{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/winscp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WinSCP"],"_cs_severities":["high"],"_cs_tags":["credential-theft","infostealer","windows","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Martin Prikryl"],"content_html":"\u003cp\u003eThis brief details the threat of information-stealing malware, exemplified by families like Phantom Stealer, targeting the WinSCP client's sensitive configuration files. WinSCP, a popular open-source SFTP, FTP, WebDAV, SCP, and S3 client for Windows, stores SSH and FTP session credentials, including passwords and private key references, within the user profile path \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Roaming\\Martin Prikryl\\WinSCP 2\\Configuration\\Security\u003c/code\u003e. Malicious actors leverage infostealers to programmatically access these files, bypassing WinSCP's native protection mechanisms and directly extracting stored credentials. This activity is considered highly suspicious, as legitimate access to this directory should primarily originate from the \u003ccode\u003ewinscp.exe\u003c/code\u003e process itself. Detection relies on monitoring Windows Security Event 4663 (Object Access) for unauthorized processes reading or modifying files within this critical security folder.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of an endpoint occurs, typically via phishing or drive-by download, leading to the execution of information-stealing malware (e.g., Phantom Stealer).\u003c/li\u003e\n\u003cli\u003eThe deployed malware performs reconnaissance on the compromised system to identify installed applications commonly used for sensitive data storage, such as WinSCP.\u003c/li\u003e\n\u003cli\u003eThe malware locates the WinSCP security configuration folder, usually found at \u003ccode\u003e%APPDATA%\\Martin Prikryl\\WinSCP 2\\Configuration\\Security\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to access and read files within this directory using a process other than \u003ccode\u003ewinscp.exe\u003c/code\u003e, triggering Windows Security Event 4663 for object access.\u003c/li\u003e\n\u003cli\u003eSensitive SSH and FTP credentials, including plaintext passwords and private key references, are extracted from the configuration files.\u003c/li\u003e\n\u003cli\u003eThe harvested credentials are then staged for exfiltration to the attacker's command and control (C2) infrastructure, enabling further malicious activity like lateral movement or access to external services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential theft from WinSCP configurations can lead to significant follow-on attacks. Attackers can gain unauthorized access to remote servers (via SSH or FTP), cloud environments, or other critical infrastructure connected through WinSCP. This provides opportunities for data exfiltration, deployment of ransomware, or establishment of persistent access within the victim's network. Organizations may face severe financial losses, reputational damage, regulatory fines, and extensive remediation efforts due to expanded breaches facilitated by these stolen credentials. While a specific victim count is not provided, credential theft is a common tactic across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious WinSCP credential access.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Event 4663 logging for \u0026quot;Audit Object Access\u0026quot; in Group Policy, specifically for success and failure events on file system objects, to capture relevant activity.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u003ccode\u003eDetect WinSCP Security Configuration Access by Non-WinSCP Process\u003c/code\u003e rule, focusing on the accessing process, its parent, and any associated network connections.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of phishing and social engineering to prevent initial malware delivery that facilitates credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:26:15Z","date_published":"2026-07-03T13:26:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-winscp-credential-access/","summary":"Information-stealing malware such as Phantom Stealer targets WinSCP's security configuration folder to harvest sensitive SSH and FTP credentials, leading to unauthorized access to remote systems and potential lateral movement.","title":"WinSCP Credential Access by Information Stealers","url":"https://feed.craftedsignal.io/briefs/2026-07-winscp-credential-access/"}],"language":"en","title":"CraftedSignal Threat Feed - WinSCP","version":"https://jsonfeed.org/version/1.1"}