{
	"id": "1406c3ef-5b2a-4f60-89a2-57483511a686",
	"created_at": "2026-04-06T00:16:02.419041Z",
	"updated_at": "2026-04-10T13:12:35.345441Z",
	"deleted_at": null,
	"sha1_hash": "7a412ad515d1820627885c55a7570b2ff562b1f0",
	"title": "Cyble - Inside Lightning Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1875275,
	"plain_text": "Cyble - Inside Lightning Stealer\r\nPublished: 2022-04-05 · Archived: 2026-04-05 13:49:51 UTC\r\nIn this report, Cyble analyzes a stealer that has been targeting over 30 browsers - Lightning Stealer.\r\nCyble Research Labs recently encountered Lightning Stealer – a new Info Stealer variant. An info stealer is a type of malware designed specifically to steal data from the victim’s system. This type of malware has emerged as a serious threat as Threat Actors use them to get initial access to corporate networks.\r\nLightning Stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user data. Unlike other info stealers, Lightning Stealer stores all the stolen data in JSON format for exfiltration.\r\nFigure 1: Lightning Stealer C\u0026C Panel\r\nhttps://blog.cyble.com/2022/04/05/inside-lightning-stealer/\r\nPage 1 of 14\n\nLightning Stealer is a .NET-based Info Stealer. Figure 2 shows the file details.\r\nFigure 2: File information\r\nTechnical Analysis\r\nThe methods in the Main() function of the malware binary (SHA-256: a2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368), which is ultimately responsible for stealing data, are presented in the order in which they execute. Refer to Figure 3.\r\nFigure 3: Main function\r\nThe malware first calls the Input.GetLogGecko method. Upon execution, this method returns stolen passwords, cookies, and history from Firefox-based browsers.\r\nIt initially identifies the Firefox-based browsers present on the system by passing each browser’s path in the “AppData” folder to the Directory.Exists() method. If this returns “True,” the path is added to a new list for stealing data. 
The figure below shows the Firefox-based browsers targeted by the malware.\r\nFigure 4: Firefox-based browsers targeted by malware\r\nFirefox-based browsers store user data in a Profiles folder under the “AppData\\Browser_name” directory. Lightning Stealer checks this directory along with the file names mentioned below:\r\nkey4.db: Stores the encryption keys and master password for logins.json.\r\nlogins.json: This file stores the usernames and passwords.\r\nplaces.sqlite: This file stores the user search history, downloads, and bookmarks data.\r\nIt steals the browser’s data only if the above files are present.\r\nIt first steals the data from the logins.json file and looks for mozglue.dll and nss3.dll, which will be used to decrypt the “logins.json” file. Figure 5 shows the credential-stealing functionality for Firefox-based browsers.\r\nFigure 5: Stealing login credentials from Firefox-based browsers\r\nThen the malware steals the cookie data from the moz_cookies table in the “cookies.sqlite” file and stores the data in the following format (refer to Figure 6):\r\nDomain =\r\nName =\r\nValue =\r\nPath =\r\nExpires =\r\nIsSecure =\r\nFigure 6: Cookie stealing functionality on Firefox-based browsers\r\nSimilarly, the malware steals the browser’s history from the moz_places table in the “places.sqlite” file and extracts the data in the following format:\r\nUrl =\r\nTitle =\r\nVisits =\r\nTime =\r\nThe figure below shows the browser’s history stealing functionality.\r\nFigure 7: Steals history on Firefox-based browsers\r\nAfter stealing data from Firefox-based browsers, the malware targets Chromium-based browsers. 
