{
	"id": "6cbedae0-db49-40f2-81c2-0abe2077a177",
	"created_at": "2026-04-06T01:29:13.611715Z",
	"updated_at": "2026-04-10T03:37:08.544856Z",
	"deleted_at": null,
	"sha1_hash": "6b50d1f77415834c73fca131179f2c806db58302",
	"title": "New Info Stealer Bandit Stealer Targets Browsers, Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1736009,
	"plain_text": "New Info Stealer Bandit Stealer Targets Browsers, Wallets\r\nBy Sarah Pearl Camiling, Paul John Bardon (2536 words)\r\nPublished: 2023-05-26 · Archived: 2026-04-06 00:21:24 UTC\r\nThis is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets\r\nmultiple browsers and cryptocurrency wallets.\r\nA newly emerged information-stealing malware named Bandit Stealer is gaining traction as it targets numerous browsers\r\nand cryptocurrency wallets while evading detection. Currently, there is a growing interest and promotional activity within\r\nthe malware community to increase awareness and use of the malware. While the focus of targeting is limited to the\r\nWindows platform as of this writing, it has the potential to expand to other platforms as Bandit Stealer was developed using\r\nthe Go programming language, possibly allowing cross-platform compatibility.\r\nFor this analysis, we used the sample hash (SHA256)\r\n050dbd816c222d3c012ba9f2b1308db8e160e7d891f231272f1eacf19d0a0a06, a 64-bit binary executable written in Go. 
In\r\nthe next sections, we provide insights into the functions and capabilities of this recently discovered information-stealing\r\nmalware.\r\nEscalation\r\nThe malware tries to use runas.exe, a command-line utility program in Windows operating systems (OS) that allows users to\r\nrun specific programs or commands with user credentials or permissions other than those from the current user's account.\r\nThe malware uses it to try to elevate its privileges and execute itself with administrative access, which would let it carry out\r\nmalicious activities without being detected or blocked by the security measures in place.\r\nMicrosoft has implemented various measures to prevent the unauthorized use of the runas.exe function, including the\r\nimplementation of security restrictions. This limits the privileges and actions that can be performed using runas.exe.\r\nMicrosoft has also strengthened user access controls, ensuring that only authorized individuals with the necessary\r\npermissions can execute privileged operations. In this case, the malware is trying to run itself as an administrator. However,\r\ndue to the existing mitigation or security improvements of Microsoft, it was prevented because using runas with\r\nadministrator rights requires a password.\r\nBy using the runas.exe command, users can run programs as an administrator or any other user account with appropriate\r\nprivileges, provide a more secure environment for running critical applications, or perform system-level tasks. This utility is\r\nparticularly useful in situations where the current user account does not have sufficient privileges to execute a specific\r\ncommand or program. In the case of Bandit Stealer, this is done with the following command line:\r\nrunas /user:Administrator \u003cBandit Stealer itself\u003e\r\nhttps://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html\r\nPage 1 of 17\n\nFigure 1. 
Runas.exe executes the binary itself as an administrator\r\nDespite this, Bandit Stealer is not successful in utilizing it because it would need to provide the appropriate credentials.\r\nEvasion\r\nBandit Stealer checks for the following strings to determine if it's running in a sandbox environment and alters its behavior\r\naccordingly to avoid detection or analysis:\r\ncontainer\r\njail\r\nKVM\r\nQEMU\r\nsandbox\r\nVirtual Machine\r\nVirtualBox\r\nVMware\r\nXen\r\nFigure 2. Checking for sandbox-related strings to evade detection and analysis\r\nHowever, reading /proc/self/status is specific to Linux OS, and attempting to access this file path on a Windows system will\r\nresult in an error. It's possible that the malware is being tested and includes a feature that can infect Linux machines, hence\r\nthe presence of the Linux-specific command.\r\nThe malware downloads the content of the Pastebin link hxxps[:]//pastebin[.]com/raw/3fS0MSjN and saves it to a file\r\nnamed “blacklist.txt” in the AppData folder. This list contains hardware IDs, IP addresses, MAC addresses, usernames,\r\nhostnames, and process names typically used to detect whether the malware is running in a sandbox or testing environment.\r\nThis technique was previously used by other information stealers such as Creal Stealer, Luna Grabber, Kyoku Cookie token\r\nstealer and Pegasus Stealer. The similarities were based on the blacklist content, IPs, and MAC addresses used. This\r\nsuggests that it is either based on or using a port of the original Python-based stealer. 
