{
	"id": "8cdf8bd6-c63e-4b33-919b-35f1543f4274",
	"created_at": "2026-04-06T00:19:12.678373Z",
	"updated_at": "2026-04-10T13:12:24.03385Z",
	"deleted_at": null,
	"sha1_hash": "4642dc08b440111eba9daf51bd7226e746b9553d",
	"title": "Oski Stealer : A Credential Theft Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675908,
	"plain_text": "Oski Stealer : A Credential Theft Malware\r\nBy Isha Kudkar\r\nPublished: 2021-01-16 · Archived: 2026-04-05 22:40:28 UTC\r\n4 min read\r\nJan 16, 2021\r\nCredential theft malware continues to be one of the most prevalent types of malware used in cyber attacks. The main objective of nearly all credential theft malware is to gather as much confidential and sensitive information as possible, such as user credentials and financial information.\r\nThe Oski stealer is a malicious information stealer that was first introduced in November 2019. It steals personal and sensitive credentials from its target so that the attackers behind it can misuse them to generate revenue in various ways. Research shows that this information stealer is distributed through deceptive websites that are opened because of hijacked router DNS settings.\r\nOski is currently being sold on Russian underground hacking forums at the low price of $70-$100.\r\nhttps://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601\r\nPage 1 of 4\r\nFig. 1 Forum Thread for selling Oski Stealer\r\nResearchers at CyberArk analyzed the newest malware samples they could get their hands on and reported the complete list of Oski’s capabilities. Written in C++, the malware can steal the following:\r\nLogin credentials from different applications\r\nBrowser information (cookies, autofill data, and credit cards)\r\nCrypto wallets\r\nSystem information\r\nScreenshots\r\nDifferent user files\r\nThe code of the malware is very clean and indicates that the author is knowledgeable, which ensures reliable operation. However, Oski does not yet have any sophisticated obfuscation, anti-analysis, or anti-debugging tricks up its sleeve, though these can always be added later. The fact that the code base is neatly written creates the conditions to work on this tool further and add more features in the future.\r\nFig. 2 Malware Flow\r\nAttackers try to trick users into installing Oski by hijacking router DNS settings so that browsers open corrupted pages and pop-ups. These pages urge visitors to install an application that supposedly delivers the latest information about COVID-19. In fact, the file downloaded through these malicious sites installs Oski, a trojan horse capable of stealing sensitive information. It targets browser data such as cookies and browsing history, autofill data, and saved login credentials. It also attempts to steal databases that contain two-factor authentication data, cryptocurrency wallets, and Word files, and it can take screenshots of the victim’s screen and perform other dubious actions. Attackers behind Oski are able to hijack various accounts, including social media, email, cryptocurrency trading accounts, and so on.\r\nFurthermore, they could be capable of hijacking accounts that have an extra layer of protection beyond passwords. Cyber criminals misuse stolen accounts to make fraudulent purchases and transactions, spread spam campaigns, trick other users into paying money to them, steal identities, etc. They may additionally be able to access text and document files containing data, take screenshots when victims open them, or capture other computing activities. Victims of Oski attacks might thus suffer monetary loss, have their identities stolen, and experience problems regarding online privacy, browsing safety and other serious issues. Therefore, this malware must be removed from infected systems immediately.\r\nOther Harmful Features of Oski Stealer:\r\nOski Stealer modifies default registry settings by creating malicious entries that allow it to be started automatically every time the machine boots. It tampers with important system files needed for smooth operation and prevents many installed applications and drivers from working properly. It displays bogus security warnings, error messages, update notifications, etc. and tries to force you into installing bogus software. This trojan keeps performing malicious actions in the background all the time, which consumes large amounts of memory and severely degrades PC performance. It causes the device to respond very slowly and take longer than usual to finish any task. It helps remote criminals gain access to your system and carry out malicious activity inside it for their own benefit. Given these hazards, you are strongly advised to delete Oski Stealer from the PC without delay. To prevent infection, only use reliable or official websites and direct links to download applications, and avoid unofficial domains and other third-party downloaders, peer-to-peer networks, freeware download pages, etc.\r\nTo remove Malware :\r\nIf you are concerned that malware or PC threats like Oski Stealer may have infected your computer, we recommend that you begin an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that provides subscribers with a comprehensive method for safeguarding PCs from malware, in addition to one-on-one technical support.\r\nLink to download — https://www.spyhunter.com/2Qk6Q2N/\r\nSource: https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601"
	],
	"report_names": [
		"oski-stealer-a-credential-theft-malware-b9bba5164601"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4642dc08b440111eba9daf51bd7226e746b9553d.pdf",
		"text": "https://archive.orkl.eu/4642dc08b440111eba9daf51bd7226e746b9553d.txt",
		"img": "https://archive.orkl.eu/4642dc08b440111eba9daf51bd7226e746b9553d.jpg"
	}
}