{
	"id": "6399485c-34a7-4d06-9396-c2b903bfb492",
	"created_at": "2026-04-06T00:11:06.958472Z",
	"updated_at": "2026-04-10T13:12:20.494153Z",
	"deleted_at": null,
	"sha1_hash": "7546600ef7b0cda1bd0f6b526840e7ec84ad3f81",
	"title": "Uncovering the “Easy Stealer” Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1231570,
	"plain_text": "Uncovering the “Easy Stealer” Infostealer\r\nBy Joshua Penny, Senior CTI Analyst and Yashraj Solanki, CTI Analyst\r\nArchived: 2026-04-05 17:10:05 UTC\r\nWhilst conducting routine research, Bridewell Cyber Threat Intelligence (CTI) identified infrastructure associated\r\nwith a new information stealer called “Easy Stealer”. The stealer is under active development and its command\r\nand control servers are currently going largely undetected.\r\nThe information stealer is being sold on the underground, advertising a variety of information stealer capabilities,\r\nsuch as the ability to target crypto wallets and passwords. We’ve conducted an analysis of this stealer and are\r\npublishing initial findings to share with the wider security community.\r\nThe information stealer appears to be linked with a number of recent infection chains including possible\r\nconnections with Wasabi Seed, used by Proofpoint’s TA866 in a recent Screentime campaign. As we continue to\r\nanalyse the malware and threat actors behind it, we will update this blog with more information.\r\nhttps://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer\r\nPage 1 of 10\n\nFigure 1. EasyStealer advert\r\nOverview\r\nOn July 23rd, the first advertisement for “Easy Stealer” appeared on the Russian criminal forum, XSS.is. The post\r\nwas created by the alias “EasyStealer”, claiming to be “one of the best products on the market, supported by an\r\nexperienced team”. The advertisement details a “User-friendly panel”, custom File Grabber, and Dynamic Loader.\r\nFigure 2. 
EasyStealer marketplace description (Group-IB threat intelligence platform)\r\nKey features of the information stealer include:\r\nTechnical Information Panel\r\nRecursive collection of browsers on Chromium (passwords, cookies, autofill history, CC)\r\nCollection of +50 crypto wallets\r\nWorking in memory\r\nSupports PE and DLL formats\r\nWritten in Golang\r\nThe panel for the stealer is installed on the buyer's own infrastructure, allowing for exclusive control, whilst also\r\nproviding setup support. The stated pricing models are:\r\n$35 for 7 days\r\n$115 for 30 days\r\n$250 for 90 days\r\nThe developers also list two Telegram channels, one for the latest news and the other for support:\r\nt.me/EasyStealer (currently inactive at the time of writing this report)\r\nt.me/EasyStealerSupport\r\nEasyStealer Timeline\r\nFigure 3. Easy Stealer development timeline\r\nBased on samples submitted to VirusTotal, it can be observed that the first possible samples created by the\r\ndeveloper were uploaded on 16th June 2023. This was most likely for the purpose of range testing. The first\r\nmention of Easy Stealer was on the “Lolzteam” forum, where the developers requested beta testers on the 16th of July\r\n2023. In the days following the first advertised post for Easy Stealer on the 23rd of July, the developers\r\npushed out new versions of the stealer, v0.0.3 and v0.0.4.\r\nOn the 29th of July the first review of Easy Stealer was posted, covering the installation and operation of the Easy Stealer\r\nPanel.\r\nFigure 4. Easy Stealer Dashboard Panel\r\nInfrastructure Discovery \u0026 Analysis\r\nWe utilised open-source tooling to identify an initial IP address belonging to Easy Stealer: 91.103.252[.]210. 
This\r\nIP address is hosted on Shetler LLC and the Dashboard panel can be accessed on port 3000.\r\nFigure 5. Easy Stealer FOFA search result\r\nInterestingly, the developer has failed to place any access control mechanisms on the server, making it readily\r\naccessible to anyone who stumbles across it. We were able to analyse the server and identify that it is currently\r\nrunning a v0.0.1 build, which is known to be behind recent versions. When accessing the logs tab, we observed\r\nthat there is only a single IP address listed: 194.154.78[.]251.\r\nFigure 6. Easy Stealer logs\r\nThis information supports some initial assumptions: that this server is used for testing and development, and\r\nthat the IP address could be an indication of the location of the developer. When analysing the IP address, it can\r\nbe seen that it geolocates to Moscow, Russia and is assigned to a telecommunications company called “PJSC\r\nVimpelCom”.\r\nFigure 7. Possible Easy Stealer developer IP address\r\nUsing tools such as FOFA, we were able to fingerprint and identify an additional five servers linked to Easy\r\nStealer. Based on information provided by VirusTotal, there is currently very low or no detection at all for the\r\nservers hosting Easy Stealer, likely due to its early stage of development and the lack of known campaigns\r\nassociated with it. IP address 193.233.255[.]86 has higher detections due to historical association with other\r\ninformation stealer campaigns.\r\nFigure 8. Easy Stealer C2 global distribution\r\nA number of the C2 servers are either historical or still active but more secure. 
