{
	"id": "35cd016d-595a-4b88-a2d2-2cc9d7affe11",
	"created_at": "2026-04-10T03:22:13.857171Z",
	"updated_at": "2026-04-10T03:22:16.960272Z",
	"deleted_at": null,
	"sha1_hash": "d2bf02118e205c9fdc4799e97d5189187aa6cb5a",
	"title": "Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2871632,
	"plain_text": "Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities\r\nBy Edmund Brumaghin\r\nPublished: 2023-04-04 · Archived: 2026-04-10 03:05:01 UTC\r\nThe developer of the Typhon Reborn information stealer released version 2 (V2) in January, which\r\nincluded significant updates to its codebase and improved capabilities.\r\nMost notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities\r\nto evade detection and make analysis more difficult.\r\nWe assess Typhon Reborn 2 will likely appear in future attacks, as we have already observed samples in the\r\nwild and multiple purchases of the malware.\r\nThe stealer is currently offered on underground forums for $59 per month but also offers a lifetime\r\nsubscription for $540, which is inexpensive compared to competing infostealers.\r\nThe stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data\r\nto attackers.\r\nTyphon Reborn V2 release\r\nTyphon is an information stealer first publicly reported in mid-2022. It steals sensitive information, such as\r\ncryptocurrency wallet data, from a variety of applications and uses a “file grabber” to collect a predefined list of\r\nfile types, then exfiltrates them via Telegram. Since its initial arrival, it has undergone continuous development,\r\nwith Typhon Reborn being released just several months later in late 2022. The malware’s developer announced the\r\nrelease of Typhon Reborn V2 on Jan. 31, 2023 on the popular Russian language dark web forum XSS. 
Samples\r\nuploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since\r\nDecember 2022.\r\nhttps://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/\r\nPage 1 of 18\n\nPost announcing Typhon Reborn V2 release.\r\nIn the latest version, the malware developer claimed to have refactored the codebase and significantly improved\r\nexisting capabilities present within the malware, which Cisco Talos independently confirmed. It is available for\r\n$59 per month or a lifetime subscription for $540, which is inexpensive compared to competing infostealers.\r\nAnalysis of the cryptocurrency wallet from which the attacker collects payments suggests that multiple\r\nadversaries have purchased access to the stealer, making it likely that it will be used in attacks moving forward.\r\nNotable changes in Typhon Reborn V2\r\nThe code in Version 2 of Typhon Reborn was heavily modified compared to Version 1, based on our analysis.\r\nCode changes between Typhon Reborn V1 and V2.\r\nFor example, Version 2 has significantly more anti-analysis and anti-virtualization capabilities, as evidenced by\r\ncomparing the anti-analysis routines present in each version. In particular, the developer made several changes to\r\nthe logic that prevents the malware from infecting systems that match predefined criteria. 
That includes heavily\r\nexpanding this list of criteria to include usernames, CPUIDs, applications and processes present on the\r\nsystem, debugger/emulation checks, and geolocation data for countries that attackers may wish to avoid.\r\nAnti-analysis routine comparison between Typhon Reborn versions.\r\nFinally, in Typhon Reborn V2 samples that we analyzed, the developer appeared to have removed the functionality\r\nthat establishes persistence across reboots. Instead, V2 simply terminates itself after data exfiltration.\r\nDissecting Typhon Reborn V2\r\nIn Typhon Reborn V2, the malware complicates analysis via string obfuscation by using Base64 encoding and\r\napplying the XOR function to various strings. During execution, the malware decodes the Base64, generating a\r\nUTF-8 character-encoded string that is then deobfuscated using an XOR key stored in the malware’s configuration\r\nor hard-coded into DecryptString(). The XOR key used depends on the mode passed each time the function is\r\ncalled. The resulting string is then decoded from Base64 again, creating a plain text string to continue\r\nthe operation.\r\nString deobfuscation functionality.\r\nThe malware’s operations are determined by a series of parameters stored in the malware’s configuration that\r\ndictate what information should be collected, keys used for string deobfuscation and geolocations where the\r\nmalware should not execute.\r\nTyphon Reborn V2 configuration parameters.\r\nAnti-analysis and sandbox evasion\r\nWhen Typhon Reborn V2’s main() method is executed, it checks the malware configuration to determine if anti-analysis has been enabled. 
If it is enabled, the malware will attempt to conduct a series of anti-analysis checks to\r\ndetermine if it is being executed in an analysis or sandbox environment.\r\nAnti-analysis checks.\r\nIf any of the checks fail, the malware will call a SelfRemove() class, creating a batch file in the temp directory\r\nwith the following contents.\r\nchcp 65001\r\nTaskKill /F /IM [MALWARE_PID]\r\nTimeout /T 2 /Nobreak\r\nThis batch file is then executed via the Windows command processor, thus terminating the malware’s execution.\r\nSelf-removal functionality.\r\nThe overall execution flow of the various anti-analysis checks is shown below.\r\nAnti-analysis process flow.\r\nThe malware uses Windows Management Instrumentation (WMI) to retrieve information about the Graphics\r\nProcessing Unit (GPU) on the system.\r\nSELECT * FROM Win32_VideoController\r\nIt then checks the returned value to determine if it contains the string vmware svga.\r\nThen, it makes an HTTP request to the following URL to determine if the system is located in a network\r\nassociated with a hosting provider, colocation facility, or data center environment. 
