{
	"id": "1d37cc94-d852-4d7a-8fa2-81aeaf8b2719",
	"created_at": "2026-04-10T03:21:01.600856Z",
	"updated_at": "2026-04-10T03:22:19.118758Z",
	"deleted_at": null,
	"sha1_hash": "ca71a726f359361b16f4bd9211d59ad06b2cccf8",
	"title": "Creal: New Stealer Targets Crypto Users via Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1352442,
	"plain_text": "Creal: New Stealer Targets Crypto Users via Phishing\r\nBy cybleinc\r\nPublished: 2023-03-29 · Archived: 2026-04-10 02:55:28 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes Creal Stealer, an open-source stealer actively abused by TAs through\r\nphishing sites.\r\nOpen-Source Stealer Widely Abused by Threat Actors\r\nThe threat of InfoStealers is widespread and has been frequently employed by various Threat Actors (TAs) to launch\r\nattacks and make financial gains. Until now, the primary use of stealers by TAs has been to sell logs or to gain initial\r\nentry into a corporate network.\r\nRecently, however, TAs have started exploiting this type of malware to disseminate crypto scams through YouTube\r\nchannels. TAs successfully hacked a YouTube channel that had over 10 million subscribers and removed the original\r\ncontent of the channel, replacing it with two videos promoting cryptocurrency scams. According to reports, the TAs\r\ngained access to the YouTube account by stealing session cookies. 
It is believed that stealer malware might have\r\nbeen involved in the attack.\r\nRecently, Cyble Research and Intelligence Labs (CRIL) discovered a phishing site mimicking a cryptocurrency\r\nmining platform that was spreading Creal Stealer.\r\nThe figure below shows the phishing site.\r\nhttps://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/\r\nPage 1 of 14\n\nFigure 1 – Phishing Site\r\nThis site was hosting the stealer payload on Dropbox at\r\nhxxps[:]//www[.]dropbox[.]com/s/dl/x4vgcaac6hcdgla/kryptex-setup-4.25.7[.]zip.\r\nThe stealer binary (SHA 256: f3197e998822bc45cb9f42c8b153c59573aad409da01ac139b7edd8877600511) is\r\ncompiled using PyInstaller, indicating that the stealer is coded in Python.\r\nFigure 2 – File Details\r\nAfter extracting the contents of the PyInstaller compiled file, we spotted a PYC file dubbed ‘Creal’.\r\nThe figure below shows the extracted files.\r\nFigure 3 – Creal Stealer PYC File\r\nFurther investigation revealed that this stealer’s source code and builder were also available on a GitHub repository.\r\nThe figure below shows the Creal Stealer GitHub repository.\r\nFigure 4 – Creal Stealer GitHub Repo\r\nWe have also observed nearly 50 samples in the wild, indicating that TAs were actively utilizing the open-source code to infect unsuspecting users.\r\nTechnical Analysis\r\nEnvironment Checks\r\nDuring the initial execution, the stealer identifies whether it is being run in a controlled environment. 
