{
	"id": "22263063-d9a3-4fc3-aece-d55d4a6b9291",
	"created_at": "2026-04-06T00:11:21.057458Z",
	"updated_at": "2026-04-10T13:12:22.466733Z",
	"deleted_at": null,
	"sha1_hash": "3543c14afd71dbc285d0f9c3f261d3762054511c",
	"title": "W1 Feb| EN | Story of the week: Stealers on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1397277,
	"plain_text": "W1 Feb| EN | Story of the week: Stealers on the Darkweb\r\nBy Hyunmin Suh\r\nPublished: 2021-02-03 · Archived: 2026-04-05 18:19:25 UTC\r\nCo-author: Minjei Cho, Researcher at\r\nBefore diving into credential/info stealers on the dark web, let’s have a look at the term.\r\nCredential/Info Stealer — malware that collects credential information such as login information saved in the browser. It is often associated with Remote Access Tools (RATs) \u0026 Botnets.\r\nMuch has been discussed about stealers and the market that links the dark web and the surface web, but there are not many simple, easy-to-understand diagrams of the supply chain showing how this malicious ecosystem works from the dark web to the surface web. To help you better understand, we have divided the system into five stages based on what we observed.\r\n1. Sellers of the stealer\r\nAZORult was known as one of the most notorious stealers, but its author stopped maintaining it in 2018. However, the source code of AZORult is still shared and modified by independent actors who claim to offer the latest version.\r\nBesides AZORult, two other frequently mentioned stealers are Vidar stealer and Raccoon stealer.\r\nVidar stealer is sold on a Russian-speaking hacking forum and has operated since November 2018. The price of Vidar ranges from $130~$750 depending on the usage period. Vidar is written in C++ and it searches for a wide range of data:\r\nAll popular browsers of different bit sizes (passwords, cookies, autofill)\r\nWallets of cryptocurrencies\r\nCC — Card data other than CVV\r\nFiles\r\nTelegram authorization (Windows)\r\nBrowser history (Last 10,000 entries from a specific browser)\r\nFTP, WINSCP, MAIL\r\nRaccoon, also found on a Russian-speaking hacking forum, has operated since April 2019. The price ranges from $75~$200 depending on the duration, a pricing scheme similar to Vidar and to other stealers in general.\r\nhttps://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d\r\nPage 1 of 10\r\nIt is written in C/C++ and works on 32/64-bit systems without dependencies on the .NET framework. Features include:\r\nInformation found in popular browsers (passwords, cookies, autofill)\r\nIP\r\nGeographical information\r\nCredit Card\r\nWallets of cryptocurrencies\r\nSystem Information\r\n2. Distribution method\r\nThere are various attempts to lure victims into clicking a risky link, such as targeting high-traffic torrent sites, redirecting to a site hosting the malicious payload, or disguising the payload as an installer file. In the case of South Korea, Vidar is distributed as an installer file disguised as KMSAuto, which is used for Windows genuine product validation.\r\nhttps://asec.ahnlab.com/en/17633/\r\nVidar disguised as KMSAuto authentication tool, source: ASEC Blog\r\nStealers can also be distributed within a ransomware campaign. PC risk published an article reporting that Vidar was once used in a GandCrab campaign (2019), where the stealer took on the role of downloading additional forms of malware, which showed it was more capable than just an info stealer. https://www.pcrisk.com/internet-threat-news/14270-vidar-and-gandcrab-distributed-in-same-campaign\r\nVidar and GandCrab distributed in the same campaign, source: pcrisk.com\r\nLater on, it appeared in a new spam campaign along with Nemty Special Edition Ransomware targeting South Koreans in May 2020. https://asec.ahnlab.com/ko/1316/\r\nInside the attachment of the fake job application email, two executable files exist in a compressed (.zip) format, shown in the picture below.\r\nTwo executable files compressed in the attachment of the fake job application email, source: ASEC blog\r\nThe two executables are Nemty and Vidar in disguise. While Nemty ransomware focuses on encrypting user files, Vidar is used to exfiltrate credential information in this instance.\r\n3. Exploring the details of stealers\r\nLet’s have a look at the details of stealers, their main functions and how they work.\r\nMain functions of stealers\r\nThe main functions of stealers can vary depending on the developer; however, most of the stealers we observed share the common functions below.