{
	"id": "9b3ff511-4b6d-48e6-ab90-9b5198e41293",
	"created_at": "2026-04-06T01:32:29.361299Z",
	"updated_at": "2026-04-10T03:37:09.43889Z",
	"deleted_at": null,
	"sha1_hash": "bd8ab07c8c7cd2b4142aa6ed2accee1161f39f23",
	"title": "Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2278583,
	"plain_text": "Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer\r\nBy Ben Cohen\r\nPublished: 2021-01-07 · Archived: 2026-04-06 00:29:13 UTC\r\nCredential theft malware continues to be one of the most prevalent types of malware used in cyber attacks. The\r\nmain objective of nearly all credential theft malware is to gather as much confidential and sensitive information,\r\nlike user credentials and financial information, as possible.\r\nThe Oski stealer is a malicious information stealer, which was first introduced in November 2019. As the name\r\nimplies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old\r\nNordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely\r\neffective at pillaging privileged information from its victims.\r\nIn this blog, we provide an in-depth analysis of an Oski stealer sample.\r\nBackground\r\nAs noted above, the Oski stealer is a classic information stealer that is being sold on Russian underground hacking\r\nforums at a low price of $70-$100.\r\nhttps://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\r\nPage 1 of 26\n\nFigure 1: Forum thread for selling Oski Stealer\r\nThe stealer is written in C++ and has all the typical features of credential theft malware. Oski targets sensitive\r\ninformation including:\r\nLogin credentials from different applications\r\nBrowser information (cookies, autofill data and credit cards)\r\nCrypto wallets\r\nSystem information\r\nScreenshots\r\nDifferent user files\r\nBeyond these, the stealer can function as a Downloader to download a second-stage malware.\r\nEvery infection involves three parties:\r\n1. Malware authors\r\n2. Malware customers\r\n3. 
Malware victims\r\nThe “customers,” also known as the attackers, contact Oski authors on underground forums to purchase the\r\nmalware and, once purchased, they configure it and distribute it to their victims.\r\nOski has a very strong reputation within the underground community, with many of its “customers” regularly\r\nproviding positive feedback and reviews about the functionality of the malware.\r\nAnd even we have to admit that Oski’s functionality works pretty well. From setting up and checking the\r\nenvironment to stealing information by application type, Oski’s code is written with purpose and care. The code is\r\nneat and clean, without any useless code lines; however, it does lack sophisticated anti-analysis tricks\r\nsuch as anti-debugging and dynamic anti-analysis checks.\r\nFigure 2: Malware Flow\r\nIn-depth Analysis\r\nThe sample of Oski stealer analyzed in this blog post is:\r\naa33731aa48e2ea6d1eaab7c425f9001182c0e73e0226eb01145d6b78d7cb9eb.\r\nAs soon as we opened the Oski stealer sample in IDA, we noticed that it was packed. In our case, the packer used\r\na self-injection technique to pack Oski’s payload. It then unpacks the payload and writes it to a new memory\r\nregion – making it easy to notice the new memory region and dump it from memory.\r\nLooking at the TimeDateStamp from the file header of the unpacked PE reveals the compilation time –\r\n0x5EDFAA70 (compiled on 9 Jun 2020). 
The latest version of Oski stealer, v9.1, was released on 19 June 2020,\r\nand version v9 was released on 3 Jun 2020, which means that our sample is Oski stealer v9.\r\nBefore diving into the stealer’s capabilities, it’s important to note that the malware uses two obfuscation\r\ntechniques:\r\nString encryption\r\nDynamic loading of DLLs and functions\r\nTo be able to start reverse-engineering the sample statically, we have to decrypt the strings and resolve the loaded\r\nfunctions and DLLs.\r\nStrings Setup\r\nThe first function Oski calls from Main is stringsSetup – the function responsible for decrypting all the strings for\r\nthe malware and saving them in memory. The function holds several Base64 strings and a decryption key.\r\nFigure 3: stringsSetup function\r\nThe function decryptB64 (Figure 3) gets the decryption key (which in our case is 110151472500104935) and the\r\nbase64 string.\r\ndecryptB64 decodes the base64 string and decrypts the decoded data using RC4. Finally, the function\r\nreturns the decrypted string to the strings setup function, which saves the decrypted string in memory (Figure\r\n3).\r\nTIP: RC4 is a pretty common cipher that’s used by malware developers. When trying to figure out which\r\ndecryption/encryption routine is used in malware, the standard process we tend to follow is to first start by finding\r\nany constant (“magic”) values to help reveal the decryption/encryption routine. 