IP address 46.151.29[.]182 is\r\ncompletely clean in VirusTotal but has two samples currently communicating with it.\r\nFigure 9. Easy Stealer C2 VirusTotal Result\r\nInitial Findings\r\nWe have also uncovered a number of interesting observations associated with the C2 server 46.151.29[.]182 that\r\nwill be subject to ongoing analysis and will be included in this report once completed. However, our initial\r\nfindings based on the information known so far are published in this report. We welcome collaboration and input\r\nfrom the wider security community; please get in touch at email address\r\nBased on our initial findings, we can observe a possible correlation with Proofpoint’s TA866 and their campaign\r\ncalled “Screentime”. In this, the threat actor uses its “custom toolset including WasabiSeed and Screenshotter,\r\nTA866 analyses victim activity via screenshots before installing a bot and stealer.” In this campaign, WasabiSeed\r\nis utilised to drop a number of files, ending with the Rhadamanthys information stealer.\r\nhttps://www.proofpoint.com/uk/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me\r\nBased on the infection chain identified by Bridewell, we have identified a possible Wasabi Seed sample dropping\r\nEasy Stealer. A number of attributes from our findings link to this Proofpoint report, which we will continue to\r\ncorrelate. We have observed the use of Wasabi Seed, JavaScript files and similar persistence mechanisms such as\r\nthe use of .lnk files. However, we have also observed the use of PowerShell to drop Easy Stealer.\r\nWhen investigating the Easy Stealer infection chain, we came across open-source reporting by an independent\r\nsecurity researcher called ULTRAFRAUD detailing a malware sample payload directory and C2 IP address. 
We\r\ncurrently believe that this sample is Wasabi Seed and is the file used to drop Easy Stealer.\r\nFigure 10. Easy Stealer VirusTotal Result\r\nThe above image shows the payload/C2 IP address 87.251.67[.]84, associated with the possible Wasabi Seed\r\nsample.\r\nThe connection between this finding and Easy Stealer is shown in the following VirusTotal graph, which can be\r\nfound here: https://www.virustotal.com/graph/gc94fed32595f4b72afc706de02913667c14812e7ca8146299522e993c80dc7ac\r\nFigure 11. VirusTotal Graph of Easy Stealer Relationships\r\nAs we continue to understand the infection chain, we will update this blog with more findings.\r\nComparison of Easy Stealer with Other Existing Information Stealers\r\nThe sample associated with the command and control IP address 46.151.29[.]182 has the following file hash:\r\n88ceea988a4b66edfa194eae2aaf50951c6fbbc7d5aa8d19351d36531667fd89, which was used for initial analysis.\r\nThe following characteristics were utilised to observe any form of relevance with other malware:\r\nCode Block similarity: There were no malware samples found sharing code structure with this particular\r\nmalware sample.\r\nSSDeep Hash: SSDeep hashes are a type of fuzzy hash which are useful for comparing whether two or more\r\nfiles are similar. There were no malware samples having the same SSDeep hash as this sample.\r\nVT Feature Hash: This is a type of internal hash that VirusTotal leverages to determine file similarities.\r\nThere were no file samples found sharing the same VT feature hash as this sample.\r\nImphash: Also known as the import hash, this is a hash calculated from the functions imported by the\r\nmalware and their corresponding order. 
A total of 13 files were identified which shared the import hash\r\nwith this sample.\r\nThe number of files sharing this Imphash can still be considered low and suggests uniqueness of\r\nthe malware sample. This is because there exists a large variety of malware in the wild, whereas the number of\r\nimport functions is limited. Hence, it is plausible that some malware samples use the same import functions in\r\nthe same order. These files were labelled as Redline, Zusy, Stealc, DCrat, generic trojan, ransomware and other\r\nunknowns.\r\nBased on the above observations, it can be stated with moderate-high confidence that Easy Stealer is new and\r\nunique when compared to other information stealers and not a variant of one of the existing malware families.\r\nAdditionally, basic malware analysis assisted in validating that the malware sample analysed is in fact Easy\r\nStealer. This was based on over a hundred references to the string “easy”, which can be attributed to Easy\r\nStealer. Some of the specific strings are listed in the table below.\r\nKey References to Easy Stealer Based on Malware Analysis\r\neasy/user easy/reqursion.Start easy/network.HTTP\r\neasy/decrypt easy/decrypt.GrabFromBrowser easy/wallets.Grab.func2\r\neasy/discord easy/shell.Liquidation easy/zip.addFiles\r\neasy/network easy/decrypt.MasterKey easy/user.SystemInfo\r\neasy/wallets easy/network.SaveConfig easy/reqursion/main.go\r\neasy/telegram easy/registry.GetRegistryKey easy/geoposition\r\nBased on our analysis of the first submitted sample of Easy Stealer, some of the crypto wallets that the\r\nmalware attempts to search for were identified. These included but are not limited to Zcash, Armory, Yandex,\r\nElectrum, Ethereum, Exodus and Jaxx. 
It should be noted that we have not yet conducted an exhaustive\r\nmalware analysis, and there are likely to be additional capabilities or features of the infostealer\r\nwhich have gone unnoticed and unadvertised.\r\nFiles Hashes Submission\r\nTo conclude, given the ease of using the panel due to its user-friendly design and the affordable price range,\r\ncombined with the similar capabilities of this malware when compared with other information stealers, Easy\r\nStealer is likely to see an increase in distribution among various cyber criminals as it continues through active\r\ndevelopment.\r\nSource: https://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bridewell.com/insights/blogs/detail/uncovering-the-easy-stealer-infostealer"
	],
	"report_names": [
		"uncovering-the-easy-stealer-infostealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7546600ef7b0cda1bd0f6b526840e7ec84ad3f81.pdf",
		"text": "https://archive.orkl.eu/7546600ef7b0cda1bd0f6b526840e7ec84ad3f81.txt",
		"img": "https://archive.orkl.eu/7546600ef7b0cda1bd0f6b526840e7ec84ad3f81.jpg"
	}
}