Figure 8 shows the Chromium-based browsers targeted by the Lightning Stealer.\r\nFigure 8: Chromium-based browsers targeted by Lightning Stealer\r\nSensitive user data, such as login credentials and cookies, stored in Chromium-based browsers is present in an encrypted form. The malware enumerates and gets the names of all files present in the “Browser-name\\User Data\\” folder and checks for the “Local State” file, which stores the encrypted keys used by Chrome to decrypt the login data.\r\nIf this file is present, the malware uses the DPAPI() function to decrypt the encryption keys in the “Local State” file by calling the Dpapi.CryptUnprotectData() function, as can be seen in the figure below.\r\nFigure 9: Use of DPAPI\r\nChromium browsers store the login data in the “Login Data” file, an SQLite file. The malware steals the data from the logins table present in this file and extracts the data in the following format:\r\nDomain =\r\nLogin =\r\nPassword =\r\nFigure 10: Stealing login credentials from Chromium-based browsers\r\nThen the malware steals cookies from the cookies table present in the “Cookies” file and stores the data in the following format:\r\nDomain =\r\nName =\r\nPath =\r\nExpires =\r\nIsSecure =\r\nValue =\r\nFigure 11: Stealing cookies from Chromium-based browsers\r\nIn a similar manner, the malware steals the data from the following “.sqlite” files:\r\nCredit card data from the logins table in the “Login Data” file. Filter data in the format:\r\nNumber =\r\nYear =\r\nMonth =\r\nName =\r\nSearch history from the URLs table in the “History” file. Filter data in the format:\r\nUrl =\r\nTitle =\r\nVisits =\r\nTime =\r\nAutofill data from the autofill table in the “Web Data” file. Filter data in the format:\r\nName =\r\nValue =\r\n
Figure 12: Stealing Credit Cards, History, and Autofill data from Chromium-based browsers\r\nThis stealer has the capability to steal data from crypto wallets present on the victim’s system. The wallets targeted by the stealer can be seen in the figure below. The malware targets the wallet files specific to the crypto applications mentioned in Figure 13. The malware then converts the wallet file’s content into Base64 and saves it into a list.\r\nFigure 13: Targeted Crypto wallets\r\nThe malware then proceeds to steal the victim’s system info. Figure 14 shows the system info gathered by the malware.\r\nFigure 14: Stealing System Info\r\nThis malware also steals the .txt and .doc files present on the “Desktop” of the victim’s system. The malware reads the content of each file and encodes it using Base64. Then it saves the encoded data and file names in a list.\r\nFigure 15: Stealing files from victim’s desktop\r\nAfter this, the malware checks for the “Telegram Desktop\\tdata” file in the ApplicationData folder. Instead of copying the file to a different directory for exfiltration, it loads its content in memory, encodes it, and saves it to a list.\r\nFigure 16: Stealing Telegram data\r\nThe Lightning Stealer steals the Discord token from the following directory:\r\n“discord\\\\Local Storage\\\\leveldb”\r\nIt retrieves a list of all files present in this directory and then starts stealing data from them.\r\nFigure 17: Stealing Discord token\r\nThe malware steals data from Steam, a video game digital distribution service. 
The stealer identifies the Steam installation path by checking the registry key value at “HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam.” The malware steals data from all the files present under the “config” folder.\r\nFigure 18: Stealing user data from Steam\r\nAfter this, the malware takes a screenshot of the victim’s screen and saves it in the “AppData\\Roaming\\” folder under the name “1.png”. Then, it converts the screenshot into a Base64-encoded string and saves it to a list.\r\nFigure 19: Taking a screenshot of the victim’s system\r\nThe malware stores all the stolen data in the lists shown in the figure below.\r\nFigure 20: Storing stolen data in lists\r\nThen it creates a file named “444.txt” in the “AppData\\Roaming\\” folder. Before writing content to this file, it converts the stolen data into JSON strings using the JsonSerializer.Serialize() method.\r\nFigure 21: Storing data as JSON strings\r\nAfter this, the malware exfiltrates the data to the following domain:\r\nhxxp[:]//panelss[.]xyz/Stealer/TSave\r\nThe body of the request is sent in JSON format, as can be seen in the figure below.\r\nFigure 22: Data exfiltration\r\nConclusion\r\nInfo Stealers are adopting new techniques to become more evasive. As the information stolen by such malware is sensitive, organizations should follow good security practices. In the past, Cyble Research Labs has observed data breaches of large organizations because of such threats. We have also witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive data. 
Lightning Stealer is an emerging Info Stealer, and we may see variants of it emerge in the future.\r\nRecommendations\r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tools” present on sites such as YouTube, torrent sites, etc., mainly contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable a Data Loss Prevention (DLP) solution on employees’ systems.
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1539 | Steal Web Session Cookie\r\nCredential Access | T1552 | Unsecured Credentials\r\nCredential Access | T1528 | Steal Application Access Token\r\nCollection | T1113 | Screen Capture\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1124 | System Time Discovery\r\nDiscovery | T1007 | System Service Discovery\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nIndicators of Compromise (IoCs):\r\nIndicator | Indicator type | Description\r\nhxxps[:]//panelss[.]xyz | URL | C2 URL\r\n1b922b6d15085da82e20fee0789a6617 | MD5 | Stealer Payload\r\n231a8e1a06d1673c8922d149af9d8f156dcbe228 | SHA-1 | Stealer Payload\r\na2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368 | SHA-256 | Stealer Payload\r\n473781fe7d820ef805d1aa79ace86816 | MD5 | Stealer Payload\r\nb7a42714b4e5dd7cfb6a2c8d7eb30d8bcce9a7ba | SHA-1 | Stealer Payload\r\n6e016bcbead2dddb80dd4a592b1f3c042c52dc8a26ee37e0943f1a8c433e4c5f | SHA-256 | Stealer Payload\r\nSource: https://blog.cyble.com/2022/04/05/inside-lightning-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/04/05/inside-lightning-stealer/"
	],
	"report_names": [
		"inside-lightning-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434562,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a412ad515d1820627885c55a7570b2ff562b1f0.pdf",
		"text": "https://archive.orkl.eu/7a412ad515d1820627885c55a7570b2ff562b1f0.txt",
		"img": "https://archive.orkl.eu/7a412ad515d1820627885c55a7570b2ff562b1f0.jpg"
	}
}