Breaking into the Bandit Stealer Malware Infrastructure
By Bablu Kumar
Published: 2025-08-21 · Archived: 2026-04-05 18:52:45 UTC
Analysis and Attribution
CloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware
on a Russian-speaking underground forum where a threat actor vouched for it.
CloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of
which went down in a span of 24 hours. All of these IP addresses were running on port 8080.
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 1 of 12

Results from URLScan.io
Bandit Web Panel Analysis
Our source identified a few website endpoints that allowed access to the website’s internal system without
entering the credentials due to a misconfiguration on the website.
Login page of Bandit Stealer web panel
Nothing particularly significant can be noted on the dashboard except a menu for options such as Builder and
Results.
Dashboard interface of the malware panel
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 2 of 12

The Builder page shows the options for building a customized version of Bandit Stealer malware. And, in the
stealer operation, threat actors utilize key elements to carry out their activities:
Communication Channel: ChatID, Bot Token, and Server IP are utilized to establish a secure connection
with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users,
such as compromised credentials and screenshots.
Cryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer
cryptocurrency amounts to the threat actor’s wallet.
Loader URL: The Loader URL serves as a mechanism for distributing the malware. For instance, in
malvertising campaigns, a hidden JavaScript code operates in the background and is responsible for
dropping the executable malware file onto the victim's system. This URL is a crucial component in the
initial infection process.
FileName: The FileName refers to the name assigned to the executable malware file. This file contains the
malicious code responsible for the intended actions, such as data theft and exfiltration.
Malware builder panel used for generating executable
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 3 of 12

One of the discovered endpoints was /builds that had all the Bandit Stealer builder that had been generated so far
by this particular panel. Our source was able to acquire them for further analysis.
Next, another identified endpoint was /clients with multiple instances of likely exfiltrated data from multiple IP
addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address,
followed by size and the exfiltration date and time. While our analysis confirms the data to be sent to the
Telegram bot, but we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.
Analysis of Stealer Logs
Our source was able to exfiltrate the stealer logs from their web panel for Analysis. One of the log files was from
the test machine with lots of screenshots which they might have used for testing the malware. The screenshot
shows the process of anti-reversing tools being killed using Command Prompt. The other screenshot shows the
same process using PowerShell. As the malware has screen capture capabilities, it is assumed that the malware
have captured these screenshots during the infection (likely on the test machine).
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 4 of 12

The process of killing anti-reversing tools
Another screenshot reveals the usages of a Telegram bot in the stealer malware as the C2 communication channel. 
Using Telegram bot for C2 servers
Malware Delivery Mechanism 
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 5 of 12

The malware is being distributed through YouTube videos which is a commonly seen malware delivery
mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been
a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar,
RedLine, and Raccoon in their descriptions. 
Technical Analysis 
Bandit Stealer, a newly discovered form of information stealer malware, showcases advanced capabilities and
evasive techniques. Written in the Go language, it employs various methods to circumvent detection by debugging
tools and virtual machine environments, ensuring its covert operations remain undetected.
To avoid analysis and hinder reverse engineering efforts, Bandit Stealer employs clever tactics. It actively checks
for the presence of debuggers using techniques like IsDebuggerPresent and CheckRemoteDebuggerPresent.
Furthermore, it possesses the ability to detect sandbox environments, swiftly shutting itself down if such
environments are detected, thereby eluding analysis attempts. The malware even terminates reverse engineering
tools that could potentially interfere with its functionality.
Notably, Bandit Stealer has been observed spreading through YouTube videos to reach mass users.
In order to establish persistence on infected systems, the malware creates an autorun registry entry, named "Bandit
Stealer." By doing so, it ensures that the malicious code runs each time the machine is booted up.
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 6 of 12

Collected PC, User, and IP Information 
The stealer is designed to obtain valuable information from PCs and users. It discreetly collects data such as PC
and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers,
FTP applications, and digital wallets. The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file
for easy transfer. 
The Stealer employs a curated blacklist obtained from an external URL, in some instances a Pastebin URL, and
stores it in C:\Users\USERNAME\AppData\Roaming\blacklist.txt and the file gets deleted once the stealer
finishes execution. This blacklist serves a crucial role in determining whether the Stealer is running within a
sandbox/virtual environment or on an actual system. Additionally, it aids in identifying specific processes and
reversing tools that the Stealer aims to terminate in order to thwart any potential analysis or reverse engineering
attempts.
Blacklisted IP Addresses:
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 7 of 12

Blacklisted Mac Addresses:
The list of blacklisted HWIDs:
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 8 of 12

Blacklisted PC User and Names:
Information Stealing & C2 Server Communication
Bandit steals web browser data that includes the theft of saved login information, crucial cookies, browsing
history and sensitive credit card details stored within the browser's user profile.
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 9 of 12

List of Target Browsers
Chrome Browser Iridium Browser 7Star Browser Vivaldi Browser
Yandex Chrome Orbitum Orbitum uCozMedia
Microsoft Edge Torch Web Browser Kometa Browser CentBrowser
BraveSoftware Amigo Browser Epic Privacy Browser SeaMonkey browser
QupZilla
The malware also targets a large list of digital cryptocurrency wallets.
List of Cryptocurrency Wallets
Coinbase wallet
extension
Saturn Wallet extension MetaMask extension Bither Bitcoin wallet
Binance chain
wallet extension
Coin98 Wallet ronin wallet extension multidoge coin
TronLink Wallet multibit Bitcoin
Kardiachain wallet
extension
LiteCoin
Terra Station Electron Cash Jaxx liberty Wallet Dash Wallet
Guildwallet
extension
Electrum-btcp Math Wallet extension Ethereum
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 10 of 12

Bitpay wallet
extension
Exodus Nifty Wallet extension Atomic
Armory Bytecoin Wallet Coinomi wallet Monero wallet
dogecoin
Here is an example of captured Firefox cookies by the Bandit Stealer.
Theft of browser cookies by Bandit Stealer
The collected data is then packaged up into a ZIP file and then exfiltrated to the C2 server which points to the
Telegram server (149.154.167.220).
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 11 of 12

Data exfiltration to the C2 server belonging to Telegram (149.154.167.220)
Source: https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure
Page 12 of 12