It checks if the\r\nvictim’s username (obtained via the getpass.getuser() function) is present in a list called ‘blacklistUsers’.\r\nIf a username is found in this list, then the stealer will\r\nimmediately terminate its execution using the os._exit(0) function.\r\nThe table below contains the blacklisted usernames.\r\nWDAGUtilityAccount Lisa 3u2v9m8 Lucas\r\nAbby John Julia mike\r\nhmarc george HEUeRzl PateX\r\npatex PxmdUOpVyx fred h7dk1xPr\r\nRDhJ0CNFevzX 8VizSM server Louise\r\nkEecfMwgj w0fjuOVmCcP5A BvJChRPnsxn User01\r\nFrank lmVwjj9b Harry Johnson test\r\n8Nl0ColNQ5bq PqONjHVwexsS SqgFOf3G RGzcBUyrznReg\r\nAfter this, the stealer defines a list named “blacklistUsername” and then gets the hostname of the victim’s machine\r\nusing the socket.gethostname() method. The script proceeds to verify if the obtained hostname matches any of the\r\nnames in the “blacklistUsername” list.\r\nIf a match is discovered, the script promptly terminates itself by executing the os._exit(0) function.\r\nThe table below shows the hardcoded blacklisted hostnames present in the stealer binary.\r\nBEE7370C-8C0C-4 LISA-PC DESKTOP-7XC6GEZ SERVER-PC\r\nACEPC DESKTOP-NAKFFMT JOHN-PC DESKTOP-5OV9S0O\r\nTIQIYLA9TW5M MIKE-PC WIN-5E07COS9ALR DESKTOP-B0T93D6\r\nQarZhrdBpj DESKTOP-KALVINO DESKTOP-IAPKN1P B30F0242-1C6A-4\r\nDESKTOP-1PYKP29 ORELEEPC COMPNAME_4047 DESKTOP-NTU7VUO\r\nDESKTOP-VRSQLAG DESKTOP-1Y2433R ARCHIBALDPC DESKTOP-19OLLTD\r\nLOUISE-PC Q9IATRKPRH WILEYPC JULIA-PC\r\nDESKTOP-DE369SE T00917 XC64ZB WORK\r\nd1bnJkfVlH EA8C2E2A-D017-4 test42 DESKTOP-D019GDM\r\n6C4E733F-C2D9-4 NETTYPC AIDANPC DESKTOP-WI8CLET\r\nRALPHS-PC DESKTOP-BUGIO LUCAS-PC SERVER1\r\nDESKTOP-WG3MYJS DESKTOP-CBGPFEE MARCI-PC\r\nNow the stealer checks if the MAC address of the victim’s machine is 
present in the blacklist of MAC addresses\r\ndefined in a list named BLACKLIST1. It initially retrieves the machine’s MAC address using the getnode() function\r\nfrom the uuid module and then checks whether the victim’s MAC address is present in BLACKLIST1.\r\nIf it is present, the os._exit(0) function is called, which immediately exits the stealer.\r\nThe table below contains the MAC addresses present in BLACKLIST1.\r\n00:15:5d:00:07:34 00:25:90:36:f0:3b 00:50:56:a0:cd:a8 7e:05:a3:62:9c:4d\r\n00:e0:4c:b8:7a:58 00:1b:21:13:21:26 00:50:56:b3:fa:23 52:54:00:b3:e4:71\r\n00:0c:29:2c:c1:21 00:50:56:b3:50:de 52:54:00:a0:41:92 90:48:9a:9d:d5:24\r\n00:25:90:65:39:e4 00:1b:21:13:32:51 00:50:56:b3:f6:57 00:50:56:b3:3b:a6\r\nc8:9f:1d:b6:58:e4 a6:24:aa:ae:e6:12 00:e0:4c:56:42:97 92:4c:a8:23:fc:2e\r\n00:25:90:36:65:0c 08:00:27:45:13:10 ca:4d:4b:ca:18:cc 5a:e2:a6:a4:44:db\r\n00:15:5d:00:00:f3 00:1b:21:13:26:44 f6:a5:41:31:b2:78 00:50:56:ae:6f:54\r\n2e:b8:24:4d:f7:de 3c:ec:ef:43:fe:de d6:03:e4:ab:77:8e 42:01:0a:96:00:33\r\n00:15:5d:13:6d:0c d4:81:d7:ed:25:54 00:50:56:ae:b2:b0 00:50:56:97:a1:f8\r\n00:50:56:a0:dd:00 00:25:90:36:65:38 00:50:56:b3:94:cb 5e:86:e4:3d:0d:f6\r\n00:15:5d:13:66:ca 00:03:47:63:8b:de 42:01:0a:8e:00:22 00:50:56:b3:ea:ee\r\n56:e8:92:2e:76:0d 00:15:5d:00:05:8d 00:50:56:b3:4c:bf 3e:53:81:b7:01:13\r\nac:1f:6b:d0:48:fe 00:0c:29:52:52:50 00:50:56:b3:09:9e 00:50:56:97:ec:f2\r\n00:e0:4c:94:1f:20 00:50:56:b3:42:33 00:50:56:b3:38:88 00:e0:4c:b3:5a:2a\r\n00:15:5d:00:05:d5 3c:ec:ef:44:01:0c 00:50:56:a0:d0:fa 12:f8:87:ab:13:ec\r\n00:e0:4c:4b:4a:40 06:75:91:59:3e:02 00:50:56:b3:91:c8 00:50:56:a0:38:06\r\n42:01:0a:8a:00:22 42:01:0a:8a:00:33 3e:c1:fd:f1:bf:71 2e:62:e8:47:14:49\r\n00:1b:21:13:15:20 ea:f6:f1:a2:33:76 00:50:56:a0:6d:86 00:0d:3a:d2:4f:1f\r\n00:15:5d:00:06:43 ac:1f:6b:d0:4d:98 00:50:56:a0:af:75 60:02:92:66:10:79\r\n00:15:5d:1e:01:c8 1e:6c:34:93:68:64 
