{
	"id": "26c718dc-487e-47ca-8336-22ce46458050",
	"created_at": "2026-04-06T00:19:04.647834Z",
	"updated_at": "2026-04-10T03:36:48.382816Z",
	"deleted_at": null,
	"sha1_hash": "4839c5e86c1e602fe45ea43a115a69c466912d70",
	"title": "Ovidiy Stealer: Credential Theft Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1300092,
	"plain_text": "Ovidiy Stealer: Credential Theft Analysis | Proofpoint US\r\nBy Proofpoint Staff, July 13, 2017\r\nPublished: 2017-07-13 · Archived: 2026-04-05 13:00:06 UTC\r\nOverview\r\nProofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in Russian-speaking regions. It is under constant development, with several updated versions appearing since the original samples were observed in June 2017. The growing number of samples demonstrates that criminals are actively adopting this malware. Ovidiy Stealer is priced at 450-750 Rubles (~$7-13 USD) for one build, a price that includes a precompiled executable that is also \"crypted\" to thwart analysis and detection.\r\nIt should be noted that some antivirus solutions detect Ovidiy Stealer with generic and heuristic signatures only. With only heuristic detection, an AV solution may detect the behavior of Ovidiy Stealer but label it in logs with a generic description, so SOC analysts monitoring alerts may well see the event but not recognize its significance. Ovidiy Stealer could thus be active on an organization's network, throwing alerts but never being specifically identified.\r\nDistribution\r\nWe believe that Ovidiy Stealer is currently being spread via email as executable attachments, compressed executable attachments, and links to an executable download. It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools. In several cases, we observed Ovidiy Stealer bundled with a “LiteBitcoin” installer, further supporting this claim.\r\nhttps://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses\r\nPage 1 of 12\n\nFigure 1: This file, spread as “litebitcoin-qt.zip,” bundles Ovidiy Stealer and another RAT, Remote Manipulator System by TektonIT.
While the software is installing, both malware samples begin to reach out to the command and control (C\u0026C) servers ovidiystealer[.]ru and rmansys[.]ru.\r\n[Update 7/14/2017: The content of this site has been removed since this article was published. The site itself appears to still be online.]\r\nFigure 2: This file, spread as “Chase SoftWare 1.2 Jora.exe”, appears to be an account checker for various financial institutions (that is, a hacking tool) that was bundled with Ovidiy.\r\nOther observed filenames are listed below and include game lures, hack tool lures, social network lures and others:\r\n●HideMiner.zip\r\n●VkHackTool.zip\r\n●update_teamspeak3.5.1.exe\r\n●WORLD OF TANKS 2017.txt.exe\r\n●dice_bot.exe\r\n●cheat v5.4.3 2017.exe\r\n●Vk.com BulliTl.exe\r\nAnalysis\r\nAt the time of writing, we have observed versions 1.0.1 through 1.0.5 distributed in the wild. Ovidiy Stealer is written in .NET and most samples are packed with either .NET Reactor or Confuser. Upon execution the malware remains in the directory from which it was launched and carries out its tasks from there. Somewhat surprisingly, there is no persistence mechanism built into this malware, so on reboot it will cease to run, but the file will remain on the victim machine.\r\nOvidiy Stealer is modular and contains functionality to target multiple applications, primarily browsers, listed below:\r\n●FileZilla\r\n●Google Chrome\r\n●Kometa browser\r\n●Amigo browser\r\n●Torch browser\r\n●Orbitum browser\r\n●Opera browser\r\nBecause a separate module carries out the targeting of each application, the fewer the modules selected, the smaller the malware payload.
Buyers can select as few as a single module, for example just “Google Chrome”.\r\nFigure 3: Example code displaying the targeted directories for Chromium-based browsers\r\nFigure 4: Example displaying the code for locating and stealing stored FileZilla passwords\r\nOvidiy Stealer uses SSL/TLS for communication with its command and control server. It currently uses the domain ovidiystealer[.]ru for its C\u0026C communications, which is also the domain used to market and sell the malware. The initial C\u0026C beacon is a POST reporting the following details:\r\nid: DiskID and ProcessorID\r\nver: Ovidiy Stealer version\r\ncn: Windows username\r\nos: Operating system and version (e.g. Windows 7)\r\nuser: Registered Ovidiy Stealer username\r\nFigure 5: Network traffic capture of the initial check-in beacon generated by the stealer\r\nThe unique ID reported for each infected machine is the 8-character DiskID followed by the 16-character ProcessorID, concatenated into one string. We observed a commonly hardcoded ProcessorID of “BFEBFBFF000206A7” being used if the function reading the ProcessorID returned an empty buffer, and at least one sample containing “Rofl” for that value. Ovidiy Stealer traffic also includes a hardcoded User-Agent “E9BC3BD76216AFA560BFB5ACAF5731A3”. This is the MD5 hash of the string 'litehttp', which is also the default User-Agent of the open-source LiteHTTP Bot [1].
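As an added example (not code from the Proofpoint post, and not the Ovidiy author's or LiteHTTP's code), the following Python turns the beacon description above into a triage check over captured HTTP POSTs: it recomputes md5('litehttp') rather than trusting the reported User-Agent value, matches the exact check-in field set, splits the id into DiskID and ProcessorID, and flags the hardcoded fallback ProcessorID or a ProcessorID that is not 16 hex digits (the “Rofl” case). It also recognises the follow-up credential report (id, site, program, login, pass, user) described further down. The sample requests, host names, bot ids and field values are constructed for illustration, not real captures.

```python
import hashlib
from urllib.parse import parse_qs

# Values reported in the analysis above. The md5 is computed here rather than
# hardcoded so the reader can confirm the 'litehttp' claim themselves.
LITEHTTP_UA = hashlib.md5(b'litehttp').hexdigest().upper()
FALLBACK_PROCESSOR_ID = 'BFEBFBFF000206A7'
CHECKIN_FIELDS = {'id', 'ver', 'cn', 'os', 'user'}
EXFIL_FIELDS = {'id', 'site', 'program', 'login', 'pass', 'user'}
HEX = set('0123456789ABCDEF')


def split_bot_id(bot_id):
    '''Split the bot id into (DiskID, ProcessorID): the first 8 characters are
    the DiskID, the remainder is the ProcessorID (16 hex digits when genuine).
    Returns None when there is nothing after the DiskID.'''
    if len(bot_id) <= 8:
        return None
    return bot_id[:8], bot_id[8:]


def classify_post(headers, body):
    '''Return the reasons a POST looks like Ovidiy Stealer traffic (empty list if none).
    headers: dict of header name -> value; body: urlencoded form body as a str.'''
    reasons = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get('user-agent', '').upper() == LITEHTTP_UA:
        reasons.append('user-agent is md5(litehttp), inherited from LiteHTTP Bot')
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    keys = set(fields)
    if keys == CHECKIN_FIELDS:
        reasons.append('check-in field set id/ver/cn/os/user')
    elif keys == EXFIL_FIELDS:
        reasons.append('credential report field set id/site/program/login/pass/user')
    parts = split_bot_id(fields.get('id', ''))
    if parts is not None:
        proc_id = parts[1]
        if proc_id == FALLBACK_PROCESSOR_ID:
            reasons.append('ProcessorID is the hardcoded fallback ' + FALLBACK_PROCESSOR_ID)
        elif len(proc_id) != 16 or not set(proc_id.upper()) <= HEX:
            reasons.append('ProcessorID is not 16 hex digits: ' + proc_id)
    return reasons


# Constructed sample traffic modelled on the field lists in the analysis (not real captures).
SAMPLE_CHECKIN = (
    {'Host': 'ovidiystealer.ru', 'User-Agent': 'E9BC3BD76216AFA560BFB5ACAF5731A3',
     'Content-Type': 'application/x-www-form-urlencoded'},
    'id=1A2B3C4DBFEBFBFF000206A7&ver=1.0.5&cn=victim&os=Windows+7&user=buyer01',
)
SAMPLE_EXFIL = (
    {'Host': 'ovidiystealer.ru', 'User-Agent': 'E9BC3BD76216AFA560BFB5ACAF5731A3',
     'Content-Type': 'application/x-www-form-urlencoded'},
    'id=1A2B3C4DRofl&site=ftp.example.com&program=FileZilla&login=admin&pass=hunter2&user=buyer01',
)
SAMPLE_BENIGN = (
    {'Host': 'www.example.com', 'User-Agent': 'Mozilla/5.0',
     'Content-Type': 'application/x-www-form-urlencoded'},
    'id=42&user=alice',
)
SAMPLES = (SAMPLE_CHECKIN, SAMPLE_EXFIL, SAMPLE_BENIGN)


def triage(samples=SAMPLES):
    '''Classify each (headers, body) pair; returns one reason list per sample.'''
    return [classify_post(h, b) for h, b in samples]


if __name__ == '__main__':
    for (headers, body), reasons in zip(SAMPLES, triage()):
        print('OVIDIY' if reasons else 'clean', headers['Host'], body[:40])
        for reason in reasons:
            print('   -', reason)
```

The field-set match is deliberately exact rather than a subset test: a generic form with id and user fields should not fire, and the LiteHTTP User-Agent on its own only tells you the code lineage, since any other LiteHTTP-derived bot carries the same string. Combining the three signals (User-Agent, field set, ProcessorID oddity) is what separates Ovidiy from its ancestor.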
We believe that the Ovidiy author reused the open-source code of the LiteHTTP Bot project.\r\nFigure 6: Code reuse shown: Ovidiy Stealer on the left, LiteHTTP Bot on the right\r\nIf the stealer finds passwords in the targeted applications, it follows up its initial check-in with another request reporting them:\r\nid: DiskID and ProcessorID\r\nsite: Website with saved credentials\r\nprogram: Targeted application\r\nlogin: Saved application username\r\npass: Saved application password\r\nuser: Registered Ovidiy Stealer username\r\nFigure 7: Network traffic capture of the credential exfiltration beacon generated by the stealer\r\nSales and Support\r\nOvidiy Stealer is offered for sale on ovidiystealer[.]ru, a domain chosen to attract potential customers and, as noted above, also the C\u0026C domain. The site advertises support, features, and login access to the web panel. The admin panel for Ovidiy Stealer allows the botmaster to view statistics on infected machines, view logs, build more stubs, and manage the account.\r\nFigure 8: Ovidiy Stealer website landing page. Note the “We accept Free-Kassa” button.\r\nFigure 9: Ovidiy Stealer admin panel\r\nFrom the admin console, the botmaster can view and filter logs from infected machines.\r\nFigure 10: Viewing Ovidiy Stealer client logs\r\nTo simplify purchasing, the team behind Ovidiy Stealer uses a service known as 'RoboKassa' to collect payment for new stubs.
RoboKassa is a Russian equivalent of PayPal, allowing buyers to pay sellers with credit cards and other payment methods; in this case the seller is “Ovidiy” (Fig. 11).\r\nFigure 11: Payment via RoboKassa offering several options\r\nLike many other markets with many choices, the malware market is competitive and developers must market the strengths and benefits of their products in order to attract buyers. To help drive sales, the development team publishes statistics on the progress of certain modules, and other plans for future releases of the malware. In addition, the site includes “testimonials” from satisfied customers, presumably to demonstrate to other would-be criminals that they can be profitable when using Ovidiy Stealer.\r\nFigure 12: Reviews and development progress. The user ACE’s comments translate to English as: “I only need the stealer for burglary on order. I explain what it is: I accept an order for the hijacking of a certain person's account. After I work with him and install the stealer. That's all, for one order I get 300-500 rubles. Without this project it would be impossible! Thank you!”\r\nThe main author of this project goes by the handle \"TheBottle,\" as is evident from the informational page of the Ovidiy Stealer website. Moreover, the name 'TheBottle' is observed in at least one sample's PDB string:\r\nC:\\Users\\TheBottle\\documents\\visual studio 2017\\Projects\\Ovidiy\\Ovidiy\\obj\\Debug\\Ovidiy.pdb\r\nFigure 13: Self-proclaimed author of Ovidiy Stealer, ‘TheBottle’, translated to English\r\nConclusion\r\nOvidiy Stealer is a new password stealer that entered the criminal ranks barely one month ago.
While it is not the most advanced stealer we have seen, marketing and an entry-level price scheme make it attractive and accessible to many would-be criminals. Ovidiy Stealer is lightweight and simple enough to work with relative ease, allowing for simple and efficient credential exfiltration. A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system gives Ovidiy Stealer the potential to become a much more widespread threat. Stolen credentials continue to be a major risk for individuals and organizations, because password reuse can enable one stolen login to compromise several more accounts, and the sale of stolen accounts continues to be a lucrative market for criminals looking for quick profits. Ovidiy Stealer highlights the manner in which the cybercrime marketplace drives innovation and new entrants, and challenges organizations that must keep pace with the latest threats to their users, their data, and their systems.\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\novidiystealer.ru | Domain | Ovidiy Stealer C\u0026C\r\n7de66557dacbabe5228faa294c357ad02c9f07eb2395229f209776bc9a09dfb4 | SHA256 | Litebitcoin-qt.zip (Ovidiy Stealer)\r\n3ddc17470fb86dcb4b16705eb78bcbcb24dce70545f512ce75c4a0747474ef52 | SHA256 | Chase SoftWare 1.2 Jora.exe (Ovidiy Stealer)\r\n5a44126ea4c5c9bbc3c44fec0346c3071b55fb6abb10ad3299590a3b0e2a8fc7 | SHA256 | Uber.exe (Ovidiy Stealer)\r\n8d70877b4014a726e64d3338c454489628a78dcee3e533152ff2223e3bdec506 | SHA256 | Ovidiy Stealer\r\nd469e7f2531eed4c3f418a71acdbd08dd167409047812ab78f5407730d077792 | SHA256 | Ovidiy Stealer\r\nd5711ac689d2cae77d19fab19768870adec983e4cdbd04f58d77828ef61eec88 | SHA256 | Ovidiy Stealer\r\na18fce17e57b324b8552ac8ff34a912a6788be028988288d9b6752c7911a0936 | SHA256 | Ovidiy Stealer\r\nc16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3 | SHA256 | Ovidiy Stealer\r\n255899d86d58a95499473046fcb6ad821ac500af8679635487d9003ba0f7b3ec | SHA256 | Ovidiy Stealer\r\n2a54eb17cc418da37fa3a45ceb840882bf1800909753e6431c2e3b0fcef4308a | SHA256 | Ovidiy Stealer\r\n84097d78bc73c9d8b4d7f4751c0dbb79da5d8883bd0fd27194cc21e05fdbca04 | SHA256 | Ovidiy Stealer\r\nc0bf76eee1a42607236652151e1ff67a5e058e780e487d18e946dad6c2084f5d | SHA256 | Ovidiy Stealer\r\nd733dbd549111ecfb732da39bd67d47c631a0b15b2fb4e8ff446b63088cd4ed4 | SHA256 | Ovidiy Stealer\r\n062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432 | SHA256 | Ovidiy Stealer\r\n80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410 | SHA256 | Ovidiy Stealer\r\n22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05 | SHA256 | Ovidiy Stealer\r\n8542a49b3b927d46fefae743b61485004a3540a4e204ee882028a85f08f4b3ee | SHA256 | Ovidiy Stealer\r\nET and ETPRO Suricata/Snort Coverage\r\n2827113 | Observed DNS Query to Ovidiy Stealer CnC Domain\r\n2827114 | MSIL/Ovidiy Stealer CnC Checkin\r\n2827115 | MSIL/Ovidiy Stealer Reporting Passwords\r\n2820681 | ETPRO TROJAN W32/XPCSpyPro/RemoteManipulator RAT Checkin\r\n2808335 | ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities.C Checkin\r\n2811005 | ETPRO POLICY RADMINRMS.WIN32.1 Checkin POST\r\nReferences:\r\n[1] https://github.com/zettabithf/LiteHTTP/\r\nSource: https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses"
	],
	"report_names": [
		"meet-ovidiy-stealer-bringing-credential-theft-masses"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4839c5e86c1e602fe45ea43a115a69c466912d70.pdf",
		"text": "https://archive.orkl.eu/4839c5e86c1e602fe45ea43a115a69c466912d70.txt",
		"img": "https://archive.orkl.eu/4839c5e86c1e602fe45ea43a115a69c466912d70.jpg"
	}
}