{
	"id": "e7d45dbd-74a2-4823-b087-627f6735e2b9",
	"created_at": "2026-04-06T00:07:59.002227Z",
	"updated_at": "2026-04-10T13:12:27.682687Z",
	"deleted_at": null,
	"sha1_hash": "7a2eb191ab37359d622482d1a59a33b3b878f3ba",
	"title": "New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1642341,
	"plain_text": "New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl)\r\nBy Robert Falcone, Simon Conant\r\nPublished: 2021-04-29 · Archived: 2026-04-05 13:45:49 UTC\r\nExecutive Summary\r\nIt seems that for every commodity malware takedown and prosecution, another replaces it to take a turn empowering cybercriminals. Often, commodity malware authors will disingenuously attempt to profess a guise of legitimacy for their malware – a strategy that often doesn’t stand up in court.\r\nThe author of WeSteal, a new commodity cryptocurrency stealer, makes no attempt to disguise the intent for his malware. The seller promises “the leading way to make money in 2021” (Figure 1).\r\nFigure 1. WeSteal advertisement.\r\nIn this blog, we analyze WeSteal, detail the obfuscation and techniques it uses for persistence and operation, and examine the customers of this malware. We take a look at the actor WeSupply, with an operation and website by the same name, and at the Italian malware coder ComplexCodes, a co-conspirator and actual author of this malware.\r\nImmediately before the publication of this report, we discovered that the actors had both added some new features to WeSteal, and had also complemented it with a new commodity remote access tool (RAT) called “WeControl”. We document these new revelations at the end of our report.\r\nPalo Alto Networks customers are protected from WeSteal and WeControl with Cortex XDR, the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions, and AutoFocus.\r\nOrigin of WeSteal\r\nActor “ComplexCodes” started advertising WeSteal on underground forums in mid-February 2021. However, ComplexCodes had been selling a “WeSupply Crypto Stealer” since May 2020. 
A comparison of samples of the earlier WeSupply Crypto Stealer with WeSteal suggests that WeSteal is likely simply an evolution of the same project.\r\nThis Italian malware coder previously authored a “Zodiac Crypto Stealer” and “Spartan Crypter” for obfuscating malware to avoid antivirus detection.\r\nhttps://unit42.paloaltonetworks.com/westeal/\r\nPage 1 of 11\n\nThe actor’s forum signature indicates an affiliation with a site that sells accounts for services such as Netflix and Disney+ (Figure 2).\r\nFigure 2. Underground site that sells accounts.\r\nThe intent is once again on display with ComplexCodes’ Discord-based commodity distributed denial-of-service (DDoS) offering, “Site Killah” (Figure 3).\r\nFigure 3. DDoS service advertisement.\r\nIntent of WeSteal\r\nWhen pursuing cases against malware authors, prosecutors typically need to demonstrate the author’s intent for the malware. Many authors will hide behind meaningless Terms of Service statements that end users must not use the malware for illegitimate purposes. They will often describe potential “legitimate” uses for their malware – only to further describe anti-malware evasion properties, silent installation and operation, or features such as cryptocurrency mining, password theft or disabling webcam lights.\r\nThere is no such pretense by ComplexCodes with WeSteal. There is the name of the malware itself. Then there is the website, “WeSupply,” owned by a co-conspirator, proudly stating “WeSupply – You profit” (Figure 4).\r\nFigure 4. WeSupply advertisement.\r\nAs well as calling the malware WeSteal and advertising the “Crypto Stealer” feature, WeSupply’s posts on forums also describe support for zero-day exploits and “Antivirus Bypassing” (Figure 5).\r\nFigure 5. 
WeSteal features.\r\nThis is demonstrated with a screenshot claiming no antivirus detection for a sample (Figure 6). WeSteal includes a “Victim tracker panel” that tracks “Infections” – leaving no doubt about the context.\r\nFigure 6. WeSteal antivirus scanning results.\r\nOf course, ComplexCodes profits from the sale of WeSteal by charging €20 for a month, €50 for three months and €125 for one year (Figure 7).\r\nFigure 7. WeSteal advertisement on Sellix, an ecommerce store.\r\nThere isn’t any possible angle from which to claim legitimacy for a piece of software designed to steal cryptocurrency transactions.\r\nCapabilities of WeSteal\r\nIn order to “steal” cryptocurrency from a victim, WeSteal uses regular expressions to look for strings matching the patterns of Bitcoin and Ethereum wallet identifiers being copied to the clipboard. When it matches one, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID into a transaction, and the funds are sent to the substitute wallet instead.\r\nRAT?\r\nWeSteal is advertised as featuring a “RAT Panel.” No RAT feature is advertised, and none was observed in our analysis. It seems that ComplexCodes is rather ambitiously describing their simple hosted command-and-control (C2) service, elsewhere described as a “victim tracker,” as a “RAT Panel.”\r\nC2 as a Service\r\nAs we have observed in some other commodity malware, rather than leaving customers to run their own C2, WeSteal operates with a hosted C2 as a service (C2aaS).\r\nWeSteal is configured to use the following URLs for its C2 communications. 
We have observed two different C2 domains, one of which is also the sales site for the malware.\r\nhxxps://wesupply[.]to/t_api.php\r\nhxxps://wesupply[.]io/t_api.php\r\nSpeaking of “Service”\r\nThe WeSupply crew seems very invested in the “success” of their customers. In one forum sales thread, a would-be but apparently inexperienced potential criminal asks:\r\n“how do you use the tool and how does it target someone?”\r\nTo which the helpful malware peddlers respond:\r\n“Open a ticket, will help you with all your questions.”\r\nObfuscation\r\nWeSteal is distributed as a Python-based Trojan in a script named \"westeal.py\". ComplexCodes converted it into an executable using PyInstaller. The Trojan was built for Python 3.9, as the PyInstaller bundle included python39.dll as the Python interpreter. The developer also used the open source PyArmor source code obfuscator, which encrypts the Python script and decrypts it at runtime before handing it to the Python interpreter for execution, as seen in the PyArmor bootstrap stub:\r\nfrom pytransform import pyarmor_runtime\r\npyarmor_runtime()\r\n__pyarmor__(__name__, __file__, b'PYARMOR\\x00\\x00\\x03\\t\\x00a\\r\\r\\n\\x06[snip]\r\nPyArmor relies on the \"_pytransform.dll\" library to decrypt the contents of the Python script and sends them to the \"python39.dll\" interpreter. The WeSteal samples we analyzed were obfuscated using PyArmor's \"obf_mode\" setting configured to 2. 
This \"obf_mode\" setting includes the WeSteal Python bytecode as ciphertext that PyArmor decrypts using AES-GCM at runtime.\r\nAn Interesting Persistence Technique\r\nThe “add_startup” function establishes persistent access to the system. WeSteal copies itself to the following location:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local.exe\r\nWeSteal then creates the following batch script in the startup folder, which will run each time the user logs in:\r\nc:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\appdata.bat\r\nThe batch script contains the following command:\r\nstart %localappdata%\r\nThe command above uses a novel technique to obscure which executable the batch file starts. The start command is handed the expanded value of %localappdata%, which on a default Windows system is the folder path C:\\Users\\\u003cusername\u003e\\AppData\\Local. However, in this context the trailing Local is interpreted as a program name rather than a subfolder: start does not require the .exe file extension, so it runs the WeSteal executable Local.exe in the path C:\\Users\\\u003cusername\u003e\\AppData\\. Nothing in the batch file names the executable, and the payload sits beside the Local folder rather than inside it, so a hunt for this technique should look for an executable whose path equals a profile folder path plus .exe, and for startup-folder batch files whose start target is nothing more than an environment variable.\r\nThe “heist” (or “cuckoo’s egg”?)\r\nThe get_clipboard and copy_to_clip functions carry out WeSteal’s clipboard-hijacking (“clipper”) functionality. These functions check for Bitcoin (BTC) and Ethereum (ETH) wallets copied to the clipboard and replace them with an actor's wallet, hoping that the user will then paste the actor’s wallet instead of the intended one, redirecting a cryptocurrency transaction in the actor’s favor. The actor is counting on the victim not noticing the substitution until it is too late and the irreversible cryptocurrency transaction has completed.\r\nWeSteal uses regular expressions to identify wallets copied by the user to the clipboard. 
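The persistence trick and the clipboard swap described above both leave host-side signals a responder can check for. The following Python is an added example written for this page, not code from the WeSteal sample or from Unit 42. The wallet regexes are the editor's approximations of the BTC and ETH address formats, not the constants recovered from the sample (Figure 8); the start-command resolution follows the page's description (a bare name is tried as a program, with .exe appended); and the environment, file layout and clipboard history are constructed inline. The pepsi ETH wallet and one bech32 BTC wallet from the customer table on this page stand in as the attacker-supplied addresses.

```python
'''Host-side checks for the two WeSteal behaviours above: the %localappdata%
startup trick and the clipboard wallet swap. Added example for this page, not
code from the sample or from Unit 42.'''
import ntpath
import re

# Approximate address formats for the two assets WeSteal targeted. These are
# the editor's regexes, not the constants recovered from the sample (Figure 8).
WALLET_PATTERNS = {
    'BTC': re.compile('^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$'),
    'ETH': re.compile('^0x[0-9a-fA-F]{40}$'),
}

def classify_wallet(text):
    '''Return the asset name for a clipboard string, or None.'''
    s = text.strip()
    for asset, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return asset
    return None

def detect_clipboard_swaps(history):
    '''history: ordered (event, content) pairs, 'copy' for a user-initiated copy
    and 'poll' for a sample taken by a monitor. A clipper rewrites the clipboard
    without a user copy, so a poll holding a different wallet of the same asset
    as the last copy is a swap. Returns (asset, copied, replaced) tuples.'''
    findings = []
    last_copy, alerted = None, False
    for event, content in history:
        if event == 'copy':
            last_copy, alerted = content, False
            continue
        if last_copy is None or alerted:
            continue
        asset = classify_wallet(last_copy)
        if asset and classify_wallet(content) == asset and content.strip() != last_copy.strip():
            findings.append((asset, last_copy, content))
            alerted = True  # one alert per user copy; later polls repeat the same swap
    return findings

def win_path(p):
    '''Normalise a Windows path with ntpath so this runs on any OS.'''
    return ntpath.normpath(p)

def expand_env(token, env):
    '''Expand %NAME% references case-insensitively, as cmd.exe does.'''
    return re.sub('%([^%]+)%', lambda m: env.get(m.group(1).upper(), m.group(0)), token)

def resolve_start_target(command, env, present_files):
    '''Model the page's observation for a bare start line: the expanded argument
    is tried as a program name, then with .exe appended, so a file Local.exe
    beside the Local folder is what actually launches. None if nothing matches.'''
    parts = command.split()
    if len(parts) != 2 or parts[0].lower() != 'start':
        return None
    target = win_path(expand_env(parts[1], env))
    for candidate in (target, target + '.exe'):
        if candidate in present_files:
            return candidate
    return None

def hunt_startup_batch(batch_files, env, present_files):
    '''Flag start lines whose expanded argument is a known profile folder but
    which launch a sibling folder-name.exe. Returns (file, line, launched).'''
    folders = {win_path(v) for v in env.values()}
    findings = []
    for name, lines in batch_files.items():
        for line in lines:
            launched = resolve_start_target(line, env, present_files)
            if launched is None:
                continue
            stem = ntpath.splitext(launched)[0]
            if launched != stem and stem in folders:
                findings.append((name, line.strip(), launched))
    return findings

# Constructed host state: user alice, a WeSteal-style Local.exe beside the Local
# folder, and a benign startup script for contrast.
SAMPLE_ENV = {
    'LOCALAPPDATA': win_path('C:/Users/alice/AppData/Local'),
    'APPDATA': win_path('C:/Users/alice/AppData/Roaming'),
}
SAMPLE_FILES = {
    win_path('C:/Users/alice/AppData/Local.exe'),
    win_path('C:/Users/alice/AppData/Roaming/Tool/tool.exe'),
}
SAMPLE_BATCH = {
    'appdata.bat': ['start %localappdata%'],
    'tool.bat': ['@echo off', 'start %APPDATA%/Tool/tool.exe'],
}

# Constructed clipboard history. Attacker addresses are the pepsi ETH wallet and
# one bech32 BTC wallet from the customer table; user addresses are placeholders.
USER_ETH = '0x' + '11' * 20
USER_BTC = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'
ATTACKER_ETH = '0x5f9C7078dFF737BbF872b438151Cd38ECfe0ebee'
ATTACKER_BTC = 'bc1qg0gr8286k6kemtd3cwch6guzfp6yn9n3smlqt8'
SAMPLE_CLIPBOARD = [
    ('copy', USER_ETH), ('poll', USER_ETH), ('poll', ATTACKER_ETH),
    ('copy', 'meeting at 10'), ('poll', 'meeting at 10'),
    ('copy', USER_BTC), ('poll', ATTACKER_BTC), ('poll', ATTACKER_BTC),
]

if __name__ == '__main__':
    for hit in hunt_startup_batch(SAMPLE_BATCH, SAMPLE_ENV, SAMPLE_FILES):
        print('startup persistence:', hit)
    for swap in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print('clipboard swap:', swap)
```

Both checks are deliberately offline. On a live host the clipboard history would come from a clipboard-change listener or periodic polling, and the batch files and file set from the user's Startup folder and a listing of the AppData folder; the classification by asset rather than by address format is what lets the BTC case fire even though the legacy address was replaced by a bech32 one.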
The regular expressions describing the formats of Bitcoin and Ethereum wallets are seen in the constants identified in the decrypted WeSteal sample (Figure 8).\r\nFigure 8. Constants from a decoded WeSteal sample.\r\nWeSteal’s Customers, Wallets and Their “Hauls”\r\nAlso encoded in the samples were the hardcoded customer “handle” and their BTC and ETH wallets. From this, we have some idea of the current customer base and possibly an idea of their success.\r\nWe collated a small list of customers. In general, the wallets identified had only a small number of transactions since WeSteal was released, and those were of low value. However, at least one wallet (actor “pepsi”) received approximately $800 in a single Ethereum transaction. It is, of course, possible that any of these transactions may be unrelated to the malware.\r\nHandle Ethereum Wallet Bitcoin Wallet\r\nHeroin 0xb5F7Bf1B46854f3EDA1201294941Edb13f9661EA 1AB3XSnioEFKKZcDadmSDX8YRcQzgRnG3c\r\npepsi 0x5f9C7078dFF737BbF872b438151Cd38ECfe0ebee 1NbyaaQTGPAhj8CuqRSRrXbWCCtyhdyv7T\r\ntouourien 0x419f92Af57Eeb3f50fbE10298cC4a684aB452011 bc1qg0gr8286k6kemtd3cwch6guzfp6yn9n3smlqt8\r\nAdribusted 0x49c8d0359cAf80FfebD8424128A951264f4f6506 bc1q8pufxrmm8k5n9v4w2auvlaedx9lm23c7sg6mye\r\nKing 0x1FdD9e44048F88B04C6DBba897E05ecCA55A61f9 1KVsfk5jT5fUGbUxomxAsKYxVvSZC9joXs\r\nbelzedar 0xc7D4E35C3ea831c3Bbf53550621315C79423E95F bc1q30el678lr9dwcydtm8gjztf389zrj6gfs6ezj5\r\nxjoking 0xa4FC40168EF940eD013E1dB6986C5746AAC3b2c3 1APLhq2yC421C3G6X5uhLhTmtZMjSUZ38G\r\nShakho 0x356d6162ADa9db9bd31b95Eec92Cd3B1D3273623 1CUYk9xCDU9WfTbLZj561M32Q55EZtcyEo\r\nWeZesk 0x269eCD3E97A37C27347E4E87D6f3f1B59A0BE2AB 1BcD15EEpeA1Mfz49oAMfdikeXjhCfiUU6\r\nX0NR8 0x86C19f41004d451dc6dcb4f0AC086EDdA1383b70 bc1qkmg9c0p52xgzqjqswdz6k9gxddwvchr8rt3pm8\r\nwizzz 0xAaD7685A29bE275E9404Ba88260E19dB52644DE3 bc1qx7ha77kanm3nn8fe2ap4ts2uyxjxgmc35llud7\r\nPepe 
0xB97749901245b417060bbdFf3D7d1eC90b584a7c 17SjdBcboW2EPFMyoPwzp64eyjMwTLoBSG\r\nThe actor WeSupply is unsurprisingly observed using their own tool (under a second forum handle, “Shakho”). Also unsurprising is that many of these handles are also noted in the same forums where WeSteal is promoted.\r\nRecent Observed Updates, Including WeControl RAT\r\nImmediately before the publication of this report, we noticed some new samples that bore a striking similarity to WeSteal (also PyArmor-obfuscated compiled Python), but were also different from other WeSteal samples.\r\nThis caused us to refresh our research of forums and the actors’ website. We note them advertising improvements to WeSteal, as well as selling a new piece of malware called “WeControl” RAT.\r\nWeSteal Improvements\r\nWhen we first analyzed WeSteal, we wondered why the actors included only the ability to monitor for and steal just two cryptocurrencies, Bitcoin and Ethereum. Although those are the most popular cryptocurrencies, it would surely be simple enough to code for the wallet patterns of other cryptocurrencies as well.\r\nFigure 9. Updated WeSteal marketing.\r\nUnsurprisingly, we now note that the authors have added three cryptocurrencies to the list of those that can be stolen:\r\nBitcoin: BTC\r\nEthereum: ETH\r\nLitecoin: LTC\r\nBitcoin Cash: BCH\r\nMonero: XMR\r\nWeControl RAT\r\nUnfortunately, the timing of the discovery of a new commodity RAT at the actors’ site precluded us from including a full analysis in this report.\r\nFigure 10. WeControl advertised at the actors’ website.\r\nWeControl is marketed as a “rat/botnet hybrid.” The description seems to indicate that the actors have incorporated the C2-as-a-service model of WeSteal into this RAT as well. 
This is not “the first” web-based C2aaS as they claim – WebMonitor RAT has been offering C2aaS for over two years.\r\nUsing a familiar technique from WeSteal, WeControl is again compiled Python obfuscated with PyArmor.\r\nWe first observed a sample of WeControl in mid-April 2021. At the time of publication, we have collected just seven samples of WeControl. The hashes for these can be found at the end of this report.\r\nConclusion\r\nWeSteal is a shameless piece of commodity malware with a single, illicit function. Its simplicity is matched by a likely simple effectiveness in the theft of cryptocurrency. The low-sophistication actors who purchase and deploy this malware are thieves, no less so than street pickpockets. Their crimes are as real as their victims.\r\nThe fast and simple monetization chain and anonymity of cryptocurrency theft, together with the low cost and simplicity of operation, will undoubtedly make this type of crimeware attractive and popular to less-skilled thieves.\r\nWeControl is similarly both designed and marketed as a tool for illicit activity, lacking in propriety no less than the earlier WeSteal.\r\nThe ease of detection and blocking of the C2 as a service works against the Italian malware author ComplexCodes. It’s surprising that customers trust their “victims” to the potential control of the malware author, who no doubt could in turn usurp them, stealing the victim “bots” or replacing customers’ wallets with one of ComplexCodes’ own at any time. 
It’s also surprising that the malware author would risk criminal prosecution for what must surely be a small amount of profit, given the apparently small customer base.\r\nOrganizations with effective spam filtering, proper system administration and up-to-date Windows hosts have a much lower risk of infection.\r\nPalo Alto Networks customers are further protected from WeSteal and WeControl with Cortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions. AutoFocus users can track WeSteal and WeControl activity using the WeSteal and WeControl tags.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to deploy protections to their customers rapidly and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit https://www.cyberthreatalliance.org/.\r\nIndicators of Compromise\r\nWeSteal Samples\r\nA SHA256 hash list of the 157 identified WeSteal samples, as of the time of publishing this report, is available at our GitHub repository.\r\nWeControl Samples\r\n59ffba39fc87eacd7c19498b5bb495d9c86c8bec40f3282e996aa80d77c45fa7\r\ned6875d60a67149c6cee4798a305810c6bcaa9b0b9349ec397ed331d96707e37\r\n2bdc916680402a973afca8407d83c299092515cf5cc78ad0a92a8ce2d72b6f7c\r\n8d37eef0308d5bd03d6c93ab247ca82d2157053822428ad1c787771de8e4332f\r\ne2b11c10832991577184abd4f57af7383f30142a52fc8e2b41145f416860acf1\r\n0920763b06f0a90f57910aaeff361d978bf37b025cbb9bc206d290eeb81e6217\r\neac7d579002f5e7f2cbff86b8e233c433f14ae25faf112eabaa1e2dd4f2a9a3d\r\nC2 / sales domains\r\nwesupply[.]to\r\nwesupply[.]io\r\nSource: https://unit42.paloaltonetworks.com/westeal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/westeal/"
	],
	"report_names": [
		"westeal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434079,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a2eb191ab37359d622482d1a59a33b3b878f3ba.pdf",
		"text": "https://archive.orkl.eu/7a2eb191ab37359d622482d1a59a33b3b878f3ba.txt",
		"img": "https://archive.orkl.eu/7a2eb191ab37359d622482d1a59a33b3b878f3ba.jpg"
	}
}