S0631: Chaes
Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[1]
Analyst context for executives and security teams
Chaes matters because it is described by ATT&CK as a Windows multistage information stealer focused on login credentials, credit card numbers, and other financial data, with reporting noting e-commerce customers in Brazil and Latin America. For leaders, the decision value is less about one malware name and more about validating whether Windows endpoint, browser, registry, script, and web-traffic monitoring can expose credential and financial-data theft behaviors before they become fraud, account takeover, or incident-response escalation.
Executive priority
Prioritize Chaes as a control-validation use case for credential theft and e-commerce risk. Security leaders should ask whether the organization can prove coverage for Windows script execution, browser/session theft indicators, registry persistence, fileless or disguised storage, and outbound web or alternative-protocol exfiltration. This is also useful compliance evidence: teams should be able to show that sensitive financial and authentication data paths are monitored, that suspicious persistence and user-executed files are investigated, and that incident responders can quickly determine which users, browsers, and accounts may be affected.
Technical view
ATT&CK provides no dedicated detection text for Chaes, so defenders should map coverage to its documented relationships. On Windows, validate telemetry and analytics around malicious-file execution, cmd.exe, Visual Basic, Python, JavaScript, Native API activity, InstallUtil and msiexec proxy execution, registry modification and Run Key persistence, browser session hijacking, web session cookie theft, input capture, screen capture, system and user discovery, deobfuscation, standard encoding, web-protocol C2, ingress tool transfer, and exfiltration over alternate protocols. Because Chaes is multistage and information-stealing, incident response should correlate initial execution, persistence, credential/session access, collection, and outbound transfer rather than treating each alert as isolated.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for cmd.exe, scripting runtimes, InstallUtil, msiexec, and unusual child-process chains
- Windows Registry auditing for modifications, Run Keys, startup locations, and suspicious or disguised registry resources
- Endpoint file and artifact telemetry for user-opened malicious files, downloaded stages, deobfuscation/decoding activity, and files or resources named to resemble legitimate components
- Browser-related telemetry where available, including cookie/session store access, suspicious browser injection or manipulation indicators, and access to authentication material
- Network telemetry for outbound HTTP/S or other web-protocol communications, encoded payloads, tool transfer, and possible exfiltration over protocols distinct from primary command-and-control
Detection direction
- Build behavior-based detection around the ATT&CK relationships rather than relying on a malware family name, since official detection guidance is not provided.
- Correlate script execution, LOLBin-style proxy execution, registry persistence, and outbound web traffic into a multistage narrative; single-event detections will miss context or create excessive noise.
- Tune carefully for administrative and software-installation activity involving msiexec, InstallUtil, registry changes, Python, JavaScript, and Visual Basic, because these can be legitimate in enterprise environments.
- Validate browser and credential-theft visibility explicitly; many environments collect process and network logs but have limited evidence for cookie access, browser session hijacking, or input capture.
- Review whether encoded outbound content, alternate-protocol exfiltration, and web-protocol C2 are visible after proxy, TLS inspection, EDR, and privacy constraints are considered.
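The correlation idea in the Likely telemetry and Detection direction lists above, worked through as an added example. This is editor-supplied code, not part of the ATT&CK object, the Glexia mirror, or the Cybereason report, and it uses no Chaes-specific indicators: the event schema, process and parent names, paths, registry keys, window size, and the three-stage threshold are all assumptions, and the sample events are constructed. It maps single low-confidence events (a script host launched from a user-facing app, InstallUtil/msiexec loading from a user-writable path, a Run key pointing into a user profile, web-protocol egress from a script host) to stage names and only raises a finding when several distinct stages land on the same host and user inside one window, so the SCCM-driven msiexec install and HTTPS fetch on the second host stay below the alerting bar.

```python
"""Multistage correlation over constructed Windows endpoint and network events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage vocabulary keyed to the ATT&CK relationships this page lists (assumed, not exhaustive).
PROXY_EXEC = {"installutil.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
STAGE_ORDER = ["user_execution", "script_execution", "proxy_execution",
               "registry_persistence", "web_c2"]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(text):
    text = text.lower()
    return any(marker in text for marker in USER_WRITABLE)


def classify(ev):
    """Map one normalized event to a stage name, or None when it is not suspicious on its own."""
    if ev["type"] == "process":
        image, parent = _base(ev["image"]), _base(ev["parent"])
        if parent in USER_FACING_PARENTS and (image in SCRIPT_HOSTS or _user_writable(ev["image"])):
            return "user_execution"          # user-facing app spawned a script host or user-path binary
        if image in PROXY_EXEC and (_user_writable(ev.get("cmdline", "")) or parent in SCRIPT_HOSTS):
            return "proxy_execution"         # trusted utility loading a payload from a user path
        if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS | PROXY_EXEC:
            return "script_execution"        # interpreter-to-interpreter chain
    elif ev["type"] == "registry":
        if any(k in ev["key"].lower() for k in RUN_KEYS) and _user_writable(ev["data"]):
            return "registry_persistence"    # Run key aimed at a user-writable location
    elif ev["type"] == "network":
        image = _base(ev["image"])
        if ev["dest_port"] in (80, 443) and (image in SCRIPT_HOSTS | PROXY_EXEC
                                             or _user_writable(ev["image"])):
            return "web_c2"                  # web-protocol egress from an unusual initiator
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return one finding per (host, user) whose distinct stages fit inside a sliding time window."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_principal[(ev["host"], ev["user"])].append((ev["ts"], stage, ev))
    findings = []
    for (host, user), hits in by_principal.items():
        best = {}
        for i, (t0, _, _) in enumerate(hits):
            seen = {}
            for t, stage, ev in hits[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, ev)   # keep the first evidence event per stage
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            ordered = [s for s in STAGE_ORDER if s in best]
            findings.append({"host": host, "user": user, "stages": ordered,
                             "evidence": [best[s] for s in ordered]})
    return findings


T0 = datetime(2024, 5, 6, 10, 0, 0)   # constructed timestamp base


def _ev(secs, host, user, **fields):
    return {"ts": T0 + timedelta(seconds=secs), "host": host, "user": user, **fields}


# Constructed sample telemetry: a five-stage chain on WS-042, benign SCCM install activity on WS-017.
SAMPLE_EVENTS = [
    _ev(0, "WS-042", "alice", type="process", image=r"C:\Windows\System32\wscript.exe",
        parent=r"C:\Windows\explorer.exe", cmdline=r"wscript.exe C:\Users\alice\Downloads\invoice.js"),
    _ev(5, "WS-042", "alice", type="process", image=r"C:\Windows\System32\cmd.exe",
        parent=r"C:\Windows\System32\wscript.exe", cmdline=r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\r.bat"),
    _ev(20, "WS-042", "alice", type="process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        parent=r"C:\Windows\System32\cmd.exe",
        cmdline=r"InstallUtil.exe /LogToConsole=false C:\Users\alice\AppData\Local\Temp\stage2.dll"),
    _ev(40, "WS-042", "alice", type="registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        data=r"C:\Users\alice\AppData\Roaming\upd\upd.exe"),
    _ev(70, "WS-042", "alice", type="network", image=r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
        dest="203.0.113.10", dest_port=443),
    _ev(90, "WS-017", "svc_sccm", type="process", image=r"C:\Windows\System32\msiexec.exe",
        parent=r"C:\Windows\CCM\CcmExec.exe", cmdline=r"msiexec.exe /i C:\Windows\ccmcache\a1\app.msi /qn"),
    _ev(95, "WS-017", "svc_sccm", type="registry", key=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
        data=r"C:\Program Files\Vendor\agent.exe"),
    _ev(99, "WS-017", "svc_sccm", type="network", image=r"C:\Windows\System32\msiexec.exe",
        dest="198.51.100.20", dest_port=443),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["host"], f["user"], " -> ".join(f["stages"]))
```

The msiexec HTTPS fetch on WS-017 still classifies as a `web_c2` candidate on its own, which is exactly the noise the tuning bullet warns about; it never becomes a finding because nothing else on that host and user joins it inside the window. In a real pipeline the stage predicates would be replaced by the EDR's normalized fields and the threshold and window tuned against the environment's baseline of installer and scripting activity.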
Mitigation priorities
- Harden Windows execution paths first: reduce exposure to untrusted files, constrain script interpreters where business allows, and monitor trusted utilities that can proxy execution.
- Protect identity and browser sessions: enforce strong authentication controls, reduce unnecessary session lifetime where feasible, and ensure rapid credential and session revocation procedures exist for suspected theft.
- Control persistence and stealth opportunities by monitoring and governing Registry Run Keys, startup folders, suspicious registry storage, and resources that imitate legitimate names or locations.
- Improve egress governance by restricting unnecessary outbound protocols, monitoring web-protocol destinations, and reviewing controls for encoded or unusual outbound data flows.
- Prepare incident-response playbooks for information stealers: identify affected users and browsers, rotate credentials, revoke sessions, preserve endpoint evidence, and assess potential financial-data exposure.
Analyst notes and limits
The object identifies Chaes as a Windows multistage information stealer that collects credentials, credit card numbers, and other financial information, first observed in 2020 and apparently focused on Brazil and other Latin American e-commerce customers. The strongest defensive value comes from its many ATT&CK technique relationships, which span execution, stealth, persistence, discovery, collection, credential access, command-and-control, and exfiltration. Local environment evidence is required to determine relevance, exposure, and detection quality.
ATT&CK does not provide official detection text, aliases, labels, or malware-level tactics for this object. Relationship descriptions include platforms beyond Windows, but the Chaes object itself is supplied with Windows as its platform, so defensive conclusions should be validated against Windows telemetry for this malware. The supplied fields do not support claims of current activity, attribution, customer exposure, guaranteed detection, or specific indicators of compromise.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9a91670f6b97… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Cybereason. Retrieved June 30, 2021.
[2] Chaes (Citation: Cybereason Chaes Nov 2020)
[3] mitre-attack: S0631
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.