{
	"id": "b09ae204-5507-432f-82ec-a6779c45cf1e",
	"created_at": "2026-04-06T00:09:22.650832Z",
	"updated_at": "2026-04-10T03:20:52.065799Z",
	"deleted_at": null,
	"sha1_hash": "b5fd5552e031ed55ced596e5702dcf5cb009a7fe",
	"title": "VILSA STEALER - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2662087,
	"plain_text": "VILSA STEALER - CYFIRMA\r\nArchived: 2026-04-05 16:18:09 UTC\r\nPublished On: 2024-10-04\r\nEXECUTIVE SUMMARY\r\nCYFIRMA is committed to providing timely insights into emerging threats, including the newly identified “Vilsa Stealer” found on GitHub. This sophisticated malware is notable for its speed and reliability in extracting sensitive data, such as browser credentials and tokens. With its user-friendly interface and robust security bypass capabilities, the Vilsa Stealer stands out as a leading tool for discreet data collection.\r\nINTRODUCTION\r\nA new stealer known as “Vilsa” has been discovered on GitHub. It is both user-friendly and powerful, featuring advanced security bypass capabilities that make it a formidable tool for covert data collection. Stealers are a class of malware designed to target system and personal information. They can extract a broad range of sensitive data from applications on victims’ devices, including web browser data such as browsing history, bookmarks, auto-fill data, cookies, passwords, and MetaMask. 
Additionally, they can harvest login credentials, personally identifiable information, financial details, and other critical data from various applications.\r\nhttps://www.cyfirma.com/research/vilsa-stealer/\r\nPage 1 of 15\r\nKEY FINDINGS\r\nSteals Discord info, browser data, cookies, passwords, crypto wallets, Steam, Telegram, and more.\r\nSupports major browsers and 40+ crypto wallets.\r\nThe language used is Python.\r\nAn encryption method is used to mask the runtime behavior of the malware.\r\nBEHAVIORAL ANALYSIS\r\nFile name: VilsaStealer.exe\r\nFile Size: 16.19MB\r\nFile Type: Win32 EXE\r\nSigned: Not signed\r\nMD5 Hash: 2b4df2bc6507f4ba7c2700739da1415d\r\nSHA 256: f5c5845e5531ed7a9f39fd665fb712baa557799b4a6bd9e92c7ef76d43eb5064\r\nFirst seen in the wild: September 2024\r\nSOURCE CODE ANALYSIS\r\nBrowser Extensions:\r\nThe code is designed to target and steal cryptocurrency wallet information by exploiting browser extensions. It may specifically look for sensitive data associated with popular wallet extensions in order to extract valuable information.\r\nAdding into the Startup Folder:\r\nThis code checks whether the script is running in a frozen state (such as when packaged with a tool like PyInstaller). Based on that state, it determines the current file’s path and constructs the full paths to the script and to the Windows Startup folder. If the script is not already in the Startup folder, it copies itself there, so that it runs automatically every time the user starts the computer (making it persistent even after being closed). In simple terms, the code sets up the script to launch on startup if it is not already doing so.\r\nAnti-Analysis Part:\r\nThe code defines a function called check_windows, which monitors open windows on a Windows system and terminates certain processes. 
It uses the Windows API to list all open windows and check their titles against a predefined list of names associated with debugging or reverse engineering tools, such as “process hacker” or “wireshark”. If a window title matches one from the list, the code retrieves the process ID of that window, attempts to open it, and then forcibly terminates it. This loop runs continuously, checking for these specific windows every half-second. If a matching process is found and terminated, the program triggers an exit function with a message indicating that a debugger was detected.\r\nANTI-VM:\r\nThe code defines two functions, check_registry and check_dll, to detect whether the system is running in a virtual machine (VM).\r\nIn check_registry, it looks in the Windows registry for any subkeys that start with “VMWARE” under a specific path related to IDE devices. If it finds one, it triggers an exit function with a message indicating that a VM was detected.\r\nIn check_dll, the function checks for the presence of specific DLL files (vmGuestLib.dll and vboxmrxnp.dll) that are commonly associated with virtual machines. If either file is found, it also calls the exit function with the same VM detection message.\r\nThese functions help identify whether the program is running in a virtual environment by checking the registry and looking for certain files; if so, they stop the program and alert the user.\r\nUsing the GoFile API to Upload and Send Data:\r\nThe function UP104D7060F113 uploads a file to a remote server using the GoFile API. First, it retrieves a list of available servers from GoFile. If servers are available, it selects the first one, constructs the upload URL, and uses the curl command to upload the specified file, after which it returns the link to the file’s download page. 