For RC4, there are no constant\r\nvalues – in fact, it’s the most popular algorithm that doesn’t use constant values.\r\nFunction Setup\r\nThe second function Oski calls after setting up all the strings in memory is procsSetup, which is responsible\r\nfor loading different DLLs, resolving function addresses and saving the addresses in memory.\r\nThe names of the functions and DLLs are encrypted, therefore we must first decrypt the strings before we can\r\ndetermine which functions and DLLs are loaded.\r\nOski gets the addresses of the functions LoadLibraryA and GetProcAddress from memory. This part of the code is\r\nwritten as Position-Independent Code (PIC).\r\nThere are two operations Oski performs in order to get the functions from memory:\r\nFind the base address of kernel32.dll from the PEB structure of the process\r\nResolve the address of the functions from the export table of kernel32.dll by parsing the PE within memory\r\nThe next part describes these methods and how Oski stealer implements them.\r\nIf you are already familiar with these techniques, you can skip ahead to Back to Functions Setup.\r\nFind kernel32.dll\r\nIn x86 programs, the FS segment register holds the Thread Information Block (_TEB struct) for the current thread.\r\nThe _TEB structure holds a pointer at offset 0x30 to the Process Environment Block (_PEB), which contains\r\ninformation about the running process in the form of several data structures and many different fields.\r\nOne of those structures is a pointer to _PEB_LDR_DATA at offset 0x0c from the start of the PEB.\r\nThe _PEB_LDR_DATA struct provides information about the DLLs that are loaded into the process.\r\nFigure 4: _PEB_LDR_DATA structure\r\nThe _PEB_LDR_DATA holds 3 pointers to 3 doubly linked lists – 
InLoadOrderModuleList,\r\nInMemoryOrderModuleList and InInitializationOrderModuleList. All provide information about the loaded DLLs\r\nin the process; however, the second and the third lists are good for finding the desired DLL.\r\nThe list InMemoryOrderModuleList holds the DLLs loaded by the process sorted by their order in memory, and\r\nthe list InInitializationOrderModuleList holds the DLLs by their order of initialization.\r\nEach entry in all three lists is an LDR module (_LDR_DATA_TABLE_ENTRY) for the current DLL in the list.\r\nFigure 5: _LDR_DATA_TABLE_ENTRY structure\r\nThe _LDR_DATA_TABLE_ENTRY contains information about the loaded DLL. At offset 0x18 from the\r\naddress of _LDR_DATA_TABLE_ENTRY, we can obtain the DllBase, which is a pointer to the DLL base\r\naddress in memory.\r\nHaving explained the theory for obtaining a module’s base address independently, we will check how Oski\r\nimplements this technique.\r\nFigure 6: Oski function for getting kernel32.dll base address\r\nOski gets the base address of kernel32.dll from memory, which is the third entry within the LIST_ENTRY in\r\nInLoadOrderModuleList (the first entry is a pointer for the executable and the second is for ntdll.dll).\r\nOski’s next steps are to get the address of LoadLibraryA and GetProcAddress; both functions are exported by\r\nkernel32.dll.\r\nFind Exported Functions\r\nOnce Oski gets the base address of kernel32.dll, it parses the PE file and loops over the exported functions of the\r\nDLL to get the address of the desired functions.\r\nTo do so, it needs to traverse several headers of the 
DLL.\r\nFigure 7: how to get the EXPORT_DIRECTORY\r\nAfter getting the Export Table, Oski must find the desired function by looking for the function name. The process\r\nis as follows:\r\nThe AddressOfNames is a pointer to an array of the exported functions’ names, so Oski loops through the\r\narray and compares each function name to the desired function, while counting the position of the string in\r\nthe array.\r\nOski gets the ordinal number for the function from the Ordinal Table. Each entry in the table is 2 bytes,\r\ntherefore, it must multiply the position of the function name by 2.\r\nFinally, Oski calculates the address for the function from the Address Table. Each entry in the table is 4\r\nbytes, therefore, it must multiply the ordinal number by 4.\r\nBack to Functions Setup\r\nOski uses a function that implements this technique for getting the function’s address from memory. The function\r\nGetProcAddrPIC (Figure 8) gets a pointer to the DLL base address and a name for an exported function.\r\nFigure 8: Oski gets the address for LoadLibraryA and GetProcAddress\r\nFinally, after getting the address of those APIs, Oski can start loading DLLs and resolving function addresses. 
