The Curious Case of an Open Source Stealer: Phemedrone
By James
Published: 2024-09-06 · Archived: 2026-04-05 22:27:48 UTC
At SpyCloud, we recapture logs from more than sixty infostealer malware families, but very few of them are open
source stealers. Intrigued, our team at SpyCloud Labs took on the task of dissecting Phemedrone, an open source
stealer available to anyone on Telegram. 
When we dug in, we found Phemedrone to have some other unique characteristics as well, namely:
Here’s what we found.
Phemedrone, which as we mentioned is an entirely open source stealer, is written in C# and therefore provides
abundant opportunities for actors to customize the malware to suit their needs. It also gives bad actors an easy
snapshot of what they have stolen within its logs, leveraging password/cookie “tagging” for various categories.
However, when looking at the definitions for these tags, it becomes clear that many of these tags focus on Russian
targets, which is pretty unique for a stealer.
With code distributed mainly over Telegram (and previously on GitHub before being taken down), bad actors can
acquire and deploy Phemedrone for free. Phemedrone offers log encryption when sending to Telegram,
browser/application theft, cookie tagging, and more, as well as the ability to easily tweak the stealer in C#.
Phemedrone’s devs release regular updates for both their panel as well as their builder, which keeps Phemedrone
active and well-used. They also offer a chat for people to discuss Phemedrone.
https://spycloud.com/blog/phemedrone-stealer/
Page 1 of 15

Image 1: Phemedrone’s chat offering, in both English and Russian.
Phemedrone’s operation is fairly simple, opting to do password/cookie parsing on the victim’s machine instead of
just stealing entire raw password database files to be parsed on a panel later. This allows Phemedrone to then tag
stolen passwords and cookies with a variety of categories to make it easy to identify which logs are useful. By
default, many of these tag values are associated with primarily Russian targets, such as tinkoff and sberbank for
“BANK”.
Browser theft
Phemedrone accesses a variety of Chromium and Firefox/Gecko based browsers in order to steal data from them.
Phemedrone steals data from the internal Chromium/Firefox storage databases that store passwords, credit cards,
cookies, and more. Additionally, when stealing from Chromium based browsers, Phemedrone also targets the
following extensions:
https://spycloud.com/blog/phemedrone-stealer/
Page 2 of 15

Extension name Extension GUID
Authenticator bhghoamapcdpbohphigoooaddinpkbai
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
BrowserPass naepdomgkenhinolocfifgehidddafch
MYKI bmikpgodpkclnkgmnpphehdgcimmided
Splikity jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey chgfefjpcobfbnpmiokfjjaglahmnded
Zoho Vault igkpcodhieompeloncfnbekccinhapdb
Norton Password Manager admmjipmmciaobhojoghlmleefbicajg
Avira Password Manager caljgklbbfbcjjanaijlacgncafpegll
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk
MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
BinanceChain fhbohimaelbohpjbbldcngcnapndodjp
Coin98 aeachknmefphepccionboohckonoeemg
iWallet kncchdigobghenbbaddojjnnaogfppfj
Wombat amkmjjmmflddogmhpjloimipbofnfjih
NeoLine cphhlgmgameodnhkjdmkpanlelnlohao
Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr dmkamcknogkgcdfhhbddcghachkejeap
Sollet fhmfendgdocmcbmfikdcogofphimnkno
ICONex flpiciilemghbmfalicajoolhkkenfel
KHC hcflpincpppdclinealmandijcmnkbgn
TezBox mnfifefkajgofkcjkemidiaecocnkjeh
Byone nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey ilbbpajmiplgpehdikmejfemfklpkmke
Trust Wallets pknlccmneadmjbkollckpblgaaabameg
https://spycloud.com/blog/phemedrone-stealer/
Page 3 of 15