\r\n#Collect Browser Information\r\nPasswords\r\nSaved Logins / Autofills\r\nPayment Methods\r\nCookies\r\n#Copying Files\r\nCopy all files from a certain directory\r\nCopy files\r\nSpecific Apps or Software files (Bitcoin wallet, Telegram, etc.)\r\n#Send System Information\r\nOS version\r\nUsername\r\nIP Address\r\n#Account theft in various applications\r\n#Screenshot\r\n#Additional Malware Download\r\nHow Stealers Steal Data\r\nChrome and other browsers based on the Chromium engine (Opera, Yandex, etc.) generally store sensitive data in the same location.\r\nA stealer can steal information stored in the browser by performing decryption with the user’s authority. In the case of Chrome, the credential information is normally encrypted and stored in SQLite format if the user chooses the option to save login information. When the user revisits the site, the Chrome browser decrypts the information stored in the SQLite database with the user’s authority, and the malware can do the same.\r\nExample of Imported Login Data of Chrome Browser to SQLite\r\n4. Stolen Information evidenced in DDW (Deep, Dark Web)\r\nInformation obtained fraudulently by stealers is often observed in three areas.\r\n1) Botnet Market\r\nGenesis Market is known to be the biggest dark web market specializing in the following:\r\nFingerPrints (FP)\r\nCookies\r\nInject Scripts info\r\nForm Grabbers (Logs)\r\nSaved Logins\r\nOther personal data obtained from different devices on the web\r\nMain page of Genesis market\r\nBots are sold in the following format:\r\nThe price of each product seems to fluctuate substantially depending on the importance of the cookies and their quantity. The average product price is usually positioned between $10~$30, as seen in the above picture. However, if the number of cookies is sufficient and the information is highly relevant to financial accounts, the price may go up to $350.\r\n2) Carding forum\r\nA perfect example of a carding site is ‘Joker’s Stash’, but the operator of Joker’s Stash claimed to be retiring a month after the domain seizure by the FBI and Interpol. https://threatpost.com/jokers-stash-carding-site-taken-down/162548/\r\nDespite the absence of Joker’s Stash, there is still a flood of carding sites on Russian-speaking forums selling credit card information. There are many other techniques to obtain credit card information from a victim’s device, and stealers collect all the credit card information they can so it can be dumped and sold on carding forums.\r\n3) Hacking forum\r\nStealer logs are not just sold on carding forums and botnet markets; they are often shared on closed Russian-speaking hacking forums. The picture below was posted early this week, on 1 February 2021, titled ‘858 LOGS MIX WORLDWIDE FOR FREE 2020’. These logs are often shared without compensation, and the size of the log files can range from a couple of MBs to tens of GBs.\r\n5. Where to use?\r\nBased on our research, there are three assumed purposes for buying and sharing stealer logs.\r\n1. Finding financial-related accounts, such as PayPal login information, in order to gain fraudulent access to the account.\r\nIn Genesis market, it is not hard to find PayPal login information that was stored in the Chrome browser. Detailed information can be seen after purchasing the product.\r\nThe picture below is a sample of a PayPal account found in stealer logs that were shared on a Russian-speaking hacking forum.\r\nIt may require many tries to find an account with a large valid balance, but the activity of sharing botnet/stealer logs does not seem to be decreasing.\r\n2. Stealing corporate login information from victims who access their corporate portal remotely.\r\nWe have observed many URLs that appear to belong to corporate-related accounts, such as Azure or AWS and other cloud-like accounts.\r\nAdversaries favour accounts named ‘administrator’ or ‘admin’, which will likely be attempted with brute-force attacks.\r\n3. Information gathering at a national level\r\nIn Genesis market, there is a dashboard showing the list of current bots per country and how many have been added. Since the bots are classified by country code, the adversary or ‘client’ can get an intuitive view of victims by country. In this sense, information can be efficiently collected if the user is targeting a specific country or language.\r\nSource: https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d"
	],
	"report_names": [
		"w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3543c14afd71dbc285d0f9c3f261d3762054511c.pdf",
		"text": "https://archive.orkl.eu/3543c14afd71dbc285d0f9c3f261d3762054511c.txt",
		"img": "https://archive.orkl.eu/3543c14afd71dbc285d0f9c3f261d3762054511c.jpg"
	}
}