It is likely that with Bandit Stealer, the\r\nGo programming language was employed to avoid detection and ensure cross-platform functionality similar to Python-based\r\nstealers.\r\nAfter downloading, the blacklist.txt file will be stored in path \u003cC:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\blacklist.txt\u003e. The\r\nmalware will then use the function bandits.utils.CompareWithBlacklist to compare the network interface addresses,\r\nhardware ID (HWID), and host name with the entries in the blacklist.\r\nFigure 3. Displays the location of the blacklist.txt file in %appdata% folder and a portion of its contents\r\nThe first half of a MAC address (24 bits) is called the Organizationally Unique Identifier (OUI), which identifies the\r\nmanufacturer or vendor of the network interface. One of the MAC address prefixes given in the blacklist, \"00:0c:29\",\r\ncorresponds to the OUI for VMware products such as virtual machines, which are commonly used for sandbox and malware\r\nanalysis. The malware leverages the command \"wmic csproduct get uuid\", a Windows Management Instrumentation\r\nCommand-line (WMIC) utility invocation used to retrieve the unique hardware identifier (UUID) of the infected device.\r\nThe malware will retrieve the current username using os_user_Current and device name using os_hostname. Once the\r\nmalware checks for blacklisted IP addresses, MAC addresses, HWIDs, and users, it will proceed to terminate blacklisted\r\nprocesses related to malware analysis tools.\r\nFigure 4. Bandit Stealer gets the victim’s username and device name under the\r\nbandit_utils_CompareWithBlacklist function\r\nFigure 5. 
Shows the list of processes that the malware terminates to prevent the analysis of its behavior and to\r\nprotect its own presence on the infected system\r\nThe malware employs the Linux-specific pgrep and pkill commands to terminate the blacklisted processes. These commands\r\nare commonly used in Linux and Unix-like OS to search for and terminate processes based on their names or attributes, such\r\nas the process owner's username or command-line arguments. The pgrep command is used to find the Process ID (PID) of a\r\nrunning process based on its attributes, while the pkill command sends a signal to one or more running processes that\r\nleads to their termination. However, since these commands are Linux-specific, they cannot be used in Windows. It is likely\r\nthat the malware is still under development or being adapted to the Windows platform.\r\nFigure 6. The malware uses pgrep and pkill to terminate analysis tools or other processes that may interfere\r\nwith its operation\r\nPersistence\r\nIn order to run persistently and carry out its malicious activities, Bandit Stealer creates an autorun registry entry under\r\n\u003cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u003e with the value name\r\n“BANDIT STEALER” to ensure that the malware is executed every time the infected system starts up or restarts. This way,\r\neven after a system shutdown or reboot, the malware can still operate and steal data from the victim's system.\r\nFigure 7. 
Shows the value name BANDIT STEALER, adding an entry to the autorun registry so the malware\r\ncan automatically execute its code without the need for user interaction or authorization\r\nCollection of the victim's data\r\nOnce persistence is established, Bandit Stealer collects the victim's stolen information and stores it in the “vicinfo”\r\nfolder in \u003cC:\\Users\\\u003cUsername\u003e\\AppData\\Local\\\u003e.\r\nFigure 8. Displays the disassembled view of the created folder\r\nWe break down the specific information obtained from the victim and its corresponding details:\r\nTable 1. Stolen information and commands used\r\nStolen Information | Details\r\nUsername, computer name, and current IP | The malware uses the functions os.Getenv and os.hostname, and the command line utility curl to get the username, computer name and public IP of the victim.\r\nHard drive information | The malware retrieves the disk information in drive C using the win32 API GetDiskFreeSpaceExW. Bandit Stealer gets the following information: Total Size, Free Space, Available Space.\r\nDetailed information of the victim machine | The malware gathers the following: OS Name, OS Version, OS Architecture, Platform, OS Machine, OS Processor.\r\nProgram runtime of the malware | The malware uses the \"time_now\" function, a programming function that retrieves or generates the current time. 
It provides the current date and time information based on the system clock or a specified time zone.\r\nScreen size of the victim’s machine | The malware executes the following command to retrieve the screen size: wmic desktopmonitor get screenheight, screenwidth\r\nUAC Information | UAC (User Account Control) is a security feature in Windows OS. The malware runs the following command to determine whether UAC is enabled (“UAC Enabled”) on the victim machine: cmd /c net session\r\nIP location of the victim | The process involves making an HTTP request to the specified URL using the GET method. In this case, the URL https://ipapi.com/json/, a web service that provides IP geolocation data in JSON format, is used.\r\nCountry code | The malware executes the following command to retrieve the country code associated with an IP address: curl ipinfo.io/country\r\nAfter gathering all the information, the malware saves these in a file named \"userinfo.txt\" within the \u003cC:\\Users\\\u003cUsername\u003e\\AppData\\Local\\vicinfo\u003e folder.\r\nFigure 9. File name USERINFO.txt\r\nFigure 10. USERINFO.txt content\r\nBandit Stealer collects Telegram sessions to gain unauthorized access, allowing impersonation and malicious actions such as\r\naccessing private messages and data associated with the compromised account.\r\nFigure 11. bandit_messenger_GetTelegramSessions steals Telegram Desktop data and stores it under\r\n%localappdata%\\{ip address}\\Telegram\\user_data\r\nThe malware checks the folder paths of the browsers and cryptocurrency wallets to gain unauthorized access to personal or\r\nconfidential information in order to exploit it for financial gain. Table 2 shows the list of the browsers scanned and their\r\ncorresponding paths:\r\nTable 2. 
