{
	"id": "bd2e3ff3-6089-4938-82e3-ed958aa83709",
	"created_at": "2026-04-06T00:10:23.036367Z",
	"updated_at": "2026-04-10T03:21:17.226918Z",
	"deleted_at": null,
	"sha1_hash": "b6d873fd2cd05916657a9352a8ed40dada5fff2e",
	"title": "Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1443094,
	"plain_text": "Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms\r\nBy BushidoToken\r\nPublished: 2022-11-26 · Archived: 2026-04-05 15:14:28 UTC\r\n\r\nCyber threat intelligence largely involves the tracking and studying of the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense. In the pursuit of performing this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been via leveraging the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes the results available for users to query. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter.\r\n\r\nBut we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is, identifying unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cybercriminals online. Through this process, I was able to identify dozens of infostealer control panel login pages, as well as three infostealer malware families, called Titan Stealer, Patriot Stealer, and Raxnet Stealer, that have not yet been reported elsewhere online (as far as I could tell).\r\nhttps://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html\r\nPage 1 of 8\r\n\r\nIt all started by searching http.html:\"stealer\" in Shodan. This revealed several login pages for known and unknown infostealer malware. I have since created a page on my GitHub repo to share some Shodan dorks that help reveal adversary infrastructure.\r\n\r\nMisha, Collector, and Titan Stealer\r\nThe above Shodan dork revealed dozens of IPs, which when investigated were found to be login panels for infostealer malware families. Misha Stealer and Collector Stealer are two semi-well-known malware families. The \"Titan Stealer\" panel appears to be new, with apparently no references online, vendor reports, or social media mentions by other researchers. Looks like one we should track in my books.\r\n\r\nGrand Misha (aka Misha Stealer)\r\nShodan Dork\r\nhttp.title:\"misha\" http.component:\"UIKit\"\r\nURLscan Query\r\nhttps://urlscan.io/search/#filename:%22misha.css%22\r\nhttps://urlscan.io/search/#task.tags:%22misha%22\r\n\r\nCollector Stealer\r\nShodan Dork\r\nhttp.html:\"Collector Stealer\"\r\nhttp.html:\"getmineteam\"\r\nURLscan Query\r\nhttps://urlscan.io/search/#task.tags:%22collector%22\r\n\r\nTitan Stealer\r\nShodan Dork\r\nhttp.html:\"Titan Stealer\"\r\nURLscan Query\r\nhttps://urlscan.io/result/daca0fcd-bbc9-48c8-810d-89fee466b639\r\n\r\nPatriot Stealer\r\nThe same Shodan Dork http.html:\"stealer\" also revealed an unreported and new Malware-as-a-Service (MaaS) platform marketing itself as \"Patriot Stealer\". The paid version of the infostealer malware is reportedly capable of stealing \"passwords, cookies, Autofilldata, Telegram session, Persistence\" and if you want to buy it you should speak to \"@kastr3\" on Telegram. Interestingly, the malware leverages Discord webhooks to report to the operator when a victim has been infected and data has successfully been stolen.\r\n\r\nFrom the Discord language setting in the screenshot on the website and from the description of the group's Telegram channel, it appears the developer(s) of the Patriot Stealer are Spanish-speaking threat actors.\r\n\r\nPatriot Stealer\r\nShodan Dork\r\nhttp.favicon.hash:274603478\r\nhttp.html:\"patriotstealer\"\r\nURLscan Query\r\nhttps://urlscan.io/result/43a51776-e283-4522-ab29-ea5c7efc174a/\r\nTelegram Channel\r\nhxxps://t.me/patriotstealer\r\n\r\nRAXNET Bitcoin Stealer\r\nAgain, the trusty Shodan Dork http.html:\"stealer\" uncovered another new and unreported infostealer malware called \"RAXNET Bitcoin Stealer\" that targets cryptocurrency users by replacing destination wallet addresses with the cybercriminal's own wallet addresses. The main features of this Malware-as-a-Service (MaaS) allegedly include \"Fully Undetectable, AV-bypass, Private Key Stealer, Online Logs Panel\" and it has several pricing models from $80 to $150, including \"similarity mode\" and the \"builder\" of the malware. The MaaS operators also offer \"spreading methods\" for $75. Other notable services related to this MaaS were \"resell rights\", \"full video tutorials\", \"24/7 support\", and a \"refund policy.\"\r\n\r\nRAXNET Bitcoin Stealer\r\nShodan Dork\r\nhttp.favicon.hash:-1236243965\r\nURLscan Query\r\nhttps://urlscan.io/result/c4f7f543-46f5-4051-b3cb-3699d4b99c5c/\r\nDomain\r\ncryptohax[.]net\r\nTelegram\r\n@PureTX (hxxps://t.me/PureTX)\r\nE-mail\r\npunity@protonmail.com\r\nYouTube\r\nhttps://www.youtube.com/@bitstorm101 (Joined 17 Nov 2022)\r\nhttps://www.youtube.com/@punxi49 (Joined 21 Jun 2020)\r\nhttps://www.youtube.com/watch?v=oNGIubac9sk (video tutorial)\r\nhttps://www.youtube.com/watch?v=D9iT4VJev28 (video tutorial)\r\n\r\nAnalysis\r\nThe cybercriminal underground continues to evolve, and Malware-as-a-Service (MaaS) offerings have been a significant contributing factor in the increase in cybercrime. Aspiring cybercriminals no longer require the technical skills to perform such attacks, but as little as $150 to run a malware campaign with a multi-featured cybercrime tool, allegedly with \"24/7 support\" from English- and Spanish-speaking malware developers as part of the as-a-Service business model.\r\n\r\nThis research also highlights that the infrastructure of cybercriminals often includes several common denominators, such as email addresses and Telegram channels to communicate with customers, websites and YouTube channels to advertise products, as well as cryptocurrency wallets to receive payments.\r\n\r\nStealing credentials on a wide scale can be useful for a plethora of attacks. The threat actor who actually stole the credentials is also not always going to be the one who leverages them. This is due to the growing popularity of selling stolen credentials on cybercrime forums and marketplaces.\r\n\r\nSource: https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html"
	],
	"report_names": [
		"detecting-and-fingerprinting.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6d873fd2cd05916657a9352a8ed40dada5fff2e.pdf",
		"text": "https://archive.orkl.eu/b6d873fd2cd05916657a9352a8ed40dada5fff2e.txt",
		"img": "https://archive.orkl.eu/b6d873fd2cd05916657a9352a8ed40dada5fff2e.jpg"
	}
}