{
	"id": "f0d15edf-6884-44ea-9e63-42c126429223",
	"created_at": "2026-04-06T00:18:25.254386Z",
	"updated_at": "2026-04-10T13:12:45.927789Z",
	"deleted_at": null,
	"sha1_hash": "8ef9968775c25582c441e660f2b93014db42ae38",
	"title": "Breaking into the Bandit Stealer Malware Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4541594,
	"plain_text": "Breaking into the Bandit Stealer Malware Infrastructure\r\nBy Bablu Kumar\r\nPublished: 2025-08-21 · Archived: 2026-04-05 18:52:45 UTC\r\nAnalysis and Attribution\r\nCloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware on a Russian-speaking underground forum where a threat actor vouched for it.\r\nCloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of which went down within a span of 24 hours. All of these IP addresses were running on port 8080.\r\nhttps://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure\r\nPage 1 of 12\r\n\r\nResults from URLScan.io\r\nBandit Web Panel Analysis\r\nOur source identified a few website endpoints that allowed access to the website’s internal system without entering credentials, due to a misconfiguration on the website.\r\nLogin page of Bandit Stealer web panel\r\nNothing particularly significant can be noted on the dashboard except a menu with options such as Builder and Results.\r\nDashboard interface of the malware panel\r\n\r\nThe Builder page shows the options for building a customized version of Bandit Stealer malware. In the stealer operation, threat actors rely on the following key elements:\r\nCommunication Channel: ChatID, Bot Token, and Server IP are used to establish a secure connection with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users, such as compromised credentials and screenshots.\r\nCryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer cryptocurrency amounts to the threat actor’s wallet.\r\nLoader URL: The Loader URL serves as a mechanism for distributing the malware. 
For instance, in malvertising campaigns, hidden JavaScript code operates in the background and is responsible for dropping the executable malware file onto the victim's system. This URL is a crucial component of the initial infection process.\r\nFileName: The FileName is the name assigned to the executable malware file. This file contains the malicious code responsible for the intended actions, such as data theft and exfiltration.\r\nMalware builder panel used for generating executable\r\n\r\nOne of the discovered endpoints was /builds, which held all the Bandit Stealer builds generated so far by this particular panel. Our source was able to acquire them for further analysis.\r\nAnother identified endpoint was /clients, with multiple instances of likely exfiltrated data from multiple IP addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address, followed by the size and the exfiltration date and time. While our analysis confirms the data to be sent to the Telegram bot, we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.\r\nAnalysis of Stealer Logs\r\nOur source was able to exfiltrate the stealer logs from the web panel for analysis. One of the log files was from the test machine, with lots of screenshots which the operators might have used for testing the malware. One screenshot shows anti-reversing tools being killed using Command Prompt. Another screenshot shows the same process using PowerShell. 
As the malware has screen capture capabilities, it is assumed that the malware captured these screenshots during the infection (likely on the test machine).\r\n\r\nThe process of killing anti-reversing tools\r\nAnother screenshot reveals the use of a Telegram bot in the stealer malware as the C2 communication channel.\r\nUsing Telegram bot for C2 servers\r\nMalware Delivery Mechanism\r\n\r\nThe malware is being distributed through YouTube videos, a commonly seen malware delivery mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been a 200-300% month-on-month increase in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions.\r\nTechnical Analysis\r\nBandit Stealer, a newly discovered information stealer, showcases advanced capabilities and evasive techniques. Written in Go, it employs various methods to evade detection by debugging tools and virtual machine environments, keeping its operations covert.\r\nTo avoid analysis and hinder reverse engineering, Bandit Stealer actively checks for the presence of debuggers using API calls such as IsDebuggerPresent and CheckRemoteDebuggerPresent. Furthermore, it can detect sandbox environments and shuts itself down if one is detected, thereby eluding analysis attempts. 
The malware even terminates reverse engineering tools that could potentially interfere with its functionality.\r\nNotably, Bandit Stealer has been observed spreading through YouTube videos to reach a mass audience.\r\nTo establish persistence on infected systems, the malware creates an autorun registry entry named \"Bandit Stealer.\" This ensures that the malicious code runs each time the machine boots.\r\n\r\nCollected PC, User, and IP Information\r\nThe stealer is designed to obtain valuable information from PCs and users. It discreetly collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer.\r\nThe stealer employs a curated blacklist obtained from an external URL, in some instances a Pastebin URL, and stores it in C:\\Users\\USERNAME\\AppData\\Roaming\\blacklist.txt; the file is deleted once the stealer finishes execution. This blacklist plays a crucial role in determining whether the stealer is running within a sandbox/virtual environment or on an actual system. 
Additionally, it aids in identifying specific processes and reversing tools that the stealer aims to terminate in order to thwart any potential analysis or reverse engineering attempts.\r\nBlacklisted IP Addresses:\r\n\r\nBlacklisted MAC Addresses:\r\nThe list of blacklisted HWIDs:\r\n\r\nBlacklisted PC Users and Names:\r\nInformation Stealing \u0026 C2 Server Communication\r\nBandit steals web browser data, including saved login information, cookies, browsing history and credit card details stored within the browser's user profile.\r\n\r\nList of Target Browsers\r\nChrome Browser, Iridium Browser, 7Star Browser, Vivaldi Browser, Yandex Chrome, Orbitum, Orbitum, uCozMedia, Microsoft Edge, Torch Web Browser, Kometa Browser, CentBrowser, BraveSoftware, Amigo Browser, Epic Privacy Browser, SeaMonkey browser, QupZilla\r\nThe malware also targets a large list of digital cryptocurrency wallets.\r\nList of Cryptocurrency Wallets\r\nCoinbase wallet extension, Saturn Wallet extension, MetaMask extension, Bither Bitcoin wallet, Binance chain wallet extension, Coin98 Wallet, ronin wallet extension, multidoge coin, TronLink Wallet, multibit Bitcoin, Kardiachain wallet extension, LiteCoin, Terra Station, Electron Cash, Jaxx liberty Wallet, Dash Wallet, Guildwallet extension, Electrum-btcp, Math Wallet extension, Ethereum, Bitpay wallet extension, Exodus, Nifty Wallet extension, Atomic, Armory, Bytecoin Wallet, Coinomi wallet, Monero wallet, dogecoin\r\nHere is an example of Firefox cookies captured by Bandit Stealer.\r\nTheft of browser cookies by Bandit Stealer\r\nThe collected data is then packaged into a ZIP file and exfiltrated to the C2 server, which points to the Telegram server (149.154.167.220).\r\n\r\nData exfiltration to the C2 server belonging to Telegram (149.154.167.220)\r\nSource: https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure"
	],
	"report_names": [
		"breaking-into-the-bandit-stealer-malware-infrastructure"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ef9968775c25582c441e660f2b93014db42ae38.pdf",
		"text": "https://archive.orkl.eu/8ef9968775c25582c441e660f2b93014db42ae38.txt",
		"img": "https://archive.orkl.eu/8ef9968775c25582c441e660f2b93014db42ae38.jpg"
	}
}