{
	"id": "6a2b2dd9-5c6e-4bb2-92cf-ce2243774c91",
	"created_at": "2026-04-06T01:29:57.300868Z",
	"updated_at": "2026-04-10T03:21:39.030623Z",
	"deleted_at": null,
	"sha1_hash": "4f2fadeeb025b10e33d50db334bb42b1f655e160",
	"title": "Mystic Stealer | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629375,
	"plain_text": "Mystic Stealer | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2023-06-15 · Archived: 2026-04-06 00:20:34 UTC\r\nTechnical Analysis\r\nLooking at the existing releases, it seems clear that the developer of Mystic Stealer is looking to produce a stealer\r\non par with the current trends of the malware space while attempting to focus on anti-analysis and defense\r\nevasion.\r\nIn terms of capabilities, it's a fairly standard set of functionality as seen with many stealers today. The malware\r\ncollects system information which is packaged together for a check-in to the C2 server:\r\nKeyboard layout\r\nLocale\r\nCPU information\r\nNumber of CPU processors\r\nScreen dimensions\r\nComputer name\r\nUsername\r\nRunning processes\r\nSystem architecture\r\nOperating system version\r\nKey data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and\r\nstored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials\r\nas well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser\r\nextensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA)\r\napplications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer. Further details\r\non targeted browsers, cryptocurrency plugins, and 2FA apps are available in the appendix.\r\nDepending on a configuration provided by the C2 server, the malware will capture a screenshot of the desktop,\r\nwhich is exfiltrated to the C2 server.\r\nOn May 20, the Mystic Stealer seller posted updates that include loader functionality and a persistence capability\r\nto forums as shown in Figure 1. 
Loader refers to the ability to download and execute additional malware payloads.\r\nThis is reflective of a continuing trend where loaders allow one threat actor to support the distribution of affiliate\r\nmalware being loaded on compromised devices. This is already a notable risk for many organizations due to the\r\nuse of malware distribution networks and initial access brokers for the distribution of high-severity payloads like\r\nransomware. It underscores the need to take preventative steps to ensure a security posture that reduces the risk of\r\nmalware delivery and footholds early on in attack campaigns.\r\nhttps://www.zscaler.com/blogs/security-research/mystic-stealer\r\nPage 1 of 4\n\nFigure 1. MysticStealer forum post advertising v1.2 update with loader support\r\nAs previously noted, there are several anti-analysis and evasion features additionally present in Mystic Stealer:\r\nBinary expiration. The trojan will terminate execution if the running build is older than a specified date. This is\r\nlikely an execution guardrail that attempts to prevent anti-malware researchers and sandboxes that analyze the\r\nsample much later than when it was intended to be distributed or executed on victim machines. Figure 2 shows a\r\nMystic Stealer sample that retrieves the current system time and compares the value to 1685318914\r\n(0x6473ED02), which when converted from an epoch to a timestamp translates to Sun May 28 17:08:34 2023.\r\nFigure 2. Example Mystic Stealer date expiration feature\r\nAnti-virtualization. Mystic Stealer is configurable and some samples contain anti-VM features, detecting\r\nhypervisor runtime environments, and avoiding execution. 
This is helpful for avoiding execution in sandbox\r\nenvironments but it isn't always effective.\r\nMystic uses the CPUID assembly instruction to detect virtual environments by inspecting the result for specific\r\nvalues that are indicative of virtualization software. In particular, the code checks for the manufacturer ID string\r\n(with a length of 12 bytes) for the following values:\r\n“XenVMMXenVMM” (Xen HVM)\r\n“VMwareVMware” (VMware)\r\n“Microsoft Hv” (Microsoft Hyper-V)\r\n“ KVMKVMKVM  ” (KVM)\r\n“prl hyperv  ” (Parallels)\r\n“VBoxVBoxVBox” (VirtualBox)\r\nThis detection code is likely derived from Pafish.\r\nWindows APIs imported by hash. The stealer resolves and dynamically loads Windows APIs using a custom\r\nXOR based hashing algorithm represented in the Python snippet shown below:\r\nNote that the constant value (e.g., 0x240CE91) changes between Mystic samples. The malware walks the export\r\ntables for the following Windows DLLs and hashes each export name until a match is found:\r\nKernel32.dll\r\nAdvapi32.dll\r\nKernel32.dll\r\nGdiplus.dll\r\nCrypt32.dll\r\nUser32.dll\r\nWs2_32.dll\r\nOle32.dll\r\nGdi32.dll\r\nNtdll.dll\r\nDynamic constant calculation. Constant values in the code are obfuscated and dynamically calculated at\r\nruntime. For example, the API hashing algorithm shown above uses the constant 0x240CE91. However, this\r\nconstant does not directly exist in the code. Instead, the value 0x240CEA6 is present and the code performs an\r\nXOR operation with the value 0x37 to produce the actual constant 0x240CE91 as shown in Figure 3.\r\nFigure 3. Example Mystic Stealer constant obfuscation technique\r\nEncrypted binary custom protocol. The client communicates with the C2 server using a custom protocol over\r\nTCP, which we discuss in more depth later.\r\nPolymorphic string obfuscation. 
We identified that the malware obfuscates strings using a library that is very\r\nsimilar to ADVobfuscator. The obfuscator generates code at compile time that builds strings on the stack, which\r\nare then decrypted at runtime. The obfuscation is polymorphic, and therefore, every sample will contain strings\r\nthat are uniquely encrypted with simple mathematical operations such as addition, subtraction, and XOR. As a\r\nresult, this technique may bypass static antivirus signatures and complicate malware reverse engineering.\r\nThe Mystic Stealer seller refers to this obfuscation as a morpher that obfuscates builds with full undetectability\r\n(FUD) in sales threads. In one forum, the seller advertised that the project's morpher enabled the bypass of\r\nSmartScreen, which members identified as a dubious claim based on the operation of obfuscators and\r\nSmartScreen. Some forum users suspected the use of an open-source obfuscator. This ended up as a point of\r\ncontention in the forum, lowering the perception and trust of the project with some users.\r\nSource: https://www.zscaler.com/blogs/security-research/mystic-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/mystic-stealer"
	],
	"report_names": [
		"mystic-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775438997,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f2fadeeb025b10e33d50db334bb42b1f655e160.pdf",
		"text": "https://archive.orkl.eu/4f2fadeeb025b10e33d50db334bb42b1f655e160.txt",
		"img": "https://archive.orkl.eu/4f2fadeeb025b10e33d50db334bb42b1f655e160.jpg"
	}
}