<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WinSCP - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/winscp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:26:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/winscp/feed.xml" rel="self" type="application/rss+xml"/><item><title>WinSCP Credential Access by Information Stealers</title><link>https://feed.craftedsignal.io/briefs/2026-07-winscp-credential-access/</link><pubDate>Fri, 03 Jul 2026 13:26:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-winscp-credential-access/</guid><description>Information-stealing malware such as Phantom Stealer targets WinSCP's security configuration folder to harvest sensitive SSH and FTP credentials, leading to unauthorized access to remote systems and potential lateral movement.</description><content:encoded><![CDATA[<p>This brief details the threat of information-stealing malware, exemplified by families like Phantom Stealer, targeting the WinSCP client's sensitive configuration files. WinSCP, a popular open-source SFTP, FTP, WebDAV, SCP, and S3 client for Windows, stores SSH and FTP session credentials, including passwords and private key references, within the user profile path <code>C:\Users\&lt;username&gt;\AppData\Roaming\Martin Prikryl\WinSCP 2\Configuration\Security</code>. Malicious actors leverage infostealers to programmatically access these files, bypassing WinSCP's native protection mechanisms and directly extracting stored credentials. This activity is considered highly suspicious, as legitimate access to this directory should primarily originate from the <code>winscp.exe</code> process itself. Detection relies on monitoring Windows Security Event 4663 (Object Access) for unauthorized processes reading or modifying files within this critical security folder.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of an endpoint occurs, typically via phishing or drive-by download, leading to the execution of information-stealing malware (e.g., Phantom Stealer).</li>
<li>The deployed malware performs reconnaissance on the compromised system to identify installed applications commonly used for sensitive data storage, such as WinSCP.</li>
<li>The malware locates the WinSCP security configuration folder, usually found at <code>%APPDATA%\Martin Prikryl\WinSCP 2\Configuration\Security\</code>.</li>
<li>The malware attempts to access and read files within this directory using a process other than <code>winscp.exe</code>, triggering Windows Security Event 4663 for object access.</li>
<li>Sensitive SSH and FTP credentials, including plaintext passwords and private key references, are extracted from the configuration files.</li>
<li>The harvested credentials are then staged for exfiltration to the attacker's command and control (C2) infrastructure, enabling further malicious activity like lateral movement or access to external services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful credential theft from WinSCP configurations can lead to significant follow-on attacks. Attackers can gain unauthorized access to remote servers (via SSH or FTP), cloud environments, or other critical infrastructure connected through WinSCP. This provides opportunities for data exfiltration, deployment of ransomware, or establishment of persistent access within the victim's network. Organizations may face severe financial losses, reputational damage, regulatory fines, and extensive remediation efforts due to expanded breaches facilitated by these stolen credentials. While a specific victim count is not provided, credential theft is a common tactic across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious WinSCP credential access.</li>
<li>Enable Windows Security Event 4663 logging for &quot;Audit Object Access&quot; in Group Policy, specifically for success and failure events on file system objects, to capture relevant activity.</li>
<li>Investigate all alerts generated by the <code>Detect WinSCP Security Configuration Access by Non-WinSCP Process</code> rule, focusing on the accessing process, its parent, and any associated network connections.</li>
<li>Educate users on the risks of phishing and social engineering to prevent initial malware delivery that facilitates credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-theft</category><category>infostealer</category><category>windows</category><category>data-exfiltration</category></item></channel></rss>