{
	"id": "e9e23bbc-ac23-45a5-abb4-0adc0caf8c0f",
	"created_at": "2026-04-06T00:17:32.282001Z",
	"updated_at": "2026-04-10T13:12:37.941461Z",
	"deleted_at": null,
	"sha1_hash": "72e92d5958587ee021ccbe493d333846d0a7c177",
	"title": "GitHub - hackirby/skuld: Next-Gen Stealer written in Go. Stealing from Discord, Chromium-Based \u0026 Firefox-Based Browsers, Crypto Wallets and more, from every user on every disk. (PoC. For educational purposes only)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403262,
	"plain_text": "GitHub - hackirby/skuld: Next-Gen Stealer written in Go. Stealing from Discord, Chromium-Based \u0026 Firefox-Based Browsers, Crypto Wallets and more, from every user on every disk. (PoC. For educational purposes only)\r\nBy hackirby\r\nArchived: 2026-04-05 21:58:26 UTC\r\nForks: 119 | Stars: 433 | Issues: 15 open | License: MIT\r\nGo-written malware targeting Windows systems, extracting user data from Discord, browsers, crypto wallets and more, from every user on every disk. (PoC. For educational purposes only)\r\nAbout the project\r\nThis proof-of-concept project demonstrates a \"Discord-oriented\" stealer implemented in Go. The malware operates on Windows systems and uses the fodhelper.exe UAC bypass technique for privilege elevation. By elevating privileges, the malware gains access to all user sessions on every disk.\r\nFeatures:\r\nantidebug: Terminates debugging tools.\r\nantivirus: Disables Windows Defender and blocks access to antivirus websites.\r\nantivm: Detects and exits when running in virtual machines (VMs).\r\nbrowsers:\r\nSteals logins, cookies, credit cards, history, and download lists from 37 Chromium-based browsers.\r\nSteals logins, cookies, history, and download lists from 10 Gecko browsers.\r\nclipper: Replaces the user's clipboard content with a specified crypto address when another address is copied.\r\ncommonfiles: Steals sensitive files from common locations.\r\ndiscodes: Captures Discord Two-Factor Authentication (2FA) backup codes.\r\ndiscordinjection:\r\nIntercepts login, register, and 2FA login requests.\r\nCaptures backup code requests.\r\nMonitors email/password change requests.\r\nIntercepts credit card/PayPal addition requests.\r\nBlocks the use of QR codes for login.\r\nPrevents requests to view devices.\r\nfakerror: Tricks the user into believing the program closed due to an error.\r\ngames: Extracts Epic Games, Uplay, 
Minecraft (14 launchers) and Riot Games sessions.\r\nhideconsole: Module to hide the console.\r\nstartup: Ensures the program runs at system startup.\r\nsystem: Gathers CPU, GPU, RAM, IP, location, saved Wi-Fi networks, and more.\r\ntokens: Extracts tokens from 4 Discord applications, Chromium-based browsers, and Gecko browsers.\r\nuacbypass: Grants privileges to steal user data from other users.\r\nwallets: Steals data from 10 local wallets and 55 wallet extensions.\r\nwalletsinjection: Captures mnemonic phrases and passwords from 2 crypto wallets.\r\nGetting started\r\nPrerequisites\r\nGit\r\nThe Go Programming Language\r\nInstallation\r\nTo install this project using Git, follow these steps:\r\nClone the repository:\r\ngit clone https://github.com/hackirby/skuld\r\nNavigate to the project directory:\r\ncd skuld\r\nUsage\r\nYou can use the project template:\r\nOpen main.go and edit the config with your Discord webhook and your crypto addresses.\r\nBuild the template (the -s -w linker flags omit the symbol table and DWARF debug information, which reduces binary size):\r\ngo build -ldflags \"-s -w\"\r\nYou can hide the console without the hideconsole module (remove the program.IsAlreadyRunning() check from main.go first) by building the executable for the Windows GUI subsystem, so that no console window is allocated at start:\r\ngo build -ldflags \"-s -w -H=windowsgui\"\r\nYou can also optionally pack the output executable with UPX, which reduces the binary size from ~10MB to ~3MB. To do this, install UPX and run\r\nupx.exe --ultra-brute skuld.exe\r\nNote that stock UPX only reduces size: the packed file is trivially recognised by its default UPX0/UPX1 section names and is unpacked with upx -d, so it provides no protection against analysis.\r\nYou can also use skuld in your own Go code. 
