{
	"id": "cc8fba90-b6be-4ec1-b26d-3f7f603e7b7d",
	"created_at": "2026-04-06T00:15:14.052404Z",
	"updated_at": "2026-04-10T03:36:47.915812Z",
	"deleted_at": null,
	"sha1_hash": "95e0b77e3ae7e28ee0f76b8a9d58a4daff9abe52",
	"title": "SHurk Steal Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3695839,
	"plain_text": "SHurk Steal Malware\r\nBy Tomas Meskauskas\r\nPublished: 2025-06-09 · Archived: 2026-04-05 22:54:31 UTC\r\nhttps://www.pcrisk.com/removal-guides/21513-shurk-steal-malware\r\nWhat is SHurk Steal malware?\r\nSHurk Steal is a piece of malicious software designed to steal sensitive information. It is written in the C++ programming language and is sold on a hacker forum for 400 rubles per week, 900 rubles per month, or a one-time fee of 3000 rubles. SHurk Steal targets Windows operating systems.\r\nSHurk Steal in detail\r\nSHurk Steal is advertised as an easy-to-use information stealer capable of stealing cookies, passwords, credit card details, and autofill data from browsers built on the Chromium codebase. It can also steal cryptocurrency wallets that are not connected to the internet (cold wallets), wallet files, and IP addresses, and hijack Telegram sessions.\r\nTypically, cybercriminals use malware like SHurk Steal to steal login credentials, credit card details, and other information that can be used to take over personal accounts (for example, email, social media, and banking accounts) and crypto wallets; the stolen access is then used to distribute other malware, steal identities and money, and make fraudulent purchases and transactions.\r\nTherefore, users who install malware like SHurk Steal become victims of identity theft, suffer monetary loss, lose access to their personal accounts, get their computers infected with ransomware, cryptocurrency miners, Trojans, or other malicious software, and encounter problems related to browsing safety, online privacy, or other issues.\r\nIt is important to mention that the cybercriminals behind SHurk Steal may use stolen information for personal gain, sell it to third parties, or both. One way or another, users whose computer is infected with SHurk Steal are likely to encounter financial and other problems. 
Therefore, this malware should be uninstalled from infected systems immediately. Removal alone does not undo the theft: because the stealer has already sent out passwords, cookies and session data, the affected account passwords should then be changed, and browser and Telegram sessions revoked, from a clean device.\r\nThreat Summary:\r\nName: SHurk Steal information stealer\r\nThreat Type: Information stealer, password-stealing virus\r\nDetection Names: Avast (Win32:Trojan-gen), Combo Cleaner (Trojan.GenericKD.46749892), ESET-NOD32 (A Variant Of Win32/PSW.Agent.OKX), Kaspersky (Trojan-PSW.Win32.Agent.tnky), Microsoft (Trojan:Win32/Casdet!rfn), Full List (VirusTotal)\r\nSymptoms: Most information stealers are designed to stealthily infiltrate the victim's computer and remain silent, so no particular symptoms are clearly visible on an infected machine.\r\nDistribution methods: Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.\r\nDamage: Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.\r\nMalware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. To use the full-featured product, you have to purchase a license for Combo Cleaner. A 7-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.\r\nInformation stealers in general\r\nInformation stealers like SHurk Steal are used to collect data that can be used to steal money and online accounts and to reach even more personal information. More examples of information stealers are Mars Stealer, FickerStealer, and Bloody Stealer. Distribution methods for malicious programs are described below.\r\nHow did SHurk Steal infiltrate my computer?\r\nIt is common for information stealers and other malicious programs to be distributed via emails. 
Recipients install malware by opening malicious files or website links in emails sent by cybercriminals. Typically, cybercriminals send malicious Microsoft Office documents, executable files (like EXE), RAR, ZIP and other archive files, JavaScript files, or PDF documents.\r\nAnother way to distribute malware is to trick users into using fake software updaters. Those updaters are disguised as tools that fix or update installed software. However, they never update or fix anything: they either install malware outright or infect systems by exploiting bugs and flaws in outdated programs installed on them.\r\nTrojans are malicious programs that can be used to distribute malware too. Usually, Trojans are distributed in the ways described in this section. As a rule, they are disguised as legitimate programs. Once installed, they can infect computers with additional malware.\r\nFiles downloaded via third-party downloaders, free file hosting or freeware download websites, Peer-to-Peer networks like torrent clients, eMule, and so on, can be malicious as well. Users cause the installation of malware by downloading and executing those files. Typically, they are disguised as legitimate, regular, harmless files.\r\nSoftware cracking tools are illegal programs that are supposed to activate licensed software without payment. It is common, however, for their users to infect their computers with malware; in other words, cracking tools are often bundled with malware.\r\nHow to avoid installation of malware?\r\nFiles and programs should be downloaded from legitimate, trustworthy pages and via direct download links. 
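One concrete way to apply that advice before running a downloaded installer, as an added example written for this page rather than guidance from PCRisk: the PowerShell function below reads the Zone.Identifier stream that browsers attach to downloads (the Mark of the Web) to show where the file came from, compares the file's SHA-256 with a hash the vendor published, and checks that the Authenticode signature verifies and names the expected publisher. The file path (Downloads/setup.exe), the expected hash and the publisher name (Example Vendor Ltd) are placeholders you replace with values from the vendor's official page; nothing in it is specific to SHurk Steal.

```powershell
# Added example, not from PCRisk: checks to run on a downloaded installer before
# executing it. $Path, $ExpectedSha256 and $ExpectedPublisher are values you take
# from the vendor's official download page; nothing here is specific to SHurk Steal.
function Test-Download {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,     # SHA-256 published by the vendor, if any
        [string] $ExpectedPublisher   # subject name the vendor signs its releases with
    )
    $ok = $true

    # 1. Origin: browsers attach a Zone.Identifier stream (ZoneId=3 means Internet);
    #    recent Windows builds also record the download and referrer URLs there.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $zone | Where-Object { $_ -match '^(ZoneId|HostUrl|ReferrerUrl)=' } |
            ForEach-Object { Write-Host ('  origin: ' + $_) }
    } else {
        Write-Host '  origin: no Mark of the Web (unpacked from an archive, P2P client or removable media?)'
    }

    # 2. Integrity: compare with the hash the vendor published (Get-FileHash returns upper-case hex).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host ('  sha256: ' + $actual)
    if ($ExpectedSha256 -and ($actual -ne $ExpectedSha256.ToUpperInvariant())) {
        Write-Host '  FAIL: hash does not match the published value'
        $ok = $false
    }

    # 3. Authenticity: the Authenticode chain must verify and the signer must be the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    Write-Host ('  signature: ' + $sig.Status)
    if ($sig.Status -ne 'Valid') {
        Write-Host ('  FAIL: unsigned or broken signature (' + $sig.StatusMessage + ')')
        $ok = $false
    } else {
        # SimpleName is the CN of the signing certificate's subject.
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        Write-Host ('  signer: ' + $signer)
        if ($ExpectedPublisher -and ($signer -ne $ExpectedPublisher)) {
            Write-Host '  FAIL: signed, but by a different publisher'
            $ok = $false
        }
    }
    return $ok
}

# Usage with placeholder values; refuse to run the file if any check failed.
$installer = Join-Path $env:USERPROFILE 'Downloads/setup.exe'
if (Test-Path -LiteralPath $installer) {
    if (-not (Test-Download -Path $installer -ExpectedPublisher 'Example Vendor Ltd')) {
        Write-Warning ('do not run ' + $installer)
    }
}
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on Windows. A file that was unpacked from an archive or copied from a USB stick carries no Zone.Identifier stream, which is itself worth noticing: the browser's own download protections never applied to it. A valid signature from an unexpected publisher is the case that matters most here, since malware bundled with a cracked installer is sometimes signed, just not by the vendor whose product it claims to be.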
Files or programs downloaded via Peer-to-Peer networks, third-party downloaders, unofficial pages, free file hosting sites etc., or programs installed via third-party installers can be malicious.\r\nThe operating system and the programs installed on it should be updated and activated only with the functions or tools designed and provided by their official developers. Software cracking tools and third-party updaters can be designed to install malware. Moreover, it is not legal to use cracked software or cracking tools to activate it.\r\nAttachments and website links in irrelevant emails sent from suspicious, unknown addresses should not be opened. Pretty often, links or files in emails of this kind are used to deliver malware. It is important to know that emails used to deliver malware often look like emails from legitimate companies.\r\nThe operating system should be scanned for threats regularly. It is recommended to scan it with reputable antivirus or anti-spyware software. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.\r\nAppearance of the hacker forum used to promote SHurk Steal malware (GIF):\r\nInstant automatic malware removal:\r\nManual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware.\r\nBy downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. 
A 7-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.\r\nQuick menu:\r\nWhat is SHurk Steal?\r\nSTEP 1. Manual removal of SHurk Steal malware.\r\nSTEP 2. Check if your computer is clean.\r\nHow to remove malware manually?\r\nManual malware removal is a complicated task; usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.\r\nIf you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:\r\nIf you checked the list of programs running on your computer, for example, using Task Manager, and identified a program that looks suspicious, you should continue with these steps:\r\nDownload a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:\r\nRestart your computer into Safe Mode:\r\nWindows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer's start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, and then select Safe Mode with Networking from the list.\r\nVideo showing how to start Windows 7 in \"Safe Mode with Networking\":\r\nWindows 8 users: Start Windows 8 in Safe Mode with Networking: go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. 
Click Advanced startup options; in the opened \"General PC Settings\" window, select Advanced startup.\r\nClick the \"Restart now\" button. Your computer will now restart into the \"Advanced Startup options\" menu. Click the \"Troubleshoot\" button, and then click the \"Advanced options\" button. In the advanced options screen, click \"Startup settings\".\r\nClick the \"Restart\" button. Your PC will restart into the Startup Settings screen. Press F5 to boot into Safe Mode with Networking.\r\nVideo showing how to start Windows 8 in \"Safe Mode with Networking\":\r\nWindows 10 users: Click the Windows logo and select the Power icon. In the opened menu click \"Restart\" while holding the \"Shift\" key on your keyboard. In the \"Choose an option\" window click \"Troubleshoot\", then select \"Advanced options\".\r\nIn the advanced options menu select \"Startup Settings\" and click the \"Restart\" button. In the following window press the \"F5\" key on your keyboard. This will restart your operating system in Safe Mode with Networking.\r\nVideo showing how to start Windows 10 in \"Safe Mode with Networking\":\r\nExtract the downloaded archive and run the Autoruns.exe file.\r\nIn the Autoruns application, click \"Options\" at the top and uncheck the \"Hide Empty Locations\" and \"Hide Windows Entries\" options. 
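The check that Autoruns performs in the next steps (listing every autostart entry and locating the malicious one) can also be done from an elevated PowerShell prompt, which helps when Autoruns cannot be downloaded onto the infected machine. The script below is an added example written for this page, not code from PCRisk, Sysinternals or the malware's authors: it enumerates the Run and RunOnce keys of the current user and the machine, the two Startup folders and every enabled scheduled task, flags entries whose executable lives in a user-writable directory or fails Authenticode verification, and prints each target's SHA-256 for a VirusTotal lookup. The location list and the heuristics are this example's assumptions; the page does not describe how SHurk Steal persists, so treat a flagged entry as a lead to investigate, not as a verdict.

```powershell
# Added example, not from PCRisk or Sysinternals: quick autostart triage.
# Run from an elevated PowerShell prompt. The locations and heuristics are this
# example's assumptions; the page does not say how SHurk Steal persists.

$runKeys = @(
    'HKCU:/Software/Microsoft/Windows/CurrentVersion/Run',
    'HKCU:/Software/Microsoft/Windows/CurrentVersion/RunOnce',
    'HKLM:/Software/Microsoft/Windows/CurrentVersion/Run',
    'HKLM:/Software/Microsoft/Windows/CurrentVersion/RunOnce',
    'HKLM:/Software/WOW6432Node/Microsoft/Windows/CurrentVersion/Run'
)
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft/Windows/Start Menu/Programs/Startup'),
    (Join-Path $env:ProgramData 'Microsoft/Windows/Start Menu/Programs/StartUp')
)
# Directories a user-level dropper can write to without elevation.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:USERPROFILE) |
    Where-Object { $_ }

# Extract the executable from a command line: a quoted path, a plain path, or a
# bare name such as rundll32 that resolves through PATH.
function Get-ExePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $quote = [string][char]34
    if ($cl.StartsWith($quote)) {
        $end = $cl.IndexOf($quote, 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $first = $cl.Split(' ')[0]
    if (Test-Path -LiteralPath $first -PathType Leaf) { return $first }
    $cmd = Get-Command $first -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) { return @($cmd)[0].Source }
    return $first
}

function Test-AutostartEntry([string]$Source, [string]$Name, [string]$CommandLine) {
    $exe = Get-ExePath $CommandLine
    $reasons = @()
    foreach ($dir in $userWritable) {
        if ($exe -and $exe.StartsWith($dir, 'OrdinalIgnoreCase')) { $reasons += 'user-writable path'; break }
    }
    $hash = $null
    $status = 'n/a'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $status = [string]$sig.Status
        if ($sig.Status -ne 'Valid') { $reasons += ('signature ' + $status) }
    } elseif ($exe) {
        $reasons += 'target missing'   # dangling entry, often left behind by removed malware
    }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Target    = $exe
        Signature = $status
        Flag      = ($reasons -join '; ')
        SHA256    = $hash
    }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $entries += Test-AutostartEntry $key $p.Name ([string]$p.Value) }
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
        $entries += Test-AutostartEntry 'Startup folder' $f.Name $f.FullName
    }
}
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }   # skip COM-handler and message actions
        $cl = $a.Execute
        if ($a.Arguments) { $cl += ' ' + $a.Arguments }
        $entries += Test-AutostartEntry ('Task ' + $task.TaskPath + $task.TaskName) $task.TaskName $cl
    }
}

# Flagged entries first; paste the SHA256 into the VirusTotal search box.
$entries | Sort-Object { [string]::IsNullOrEmpty($_.Flag) } |
    Format-Table Source, Name, Target, Signature, Flag, SHA256 -AutoSize -Wrap
```

Legitimate software is often unsigned or runs from AppData, so compare a flagged entry's hash against VirusTotal and the vendor's site before deleting anything, in the same spirit as the warning below about not removing system files. The script covers only the most common autostart locations; Autoruns also checks services, drivers, WMI subscriptions, Winlogon and Explorer hooks and more, so it complements the Autoruns step rather than replacing it.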
After this procedure, click the \"Refresh\" icon.\r\nCheck the list provided by the Autoruns application and locate the malware file that you want to eliminate.\r\nYou should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right-click its name and choose \"Delete\".\r\nAfter removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.\r\nReboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.\r\nThese steps might not work with advanced malware infections. As always, it is better to prevent infection than to try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.\r\nSource: https://www.pcrisk.com/removal-guides/21513-shurk-steal-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.pcrisk.com/removal-guides/21513-shurk-steal-malware"
	],
	"report_names": [
		"21513-shurk-steal-malware"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95e0b77e3ae7e28ee0f76b8a9d58a4daff9abe52.pdf",
		"text": "https://archive.orkl.eu/95e0b77e3ae7e28ee0f76b8a9d58a4daff9abe52.txt",
		"img": "https://archive.orkl.eu/95e0b77e3ae7e28ee0f76b8a9d58a4daff9abe52.jpg"
	}
}