MetaWallet pfknkoocfefiocadajpngdknmkjgakdg
Guarda Wallet fcglfhcjfpkgdppjbglknafgfffkelnm
Exodus idkppnahnmmggbmfkjhiakkbkdpnmnon
JaxxxLiberty mhonjhhcgphdphdjcdoeodfdliikapmj
Atomic Wallet bhmlbgebokamljgnceonbncdofmmkedg
Electrum hieplnfojfccegoloniefimmbfjdgcgp
Mycelium pidhddgciaponoajdngciiemcflpnnbg
Coinomi blbpgcogcoohhngdjafgpoagcilicpjh
GreenAddress gflpckpfdgcagnbdfafmibcmkadnlhpj
Edge doljkehcfhidippihgakcihcmnknlphh
BRD nbokbjkelpmlgflobbohapifnnenbjlh
Samourai Wallet apjdnokplgcjkejimjdfjnhmjlbpgkdi
Copay ieedgmmkpkbiblijbbldefkomatsuahh
Bread jifanbgejlbcmhbbdbnfbfnlmbomjedj
KeepKey dojmlmceifkfgkgeejemfciibjehhdcl
Trezor jpxupxjxheguvfyhfhahqvxvyqthiryh
Ledger Live pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
Ledger Wallet hbpfjlflhnmkddbjdchbbifhllgmmhnm
Bitbox ocmfilhakdbncmojmlbagpkjfbmeinbd
Digital Bitbox dbhklojmlkgmpihhdooibnmidfpeaing
YubiKey mammpjaaoinfelloncbbpomjcihbkmmc
Google Authenticator khcodhlfkpmhibicdjjblnkgimdepgnd
Microsoft Authenticator bfbdnbpibgndpjfhonkflpkijfapmomn
Authy gjffdbjndmcafeoehgdldobgjmlepcal
Duo Mobile eidlicjlkaiefdbgmdepmmicpbggmhoj
OTP Auth bobfejfdlhnabgglompioclndjejolch
FreeOTP elokfmmmjbadpgdjmgglocapdckdcpkn
https://spycloud.com/blog/phemedrone-stealer/
Page 4 of 15

Aegis Authenticator ppdjlkfkedmidmclhakfncpfdmdgmjpm
LastPass Authenticator cfoajccjibkjhbdjnpkbananbejpkkjb
Dashlane flikjlpgnpcjdienoojmgliechmmheek
Keeper gofhklgdnbnpcdigdgkgfobhhghjmmkj
RoboForm hppmchachflomkejbhofobganapojjol
KeePass lbfeahdfdkibininjgejjgpdafeopflb
KeePassXC kgeohlebpjgcfiidfhhdlnnkhefajmca
Bitwarden inljaljiffkdgmlndjkdiepghpolcpki
NordPass njgnlkhcjgmjfnfahdmfkalpjcneebpl
LastPass gabedfkgnbglfbnplfpjddgfnbibkmbb
Nifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid
Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad
Equal Wallet blnieiiffboillknjnepogjhkgnoac
EVER Wallet cgeeodpfagjceefieflmdfphplkenlfk
Jaxx Liberty ocefimbphcgjaahbclemolcmkeanoagc
BitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi
Mew CX nlbmnnijcnlegkjjpcfjclmcfggfefdm
GU Wallet nfinomegcaccbhchhgflladpfbajihdf
Guild Wallet nanjmdkhkinifnkgdeggcnhdaammmj
Saturn Wallet nkddgncdjgifcddamgcmfnlhccnimig
Harmony Wallet fnnegphlobjdpkhecapkijjdkgcjhkib
TON Wallet nphplpgoakhhjchkkhmiggakijnkhfnd
OpenMask Wallet penjlddjkjgpnkllboccdgccekpkcbin
MyTonWallet fldfpgipfncgndfolcbkdeeknbbbnhcc
DeWallet pnccjgokhbnggghddhahcnaopgeipafg
TrustWallet egjidjbpglichdcondbcbdnbeeppgdph
https://spycloud.com/blog/phemedrone-stealer/
Page 5 of 15

NC Wallet imlcamfeniaidioeflifonfjeeppblda
Moso Wallet ajkifnllfhikkjbjopkhmjoieikeihjb
Enkrypt Wallet kkpllkodjeloidieedojogacfhpaihoh
CirusWeb3 Wallet kgdijkcfiglijhaglibaidbipiejjfdp
Martian and Sui Wallet efbglgofoippbgcjepnhiblaibcnclgk
SubWallet onhogfjeacnfoofkfgppdlbmlmnplgbn
Pontem Wallet phkbamefinggmakgklpkljjmgibohnba
Talisman Wallet fijngjgcjhjmmpcmkeiomlglpeiijkld
Kardiachain Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk
Phantom Wallet bfnaelmomeimhIpmgjnjophhpkkoljpa
Oxygen Wallet fhilaheimglignddjgofkcbgekhenbh
PaliWallet mgfffbidihjpoaomajlbgchddlicgpn
BoltX Wallet aodkkagnadcbobfpggnjeongemjbjca
Liquality Wallet kpopkelmapcoipemfendmdghnegimn
xDefi Wallet hmeobnffcmdkdcmlb1gagmfpfboieaf
Nami Wallet Ipfcbjknijpeeillifnkikgncikgfhdo
MaiarDeFi Wallet dngmlblcodfobpdpecaadgfbeggfjfnm
MetaMask Edge Wallet ejbalbakoplchlghecdalmeeeajnimhm
Goblin Wallet mlbafbjadjidk1bhgopoamemfibcpdfi
Braavos Smart Wallet jnlgamecbpmbajjfhmmmlhejkemejdma
UniSat Wallet ppbibelpcjmhbdihakflkdcoccbgbkpo
OKX Wallet mcohilncbfahbmgdjkbpemcciiolgcge
Manta Wallet enabgbdfcbaehmbigakijjabdpdnimlg
Suku Wallet fopmedgnkfpebgllppeddmmochcookhc
Suiet Wallet khpkpbbcccdmmclmpigdgddabeilkdpd
Koala Wallet lnnnmfcpbkafcpgdilckhmhbkkbpkmid
ExodusWeb3 Wallet aholpfdialjgjfhomihkjbmgjidlcdno
https://spycloud.com/blog/phemedrone-stealer/
Page 6 of 15