The API returns either a “True”\r\nor “False” response based on the location of the system, which is used to determine the type of environment in\r\nwhich the system is located.\r\nhxxp://ip-api[.]com/line/?fields=hosting\r\nThen, it checks for the presence of the following DLLs associated with common security products that may be\r\ninstalled.\r\nSbieDLL.dll (Sandboxie)\r\nSxIn.dll (360 Total Security)\r\nSf2.dll (Avast)\r\nSnxhk.dll (Avast)\r\ncmdvrt32.dll (Comodo Internet Security)\r\nIt also retrieves the system manufacturer and model via WMI using the following query:\r\nSelect * from Win32_ComputerSystem\r\nThe retrieved information is checked to determine if it contains the following hypervisor-related strings.\r\nVIRTUAL\r\nvmware\r\nVirtualBox\r\nThe malware also uses WMI to collect information about the system’s video controller.\r\nSELECT * FROM Win32_VideoController\r\nThis information is then checked to determine if it contains the strings VMware or VBox.\r\nNext, the malware uses CheckRemoteDebuggerPresent to determine if the process is being debugged.\r\nThe malware then obtains the current system time, initiates a short (10ms) sleep, then obtains the system time\r\nagain. 
It compares the delta between the two times to what is expected during normal operations to determine if\r\nthe process is being run in a debugging session.\r\nThe command line argument used to initially launch the malware is then obtained to determine if the sample was\r\nexecuted using the file name detonate.exe or if the argument --detonate was passed when initiating\r\nexecution.\r\nThe malware also checks the Windows Registry (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall) to\r\ndetermine if any subkeys reference the following common analysis tools:\r\ndnSpy, PDFStreamDumper, Ghidra, Wireshark, Autoruns, x64dbg, HashCalc, Process Hacker, FileInsight, Process Monitor\r\nNext, WMI is queried to obtain the ProcessorId (CPUID) for the system using the following query.\r\nSelect ProcessorId From Win32_Processor\r\nThe CPUID is then checked against the following list of CPUIDs under which the malware will not execute:\r\n4AB2DFCCF4\r\nBFEBFBFF000906E9\r\n078BFBFF000506E3\r\n078BFBFF00000F61\r\n178BFBFF00830F10\r\n0F8BFBFF000306C1\r\nThe malware also determines the user account context under which the malware is executing and will terminate if\r\nthe username matches the following values:\r\nIT-ADMIN, sand box, Abby, Paul Jones, maltest, WDAGUtilityAccount, WALKER, malware, Frank, Sandbox, virus, fred, timmy, John Doe, JOHN-PC, tim, Emily, Lisa, vboxuser, CurrentUser, John, sandbox, test, Peter Wilson, TVM\r\nThe malware then obtains the list of currently running processes on the system and checks the executable path\r\nassociated with them against the following list of executable file names associated with common analysis tools.\r\nollydbg.exe, idaq64.exe, processhacker.exe, immunitydebugger.exe, tcpview.exe, wireshark.exe, autoruns.exe, dumpcap.exe, de4dot.exe, hookexplorer.exe, ilspy.exe, lordpe.exe, dnspy.exe, petools.exe, autorunsc.exe, resourcehacker.exe, filemon.exe, x32dbg.exe, procmon.exe, x64dbg.exe, regmon.exe, fiddler.exe, idaq.exe\r\nIt then attempts to test internet connectivity by making an HTTP request to http://www.google.com.\r\nThe malware again obtains the execution environment to determine if its filename matches the following list:\r\ndetonate\r\nvirus\r\ntest\r\nmalware\r\nmaltest\r\nNext, the malware checks the Programs subdirectory under the Windows Start Menu for the presence of the\r\nfollowing analysis tools:\r\ndnspy, x86dbg, detect it easy, ghidra, die, ida, procmon, fiddler, process monitor, scylla, process hacker, winhex, ilspy, hxd, x64dbg, de4dot\r\nIt then attempts to locate wine_get_unix_file_name to determine if Wine is being used in an analysis\r\nenvironment.\r\nNext, it checks the SYSTEM_CODEINTEGRITY_INFORMATION structure to determine if unsigned or test-signed drivers\r\nare allowed on the system (CODEINTEGRITY_OPTION_ENABLED, CODEINTEGRITY_OPTION_TESTSIGN).\r\nThe malware also checks the SYSTEM_KERNEL_DEBUGGER_INFORMATION structure to determine if kernel mode\r\ndebugging is enabled (KernelDebuggerEnabled).\r\nThen, the malware checks various system DLLs for the presence of instructions that may indicate that the\r\nenvironment is instrumented for analysis.\r\nThe malware also features two geolocation avoidance mechanisms. The first one allows for the specification of a\r\nlist of countries in the malware’s config that the attacker does not want to infect systems in. 