As\r\nwe mentioned earlier, all the strings are encrypted, so we have to decrypt them first to be able to understand\r\nstatically which functions and DLLs Oski uses.\r\nGetProcAddress and LoadLibraryA are called many times in order to load different DLLs and resolve\r\nfunctions.\r\nTo make our analysis easier, we wrote an IDA Python script that automates Oski’s setup stages and deobfuscates the\r\ncode.\r\nOski Deobfuscator: An IDA Python Script\r\nThe script automates all the analysis of the setup stages for Oski stealer (v9+) and defeats its obfuscation to make\r\nthe static analysis easier and more convenient.\r\nStrings Setup\r\nFind the decryption key\r\nDecrypt all the strings (B64, RC4)\r\nGive meaningful names (IDA)\r\nAdd comments with the full decrypted string\r\nFunctions Setup\r\nFind LoadLibraryA and GetProcAddress\r\nResolve the loaded DLLs and functions\r\nGive meaningful names to functions and DLLs (IDA)\r\nFigure 9: Before and after using oski_ida.py\r\nThe script decrypted 380 strings and resolved 107 functions and 11 DLLs.\r\nIn addition, the script dumps the addresses and the full decrypted strings to a JSON file.\r\nYou can find the script oski_ida.py on our repo.\r\nFinally, after setting up the names for the strings and functions, we can move on to analyzing the sample statically.\r\nEnvironment Checks\r\nCIS Check\r\nOski checks the user language to determine if it’s part of the Commonwealth of Independent States (CIS)\r\ncountries. 
This behavior is popular, especially within crimeware tools that are sold on Russian underground\r\nforums.\r\nFigure 10: cisDetection function\r\nOski gets the user language ID by using GetUserDefaultLangID and compares it to the following IDs:\r\nLanguage ID Language-tag Location\r\n0x43F kk-KZ Kazakhstan\r\n0x443 uz-Latn-UZ Uzbekistan\r\n0x82C az-Cyrl-AZ Azerbaijan\r\n0x419 ru-RU Russia\r\n0x422 uk-UA Ukraine\r\n0x423 be-BY Belarus\r\nIf the user language ID matches one of the IDs above, the stealer will exit.\r\nAnti-Emulation Check\r\nThe second check is an anti-emulation check for Windows Defender Antivirus. The malware calls\r\nGetComputerNameA and compares the computer name to HAL9TH. In addition, it checks if the username is\r\nJohnDoe by calling GetUserNameA. Those two values are used by the Windows Defender emulator.\r\nThe Stealer’s Main Functionality\r\nOski steals confidential and sensitive data from ~60 different applications, including browsers, email clients, and\r\ncrypto wallets. Among its stealing features, it can also function as a Grabber and Loader.\r\nBefore stealing credentials from different applications, Oski sets up its “working environment.” In order\r\nto steal data by different methods from different applications, Oski has to download several DLLs.\r\nOski downloads 7 DLLs from the C\u0026C server and saves them in the ProgramData folder:\r\nsqlite3.dll\r\nfreebl3.dll\r\nmozglue.dll\r\nmsvcp140.dll\r\nnss3.dll\r\nsoftokn3.dll\r\nvcruntime140.dll\r\nFigure 11: Oski downloads dependencies (7 DLLs)\r\nEach DLL has its own URL address. 