Aurox Wallet kilnpioakcdndlodeeceffgjdpojajlo
Fewcha Move Wallet ebfidpplhabeedpnhjnobghokpiioolj
Carax Demon Wallet mdjmfdffdcmnoblignmgpommbefadffd
Leap Terra Wallet aijcbedoijmgnlmjeegjaglmepbmpkpi
Cryptowallet theft
Phemedrone also targets cryptowallets on the victim’s machine, looking for “wallet.dat” files to steal from.
Additionally, Phemedrone steals from the following hardcoded cryptowallets:
This functionality allows Phemedrone to steal victims’ cryptocurrency with ease.
Discord token theft
Phemedrone will target Discord tokens by accessing the Discord leveldb database, stored on a victim’s computer.
It will then regex for “dQw4w9WgXcQdQw4w9WgXcQ:[^\”]*”, which it will use to extract the victim’s Discord
token for authentication purposes. This string is appended to each encrypted Discord token stored in the victim’s
Discord leveldb database. The exact string is actually a rickroll easter egg.
FileGrabber
Phemedrone also includes a basic filegrabber, which will iterate through My Documents and Desktop and steal all
files based on config supplied max file size and directory depth.
FTP theft
Phemedrone will target a popular FTP application, FileZilla, for theft. From FileZilla, Phemedrone will steal a
victim’s “recentservers.xml” as well as their “sitemanager.xml”
Screenshot
Phemedrone will automatically obtain a screenshot of the victim’s screen post installation for exfiltration. 
Steam theft
Phemedrone will target the game application Steam for theft, stealing *ssfn* and \\config.vdf files, which
attackers can use to take over a victim’s Steam account.
Telegram theft
Phemedrone targets Telegram for theft, too. Phemedrone grabs the DefaultIcon from a victim’s registry, in
addition to stealing a victim’s tdata information, which can be used to take over their Telegram account.
VPN theft
https://spycloud.com/blog/phemedrone-stealer/
Page 7 of 15

Phemedrone targets several common VPN providers for theft in order to steal a victim’s VPN connection info.
Phemedrone targets the following applications:
OpenVPN: Steals Profiles and ovpn files
ProtonVPN: Steals ProtonVPN user.config
SurfShark: Steals SurfShark *.dat
Cookie and password tagging
Phemedrone has the ability to look through stolen cookies/passwords and provide a “snapshot” of what was stolen
using a list of tags contained in the binary. These tags look for domains and are as follows:
Tag Category Tag Domain
Cheats celka.
Cheats nursultan.
Cheats xone
Cheats akrien
Cheats interium
Cheats nixware
Cheats skeet
Games roblox.com.
Games genshin
Games minecraft.net
Games epicgames.com
Games steampowered.com
Bank tinkoff
Bank sberbank
Money yoomoney
Money amazon
Money funpay
Money americanexpress
Crypto binance
https://spycloud.com/blog/phemedrone-stealer/
Page 8 of 15

Crypto bybit
These tags are added to the generated Information.txt, along with information about the victim’s system, total
passwords stolen, total cookies stolen, and an ASCII heart with the Phemedrone author signature. These tags are
easily customizable, and in fact, in variants such as “Mephedrone”, we can see tags added to the list, such as
“FACEBOOK”.
Image 2: The Phemedrone Stealer author tag added to the top of logs.
As observed in the above table, in the BANK section, both of the domains are for banks commonly used in
Russia. Additionally, in the MONEY section, half (yoomoney, funpay) are services commonly used in Russia. As
will be discussed in later sections, while this malware does have a CIS check in the binary, this check is an
optional toggle switch during the creation of a bot and can easily be toggled off, allowing Phemedrone to target
areas where the MONEY/BANK sections could be used to their fullest.
Useragent generation
As observed in the screenshot below, Phemedrone has the ability to generate random useragents, which it uses
during communication with its C2. This possibly helps it sneak by detections that might rely on hardcoded
useragent values.
https://spycloud.com/blog/phemedrone-stealer/
Page 9 of 15

