S0631: Chaes
Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[1]
Analyst context for executives and security teams
Chaes matters because it is described by ATT&CK as a Windows multistage information stealer focused on login credentials, credit card numbers, and other financial data, with reporting noting e-commerce customers in Brazil and Latin America. For leaders, the decision value is less about one malware name and more about validating whether Windows endpoint, browser, registry, script, and web-traffic monitoring can expose credential and financial-data theft behaviors before they become fraud, account takeover, or incident-response escalation.
Executive priority
Prioritize Chaes as a control-validation use case for credential theft and e-commerce risk. Security leaders should ask whether the organization can prove coverage for Windows script execution, browser/session theft indicators, registry persistence, fileless or disguised storage, and outbound web or alternative-protocol exfiltration. This is also useful compliance evidence: teams should be able to show that sensitive financial and authentication data paths are monitored, that suspicious persistence and user-executed files are investigated, and that incident responders can quickly determine which users, browsers, and accounts may be affected.
Technical view
ATT&CK provides no dedicated detection text for Chaes, so defenders should map coverage to its documented relationships. On Windows, validate telemetry and analytics around malicious-file execution, cmd.exe, Visual Basic, Python, JavaScript, Native API activity, InstallUtil and msiexec proxy execution, registry modification and Run Key persistence, browser session hijacking, web session cookie theft, input capture, screen capture, system and user discovery, deobfuscation, standard encoding, web-protocol C2, ingress tool transfer, and exfiltration over alternate protocols. Because Chaes is multistage and information-stealing, incident response should correlate initial execution, persistence, credential/session access, collection, and outbound transfer rather than treating each alert as isolated.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for cmd.exe, scripting runtimes, InstallUtil, msiexec, and unusual child-process chains
- Windows Registry auditing for modifications, Run Keys, startup locations, and suspicious or disguised registry resources
- Endpoint file and artifact telemetry for user-opened malicious files, downloaded stages, deobfuscation/decoding activity, and files or resources named to resemble legitimate components
- Browser-related telemetry where available, including cookie/session store access, suspicious browser injection or manipulation indicators, and access to authentication material
- Network telemetry for outbound HTTP/S or other web-protocol communications, encoded payloads, tool transfer, and possible exfiltration over protocols distinct from primary command-and-control
Detection direction
- Build behavior-based detection around the ATT&CK relationships rather than relying on a malware family name, since official detection guidance is not provided.
- Correlate script execution, LOLBin-style proxy execution, registry persistence, and outbound web traffic into a multistage narrative; single-event detections will miss context or create excessive noise.
- Tune carefully for administrative and software-installation activity involving msiexec, InstallUtil, registry changes, Python, JavaScript, and Visual Basic, because these can be legitimate in enterprise environments.
- Validate browser and credential-theft visibility explicitly; many environments collect process and network logs but have limited evidence for cookie access, browser session hijacking, or input capture.
- Review whether encoded outbound content, alternate-protocol exfiltration, and web-protocol C2 are visible after proxy, TLS inspection, EDR, and privacy constraints are considered.
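The following Python script is an added illustration of the correlation approach described in this section; it is not Glexia or MITRE code. It runs over a constructed batch of normalized endpoint and proxy events (process creation, Registry modification, outbound HTTP) and labels each event with the ATT&CK-derived stage it matches: proxy execution through msiexec or InstallUtil, script-interpreter execution, an Office parent process (user execution), a Run Key write (persistence), and a POST body that decodes as Base64 (encoded C2). A host is reported only when three or more distinct stages appear inside one time window, so an administrator running msiexec on its own (host-b below) produces no finding while the multistage chain on host-a does. Host names, paths, the TEST-NET address and the window length are assumptions chosen for the sample.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage rules derived from the technique relationships on this page.
PROXY_BINARIES = {"msiexec.exe", "installutil.exe"}            # T1218.007, T1218.004
SCRIPT_RUNTIMES = {"wscript.exe", "cscript.exe", "cmd.exe", "python.exe", "node.exe"}  # T1059.*
OFFICE_APPS = {"winword.exe", "excel.exe"}                       # parent of T1204.002
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")                    # T1132.001 candidate bodies

def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def looks_base64(text):
    """True when text is a long, strictly valid Base64 string."""
    if not B64_RE.match(text) or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False

def classify(ev):
    """Return the set of chain stages a single normalized event matches."""
    stages = set()
    if ev["source"] == "process":
        image = basename(ev["image"])
        if image in PROXY_BINARIES:
            stages.add("execution_proxy")
        if image in SCRIPT_RUNTIMES:
            stages.add("script_execution")
        if basename(ev.get("parent", "")) in OFFICE_APPS:
            stages.add("user_execution")
    elif ev["source"] == "registry":
        if "\\currentversion\\run" in ev["key"].lower():
            stages.add("persistence")                             # T1547.001
    elif ev["source"] == "network":
        if ev.get("method") == "POST" and looks_base64(ev.get("body", "")):
            stages.add("encoded_c2")                              # T1071.001 + T1132.001
    return stages

def correlate(events, window_minutes=30, min_stages=3):
    """One finding per host whose events cover min_stages distinct stages inside a window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        stamps = [datetime.fromisoformat(e["ts"]) for e in evs]
        for i, start in enumerate(stamps):
            evidence = {}
            for ev, ts in zip(evs[i:], stamps[i:]):
                if ts - start > timedelta(minutes=window_minutes):
                    break
                for stage in classify(ev):
                    evidence.setdefault(stage, ev)                # keep first event per stage
            if len(evidence) >= min_stages:
                findings.append({"host": host, "window_start": evs[i]["ts"],
                                 "stages": sorted(evidence), "evidence": evidence})
                break
    return findings

# Constructed sample telemetry (assumed field names; not real logs or indicators).
ENCODED_BODY = base64.b64encode(b'{"user":"u","machine":"HOST-A","os":"10.0.19042"}').decode()
SAMPLE_EVENTS = [
    {"ts": "2021-06-30T09:00:05", "host": "host-a", "source": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2021-06-30T09:00:40", "host": "host-a", "source": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"ts": "2021-06-30T09:01:10", "host": "host-a", "source": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-06-30T09:01:30", "host": "host-a", "source": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"ts": "2021-06-30T09:03:00", "host": "host-a", "source": "network", "method": "POST",
     "url": "http://203.0.113.10/upload", "body": ENCODED_BODY},
    {"ts": "2021-06-30T10:00:00", "host": "host-b", "source": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2021-06-30T10:00:30", "host": "host-b", "source": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App", "value": "DisplayName"},
    {"ts": "2021-06-30T10:01:00", "host": "host-b", "source": "network", "method": "POST",
     "url": "http://intranet.example/report", "body": "name=report&q=1"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], f["window_start"], ", ".join(f["stages"]))
```

The threshold and window are the tuning knobs the section refers to: raising min_stages trades missed partial chains for fewer false positives from installation activity, and the per-stage evidence dictionary gives responders the first process, Registry and network event to pivot on.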
Mitigation priorities
- Harden Windows execution paths first: reduce exposure to untrusted files, constrain script interpreters where business allows, and monitor trusted utilities that can proxy execution.
- Protect identity and browser sessions: enforce strong authentication controls, reduce unnecessary session lifetime where feasible, and ensure rapid credential and session revocation procedures exist for suspected theft.
- Control persistence and stealth opportunities by monitoring and governing Registry Run Keys, startup folders, suspicious registry storage, and resources that imitate legitimate names or locations.
- Improve egress governance by restricting unnecessary outbound protocols, monitoring web-protocol destinations, and reviewing controls for encoded or unusual outbound data flows.
- Prepare incident-response playbooks for information stealers: identify affected users and browsers, rotate credentials, revoke sessions, preserve endpoint evidence, and assess potential financial-data exposure.
Analyst notes and limits
The object identifies Chaes as a Windows multistage information stealer that collects credentials, credit card numbers, and other financial information, first observed in 2020 and apparently focused on Brazil and other Latin American e-commerce customers. The strongest defensive value comes from its many ATT&CK technique relationships, which span execution, stealth, persistence, discovery, collection, credential access, command-and-control, and exfiltration. Local environment evidence is required to determine relevance, exposure, and detection quality.
ATT&CK does not provide official detection text, aliases, labels, or malware-level tactics for this object. Relationship descriptions include platforms beyond Windows, but the Chaes object itself is supplied with Windows as its platform, so defensive conclusions should be validated against Windows telemetry for this malware. The supplied fields do not support claims of current activity, attribution, customer exposure, guaranteed detection, or specific indicators of compromise.
Chaes
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.007 | Msiexec Sub-technique | Chaes has used .MSI files as an initial way to start the infection chain.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Chaes requires the user to click on the malicious Word document to execute the next part of the attack.[1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Chaes has used Base64 to encode C2 communications.[1] |
| Enterprise | T1573 | Encrypted Channel | Chaes has used encryption for its C2 channel.[1] |
| Enterprise | T1106 | Native API | Chaes used the |
| Enterprise | T1218.004 | InstallUtil Sub-technique | Chaes has used InstallUtil to download content.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Chaes has used VBScript to execute malicious code.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Chaes has collected the username and UID from the infected machine.[1] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol.[1] |
| Enterprise | T1059.006 | Python Sub-technique | Chaes has used Python scripts for execution and the installation of additional files.[1] |
| Enterprise | T1539 | Steal Web Session Cookie | Chaes has used a script that extracts the web session cookie and sends it to the C2 server.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Chaes has used an unsigned, crafted DLL module named |
| Enterprise | T1221 | Template Injection | Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.[1] |
| Enterprise | T1112 | Modify Registry | Chaes can modify Registry values to store information and establish persistence.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Chaes has added persistence via the Registry key |
| Enterprise | T1056 | Input Capture | Chaes has a module to perform any API hooking it desires.[1] |
| Enterprise | T1574.001 | DLL Sub-technique | Chaes has used search order hijacking to load a malicious DLL.[1] |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Some versions of Chaes stored its instructions (otherwise in an `instructions.ini` file) in the Registry.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Chaes has used HTTP for C2 communications.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1059.007 | JavaScript Sub-technique | Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process.[1] |
| Enterprise | T1185 | Browser Session Hijacking | Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Chaes can download additional files onto an infected machine.[1] |
| Enterprise | T1113 | Screen Capture | Chaes can capture screenshots of the infected machine.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Chaes has decrypted an AES encrypted binary file to trigger the download of other files.[1] |
| Enterprise | T1082 | System Information Discovery | Chaes has collected system information, including the machine name and OS version.[1] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Chaes can steal login credentials and stored financial information from the browser.[1] |
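The T1221 row above describes the delivery document pointing its template target at a remote payload URL. The Python check below is an added example written for this page, not Glexia, MITRE or Cybereason code, of how a mail gateway or sandbox pre-filter can surface that indicator in a .docx attachment before a user opens it: it reads the `word/_rels/settings.xml.rels` part of the OOXML package and reports any `attachedTemplate` relationship whose external target is an HTTP(S) URL or UNC path, while leaving the normal local `Normal.dotm` reference alone. The sample archives are constructed in memory and contain only the relationship part, so they are not usable documents; the TEST-NET address and file names are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML constants (these namespace/relationship URIs are part of the ECMA-376 standard).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.I)   # http(s) URL or UNC path

def is_remote_target(target):
    """True for targets that would make Word fetch the template over the network."""
    return bool(REMOTE_TARGET.match(target.strip()))

def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets that point off-host, or [] if none."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits                                 # no settings relationships at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "").lower() != "external":
                continue                                # internal parts cannot be remote
            target = rel.get("Target", "")
            if is_remote_target(target):
                hits.append(target)
    return hits

def build_sample(target, mode="External", include_rels=True):
    """Constructed test archive holding only the settings relationship part (not a real document)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{escape(target, {chr(34): "&quot;"})}" TargetMode="{mode}"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<placeholder/>")   # constructed filler part
        if include_rels:
            zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a remote template reference versus the usual local one.
    suspicious = build_sample("http://203.0.113.10/stage/template.dotm")
    benign = build_sample("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("suspicious:", find_remote_templates(suspicious))
    print("benign:", find_remote_templates(benign))
```

A hit on this check is a strong triage signal rather than proof of Chaes specifically: any remote template reference in inbound mail deserves sandbox detonation, and the reported URL gives the proxy and DNS teams a concrete value to search for in the telemetry listed earlier on this page.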
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9a91670f6b97… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Chaes Nov 2020: Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. (Open source URL)
- [2] Chaes (Citation: Cybereason Chaes Nov 2020)
- [3] mitre-attack S0631 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.