00:50:56:b3:dd:03 00:50:56:a0:d7:38\r\n00:50:56:b3:38:68 00:50:56:a0:61:aa c2:ee:af:fd:29:21 be:00:e5:c5:0c:e5\r\n60:02:92:3d:f1:69 42:01:0a:96:00:22 00:50:56:b3:ee:e1 00:50:56:a0:59:10\r\n00:e0:4c:7b:7b:86 00:50:56:b3:21:29 00:50:56:a0:84:88 00:50:56:a0:06:8d\r\n00:e0:4c:46:cf:01 00:15:5d:00:00:b3 00:1b:21:13:32:20 00:e0:4c:cb:62:08\r\n42:85:07:f4:83:d0 96:2b:e9:43:96:76 3c:ec:ef:44:00:d0 4e:81:81:8e:22:4e\r\n56:b0:6f:ca:0a:e7 b4:a9:5a:b1:c6:fd 00:50:56:ae:e5:d5 08:00:27:3a:28:73\r\n12:1b:9e:3c:a6:2c d4:81:d7:87:05:ab 00:50:56:97:f6:c8 00:15:5d:00:00:c3\r\n00:15:5d:00:1c:9a ac:1f:6b:d0:49:86 52:54:00:ab:de:59 00:50:56:a0:45:03\r\n00:15:5d:00:1a:b9 52:54:00:8b:a6:08 00:50:56:b3:9e:9e 12:8a:5c:2a:65:d1\r\nb6:ed:9d:27:f4:fa 00:0c:29:05:d8:6e 00:50:56:a0:39:18 16:ef:22:04:af:76\r\n00:15:5d:00:01:81 00:23:cd:ff:94:f0 32:11:4d:d0:4a:9e 00:15:5d:23:4c:ad\r\n4e:79:c0:d9:af:c3 00:e0:4c:d6:86:77 00:50:56:b3:d0:a7 1a:6c:62:60:3b:f4\r\n00:15:5d:b6:e0:cc 3c:ec:ef:44:01:aa 94:de:80:de:1a:35 00:15:5d:00:00:1d\r\n00:15:5d:00:02:26 00:15:5d:23:4c:a3 00:50:56:ae:5d:ea 00:e0:4c:44:76:54\r\n00:50:56:b3:05:b4 00:1b:21:13:33:55 00:50:56:b3:14:59 ac:1f:6b:d0:4d:e4\r\n1c:99:57:1c:ad:e4 00:15:5d:00:00:a4 ea:02:75:3c:90:9f 52:54:00:3b:78:24\r\nAfterward, the stealer checks if the victim’s public IP address is present in a blacklist called “sblacklist”. It first uses\r\nthe subprocess module to run a curl command to retrieve the device’s public IP address. It then checks if this IP\r\naddress is present in the blacklist. 
The stealer exits the program if the IP is found in the blacklist.\r\nThe table below contains the IP addresses in “sblacklist”.\r\n88.132.231.71 188.105.91.116 109.74.154.92 95.25.81.24\r\n207.102.138.83 34.105.183.68 213.33.142.50 92.211.52.62\r\n174.7.32.199 92.211.55.199 109.74.154.91 88.132.227.238\r\n204.101.161.32 79.104.209.33 93.216.75.209 35.199.6.13\r\n207.102.138.93 95.25.204.90 192.87.28.103 80.211.0.97\r\n78.139.8.50 34.145.89.174 88.132.226.203 34.85.253.170\r\n20.99.160.173 109.74.154.90 195.181.175.105 23.128.248.46\r\n88.153.199.169 109.145.173.169 88.132.225.100 35.229.69.227\r\n84.147.62.12 34.141.146.114 92.211.192.144 34.138.96.23\r\n194.154.78.160 212.119.227.151 34.83.46.130 192.211.110.74\r\n92.211.109.160 195.239.51.59 188.105.91.143 35.237.47.12\r\n195.74.76.222 192.40.57.234 34.85.243.241 87.166.50.213\r\n34.105.0.27 64.124.12.162 34.141.245.25 34.253.248.228\r\n195.239.51.3 34.142.74.220 178.239.165.70 212.119.227.167\r\n35.192.93.107 188.105.91.173 84.147.54.113 193.225.193.201\r\n34.145.195.58 34.105.72.241 193.128.114.45\r\nNow, the stealer checks if certain Python modules are installed, and if they are not, it attempts to install them using\r\npip. The modules to be checked and installed are defined in a nested list named “requirements”.\r\nEach entry in this list contains two strings: the name of the module to be checked and the name of the package that provides the\r\nmodule. 