In the Oski version we sampled, the URL for the DLL is the DLL’s name –\r\nevil.cc/sqlite3.dll.\r\nIn some other versions, Oski makes the requests to evil.cc/1.jpeg, evil.cc/2.jpeg and so on, to download the DLLs\r\n(1.jpeg = sqlite3.dll, 2.jpeg = freebl3.dll, 3.jpeg = mozglue.dll, 4.jpeg = msvcp140.dll, 5.jpeg = nss3.dll, 6.jpeg =\r\nsoftokn3.dll, 7.jpeg = vcruntime140.dll).\r\nBecause Oski makes those seven requests to the C\u0026C server to download its dependencies, it is not very stealthy.\r\nOski creates its working folder, named with a randomly generated 15-digit string, within ProgramData,\r\nfor example C:\\ProgramData\\234378117851778. This folder will contain all the stolen logs and data. In\r\naddition, it creates four folders inside the working folder:\r\nautofill – autofill data from browsers\r\ncc – credit card data\r\ncookies – browser cookies\r\ncrypto – cryptocurrency wallets\r\nBrowsers and Email Clients\r\nOski steals login credentials, cookies, credit card and autofill information from 30+ different browsers using\r\nwell-known and familiar stealing methods.\r\nIt has four different methods to steal data from different types of browsers: Mozilla-based applications, Opera,\r\nInternet Explorer and Chromium-based browsers.\r\nIt’s worth mentioning that Oski updated its stealing technique for Chromium-based browsers and now\r\nsupports the new method (v80+) used by Chromium for encrypting credentials and cookies with a global AES key that\r\nis stored within %localappdata%\\Google\\Chrome\\User Data\\Local State and encrypted using DPAPI. 
Prior to\r\nversion 80 of Chromium, the credentials and cookies were simply encrypted with DPAPI directly, rather than with that AES key.\r\nFurthermore, Oski collects information about the connected Outlook accounts from the registry, like passwords\r\nand confidential data about the IMAP and SMTP servers, and dumps all the data to a file named outlook.txt.\r\nFigure 12: stealing data from Outlook registry profiles\r\nWe won’t cover Oski’s stealing techniques as they aren’t terribly innovative and have been reviewed many times,\r\nbut you can find an explanation of most of these techniques in this whitepaper on the Raccoon stealer.\r\nCryptocurrency Wallets\r\nOski also steals wallets and confidential files that are related to crypto wallet applications. It targets 28 crypto\r\nwallet applications, which store sensitive data in files. An example is the best-known file, wallet.dat, which\r\ncontains the confidential data about the wallet including private keys, public keys, etc.\r\nThe stealer checks for the default wallet file location in AppData and copies it to the working folder.\r\nFigure 13: Oski stealing from crypto wallet apps\r\nThe configuration for this module:\r\nApp Name App Folder Regex (sensitive file)\r\nAnoncoin \\Anoncoin\\ *wal*.dat\r\nBBQCoin \\BBQCoin\\ *wal*.dat\r\nBitcoin \\Bitcoin\\ *wal*.dat\r\nDashCore \\DashCore\\ *wal*.dat\r\ndevcoin \\devcoin\\ *wal*.dat\r\ndigitalcoin \\digitalcoin\\ *wal*.dat\r\nElectronCash \\ElectronCash\\wallets\\ default_wallet\r\nElectrum \\Electrum\\wallets\\ default_wallet\r\nElectrum-LTC 
\\Electrum-LTC\\wallets\\ default_wallet\r\nEthereum \\Ethereum\\ keystore\r\nExodus \\Exodus\\ exodus.conf.json, window-state.json\r\nExodus \\Exodus\\exodus.wallet\\ passphrase.json, seed.seco, info.seco\r\nFlorincoin \\Florincoin\\ *wal*.dat\r\nFranko \\Franko\\ *wal*.dat\r\nFreicoin \\Freicoin\\ *wal*.dat\r\nGoldCoinGLD \\GoldCoin (GLD)\\ *wal*.dat\r\nInfinitecoin \\Infinitecoin\\ *wal*.dat\r\nIOCoin \\IOCoin\\ *wal*.dat\r\nIxcoin \\Ixcoin\\ *wal*.dat\r\njaxx \\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\ *\r\nLitecoin \\Litecoin\\ *wal*.dat\r\nMegacoin \\Megacoin\\ *wal*.dat\r\nMincoin \\Mincoin\\ *wal*.dat\r\nMultiDoge \\MultiDoge\\ *wal*.dat\r\nNamecoin \\Namecoin\\ *wal*.dat\r\nPrimecoin \\Primecoin\\ *wal*.dat\r\nTerracoin \\Terracoin\\ *wal*.dat\r\nYACoin \\YACoin\\ *wal*.dat\r\nZcash \\Zcash\\ *wal*.dat\r\nCollect System Information\r\nSimilar to other classic stealers, Oski gathers information about the system and takes a screenshot of the user’s\r\ndesktop. It then writes the information to system.txt and saves the screenshot to screenshot.jpg.