CrowdStrike has issued a warning regarding a fraudulent recovery manual designed to repair Windows devices, which is distributing a new information-stealing malware known as Daolpu. Following a problematic update to CrowdStrike Falcon that caused widespread IT outages, cybercriminals have exploited the situation by sending phishing emails that claim to offer solutions.
These phishing attempts include a document titled ‘New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm,’ masquerading as a Microsoft recovery manual. This document, which mimics a Microsoft support bulletin, contains macros that, when activated, download a malicious DLL file. This file is then executed, launching the Daolpu stealer on the infected system.
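As an added illustration from the defensive side (this is not CrowdStrike's published YARA rule or any code from the advisory), the following Python script triages inbound Office attachments the way a mail-gateway hook might: it opens each file as the ZIP container that OOXML documents are, checks for an embedded VBA project (`word/vbaProject.bin` and its Excel/PowerPoint equivalents), and flags filenames that reuse the outage "recovery tool" lure wording. The sample attachments are constructed in memory; only the lure filename comes from the article, the other names, the verdict thresholds and the `assess_attachment`/`triage` helpers are assumptions made for the example.

```python
"""Attachment triage for macro-enabled Office lures (added example).

An OOXML document (.docx/.docm/.xlsm/...) is a ZIP archive; when it carries
VBA macros, the project is stored as vbaProject.bin inside the package.
Sample attachments below are constructed for the demo, not real captures.
"""
import io
import re
import zipfile

# Where OOXML containers store a VBA macro project (Word, Excel, PowerPoint).
VBA_PROJECT_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Lure wording reported for this campaign: a "recovery tool" for the CrowdStrike issue.
# Assumed regex for the example; tune to the naming seen in your own mail flow.
LURE_PATTERN = re.compile(r"crowdstrike|recovery[_ -]?tool", re.IGNORECASE)


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a ZIP (OOXML) package containing a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container (plain text, PDF, ...)
    return any(path in names for path in VBA_PROJECT_PATHS)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict with the reasons that produced it."""
    reasons = []
    macro = has_vba_project(data)
    lure = bool(LURE_PATTERN.search(filename))
    if macro:
        reasons.append("contains a VBA project (macro-enabled Office document)")
    if lure:
        reasons.append("filename reuses the outage 'recovery tool' lure wording")

    # Both signals together match the campaign closely; either alone deserves a look.
    if macro and lure:
        verdict = "quarantine"
    elif macro or lure:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "macro": macro, "verdict": verdict, "reasons": reasons}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped ZIP for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no macro code")
    return buf.getvalue()


# Filename reported in the campaign, plus two constructed benign attachments.
LURE_NAME = "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"
SAMPLES = {
    LURE_NAME: build_ooxml(with_macro=True),
    "Q3_budget.docx": build_ooxml(with_macro=False),
    "notes.txt": b"plain text, not an archive",
}


def triage(samples=None) -> dict:
    """Map each attachment name to its verdict."""
    samples = SAMPLES if samples is None else samples
    return {name: assess_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess_attachment(name, data))
```

Checking the package listing rather than trusting the extension matters because a macro-bearing document renamed to `.docx` still carries `vbaProject.bin`; conversely a `.docm` without one has no macro to run. Real deployments would add the content-type check from `[Content_Types].xml` and hand flagged files to a sandbox rather than deciding on filename alone.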
Once installed, Daolpu targets and terminates all active Chrome processes to collect login credentials, browser history, and cookies from Chrome, Edge, Firefox, and the Vietnamese browser Cốc Cốc. The stolen information is temporarily stored in a text file and subsequently sent to the attackers’ command-and-control server.
CrowdStrike has provided a YARA rule to help detect this malware and has advised customers to verify the authenticity of communications before following any instructions. The company also noted a rise in phishing attempts impersonating its representatives and highlighted that cybercriminals are rapidly creating new domains for these malicious activities.
In response to the chaos caused by the faulty CrowdStrike Falcon update, Microsoft has released a custom recovery tool to assist affected Windows systems. The situation remains fluid, with ongoing exploitation attempts by cybercriminals expected to continue.