If any errors occur during this process, it catches the exception, prints an error message, and returns False. In simple terms, this function uploads a file to a cloud service and returns a link to access it.\r\nRUN TIME ANALYSIS\r\nPersistence: By copying itself into the Startup folder, the malware ensures that it will be executed every time the system boots up or a user logs in. This allows the malware to maintain its presence on the system and continue to carry out its malicious activities.\r\nAuto-execution: The Startup folder is a location from which Windows automatically executes files and programs during the startup process. By placing itself in this folder, the malware can execute automatically without the need for user interaction.\r\nThe malware copies the file Gruppe.py, dropping it into the App Data folder.\r\nThe file, named Grupee.py, is dropped in the App Data directory, and its entire contents are encrypted. The data can be decrypted using the appropriate key.\r\nThe file was encrypted using the Fernet symmetric encryption method, so we developed software to decrypt it using the secret key.\r\nAfter decrypting the file, we found various methods used by the developer to steal data, one of which involves Telegram. The telegram() function attempts to close any running instance of Telegram and identifies the path to its data folder. If the folder exists, it removes any existing temporary folder and copies the Telegram data to this temporary location. It then creates a ZIP file of the copied data and uploads it to a specified URL, including a user ID in the request headers. Finally, the function deletes the ZIP file and the temporary folder. 
This process effectively collects and sends Telegram data from a user’s device to a remote server, raising serious privacy and security concerns.\r\nIt also creates folders to steal Firefox cookies and MetaMask data, as shown in the screenshot below.\r\nAfter decrypting the code, we found the URL hxxp://bundeskriminalamt[.]agency/pw (Fraudae stealer), which directs to an online dashboard or interface utilized by the threat actor, where the stolen data is uploaded.\r\nWe determined that the developer has encrypted files, including one named hvnc.py, which is an additional piece of malware that drops into the Startup folder and is designed to provide remote access to a compromised system. It typically enables an attacker to control the victim’s device without detection. This file often uses stealth techniques to evade security measures and may be configured to launch at startup, ensuring persistent access.\r\nBy using the URL “hxxp://bundeskriminalamt[.]agency/hvnc,” we downloaded the hvnc.py file, which contained fully encrypted code.\r\nWe decrypted the hvnc.py file using our Fernet symmetric Decryptor software.\r\nFirst, it attempts to bypass UAC permissions using SYSTEMROOT techniques. If that fails, it displays UAC prompts, requesting that the user grant it Administrator access.\r\nIt also adds the C:\\ drive to Defender exclusions by using UAC permissions through PowerShell with the command Add-MpPreference -ExclusionPath ‘C:’. 
This prevents antivirus scanning and helps the malware remain undetected on the victim’s system for an extended period.\r\nAfterward, it attempts to download a malicious executable from a specified URL, although this URL is currently inactive.\r\nAfter running the executable file, it effectively steals various types of sensitive information, including passwords, cookies, browser data, browsing history, and cryptocurrency wallet details. It is a powerful information stealer.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT\r\nOur investigation revealed that the “Vilsa Stealer” was launched on GitHub in September 2024.\r\nBased on our analysis, we discovered that the threat actor is using the URL “hxxp://bundeskriminalamt.agency/” to upload stolen data to a remote server, which directs to an online dashboard or interface utilized by the threat actor. Based on our further research, this URL appears to be similar to 1312 Stealer.\r\nThe associated IP address for this server is 83.136.208.208. 