\r\nSystem\r\nWindows version, computer architecture, username, computer name, system language, Machine ID, GUID,\r\ndomain name and Workgroup name.\r\nHardware\r\nProcessor type, number of processors, video card type, display resolution, RAM size, and whether the\r\ncomputer is a laptop or desktop. Oski checks if the computer is a laptop by calling\r\nGetSystemPowerStatus – the function retrieves information about the power status of the system. 
The\r\nreturned struct contains a one-byte flag named BatteryFlag, which can indicate whether the system has a battery\r\nor not.\r\nFigure 14: checkLaptop function\r\nLocal time\r\nNetwork\r\nOski has hardcoded values for this section, so the log will always contain unknown values – IP: IP? and\r\nCountry: Country?\r\nFigure 15: Oski writes the useless values\r\nInstalled Software\r\nGets the installed applications on the machine and their versions. Oski has a typo in this section: the title is\r\n“Installed Softwrare” instead of “Software,” so this typo is unique to Oski logs.\r\nFigure 16: Oski system log\r\nScreenshot\r\nGrabber Module\r\nOski also has a recursive grabber that collects particular files from the victim’s computer.\r\nThe module is configurable, allowing the attacker to decide whether to enable this module and, if so, which files to\r\ncollect from the user.\r\nOski creates a POST request to main.php on the C\u0026C. In our case, the URL is\r\nhttp://sl9XA73g7u3EO07WT42n7f4vIn5fZH[.]biz/main.php. The response from the C\u0026C contains the\r\nconfiguration for the grabber.\r\nThe first part of the Grabber function is parsing the response data. 
The parsing function uses the strtok function with\r\nthe delimiter “;” on the response data from the C\u0026C.\r\nIt extracts the first three tokens from the configuration and passes them to the “main function” of the grabber.\r\nAfter the first three tokens, the parsing function takes the next three tokens, and so on.\r\nIn this way, we can figure out that the structure of the configuration has three parts (parameters) and that the\r\nconfiguration can hold several tasks.\r\nLet’s focus on the mainGrabber function. This function gets three arguments, which are the three tokens from the\r\nconfiguration; each call to mainGrabber is a “task.”\r\nThe task structure has three fields (parameters):\r\n1. A name for the zip file – it will contain all the stolen files related to the current task. Oski prepends\r\nan underscore to this name, so the name of the zip will be _%name%.zip.\r\n2. An environment variable name and folder name – the starting point for the recursiveGrabber.\r\n3. A regex list – contains multiple parameters separated by “,”; each one of them is a regex that\r\nrepresents a file type.\r\nThe recursiveGrabber gets those three “task” parameters.\r\nFigure 17: calling recursiveGrabber and looping over the regex list\r\nWhile doing this research, we extracted several configurations from other C\u0026Cs, so a grabber configuration\r\nlooks like:\r\nDocuments;USERPROFILE\\Documents;*.jpg,*.img,*.json,*.txt;\r\ndesktop;USERPROFILE\\Desktop;*.jpg,*.img,*.json,*.txt;\r\nFor this C\u0026C, the attacker created two tasks to collect jpg, img, json and txt files from the user’s Desktop and\r\nDocuments. 
