{
	"id": "8a3604ad-bc54-468f-890d-4d9a77a10ce1",
	"created_at": "2026-04-06T00:10:54.264401Z",
	"updated_at": "2026-04-10T03:37:09.406476Z",
	"deleted_at": null,
	"sha1_hash": "b3c727ce6207aa4211611a320fd44bfb07d821f7",
	"title": "The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1385103,
	"plain_text": "The Titan Stealer: Notorious Telegram Malware Campaign -\r\nUptycs\r\nBy Karthickkumar Kathiresan\r\nPublished: 2023-01-23 · Archived: 2026-04-05 22:35:18 UTC\r\nResearch by: Karthickkumar Kathiresan and Shilpesh Trivedi\r\nThe Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is\r\nbeing marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is\r\ncapable of stealing a variety of information from infected Windows machines, including credential data from\r\nbrowsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.\r\nThe TA has posted a screenshot of the builder tool for the malware, which includes options for targeting/stealing\r\nspecific types of information, such as browser data, crypto wallet information, FTP client details, and Telegram\r\nplugins. The builder also includes options for collecting specific file types from the victim's machine.\r\nFigure 1 - Titan stealer builder\r\nMalware Operation\r\nThe figure illustrates the malicious operation followed by the Titan Stealer malware.\r\nhttps://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign\r\nPage 1 of 12\n\nFigure 2 - Titan Stealer workflow\r\nTechnical Analysis\r\nStage 1\r\nFigure 3 - Initial Titan Stealer binary\r\nThe analyzed binary is a 32-bit executable compiled with GCC. Figure 3 above shows information about the\r\ndifferent sections in the binary. The second section named \".data,\" has a larger raw size compared to the other\r\nsections and contains encrypted data for the Titan Stealer.\r\nWhen the binary is executed, it decrypts the XOR-encoded payload in the same memory region, which is a\r\nGolang-compiled binary. 
The binary (stage 1) then uses a process-hollowing technique to inject itself into a\r\nlegitimate target process called \"AppLaunch.exe.\"\r\nFigure 4 - Decryption loop and the dumped payload binary\r\nThe screenshot below shows the process chain of Titan Stealer.\r\nFigure 5 - Process chain\r\nStage 2\r\nThe stage 2 binary is a 32-bit executable that starts running from the memory region of the \"AppLaunch.exe\"\r\nprocess after it has been successfully injected. The build ID of the Golang-compiled binary is also provided.\r\nFigure 6 - Go build ID\r\nBrowser Information\r\nThe malware attempts to read all the files in the \"User Data\" folder of various browsers using the CreateFile API,\r\nin order to steal information such as credentials, autofill states, browser metrics, crashpad data, crowd deny data,\r\ncache data, code cache data, extension state data, GPU cache data, local storage data, platform notifications data,\r\nsession storage data, site characteristics database data, storage data, and sync data.\r\nThe FindFirstFileW API is a function in the Windows operating system that allows a program to search for a file\r\nin a directory or subdirectory. 
It can be used to enumerate all the files in a directory, including hidden files.\r\nMalware can use the FindFirstFileW API to search for specific files or directories on the system, such as the\r\ndirectories where browsers are installed.\r\nFigure 7 - Enumerated folder shown in the Uptycs UI\r\nThe malware targets specific browser directories on a system to identify and potentially attack the installed\r\nbrowsers.\r\n%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\\r\n%USERPROFILE%\\AppData\\Local\\Chromium\\\r\n%USERPROFILE%\\AppData\\Local\\Yandex\\YandexBrowser\\\r\n%USERPROFILE%\\AppData\\Roaming\\Opera Software\\Opera Stable\\\r\n%USERPROFILE%\\AppData\\Local\\BraveSoftware\r\n%USERPROFILE%\\AppData\\Local\\Vivaldi\\\r\n%USERPROFILE%\\AppData\\Local\\Microsoft\\Edge\\\r\n%USERPROFILE%\\AppData\\Local\\7Star\\7Star\\\r\n%USERPROFILE%\\AppData\\Local\\Iridium\\\r\n%USERPROFILE%\\AppData\\Local\\CentBrowser\\\r\n%USERPROFILE%\\AppData\\Local\\Kometa\\\r\n%USERPROFILE%\\AppData\\Local\\Elements Browser\\\r\n%USERPROFILE%\\AppData\\Local\\Epic Privacy Browser\\\r\n%USERPROFILE%\\AppData\\Local\\uCozMedia\\Uran\\\r\n%USERPROFILE%\\AppData\\Local\\Coowon\\Coowon\\\r\n%USERPROFILE%\\AppData\\Local\\liebao\\\r\n%USERPROFILE%\\AppData\\Local\\QIP Surf\\\r\n%USERPROFILE%\\AppData\\Local\\Orbitum\\\r\n%USERPROFILE%\\AppData\\Local\\Amigo\\User\\\r\n%USERPROFILE%\\AppData\\Local\\Torch\\\r\n%USERPROFILE%\\AppData\\Local\\Comodo\\\r\n%USERPROFILE%\\AppData\\Local\\360Browser\\Browser\\\r\n%USERPROFILE%\\AppData\\Local\\Maxthon3\\\r\n%USERPROFILE%\\AppData\\Local\\Nichrome\\\r\n%USERPROFILE%\\AppData\\Local\\CocCoc\\Browser\\\r\n%USERPROFILE%\\AppData\\Roaming\\Mozilla\\Firefox\\\r\nCrypto Wallet\r\nTitan Stealer 
