{
	"id": "ab28fc17-2c37-4c47-ae2d-9964cd206a95",
	"created_at": "2026-04-10T03:21:53.658776Z",
	"updated_at": "2026-04-10T03:22:19.467399Z",
	"deleted_at": null,
	"sha1_hash": "71e8a13d4882f8a2c39740a8f2d9ed550ca8fdbe",
	"title": "ObserverStealer: Unmasking the New Contender in Cyber Crime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1654324,
	"plain_text": "ObserverStealer: Unmasking the New Contender in Cyber Crime\r\nBy Taisiia G.\r\nPublished: 2023-06-23 · Archived: 2026-04-10 02:14:09 UTC\r\n6 min read\r\nJun 23, 2023\r\nSince I have a day off today, instead of re-watching the first season of Vinland Saga on Netflix, I thought, why not browse the forums and try to find some juicy stuff instead? So, here we go. Since my blog is rather a reflection of my thinking process, it is very informal in its nature. I hope you do not mind and still enjoy reading it. I decided to dedicate my second article to the stealer advertised on numerous forums since mid-May 2023, dubbed ObserverStealer. Before writing about it, I verified that no vendor has written about it, which always makes the investigation more interesting. You never know what you can find.\r\nI began by revisiting the forum where I first saw the advertisement for this stealer over a month ago (see Figure 1).\r\nFigure 1. Observer Stealer advertisement on one of the forums\r\nAccording to the announcement, ObserverStealer is a very “convenient stealer” that can change the build configuration without requiring a replacement. Users can add extensions, browsers, and files they wish to collect.\r\nhttps://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d\r\nPage 1 of 11\n\nAdditionally, the tool includes a loader and supports notifications through the Telegram bot. Some of the technical features mentioned are as follows:\r\nThe program’s weight is between 300–330 KB.\r\nIt is written in C++ with a backend in NodeJS.\r\nIt can be used on Windows 8.1 to 11.\r\nIt was also mentioned that the program cannot be used in countries within the Commonwealth of Independent States (CIS), such as Belarus, Russia, Ukraine, etc. The price of the stealer is $150/month.\r\nCurrently, ObserverStealer is in the BETA development stage. 
As is customary with this type of malware, the developers are offering temporary free access to users in exchange for, hopefully, good feedback. Although some reviews have been positive, others have noted technical issues that the developers should address before selling access to the stealer.\r\nWhen scrolling down the comment line, I came across a statement that I found quite amusing (see Figure 2). The comment was made by a user named WhiteSnake, who has been promoting another infostealer dubbed WhiteSnake on the forum since February 2023. WhiteSnake suggested that other users should launch a DDoS attack on the C2 panels of ObserverStealer in retaliation for their marketing tactics of convincing users to switch to ObserverStealer from other stealers (see Figures 3–4). The representatives of the other two stealer groups, Lumma and Eternity, supported this idea. This makes me wonder again what connection various stealers have with each other.\r\nFigure 2. WhiteSnake reaction on ObserverStealer post\r\nFigure 3. ObserverStealer promotion strategy\r\nFigure 4. DDoS script made by WhiteSnake\r\nOnce I finish investigating a forum, my next step is to search for C2 panels. There are multiple ways to find the C2 panels. One of the ways that I often employ when trying to identify the C2 panels is by checking the video recordings provided by the seller in which they demonstrate the use of the product. This way, when reviewing the recording, I could spot IP — 77.73.134[.]51 (port 1337), which I will consider as one of the indicators to investigate later. 
Since WhiteSnake has provided me with another IP address — 5.42.64[.]41 (port 1234), by mentioning it in a DDoS script, I think I have enough information to proceed to the next step — pivoting. Several great sources can be used to do that. Among my favourites are Shodan, Censys, VirusTotal, and URLScan. Since ObserverStealer is not the new-new stealer of a few days old, I will use URLScan since someone likely has already scanned the mentioned IP address.\r\nI started by scanning the IP address 77.73.134[.]51, but it didn’t provide any recent results that could connect it to ObserverStealer. Even checking with Shodan and Censys didn’t yield any results, so it is likely the IP address is no longer in use. However, I did come across a tweet from Chris Duggan that revealed the connection between 77.73.134[.]51 and our next IP address, 5.42.64[.]41, by pivoting on the SSH key using Shodan (hash:-235894729). This indicates that Observer Stealer previously used the IP address.\r\nProceeding to the next step, I scanned my second available IP — 5.42.64[.]41 on URLScan, and it gave me some results as could be expected, considering that more than a month had passed since the moment of advertisement (see Figure 5).\r\nFigure 5. URLScan search results for IP 5.42.64[.]41\r\nInvestigating the IP — 5.42.64[.]41, I found out that it’s hosted by LetHost LLC, located in Ukraine. 
Pivoting from this IP, using a hash: 599bcb7c7d723e17254471f56fec317ec688bd1c8d62463f6001a8178db749c6, allowed me to discover two additional IPs: 179.43.155[.]205 (port 81) and 91.215.85[.]38 (port 1234) — see Figure 6.\r\nFigure 6. Pivoting results\r\nAn additional way to discover the same IPs could be through Censys. I was pivoting from the initial IP address 5.42.64[.]41 through the favicon’s name, which is quite unique in this case: icon-“b3de897a.png”. To discover more IP addresses, I thus used the following query: services.http.response.favicons.name= “*icon-b3de897a.png” (see Censys).\r\nFigure 7. ObserverStealer panel\r\nSince I didn’t identify any additional C2 panels, I am stopping here and proceeding to the next step. Before I did, I noticed something interesting about the panel. Instead of choosing the title, developers of the panel chose to auto-generate a random title, which changes every time the page is refreshed (see Figures 8–9). Was it an attempt to make panels more challenging to identify with search engines like Shodan or Censys? I think it was.\r\nFigure 8. ObserverStealer auto-generated title (V1)\r\nFigure 9. 