Oski will save those files in 2 separate zip files named _Documents.zip and _desktop.zip.\r\nFrom reviewing the extracted configurations from other C\u0026C servers, we understand that other attackers intend\r\nto collect different files, like 2FA files, wallet files from different locations or even personal documents.\r\nThe extracted configurations for other C\u0026C servers can be found in our IoCs page: IoCs.pdf\r\nDownloader\r\nAfter stealing the sensitive data from the user and grabbing the files, Oski adds the stolen files to a new zip file\r\nwhose name consists of an underscore followed by 10 characters from the working folder name.\r\nFigure 18: zip file content\r\nAfter sending the zip file, the C\u0026C server should send within the response the domain for the downloader. The\r\nresponse might be empty if the feature isn’t enabled.\r\nOski downloads the next malware from the given domain and executes it.\r\nThe stealer creates a random file name with a .exe extension and sets the Zone.Identifier stream of the file to\r\n[ZoneTransfer] ZoneId=2, which indicates that the file has been downloaded from a trusted site.\r\nFigure 19: Loader function\r\nSelf-Removal\r\nOski removes its traces from the machine and deletes all the files, logs, DLLs, etc. 
from the disk.\r\nIn addition, it creates a new cmd.exe process with the parameters /c /taskkill /pid \u003cpid\u003e \u0026\r\nerase \u003cpath\u003e \u0026 RD /S /Q \u003cworking_folder\u003e\\* \u0026 exit to kill the malware process and delete the remaining files.\r\nConclusion\r\nAlthough Oski stealer doesn’t target as many types of software as other stealers, it is still effective, continues to be\r\nupdated and improved and maintains a strong reputation in the underground community.\r\nA defining characteristic of credential theft malware is that it doesn’t require any special permissions. Because of\r\nthis, it is a popular resource for attacks and ultimately can cause significant damage – especially as attackers\r\ncontinue to seek out privileged credentials and look for opportunities to escalate their privileges for massive data\r\ntheft or business disruption.\r\nTo combat credential theft malware like Oski, we recommend the following:\r\nBe aware – avoid clicking suspicious URLs, opening unknown attachments, or downloading and\r\nrunning unfamiliar applications.\r\nDeploy MFA – use multi-factor authentication where applicable.\r\nUse strong and unique passwords – don’t use the same password for all services, and rotate them on\r\na regular cadence.\r\nLeverage credential protection solutions – a credential protection solution can defend against the\r\nfundamental nature of credential stealers and protect credentials from being harvested by attackers.\r\nAppendix\r\nYARA Rule\r\nOski_Stealer.yara\r\nTargeted Applications\r\nBrowsers\r\nInternet Explorer\r\nGoogle Chrome, Chromium, Kometa, Amigo, Torch, Orbitum, Comodo Dragon, Nichrome, Maxthon, Sputnik,\r\nEpic Privacy Browser, Vivaldi, CocCoc Browser, Uran Browser, QIP Surf, Cent, Elements Browser, TorBro,\r\nMicrosoft 
Edge, CryptoTab, Brave\r\nOpera\r\nMozilla Firefox, Pale Moon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon\r\nEmail Clients\r\nThunderbird\r\nOutlook\r\nCrypto Wallets\r\nAnoncoin, BBQCoin, Bitcoin, DashCore, ElectronCash, Electrum, Electrum-LTC, Ethereum, Exodus, Florincoin,\r\nFranko, Freicoin, GoldCoinGLD, IOCoin, Infinitecoin, Ixcoin, Litecoin, Megacoin, Mincoin, MultiDoge,\r\nNamecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, jaxx\r\nIoCs\r\nIoCs.pdf\r\nSource: https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer"
	],
	"report_names": [
		"meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439149,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd8ab07c8c7cd2b4142aa6ed2accee1161f39f23.pdf",
		"text": "https://archive.orkl.eu/bd8ab07c8c7cd2b4142aa6ed2accee1161f39f23.txt",
		"img": "https://archive.orkl.eu/bd8ab07c8c7cd2b4142aa6ed2accee1161f39f23.jpg"
	}
}