The malware uses the\r\nIP-API service to determine where the system is located and compares it against the user-supplied list.\r\nIP geolocation check.\r\nIf the system is located in one of these countries, the malware calls the SelfRemove() functionality previously\r\ndescribed.\r\nThe malware also contains a RunAntiCIS() feature that specifically avoids infecting systems located in\r\nCommonwealth of Independent States (CIS) countries.\r\nCIS country avoidance.\r\nSystem and network data collection\r\nIf the victim’s environment passes all the malware’s anti-analysis checks, Typhon Reborn V2 begins collecting\r\nand exfiltrating sensitive information. First, the malware creates a randomly named subdirectory under\r\n%LOCALAPPDATA%, then the malware begins generating stealer logs that will ultimately be staged in that\r\nsubdirectory for exfiltration.\r\nTo generate the logs, the malware retrieves survey information about the infected system and writes it to the\r\nstealer log. It collects a variety of system information including user data, system data and network information,\r\nusing various mechanisms such as WMI queries, environment variables, and registry keys. The malware uses\r\napi[.]ipify[.]org to obtain the public IP of the infected system. This information is saved in the malware’s\r\nworking directory (UserData.txt) along with a text file (BuildID.txt) containing the Telegram channel for the\r\nmalware’s developer. A list of installed software is also generated using WMI and saved\r\n(InstalledSoftwares.txt). 
A list of hard drives present within the system is also saved (Drive Info.txt).\r\nThe malware also captures screenshots from infected systems saved in the same directory as the stealer logs.\r\nScreenshot capture.\r\nThe stealer also collects saved Wi-Fi network information and stores it (Wifi Passwords.txt) using the\r\nfollowing system commands:\r\ncmd.exe /C chcp 65001 \u0026\u0026 netsh wlan show profile | findstr All\r\ncmd.exe /C timeout /t 5 /nobreak \u003e nul \u0026\u0026 netsh wlan show profile name=\u003cPROFILE_NAME\u003e key=clear | findstr Key\r\nIt also attempts to scan for available wireless networks and stores information about them (Available Networks.txt).\r\ncmd.exe /C timeout /t 5 /nobreak \u003e nul \u0026\u0026 netsh wlan show networks mode=bssid\r\nA list of currently running processes and process executable paths is collected and saved as well (Running Processes.txt).\r\nApplication data collection\r\nOnce basic system information has been collected and saved, the stealer begins iterating through specific\r\napplications and collecting data based on the malware’s configuration. The stealer currently supports collecting\r\npasswords, tokens, and other sensitive information from the applications shown below.\r\nTyphon Reborn V2 Application Support.\r\nGaming clients\r\nTyphon Reborn V2 can steal data from additional applications, including various gaming clients. However, this\r\nfunctionality was never actually called from the main() method of the malware in the latest version analyzed.\r\nThe malware also contains a FileGrabber() feature that is used to collect and exfiltrate files of interest from\r\nvictim environments. 
It iterates through all drives detected on the system and attempts to determine whether any\r\nare removable storage devices, network storage locations or optical drives.\r\nDrive enumeration.\r\nEach drive that meets these criteria has its root directory added to a list of target directories. The malware then\r\niterates through all of the target directories, copying contents that match the parameters in the malware’s\r\nconfiguration to the malware’s working directory.\r\nThe two parameters Config.GrabberSize and Config.GrabberFileExtensions defined in the malware’s\r\nconfiguration determine the operation of the file collection capability.\r\nFile grabber configuration parameters.\r\nData exfiltration\r\nOnce the stealer has finished collecting information from infected systems, the data is stored in a compressed\r\narchive and exfiltrated via HTTPS using the Telegram API. First, the malware sends an overview log containing\r\nsurvey information and basic statistics related to the data collected.\r\nStealer log transmission.\r\nThen, the malware sends another Telegram message containing the data being exfiltrated from the infected system.\r\nData exfiltration.\r\nOnce the data has been successfully transmitted to the attacker, the archive is then deleted from the infected\r\nsystem. The malware then calls SelfRemove.Remove() to terminate execution.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nThe following Snort SIDs are applicable to this threat: 61532-61533, 300476.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. 
For specific OSqueries on this threat, click here.\r\nIndicators of Compromise (IOCs)\r\nIOCs for this research can also be found at our Github repository here.\r\nSource: https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/"
	],
	"report_names": [
		"typhon-reborn-v2-features-enhanced-anti-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775791333,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2bf02118e205c9fdc4799e97d5189187aa6cb5a.pdf",
		"text": "https://archive.orkl.eu/d2bf02118e205c9fdc4799e97d5189187aa6cb5a.txt",
		"img": "https://archive.orkl.eu/d2bf02118e205c9fdc4799e97d5189187aa6cb5a.jpg"
	}
}