{
	"id": "3e3cafdb-4d26-48e7-976c-c376d9a3f777",
	"created_at": "2026-04-06T00:08:09.241582Z",
	"updated_at": "2026-04-10T03:37:09.133011Z",
	"deleted_at": null,
	"sha1_hash": "b6aa050256369bcf331f8f9da22cee62f9dea2c7",
	"title": "Thief in the night: New Nocturnal Stealer grabs data on the cheap | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1505940,
	"plain_text": "Thief in the night: New Nocturnal Stealer grabs data on the cheap |\r\nProofpoint US\r\nBy May 30, 2018 Proofpoint Staff\r\nPublished: 2018-05-30 · Archived: 2026-04-05 17:24:11 UTC\r\nOverview\r\nWith the massive ransomware campaigns of 2016 and 2017 taking a backseat to bankers and other malware\r\nfamilies, information stealers made up 18% of malicious email payloads in the first part of this year. Proofpoint\r\nresearchers recently discovered a new stealer, dubbed “Nocturnal Stealer,” most notable as an example of\r\ninexpensive commodity malware with significant potential for monetization.\r\nOn March 9, a user posted an advertisement for Nocturnal Stealer on an underground forum. The stealer sold for\r\n1500 Rubles, or roughly US$25 at the time of analysis. Nocturnal Stealer is designed to steal the data found within\r\nmultiple Chromium and Firefox based browsers. It can also steal many popular cryptocurrency wallets as well as\r\nany saved FTP passwords within FileZilla. Proofpoint researchers analyzed a sample being dropped in the wild by\r\nan unknown loader.\r\nAnalysis\r\nWe recently observed Nocturnal Stealer being dropped by an unknown loader in the wild. The loader dropped\r\nthree files, one of which was the information stealer Trojan. The stealer, written in C++, creates a new directory\r\nnamed in the format 'NocturnalXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' (the string\r\n‘Nocturnal’ followed by machine’s UUID). A copy of the malware is placed in this directory with random digits in\r\nthe file name. Nocturnal Stealer stages stolen information in this directory in files such as ‘information.txt’ and\r\n‘passwords.txt’.\r\nFigure 1: Directory and files created by the malware\r\nUpon execution, Nocturnal Stealer searches the '%LOCALAPPDATA%' directory for any sensitive data or files\r\nrelated to the browsers, cryptocurrency wallets, and FTP clients it currently targets. 
If found, the malware copies\r\ndata into the 'passwords.txt' file. The stolen data for targeted browsers includes login credentials, cookies, web\r\ndata, autofill data, and stored credit cards.\r\nNocturnal Stealer copies other information into the \"information.txt\" file. This includes system information such\r\nas machine ID, date/time, installation location, operating system, architecture, username, processor type, video\r\ncard, and a list of all running processes. The malware only reports some of this information back to the Command\r\nand Control (C\u0026C) server via a check-in beacon, but it also zips and uploads all of the information contained in the\r\ndropped files to the C\u0026C.\r\nFigure 2: Example contents of information.txt\r\nTo avoid detection, Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not\r\nlimited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual\r\nmachine registry keys, and checking for emulation software. We commonly observe this step in some mainstream\r\ncrimeware, but it is unusual for most of the budget crimeware we analyze.\r\nNetwork Traffic Analysis\r\nNocturnal Stealer makes two initial requests to retrieve the infected machine’s external IP address and country\r\ncode, using the free service ip-api.com. Once the malware has acquired this information, the main C\u0026C traffic\r\nbegins. It uses an HTTP POST for the initial check-in to report the infected machine’s information to the\r\nC\u0026C server. This POST uses the User-Agent 'Nocturnal/1.0', which carries the name and the version of the\r\nstealer. 
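The two-step pattern just described, an external-IP lookup against ip-api.com followed by the HTTP POST check-in carrying the 'Nocturnal/1.0' User-Agent, is something a SOC can hunt for in proxy logs. The Python script below is an added example written for this page, not code from Proofpoint or from the malware. The log field layout, the client addresses, the non-C2 hostnames and the 120-second correlation window are assumptions; ip-api.com, the User-Agent string and the nctrnl.us C2 host come from the report.

```python
from datetime import datetime, timedelta

# Constructed proxy log (not real telemetry). Field layout is an assumption:
# timestamp|client|method|host|path|user_agent
SAMPLE_LOG = [
    '2018-05-30T10:00:00|10.1.2.3|GET|ip-api.com|/json/|Mozilla/5.0',
    '2018-05-30T10:00:01|10.1.2.3|GET|ip-api.com|/json/?fields=countryCode|Mozilla/5.0',
    '2018-05-30T10:00:04|10.1.2.3|POST|nctrnl.us|/server/gate.php|Nocturnal/1.0',
    '2018-05-30T10:03:00|10.1.2.9|GET|ip-api.com|/json/|Mozilla/5.0',
    '2018-05-30T10:03:30|10.1.2.9|POST|example.org|/index.php|Mozilla/5.0',
    '2018-05-30T10:05:00|10.1.2.7|GET|ip-api.com|/json/|Mozilla/5.0',
    '2018-05-30T10:21:00|10.1.2.7|POST|cdn.example.net|/upload/gate.php|curl/7.58.0',
]

IOC_HOSTS = {'nctrnl.us'}          # C2 host from the report's IOC table
UA_PREFIX = 'nocturnal/'           # check-in User-Agent 'Nocturnal/1.0'
IP_CHECK_HOST = 'ip-api.com'       # external-IP / country-code lookup service
WINDOW = timedelta(seconds=120)    # assumed max gap between IP check and check-in


def parse_line(line):
    ts, client, method, host, path, ua = line.split('|', 5)
    return {'ts': datetime.fromisoformat(ts), 'client': client,
            'method': method, 'host': host.lower(), 'path': path, 'ua': ua}


def detect(lines):
    # Returns one (rule, client, timestamp) tuple per suspicious request.
    events = sorted((parse_line(line) for line in lines), key=lambda e: e['ts'])
    alerts = []
    last_ip_check = {}  # client -> time of its most recent ip-api.com lookup
    for ev in events:
        if ev['host'] == IP_CHECK_HOST:
            # The lookup alone is not an indicator (legitimate software uses
            # ip-api.com too); it is only remembered for the sequence rule.
            last_ip_check[ev['client']] = ev['ts']
            continue
        if ev['ua'].lower().startswith(UA_PREFIX):
            alerts.append(('nocturnal-user-agent', ev['client'], ev['ts']))
        if ev['host'] in IOC_HOSTS:
            alerts.append(('nocturnal-c2-host', ev['client'], ev['ts']))
        # Behavioural rule that survives a UA or domain change: a POST to a
        # gate.php endpoint shortly after the client looked up its own IP.
        seen = last_ip_check.get(ev['client'])
        if (ev['method'] == 'POST' and ev['path'].endswith('/gate.php')
                and seen is not None and ev['ts'] - seen <= WINDOW):
            alerts.append(('ip-check-then-gate-post', ev['client'], ev['ts']))
    return alerts


if __name__ == '__main__':
    for rule, client, ts in detect(SAMPLE_LOG):
        print(ts.isoformat(), client, rule)
```

The first two rules are the equivalents of the ET Checkin signature and a plain IOC match on the C2 host; the third fires on the behaviour itself, a POST to a gate.php endpoint shortly after the same client asked ip-api.com for its own address, and keeps working when an operator rotates the domain or edits the User-Agent. In the sample, client 10.1.2.7 also performs an IP check and later posts to a gate.php, but sixteen minutes apart, so it stays below the threshold.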
The version number may indicate that this is the first major version of Nocturnal Stealer to be observed in the wild.\r\nNocturnal Stealer sends the stolen information to the C\u0026C in a multipart HTTP POST form. This\r\nreport contains information relevant for tracking infections and managing infected clients, such as the HWID, OS,\r\nsystem architecture, and username. Importantly, this report also contains a zip archive with the harvested data. The\r\nfirst text file, passwords.txt, which is attached even if empty, contains passwords recovered from the various browsers\r\nand wallets on the infected machine. The 'information.txt' file contains a system report of generic information\r\nabout the infected machine, similar to what is observed in the other parts of the HTTP POST, but with\r\nadditional details, including the processes running on the infected machine.\r\nFurthermore, if Nocturnal Stealer finds relevant data on the machine -- such as stored credit cards, cookies, or\r\nother browser information -- this will be included in the .zip containing system information. 
For example, if a\r\nsystem had stored Chrome and Firefox data, it would appear in the zip as:\r\nautofill_Google Chrome_Default.txt\r\ncc_Google Chrome_Default.txt\r\ncookies_Google Chrome_Default.txt\r\ncookies_Mozilla Firefox_\u003cuser_id\u003e.default.txt\r\nOnce Nocturnal Stealer is done searching for relevant data, zipping the data to be exfiltrated, and sending it to the\r\nC\u0026C, it runs a simple command to kill the stealer process and remove the dropped files:\r\ncmd.exe /c taskkill /im \u003crandom_digits\u003e.exe /f \u0026 erase C:\\ProgramData\\Nocturnal\u003cSystem_UUID\u003e\\\u003crandom_digits\u003e.exe \u0026 exit\r\nFigure 3: Nocturnal Stealer C\u0026C Communications\r\nAdvertisement\r\nNocturnal Stealer advertises two-factor authentication to its C\u0026C panel (Figure 4).\r\nFigure 4: Nocturnal Stealer C\u0026C panel\r\nThe advertisement touts the lack of data collection about its users, including IP addresses. It also notes that the\r\noperators perform server setup on behalf of the users. However, while this reduces potential setup issues, it also\r\nintroduces a single point of failure and means that the author of the malware is really in control of all stolen data.\r\nA portion of the advertisement is shown in Figure 5. 
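Before the advertisement's feature list, the host artefacts from the analysis above deserve the same treatment as the network traffic: the staging directory and the self-deleting command line give two host-side indicators to pair with the network ones. The Python script below is an added example for this page, not code from the report or the malware. The event layout, the sample UUID and the random-digit file name are made up; the directory lives under ProgramData as in the erase command above, and the file names information.txt and passwords.txt are the ones the report describes.

```python
import re

BS = chr(92)  # a single backslash; paths are assembled with it below so the
              # sample contains no escape sequences
UUID_RE = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# ProgramData, then a Nocturnal<UUID> directory component; the path may end
# there or continue with a file name
STAGING_DIR_RE = re.compile(
    re.escape(BS) + 'programdata' + re.escape(BS) + 'nocturnal' + UUID_RE
    + '(' + re.escape(BS) + '|$)', re.I)
STAGING_FILES = {'information.txt', 'passwords.txt'}

# the self-delete command: taskkill /im <digits>.exe /f, then erase of a
# <digits>.exe inside the Nocturnal<UUID> directory
CLEANUP_RE = re.compile(
    'taskkill[ ]+/im[ ]+([0-9]+)[.]exe[ ]+/f.*erase.*nocturnal' + UUID_RE
    + re.escape(BS) + '([0-9]+)[.]exe', re.I)


def is_staging_path(path):
    return STAGING_DIR_RE.search(path) is not None


def is_cleanup_cmdline(cmdline):
    # True only when the killed image and the erased file share the same
    # random-digit name, which is what the observed command does.
    m = CLEANUP_RE.search(cmdline)
    return m is not None and m.group(1) == m.group(2)


def scan(events):
    # events: dicts with 'type' plus 'path' (file_create) or 'cmdline' (process_create)
    alerts = []
    for ev in events:
        if ev['type'] == 'file_create' and is_staging_path(ev['path']):
            alerts.append(('nocturnal-staging-dir', ev['path']))
            if ev['path'].rsplit(BS, 1)[-1].lower() in STAGING_FILES:
                alerts.append(('nocturnal-staging-file', ev['path']))
        elif ev['type'] == 'process_create' and is_cleanup_cmdline(ev['cmdline']):
            alerts.append(('nocturnal-self-delete', ev['cmdline']))
    return alerts


# Constructed sample events (not real telemetry); UUID and digits are made up.
UUID = '1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b'
STAGING = BS.join(['C:', 'ProgramData', 'Nocturnal' + UUID])
SAMPLE_EVENTS = [
    {'type': 'file_create', 'path': STAGING + BS + '48213379.exe'},
    {'type': 'file_create', 'path': STAGING + BS + 'passwords.txt'},
    # similar name but no UUID suffix, so not the stealer's layout
    {'type': 'file_create', 'path': BS.join(['C:', 'ProgramData', 'Nocturnal', 'notes.txt'])},
    {'type': 'process_create',
     'cmdline': 'cmd.exe /c taskkill /im 48213379.exe /f & erase '
                + STAGING + BS + '48213379.exe & exit'},
    # ordinary taskkill use without an erase of a Nocturnal path
    {'type': 'process_create', 'cmdline': 'cmd.exe /c taskkill /im notepad.exe /f'},
]

if __name__ == '__main__':
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, detail)
```

The directory rule keys on the UUID suffix rather than the word Nocturnal alone, and the command-line rule insists that the taskkill target and the erased file carry the same random-digit name, which is the shape of the observed command; both checks are case-insensitive because Windows paths are. Run against Sysmon or EDR file-creation and process-creation events, the staging-file alert is the earlier signal, since the self-delete only runs after exfiltration has finished.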
As noted in the ad, the malware supports 22 popular browsers\r\nand their forks: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Comodo Dragon,\r\nNichrome, Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc, Mozilla Firefox, Pale\r\nMoon, Waterfox, Cyberfox, BlackHawk, IceCat, K-Meleon, and others.\r\nIt also supports 28 cryptocurrency wallets: Bitcoin Core, Ethereum, ElectrumLTC, Monero, Electrum, Exodus,\r\nDash, Litecoin, ElectronCash, ZCash, MultiDoge, AnonCoin, BBQCoin, DevCoin, DigitalCoin, FlorinCoin,\r\nFranko, FreiCoin, GoldCoin, InfiniteCoin, IOCoin, IxCoin, MegaCoin, MinCoin, NameCoin, PrimeCoin,\r\nTerraCoin, and YACoin.\r\nAlthough not pictured in Figure 5, the ad also notes support for the FileZilla FTP client.\r\nFigure 5: A portion of the Nocturnal Stealer advertisement\r\nConclusion\r\nNocturnal Stealer is not a particularly advanced piece of malware. However, the new stealer provides a glimpse\r\ninto the evolving criminal markets that continue to produce new variations on the crimeware we see every day.\r\nInexpensive, lightweight malware that can be deployed in a one-shot manner by even entry-level cybercriminals to\r\nharvest and exfiltrate sensitive data is a real concern for defenders and organizations. 
Nocturnal Stealer and other\r\nmalware like it provide a would-be cybercriminal with the means to cause damage and harm to people and\r\ncompanies easily and cheaply.\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\n205def439aeb685d5a9123613e49f59d4cd5ebab9e933a1567a2f2972bda18c3 | SHA256 | Loader\r\nae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e | SHA256 | Nocturnal Stealer\r\nhxxp://nctrnl[.]us/server/gate.php | URL | Nocturnal Stealer C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2830957 - ETPRO TROJAN Win32.Nocturnal Stealer Checkin\r\n2830956 - ETPRO TROJAN Win32.Nocturnal Stealer IP Check\r\n2830958 - ETPRO TROJAN Win32.Nocturnal Updater Requesting EXE\r\nSource: https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
	],
	"report_names": [
		"thief-night-new-nocturnal-stealer-grabs-data-cheap"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6aa050256369bcf331f8f9da22cee62f9dea2c7.pdf",
		"text": "https://archive.orkl.eu/b6aa050256369bcf331f8f9da22cee62f9dea2c7.txt",
		"img": "https://archive.orkl.eu/b6aa050256369bcf331f8f9da22cee62f9dea2c7.jpg"
	}
}