Image 3: Code from Phemedrone which shows how it can easily change its useragent on the fly.
Phemedrone contains several anti-analysis checks which can be enabled during the build phase of the malware. If
any of the checks described below are successful, Phemedrone exits.
Anti-debugger
Phemedrone’s anti-debugger check checks the victim’s environment for the following processes, which may
indicate that Phemedrone is being debugged:
Anti-VM
Phemedrone’s anti-VM check checks the victim’s computer for the following virtual machine (VM) strings, which
indicate that Phemedrone is being run in a VM:
CIS check
Phemedrone has a check that checks if a victim is a speaker of the following languages spoken in Commonwealth
of Independent States (CIS) countries, by using a keyboard language check, as observed in Image 4:
https://spycloud.com/blog/phemedrone-stealer/
Page 10 of 15

Image 4: This is an optional check in the build process for a bot and is disabled by default.
Mutex check
Using the hardcoded config, Phemedrone checks to see if it is already running by checking to see if its mutex
already exists.
Phemedrone’s bot builder has three different “sender” customization options, with some of the options behaving
differently than the others. The three options are as follows:
Gate sender
Phemedrone’s gate sender allows actors using Phemedrone to specify a C2 that hosts the Phemedrone gate.php
script. Bots that connect to this php gate will send their logs there, and then:
Panel sender
Phemedrone’s panel sender allows actors to stand up a panel on a domain they control and then specify the
IP/PORT combination when building their bot. This sender stores logs on the server, and then also notifies a
Telegram chat when logs arrive. Connected victims as well as logs can be viewed in Phemedrone’s console-based
panel application.
Telegram sender
Phemedrone’s Telegram sender allows actors to specify a Telegram channel/telegram bot as the preferred
destination for exfiltrated logs. The Telegram sender also has an option to encrypt all logs sent with this method,
so that the logs are not sitting in Telegram unencrypted. Phemedrone leverages a basic AES + RSA encryption
algorithm for all logs, as observed in Image 5. Telegram exfil is an increasingly popular choice for malware, as
well as phishing, and this encryption adds an extra layer of security for people choosing to use that option.
https://spycloud.com/blog/phemedrone-stealer/
Page 11 of 15

Image 5: Code from Phemedrone shows that it can successfully encrypt information using AES+RSA.
Based on an overlap between behavior and log format, we’ve noticed that there are variants of Phemedrone with
logs sold on forums. One of those variants is a family called “Mephedrone”.
Checking our logs, we’ve noticed that we most often see Phemedrone affecting the United States, with 20% of
logs attributed to that country. A full breakdown of countries can be found in the image and corresponding table
below:
https://spycloud.com/blog/phemedrone-stealer/
Page 12 of 15

Country Percentage
United States 20.00%
Netherlands 19.00%
Republic of Korea 18.58%
Germany 8.41%
Italy 7.67%
Brazil 5.9%
Israel 3.24%
https://spycloud.com/blog/phemedrone-stealer/
Page 13 of 15

Argentina 3.24%
Bulgaria 3.1%
Finland 2.95%
Singapore 2.8%
Vietnam 2.51%
Russia 2.36%
Interestingly, Russia consisted of 2% of the total infections, despite the CIS check in the malware.
Information file
A final interesting feature of Phemedrone is that – as it parses the passwords out of its respective password stores
on the victim computer (instead of on a panel) – it’s able to create snapshots in a generated Information.txt file,
which allows actors to rapidly see which logs they’ve obtained. As observed in Image 6, the generated
Information.txt file has a snapshot where log count can be observed:
Image 6: Phemedrone’s Information.txt log snapshot, which shows what log counts can be observed.
Phemedrone is an interesting case study in the evolution of infostealer families. As this article describes, there are
several characteristics that make Phemedrone particularly attractive to cybercriminals:
https://spycloud.com/blog/phemedrone-stealer/
Page 14 of 15

While Phemedrone appears to be used to target Russian users and services, particularly in instances where
banking or financial information can be harvested, the US is still the most affected country according to our
research.
User exposures from Phemedrone infections (even on personal devices) can threaten businesses if actors gain
access to credentials and other identity data that opens doors to your environment. We recommend security teams
integrate Post-Infection Remediation steps into existing malware remediation playbooks for confirmed exposures
to minimize risk and prevent follow-on attacks like account takeover and fraud.
We’ll continue to monitor developments of Phemedrone’s capabilities and review recaptured logs to better
understand exfiltration trends. Keep an eye out for more reverse-engineering analyses from our team at SpyCloud
Labs.
Get the latest cybercrime research, insights, and best practices in your inbox
Source: https://spycloud.com/blog/phemedrone-stealer/
https://spycloud.com/blog/phemedrone-stealer/
Page 15 of 15