ObserverStealer auto-generated title (V2)\r\nGoing to the next step — I will check what I can find with VirusTotal related to these two IP addresses:\r\n77.73.134[.]51: 1234 (inactive)\r\n5.42.64[.]41: 1234 (active)\r\n179.43.155[.]205: 81 (active)\r\n91.215.85[.]38: 1234 (active)\r\nWhile the first IP address didn’t show any results relevant for us, the second IP address — 5.42.64[.]41 gave us a lot of useful information, including the list of files communicating with this specific IP (see Figure 10). I attached the list of hashes at the end of the article.\r\nFigure 10. VT results showing files communicating to IP: 5.42.64[.]41\r\nFigure 11. VT showing the file link to IP 5.42.64[.]41\r\nIn this article, I won’t analyze any samples, but upon initial inspection, nothing seems noteworthy except for port 1337, which is relatively uncommon. The stealer has similar functions to other stealers. If you want to analyze a sample, check out @Jane_0sint’s example shared on Twitter, which lets you preview the sample’s execution in the Any.Run sandbox. Scanning the other two IPs (179.43.155[.]205 and 91.215.85[.]38) didn’t give any results on VirusTotal, so I will leave it here.\r\nLastly, I checked the Telegram page dedicated to the stealer. Although the administrator initially had two private and public channels on Telegram, on the day of writing, I saw that they chose to delete them and added an additional News section to the panel instead. 
The reason for closing the channels is the chance that the channel can be blocked, as well as to limit access to it (see Figure 12). On the forum, the Matrix contact details (@observer:matrix.fedibird.com) were shared instead. Access to the private channel can still be obtained by contacting the seller in PM via Matrix or the forum.\r\nFigure 12. Observer Stealer explaining the switch from Telegram to Matrix\r\nTo conclude, ObserverStealer is a new player in the malware arena that still tries to earn its place under the sun. It is advertised on multiple web forums, and from my observation the seller takes steps towards making the panel more difficult to find, as well as generally limiting access to the information related to the stealer. In any case, it’s worth keeping eyes open and monitoring the development of stealer-related activities to stop it in a timely manner.\r\nIOCs\r\n77.73.134[.]51\r\n5.42.64[.]41\r\n179.43.155[.]205\r\n91.215.85[.]38\r\n11fc584f1bd753c3f68de7313a2bcc5fe51c150002dbad3e331bbf12ce007281\r\n1e9dc15ff729f34b4b65c0742c433494f969a8f606d46dab010f34d05ee057f6\r\n1facdfcd57424c577662c7cee0bc3fd03d2ac8420f5c8fc9f02908261bb0b3e1\r\n26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294\r\n2a5c0c087f07dd64f42dd93356233dcef45b37cf606c3881277b79295b0e210d\r\n3b21c39c7e327f8876cf45ee882fa8b1c5d6eb140e11e1b0aa03f65e9d73f9d3\r\n4b3e6ae964d293d711de434896b19651ee1ffb089f279dc38bdcbd56008ed4dc\r\n4e1d47f621979e582f61659baf8a38479c4fcb02fed4d3b3ab48bfed89e3d9e9\r\n69f9b5e563e314a1eef85dca636b85ae0afdd3e91fd5b66351ce60eaa8d63778\r\n
74e353ca0b63d17e49ec99744fd027701fc54956a792f741b0143bc52791768a\r\n79c62136dbeb4d294fb569ba6679363b1e790f884dc923b6bee4a6ee33d8f1fb\r\n79c6fdedbe965a9ebf8d80f13e27332b18cdb0b313c5bb9a7c2b6723b53d3335\r\n83cef007c65d676564637cfacc639a13ae6a06d37851ca08d734a25ab35da520\r\n9e57ccd47600e2e5483b7464549bad124f2f529f09ad29a570f4e583a3355968\r\na35eb6812a61448900993e7e42017dcad0ba5c29fef0eba8b5d13c7d9a111cc0\r\na9db0b8c828a3dedfb985b117f4d4dba043ca09cf6b5f59ef44e3d5d40f5ba9b\r\naec3ff058065df87c6eb2f5f654c27a9c56f72a053661fcbe8a4193e26fd486a\r\nb119196b6f6c2127e37c6ddaf36d26087420b7e77017016f90dee3c000750960\r\nb796b25f10ac609c4a05393fb5ac4b33da8c5325148a8c30cd273bdbe475eeff\r\ncd2abfbc7b13db5ad7162c634034a7661bb81f19ddc7052cbae27346d3fada39\r\nSource: https://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d"
	],
	"report_names": [
		"observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d"
	],
	"threat_actors": [],
	"ts_created_at": 1775791313,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71e8a13d4882f8a2c39740a8f2d9ed550ca8fdbe.pdf",
		"text": "https://archive.orkl.eu/71e8a13d4882f8a2c39740a8f2d9ed550ca8fdbe.txt",
		"img": "https://archive.orkl.eu/71e8a13d4882f8a2c39740a8f2d9ed550ca8fdbe.jpg"
	}
}