With medium confidence, we can indicate the threat actor’s location.\r\nThe link redirects to a login page for a spyware panel, which then forwards to the contact details.\r\nThe contact details for the panel can be found on a Telegram channel, which was created on September 26, 2024. In the channel, the seller promotes access and provides contact information for purchase.\r\nMITRE Framework\r\nTactic | ID | Technique\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1129 | Shared Modules\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads\r\nDefense Evasion | T1036 | Masquerading\r\nDefense Evasion | T1070.006 | Indicator Removal: Timestomp\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1202 | Indirect Command Execution\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery\r\nCollection | T1560 | Archive Collected Data\r\nCommand and Control | T1071 | Application Layer Protocol\r\nCommand and Control | T1573 | Encrypted Channel\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nImpact | T1486 | Data Encrypted for Impact\r\nDiamond Model\r\nCONCLUSION\r\nThe rise of “Vilsa Stealer” brings a new level of concern to data theft malware. This sophisticated tool effectively targets sensitive information from various applications, using clever techniques to evade security measures and maintain a foothold on compromised systems. 
Our findings show how it manipulates startup processes, employs anti-analysis tricks, and uploads stolen data to remote servers. The connections to organized cybercrime, particularly through Telegram channels, emphasize the seriousness of this threat. To protect against “Vilsa Stealer” and similar malware, it is crucial for individuals and organizations to stay alert, adopt strong cybersecurity practices, and prioritize proactive threat intelligence. Awareness and vigilance are key to navigating this evolving landscape.\r\nRECOMMENDATIONS\r\nStrategic Recommendations\r\nStrengthen Threat Intelligence and Research: Establish a dedicated team to monitor and analyze emerging threats like the “Vilsa Stealer.” This team should focus on tracking malware trends, threat actors, and new techniques used in data theft.\r\nDevelop an Integrated Cybersecurity Framework: Create a holistic cybersecurity strategy that encompasses prevention, detection, response, and recovery, tailored to defend against advanced malware threats, particularly data stealers.\r\nCollaborate with Cybersecurity Communities: Engage with cybersecurity organizations and communities to share insights and best practices regarding new threats and attack vectors, enhancing collective defense strategies.\r\nManagement Recommendations\r\nAppoint a Cybersecurity Program Manager: Designate a cybersecurity leader responsible for overseeing initiatives related to emerging threats like the “Vilsa Stealer,” ensuring resources are allocated effectively.\r\nEstablish Regular Review Mechanisms: Implement processes for periodic reviews of cybersecurity policies and protocols, particularly in response to the evolving landscape of threats posed by malware.\r\nInvest in Employee Training Programs: Prioritize cybersecurity awareness training that educates employees on recognizing phishing attempts, suspicious links, and the risks associated with malware like “Vilsa Stealer.”\r\nTactical Recommendations\r\nDeploy Advanced Endpoint Protection: Utilize endpoint detection and response (EDR) solutions to identify and respond to suspicious activities indicative of malware infections, such as “Vilsa Stealer.”\r\nImplement Application Whitelisting: Restrict software execution to only trusted applications, thereby preventing unauthorized malware from running on organizational systems.\r\nConduct Regular Penetration Testing: Perform simulated attacks to identify vulnerabilities that data stealers might exploit, allowing for timely remediation of security gaps.\r\nEnhance Data Loss Prevention (DLP) Measures: Implement DLP tools to monitor and control sensitive data transfers, helping to prevent unauthorized data exfiltration.\r\nEstablish Incident Response Protocols: Develop and regularly test incident response plans to ensure rapid and effective action in the event of a data breach or malware infection, specifically targeting scenarios involving sophisticated stealers.\r\nLIST OF IOCS\r\nNo | Indicator | Remarks\r\n1. | 2b4df2bc6507f4ba7c2700739da1415d | Block\r\n2. | http://bundeskriminalamt.agency/ | Block\r\n3. | 83.136.208.208 | Monitor\r\nSource: https://www.cyfirma.com/research/vilsa-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/vilsa-stealer/"
	],
	"report_names": [
		"vilsa-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5fd5552e031ed55ced596e5702dcf5cb009a7fe.pdf",
		"text": "https://archive.orkl.eu/b5fd5552e031ed55ced596e5702dcf5cb009a7fe.txt",
		"img": "https://archive.orkl.eu/b5fd5552e031ed55ced596e5702dcf5cb009a7fe.jpg"
	}
}