{
	"id": "34ccb4d7-0642-418e-9f35-6814b57d077f",
	"created_at": "2026-04-06T00:18:47.081229Z",
	"updated_at": "2026-04-10T03:36:47.940031Z",
	"deleted_at": null,
	"sha1_hash": "1e032d1459e49f21cf94de7caac7ea32218afd46",
	"title": "Mini Stealer: Possible Predecessor of Parrot Stealer Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865843,
	"plain_text": "Mini Stealer: Possible Predecessor of Parrot Stealer Malware\r\nBy cybleinc\r\nPublished: 2022-08-29 · Archived: 2026-04-05 21:34:04 UTC\r\nCyble analyzes the recent trend of Mini Stealer's Builder and Panel being released for free and the potential links between Mini Stealer and Parrot Stealer.\r\nMini Stealer’s Builder \u0026 Panel released for free\r\nDuring a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on a cybercrime forum where a Threat Actor (TA) released MiniStealer’s builder and panel for free.\r\nThe TA claims that the stealer can target operating systems such as Windows 7, 10, and 11. Using such builders, TAs can easily generate malicious payloads. MiniStealer mainly targets FTP applications and Chromium-based browsers.\r\nhttps://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/\r\nPage 1 of 8\n\nFigure 1 – Post on a cybercrime forum\r\nNearly a month after the release of MiniStealer, the same TA made a post selling Parrot Stealer’s builder and panel for USD 50. The TA stated that this stealer is based on MiniStealer. We suspect that the TA might have added the functionalities in Parrot Stealer which were missing in MiniStealer.\r\nFigure 2 – TA Selling Parrot Stealer\r\nThe figure below shows the Parrot Stealer panel.\r\nFigure 3 – Parrot Stealer Web Panel\r\nBuilder and Web Panel\r\nThe zip file leaked by the TA contains two folders, as shown below. These folders contain the following files:\r\nBuilder: MiniStealerBuilder.exe, Stub\r\nPanel: Web Panel Source code\r\nFigure 4 – Leaked Files\r\nThe builder released by the TA is a .NET-based binary. It has the functionality to add the Command and Control (C\u0026C) details to the payload. 
The builder loads a file named “stub,” which is the actual payload, and then writes the C\u0026C details to it to generate the final payload.\r\nThe test button shown in the figure below sends Test Logs to the C\u0026C server to check whether a connection can be established. These logs contain three connection strings: TestUser, TestPass, and TestHost.\r\nFigure 5 – MiniStealer Builder\r\nThe TA has also released the source code of the web panel, which can be used to receive stolen data from a target network. The figure below shows the web panel.\r\nFigure 6 – MiniStealer panel\r\nTechnical Analysis\r\n(Sample SHA256: e837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67)\r\nMini Stealer is a 64-bit .NET binary that uses Timestomping. Timestomping is a technique that modifies the timestamps of a file. Adversaries use this technique on their payloads to deflect unnecessary attention during forensic investigations.\r\nFigure 7 – File Details\r\nThe stealer uses multiple anti-analysis checks to prevent debugging of the sample. To detect profiling, the code verifies whether the COR_ENABLE_PROFILING environment variable is present and set to 1. Profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET Common Language Runtime. The figure below shows the stealer detecting profiling.\r\nFigure 8 – Detecting profiling\r\nThe stealer spawns a thread that continuously checks whether the stealer payload is being debugged. 
To check for the presence of debuggers, this thread calls methods such as IsDebuggerPresent, OutputDebugString, and Debugger.IsLogging.\r\nFigure 9 – Anti-Analysis\r\nThe stealer payload steals data from the Chromium-based browsers and FTP applications listed below. The stealer appears to be in the development stage: several FTP applications are hardcoded in the stealer, but it does not appear to target all of them.\r\nThe TA might have added these functionalities in Parrot Stealer, which is suspected to be an upgraded paid version of MiniStealer. For the FTP applications, the stealer steals data from configuration files. For browsers, the stealer copies certain files present in the AppData\\Browser directory, which store user session and login credentials, for exfiltration, as shown in the figure below.\r\nFigure 10 – Stealing Data\r\nOver 25 Chromium-based browsers:\r\nChrome, AvastBrowser, AVGBrowser, Browser360, CCleanerBrowser, CentBrowser, Chedot, Citrio, CocCoc, ComodoDragon, CoolNovo, Coowon, ElementsBrowser, EpicPrivacyBrowser, IridiumBrowser, Kometa, LiebaoBrowser, Maxthon, OperaGX, OperaNeon, Orbitum, QIPSurf, Sleipnir, SlimJet, Sputnik, SRWareIron, uCozMedia, Vivaldi, Yandex\r\nOver 20 FTP Applications:\r\nFilezilla, FlashFXP, AutoFTPManager, AutoFTPPro, BitKinex, BulletproofFTP, ClassicFTP, CoreFTP, CuteFTP, Cyberduck, Dreamweaver, FreeFTP, DirectFTP, ftpcommander, FTPEXPLORER, FTPRush, FTPvoyager, LeapFTP, MultiCommander, SmartFTP, SuperPutty, TotalCommander, TurboFTP, WSFTP, WinSCP\r\nConclusion\r\nThe availability of free malware builders and panels can assist TAs in carrying out attacks, as TAs do not need to invest time and money to get malware payloads for cybercrime purposes. 
There is always the possibility that the TA might have released the builder and panel of MiniStealer for free for marketing purposes and to build a reputation on cybercrime forums.\r\nThe TA’s behavior further reinforces this theory, as after 1 month they began selling a paid stealer which is suspected to be based on MiniStealer. CRIL continuously monitors emerging threats and has observed a surge in the use of stealer malware by TAs.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tools” present on sites such as YouTube, torrent sites, etc., contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic – Technique ID – Technique Name\r\nExecution – T1204 – User Execution\r\nDefense Evasion – T1497.001 – Virtualization/Sandbox Evasion: System Checks\r\nDefense Evasion – T1070.006 – Indicator Removal on Host: Timestomp\r\nCredential Access – T1555 – Credentials from Password Stores\r\nCredential Access – T1539 – Steal Web Session Cookie\r\nCredential Access – T1552 – Unsecured Credentials\r\nCredential Access – T1528 – Steal Application Access Token\r\nDiscovery – T1087 – Account Discovery\r\nDiscovery – T1518 – Software Discovery\r\nDiscovery – T1057 – Process Discovery\r\nDiscovery – T1007 – System Service Discovery\r\nCommand and Control – T1071 – Application Layer Protocol\r\nExfiltration – T1041 – Exfiltration Over C2 Channel\r\nIndicators of Compromise (IOCs)\r\nIndicators – Indicator type – Description\r\nd65def0ad7f1b428bc1045cf2214b82f – MD5 – Malicious binary\r\ne2beda0ef5d1c38bb96fb7eb6ee25990073e6a17 – SHA1 – Malicious binary\r\ne837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67 – SHA256 – Malicious binary\r\nSource: https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/"
	],
	"report_names": [
		"mini-stealer-possible-predecessor-of-parrot-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e032d1459e49f21cf94de7caac7ea32218afd46.pdf",
		"text": "https://archive.orkl.eu/1e032d1459e49f21cf94de7caac7ea32218afd46.txt",
		"img": "https://archive.orkl.eu/1e032d1459e49f21cf94de7caac7ea32218afd46.jpg"
	}
}