Then it loops through each item in the requirements list and tries to import the module using the\r\n__import__ function.\r\nIf the import fails (which means the module is not installed), the code launches a subprocess to install the package\r\nusing pip by running the command executable -m pip install \u003cpackage_name\u003e.\r\nAfter launching the subprocess to install the package, the code sleeps for 3 seconds before moving on to the next\r\nitem in the requirements list. The purpose of this sleep period is to give pip enough time to complete the\r\ninstallation before moving on to the next package.\r\nFigure 5 – Installing Modules\r\nPersistence\r\nThe stealer achieves persistence by copying itself to the\r\nAppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\ directory using the shutil.copyfileobj()\r\nfunction.\r\nThe figure below shows the persistence technique used in this stealer.\r\nFigure 6 – Establishing Persistence\r\nData Collection\r\nThe stealer defines and assigns values to global variables such as keyword, cookiWords, paswWords, CookiCount,\r\nP4sswCount, WalletsZip, GamingZip, and OtherZip.\r\nFigure 7 – Global Variables\r\nThe keyword variable contains certain names and their respective domain names that the stealer targets. 
Now, the\r\nstealer retrieves login credentials and cookies from the browsers based on the list of names mentioned in the table\r\nbelow.\r\nName Domain Name Domain\r\ncoinbase hxxps://coinbase.com minecraft hxxps://minecraft.net\r\nsellix hxxps://sellix.io paypal hxxps://paypal.com\r\ngmail hxxps://gmail.com origin hxxps://origin.com\r\nsteam hxxps://steam.com amazon hxxps://amazon.com\r\nDiscord hxxps://Discord.com ebay hxxps://ebay.com\r\nriotgames hxxps://riotgames.com aliexpress hxxps://aliexpress.com\r\nyoutube hxxps://youtube.com playstation hxxps://playstation.com\r\ninstagram hxxps://instagram.com hbo hxxps://hbo.com\r\ntiktok hxxps://tiktok.com xbox hxxps://xbox.com\r\ntwitter hxxps://twitter.com binance hxxps://binance.com\r\nfacebook hxxps://facebook.com hotmail hxxps://hotmail.com\r\nepicgames hxxps://epicgames.com outlook hxxps://outlook.com\r\nspotify hxxps://spotify.com crunchyroll hxxps://crunchyroll.com\r\nyahoo hxxps://yahoo.com telegram hxxps://telegram.com\r\nroblox hxxps://roblox.com pornhub hxxps://pornhub.com\r\ntwitch hxxps://twitch.com disney hxxps://disney.com\r\nuber hxxps://uber.com expressvpn hxxps://expressvpn.com\r\nnetflix hxxps://netflix.com\r\nNow, the stealer creates multiple threads using the threading module in Python and initiates the data-stealing\r\nfunctionality in parallel.\r\nAs shown in the figure below, the malware iterates through a list of application paths, starts a thread for each path it\r\nencounters, and executes a specific function responsible for stealing data from the victim’s machine.\r\nFigure 8 – Multithreading\r\nThis stealer targets Chromium-based browsers, chat and gaming applications, cold crypto wallets, and browser\r\nextensions.\r\nThe figure below shows the applications targeted by Creal 
Stealer.\r\nFigure 9 – Targeted Applications\r\nCreal stealer makes a GET request to hxxps[:]//api.ipify.org/ to identify the victim’s IP. Now it appends the IP\r\naddress to hxxps[:]//geolocation-db.com/jsonp/ and makes a GET request to fetch the victim’s geolocation details.\r\nAs shown in the figure below, these geolocation details are added to the variables and will be later sent to the TA’s\r\nDiscord channel.\r\nFigure 10 – Fetching Geoinformation\r\nTo store the stolen data, including cookies and passwords, this stealer employs a commonly used function called\r\nwr1tef0rf1l3 that writes the information into files for exfiltration. The wr1tef0rf1l3 function requires two arguments,\r\n“data” and “name”.