Just import the desired module like this:\r\npackage main\r\n\r\nimport \"github.com/hackirby/skuld/modules/hideconsole\"\r\n\r\nfunc main() {\r\n    hideconsole.Run()\r\n}\r\nPreview\r\nRemove\r\nThis guide will help you remove skuld from your system.\r\n1. Open PowerShell as administrator.\r\n2. Kill processes that could be skuld:\r\ntaskkill /f /t /im skuld.exe\r\ntaskkill /f /t /im SecurityHealthSystray.exe\r\n(use tasklist to list all running processes; skuld.exe and SecurityHealthSystray.exe are the default names). Note that SecurityHealthSystray.exe is also the name of the legitimate Windows Security tray process, which lives in C:\\Windows\\System32; check the image path before killing so that only the copy running from elsewhere is terminated.\r\n3. Remove skuld from startup:\r\nreg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Realtek HD Audio Universal Service\"\r\n(Realtek HD Audio Universal Service is the default name). Because the fodhelper.exe UAC bypass works by planting a command handler under HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command, check that key as well and delete it if it exists.\r\n4. Enable Windows Defender:\r\nYou can do it by running this .bat script (I'm not the developer behind it, make sure the file does not contain malware).\r\nContributing\r\nContributions to this project are welcome! Feel free to open issues, submit pull requests, or suggest improvements. Make sure to follow the Contributing Guidelines.\r\nYou can also support this project's development by leaving a star ⭐ or by donating to me. Every little tip helps!\r\nLicense\r\nThis library is released under the MIT License. See the LICENSE file for more information.\r\nContact\r\nIf you have any questions or need further assistance, please contact @hackirby:matrix.org\r\nAcknowledgments\r\nThis project has been greatly influenced by numerous infostealers available on GitHub. Many functions and sensitive paths have been derived from public repositories. My objective was to innovate by creating something new with code from existing projects. 
I extend my gratitude to all those whose work has contributed to this stealer, especially\r\nFallenAstaroth for tempfile-less browser data extraction\r\nᴍᴏᴏɴD4ʀᴋ for browser data decryption\r\naddi00000 for Discord embeds design\r\nBlank-c for antivirus-related functions and more\r\n6nz for antivm blacklists\r\nDisclaimer\r\nImportant Notice: This tool is intended for educational purposes only.\r\nThis software, referred to as skuld, is provided strictly for educational and research purposes. Under no circumstances should this tool be used for any malicious activities, including but not limited to unauthorized access, data theft, or any other harmful actions.\r\nUsage Responsibility:\r\nBy accessing and using this tool, you acknowledge that you are solely responsible for your actions. Any misuse of this software is strictly prohibited, and the creator (hackirby) disclaims any responsibility for how this tool is utilized. You are fully accountable for ensuring that your usage complies with all applicable laws and regulations in your jurisdiction.\r\nNo Liability:\r\nThe creator (hackirby) of this tool shall not be held responsible for any damages or legal consequences resulting from the use or misuse of this software. This includes, but is not limited to, direct, indirect, incidental, consequential, or punitive damages arising out of your access, use, or inability to use the tool.\r\nNo Support:\r\nThe creator (hackirby) will not provide any support, guidance, or assistance related to the misuse of this tool. Any inquiries regarding malicious activities will be ignored.\r\nAcceptance of Terms:\r\nBy using this tool, you signify your acceptance of this disclaimer. If you do not agree with the terms stated in this disclaimer, do not use the software.\r\nSource: https://github.com/hackirby/skuld",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/hackirby/skuld"
	],
	"report_names": [
		"skuld"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72e92d5958587ee021ccbe493d333846d0a7c177.pdf",
		"text": "https://archive.orkl.eu/72e92d5958587ee021ccbe493d333846d0a7c177.txt",
		"img": "https://archive.orkl.eu/72e92d5958587ee021ccbe493d333846d0a7c177.jpg"
	}
}