Browsers checked for by Bandit Stealer\r\nBrowser Path\r\n7Star %appdata%\\7Star\\7Star\\User Data\\Local State\r\nYandexBrowser %appdata%\\Yandex\\YandexBrowser\\User Data\\Local State\r\nBrave-Browser %localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Local State\r\nAmigo %appdata%\\Amigo\\User Data\\Local State\r\nTorch %appdata%\\Torch\\User Data\\Local State\r\nGoogle Chrome Canary %appdata%\\Google\\Chrome SxS\\User Data\\Local State\r\nGoogle Chrome %localappdata%\\Google\\Chrome\\User Data\\Local State\r\nCent Browser %appdata%\\CentBrowser\\User Data\\Local State\r\nSputnik %appdata%\\Sputnik\\Sputnik\\User Data\\Local State\r\nIridium %localappdata%\\Iridium\\User Data\\Local State\r\nOrbitum %appdata%\\Orbitum\\User Data\\Local State\r\nUCozMedia %appdata%\\uCozMedia\\Uran\\User Data\\Local State\r\nEpic Privacy Browser %appdata%\\Epic Privacy Browser\\User Data\\Local State\r\nMicrosoft Edge %localappdata%\\Microsoft\\Edge\\User Data\\Local State\r\nKometa %appdata%\\Kometa\\User Data\\Local State\r\nThe following sensitive information will be stolen from the victim’s browser:\r\nLogin data\r\nCookies\r\nWeb history\r\nCredit card details\r\nFigure 12. Information taken from the victim’s browsers\r\nTable 3 shows the list of cryptocurrencies collected and their corresponding paths:\r\nTable 3. 
Cryptocurrencies stolen\r\nCryptocurrency Path\r\nBitcoin %appdata%\\Bitcoin\r\nLitecoin %appdata%\\Litecoin\r\nDash %appdata%\\Dash\r\nEthereum %appdata%\\Ethereum\r\nElectrum %appdata%\\Electrum\r\nExodus %appdata%\\Exodus\r\nAtomic %localappdata%\\atomic\r\nAdditionally, the malware scans for specific browser extensions associated with cryptocurrency wallets by checking the path\r\nof the browser extensions. Table 4 shows the wallets that the malware searches for and their respective paths:\r\nTable 4. Cryptocurrency wallets scanned\r\nExtension Name | Path\r\nClover Wallet | %localappdata%Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nhnkbkgjikgcigadomkphalanndcapjk\r\nJaxx Liberty | %localappdata%Google\\Chrome\\User Data\\Default\\IndexedDB\\chromeextension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\r\nWombat | %localappdata%Google\\Chrome\\User Data\\Default\\Local Extension Settings\\amkmjjmmflddogmhpjloimipbofnfjih\r\nTronLink | %localappdata%Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nTrust Wallet | %localappdata%Google\\Chrome\\User Data\\Default\\Local Extension Settings\\egjidjbpglichdcondbcbdnbeeppgdph\r\nCrypto.com | %localappdata%Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\gpbdhlngfkgihnfeekcmkbbalpdflgmg\r\nBitKeep: Crypto \u0026 NFT Wallet | %localappdata%Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\jiidiaalihmmhddjgbnbgdfflelocpak\r\nSending the victim’s information\r\nBandit Stealer tries to execute isof -t \u003cpath of zip file\u003e, a utility in the Linux environment to list down all the processes that\r\nare actively using a file. 
It is possible that the author tries to terminate the processes that access the Zip file so that it can be used and\r\nsent to the server or Telegram.\r\nFigure 13. The screenshot shows the Telegram BOT ID and chat ID (top), and where Bandit Stealer sends the\r\ndata, https[:]//api[.]telegram[.]org/bot%s/sendDocument with filename “%localappdata%\\{Victim’s IP\r\nAddress}.zip” (bottom)\r\nDelivery\r\nThe malware file might have been unwittingly downloaded by users while visiting malicious websites or through phishing\r\nemails. In this section, we break down the different ways the malware was installed and executed.\r\n1. The dropper, a self-extracting archive, executes the hot.exe file. Once the malware has carried out all its intended\r\nactions, it opens a Word document, deceiving the user into thinking that a harmless document has been opened and creating the illusion of\r\na non-malicious file being accessed.\r\nExecution parent: NewWarningNotice.exe (SHA256:\r\n106a184d39858af7b0264f26fe0fc657a84ccfd87df3a4f55e7060b3c3c1d92d) drops the following files:\r\n%temp%\\RarSFX0\\notice.docx (opens this document)\r\n%temp%\\RarSFX0\\hot.exe (Bandit Stealer)\r\nFigure 14. The dropped files in %temp% path folder (top), and the Word document opened to distract the user\r\nfrom the malicious activities happening in the background (bottom)\r\n2. The dropper, also a self-extracting archive, executes the RUNFIRST.exe file. 
