The analyzed stealer sample also contained a self-spreading feature, acquiring a list of the victim’s Discord friends and channels via the Discord API, and sending a configured message to them.

Kaspersky also observed the malware collecting credentials from known VPN clients, such as Mullvad VPN, NordVPN, ExpressVPN, and ProtonVPN.

Using a pre-defined set of paths, the malware was seen exfiltrating files from multiple directories associated with the current user, packing them in a ZIP archive, and sending them to the command-and-control (C&C) server.

The malware could also fetch additional modules from the C&C to expand its capabilities. These modules include a Chrome grabber, a wallet patcher, an extra collector, and a Python script placed in the startup folder to be executed at system boot.

The native variant uses VMProtect, without code virtualization, implements anti-analysis features, collects RDP connection details, targets gaming files and clients for credential theft, captures screenshots, and exfiltrates browser data.

Kaspersky identified two servers used to host the stealer panel and monitor victims, both secured via a sign-in page. The malware’s developer also maintained a Discord channel to interact with users and implemented a referral program to attract customers.

“This campaign tends to be more of a one-shot campaign for quick financial gains rather than a long-running infection. The panel and the Discord chat were taken down around December 2025, leaving no message or traces of further development or a resurgence,” Kaspersky notes.
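The persistence mechanism reported above (a Python script dropped into the Windows Startup folder) is one of the easier artifacts to check for on a host. The script below is an added example for defenders, not code from Kaspersky or from the stealer: it enumerates the default per-user and all-users Startup folders (the paths and the set of script extensions are assumptions, not something the article specifies), treats `.lnk` shortcuts and `desktop.ini` as the expected contents, and reports bare interpreter-run files such as `.py`, `.pyw`, `.vbs` or `.ps1` for review. The sample directory listing in the `__main__` block is constructed.

```python
import os
from pathlib import Path

# Extensions of files that an interpreter would run at logon. Legitimate
# Startup entries are almost always .lnk shortcuts, so a bare script file
# sitting here deserves a look. (Assumed heuristic list, not from the article.)
SCRIPT_EXTENSIONS = {".py", ".pyw", ".ps1", ".vbs", ".vbe", ".js", ".jse",
                     ".wsf", ".wsh", ".bat", ".cmd", ".hta"}

# Housekeeping files Windows itself keeps in these folders.
BENIGN_NAMES = {"desktop.ini"}


def startup_folders(appdata=None, programdata=None):
    """Per-user and all-users Startup folder paths in the default Windows
    layout (assumed). Both roots can be overridden, e.g. to scan a mounted
    disk image instead of the live system."""
    if appdata is None:
        appdata = os.environ.get("APPDATA", "")
    if programdata is None:
        programdata = os.environ.get("ProgramData", "")
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "StartUp"
    return [Path(appdata) / tail, Path(programdata) / tail]


def classify_entry(name):
    """Classify one Startup-folder file name by its final extension.
    Double extensions such as report.pdf.pyw resolve to the last one."""
    lowered = name.lower()
    if lowered in BENIGN_NAMES:
        return "benign"
    ext = Path(lowered).suffix
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext == ".lnk":
        return "shortcut"
    return "unexpected"


def triage(entries):
    """Return (name, verdict) pairs that merit review, scripts listed first.

    Shortcuts are the normal case and are left out; anything that is neither
    a shortcut nor a known housekeeping file is reported as 'unexpected'."""
    flagged = [(n, classify_entry(n)) for n in entries]
    flagged = [(n, v) for n, v in flagged if v in ("script", "unexpected")]
    flagged.sort(key=lambda item: (item[1] != "script", item[0].lower()))
    return flagged


def scan_startup_folders(folders=None):
    """Walk the real Startup folders (those that exist) and triage their
    contents; returns {folder_path: [(name, verdict), ...]}."""
    results = {}
    for folder in folders or startup_folders():
        if folder.is_dir():
            names = [p.name for p in folder.iterdir() if p.is_file()]
            results[str(folder)] = triage(names)
    return results


if __name__ == "__main__":
    # Constructed sample listing: only update.py and report.pdf.pyw would be
    # handed to an interpreter at logon; notes.txt is merely out of place.
    sample = ["desktop.ini", "Discord Inc.lnk", "update.py",
              "report.pdf.pyw", "notes.txt"]
    for name, verdict in triage(sample):
        print(f"{verdict:10s} {name}")
    for folder, hits in scan_startup_folders().items():
        print(folder, hits or "nothing flagged")
```

On a non-Windows host `scan_startup_folders()` simply finds no folders and returns an empty dict, so the constructed listing is what exercises the logic. A `.lnk` entry is deliberately not flagged here; a shortcut can still point at an interpreter, so a fuller check would parse the shortcut target, which this example leaves to the reviewer.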
Source: SecurityWeek