targets the following cryptocurrency wallets and collects information from them, sending it to the\r\nattacker's server.\r\nEdge Wallet\r\nCoinomi\r\nEthereum\r\nZcash\r\nArmory\r\nbytecoin\r\nSensitive Information\r\nTelegram - Reading data from the Telegram desktop app\r\nFilezilla - Reading FTP client details\r\nThe malware collects various types of logs from the infected machine, including browser information such as\r\ncredentials, cookies, and history, as well as data from crypto wallets and FTP clients. Titan Stealer transmits\r\ninformation to a command and control server using base64-encoded archive file formats as shown in Figure 8\r\nbelow.\r\nFigure 8 - Sending data to C2\r\nTitan Stealer OSINT\r\nThe threat actor is advertising and selling Titan Stealer through a Russian-based Telegram channel\r\n(https[:]//t.me/titan_stealer). The author shares updates and bug fixes frequently as shown in Figure 9. This may be\r\na sign that they are actively maintaining and distributing the malware.\r\nFigure 9 - Telegram channel\r\nThe threat actor has access to a separate panel that allows them to view the login activities and other data of a\r\nvictim. 
This type of activity is often associated with cybercrime and can have serious consequences for both the\r\nvictim and the attacker.\r\nFigure 10 - Login panel of Titan Stealer\r\nFigure 11 - Titan Stealer Dashboard\r\nA Shodan query could be used to identify and track the activity of the Titan Stealer as shown in Figure 12.\r\nShodan Query: http.html:\"Titan Stealer\"\r\nFigure 12 - Shodan query\r\nConclusion: Detect \u0026 Block Titan Stealer Attacks\r\nTo defend against malware attacks like the Titan Stealer, it is recommended to:\r\nUpdate passwords regularly to reduce the risk of a large-scale attack\r\nAvoid downloading applications from untrusted sites\r\nAvoid clicking on URLs or attachments in spam emails\r\nEnterprises should also implement tight security controls and multi-layered visibility and security solutions to\r\nidentify and detect such malware. For example, Uptycs’ EDR (Endpoint Detection and Response) correlation\r\nengine is able to detect the Titan Stealer's activity by using behavioral rules and YARA process scanning\r\ncapabilities.\r\nUptycs EDR Detection\r\nUptycs EDR customers can easily scan for Titan Stealer since Uptycs EDR is armed with YARA process scanning\r\nand advanced detections. Additionally, Uptycs EDR contextual detection provides important details about the\r\nidentified malware. 
Users can navigate to the toolkit data section in the detection alert and click on the name to\r\nfind out the behavior as shown below (Figure 13 \u0026 14).\r\nFigure 13 - Process tree for the malware in an Uptycs EDR detection\r\nFigure 14 - Uptycs EDR detection UI showing Titan Stealer YARA rule match\r\nMITRE ATT\u0026CK Techniques for Titan Stealer\r\nTactic Technique ID Technique Name\r\nDefense Evasion T1055.012 Process Hollowing\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1082 System Information Discovery\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nIOCs\r\nFile name Md5 hash\r\nStage 1 e7f46144892fe5bdef99bdf819d1b9a6\r\nStage 2 b10337ef60818440d1f4068625adfaa2\r\nRelated Hashes:\r\nMd5 hashes File Type\r\n82040e02a2c16b12957659e1356a5e19 Executable\r\n1af2037acbabfe804a522a5c4dd5a4ce Executable\r\n01e2a830989de3a870e4a2dac876487a Executable\r\na98e68c19c2bafe9e77d1c00f9aa7e2c Executable\r\n7f46e8449ca0e20bfd2b288ee6f4e0d1 Executable\r\n78601b24a38dd39749db81a3dcba52bd Executable\r\nb0604627aa5e471352c0c32865177f7a Executable\r\n1dbe3fd4743f62425378b840315da3b7 Executable\r\n5e79869f7f8ba836896082645e7ea797 Executable\r\n2815dee54a6b81eb32c95d42afae25d2 Executable\r\nDomain/URL:\r\nhttp[:]//77.73.133.88[:]5000\r\nhttp[:]//77.73.133.88[:]5000/sendlog\r\nSource: https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign"
	],
	"report_names": [
		"titan-stealer-telegram-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3c727ce6207aa4211611a320fd44bfb07d821f7.pdf",
		"text": "https://archive.orkl.eu/b3c727ce6207aa4211611a320fd44bfb07d821f7.txt",
		"img": "https://archive.orkl.eu/b3c727ce6207aa4211611a320fd44bfb07d821f7.jpg"
	}
}