\r\nThe “data” argument holds the stolen data that is to be saved, while the “name” argument specifies the desired\r\nfilename. These files are saved in the %temp% directory, and the file names are prefixed with the string “cr”, as\r\nshown below.\r\nFigure 11 – Writing Stolen Data\r\nData Exfiltration\r\nCreal Stealer is capable of exfiltrating data using Discord Webhooks and multiple file-hosting \u0026 sharing platforms\r\nsuch as Anonfiles and Gofile. Prior to exfiltration, this stealer removes the file extensions of .txt files containing the\r\nstolen data and compresses these files using the zipfile module.\r\nThe figure below shows Creal stealer’s file upload code.\r\nFigure 12 – Removes .txt Extension\r\nFinally, Creal Stealer makes a POST request using the urlopen() function to exfiltrate data using a Discord\r\nwebhook. 
This stealer uses a dictionary object containing HTTP request headers, as shown in the figure below.\r\nFigure 13 – Requesting Header\r\nThe figure below shows the data exfiltration using Discord webhooks.\r\nFigure 14 – Data Exfiltration via Discord\r\nConclusion\r\nCreal Stealer’s builder and source code are available on GitHub, which enables TAs to modify the code to suit their\r\nrequirements. This can result in the emergence of various stealers from Creal Stealer’s source code, posing a\r\nsignificant threat to users. The trend of using open-source code in malware is increasing among cybercriminals,\r\nsince it allows them to create sophisticated and customized attacks with minimal expenses.\r\nOur Recommendations:\r\nAvoid downloading applications from unknown sources.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nUpdate your passwords periodically.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on employees’ systems.
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nPersistence  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nCredential Access  T1555  Credentials from Password Stores\r\nCredential Access  T1539  Steal Web Session Cookie\r\nCredential Access  T1528  Steal Application Access Token\r\nDiscovery  T1087  Account Discovery\r\nDiscovery  T1518  Software Discovery\r\nDiscovery  T1057  Process Discovery\r\nDiscovery  T1124  System Time Discovery\r\nDiscovery  T1007  System Service Discovery\r\nDiscovery  T1614  System Location Discovery\r\nCommand and Control  T1071  Application Layer Protocol\r\nCommand and Control  T1102  Web Service\r\nExfiltration  T1041  Exfiltration Over C\u0026C Channel\r\nIndicators of Compromise (IoCs):\r\nIndicators  Indicator type  Description\r\nbb2ca78ffff72d58599d66bf9b2f0ae6  MD5  Creal Stealer\r\n20dcb84660e5f79a98c190d3d455fce368d96f35  SHA1  Creal Stealer\r\n4ee417cbefa1673d088a32df48b8182bdad244541e8dc02faf540b9aa483fdcb  SHA256  Creal Stealer\r\n929e6f2c8896059c72368915abcaefa2  MD5  Malicious Zip Archive\r\n7122f0b88607061806fd62282e8b175ae28b7e29  SHA1  Malicious Zip Archive\r\nf3197e998822bc45cb9f42c8b153c59573aad409da01ac139b7edd8877600511  SHA256  Malicious Zip Archive\r\nhxxps[:]//www.dropbox[.]com/s/dl/x4vgcaac6hcdgla/kryptex-setup-4.25.7[.]zip  URL  Malicious URL\r\nkryptex[.]software  URL  Malicious URL\r\nSource: https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/"
	],
	"report_names": [
		"creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775791261,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca71a726f359361b16f4bd9211d59ad06b2cccf8.pdf",
		"text": "https://archive.orkl.eu/ca71a726f359361b16f4bd9211d59ad06b2cccf8.txt",
		"img": "https://archive.orkl.eu/ca71a726f359361b16f4bd9211d59ad06b2cccf8.jpg"
	}
}