After the malware has completed all its\r\nintended actions, it will open a non-malicious file named openvpn-gui.exe.\r\nExecution parent: OpenVpnGUI_unlimited.exe (SHA256:\r\n064338e9b9075b48890d9db21fec27a3c7ce10e80abc954ba3777b660eceeacb) drops the following files:\r\n%TEMP%\\RUNFIRST.exe (Bandit Stealer)\r\n%TEMP%\\openvpn-gui.exe\r\nFigure 15. Dropped files in the %temp% path folder\r\n3. Once the self-extracting archive is executed, it will display the message box shown in Figure 16, which poses as an installer of\r\nthe Heartsender application. Heartsender is a spam distribution tool that automates the process of sending large volumes of\r\nemails to numerous recipients. While such tools can be utilized for advertising and marketing purposes, it is uncommon for\r\nregular users to use this app due to the potential for abuse in phishing, scams, and the distribution of malware. In this\r\nsample, the author appears to have created a fake installer of Heartsender, which can be purchased online, to trick users into\r\ninstalling it with the embedded malware.\r\nOnce the victim chooses the Yes button, the malware will drop and execute the Lowkey.exe file, which is Bandit Stealer.\r\nExecution parent: HeartSender.exe (SHA256: 64fe4148c74e0603c198459fd46b3ed3bece8066498f91782b6d98d5c3fc2d01)\r\ndrops the file %TEMP%\\Lowkey.exe (Bandit Stealer)\r\nFigure 16. The message box designed to deceive the victim into thinking that it is a genuine application\r\ninstaller (top), and after clicking the malware is dropped in the %temp%\\\u003crandom\u003e path folder (bottom)\r\nConclusion\r\nWhile Bandit Stealer was specifically developed to operate on Windows systems, we have observed the presence of Linux\r\ncommands. 
Although the binary sample of Bandit Stealer is designed to run on Windows, the Linux commands used by the\r\nmalware include:\r\npgrep and pkill commands to terminate the blacklisted processes\r\nisof -t \u003cpath of zip file\u003e, a utility used in Linux environments to list down all processes that are actively using a file\r\n/proc/self/status, a file path specific to the Linux operating system\r\nIt is possible that these commands will be used in future cross-platform developments of the malware, following the\r\nadvertisement in the malware community stating that developers are continuously updating the malware's features and security\r\npatches.\r\nWe also observed Bandit Stealer bearing similarities with other info stealers, primarily based on the use of blacklisted items\r\nsuch as IPs and MAC addresses. It is worth noting that the blacklist appears to be publicly accessible, rendering it available\r\nfor use by anyone and making it challenging to attribute to specific threat actors. Based on our investigation, the malware is\r\nconsiderably original as there are no known malware families associated with it, and its emergence aligns with the\r\nanticipated advertisement.\r\nAs of this writing, we have not identified any active threat groups associated with this particular malware because of its\r\nrecent emergence and limited data on its operation. We have not observed traces of what the group might have been doing\r\nwith the information it has stolen as the malware is in its early stages. 
However, the malware actor can potentially exploit\r\nthem for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers.\r\nMoreover, while we still don’t know why Heartsender was used as a decoy, we noticed cracked versions of this application\r\navailable on other websites, which could potentially be the source of the sample. As it is, legitimate advertising and\r\nmarketing companies opt to use other applications that allow them more functions such as analytics and multiple, real-time\r\ncollaboration capabilities. This is one indicator for companies and security teams to double check before proceeding to\r\ninstall any application.\r\nIndicators of Compromise (IOCs)\r\nURLs\r\nhttps[:]//api[.]telegram[.]org/bot5943289606:AAGNEW2B3zDRhGDxY7E1tg7_m2BJcVkUJDw/sendDocument - URL where the malware sends data\r\nhttps[:]//pastebin[.]com/raw/3fS0MSjN - URL where the malware downloads the blacklist.txt file\r\nSource: https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html"
	],
	"report_names": [
		"new-info-stealer-bandit-stealer-targets-browsers-wallets.html"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b50d1f77415834c73fca131179f2c806db58302.pdf",
		"text": "https://archive.orkl.eu/6b50d1f77415834c73fca131179f2c806db58302.txt",
		"img": "https://archive.orkl.eu/6b50d1f77415834c73fca131179f2c806db58302.jpg"
	}
}