tool like SpyHunter helps detect and remove threats.