{
	"id": "ecc28c88-17b9-4b10-b397-aba471034fc4",
	"created_at": "2026-04-06T00:13:16.142416Z",
	"updated_at": "2026-04-10T03:36:47.892448Z",
	"deleted_at": null,
	"sha1_hash": "dc071a987c7e9b22ce0d8e8fbfa645a94446cbc7",
	"title": "TMPN (Skuld) Stealer: The dark side of open source",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77253,
	"plain_text": "TMPN (Skuld) Stealer: The dark side of open source\r\nArchived: 2026-04-05 14:42:09 UTC\r\nSummary\r\nTMPN Stealer is based on the open-source project ‘Skuld stealer’\r\nUses Discord webhooks for communications\r\nInjects JS payload to Discord\r\nSteals browsers and cryptocurrency wallet data\r\nSteals local files and system information\r\nIntroduction\r\nSkuld, also known as TMPN Stealer, is an information-stealing malware written in Golang (Go) that emerged in May 2023.\r\nIts developer, identified as \"Deathined,\" appears to be a newcomer in the malware development scene, utilizing open-source\r\nprojects as inspiration for Skuld's functionality. The malware is distributed through various means, including malicious links\r\nand compromised websites, aiming to infect systems globally.\r\nTechnical details\r\nOverview\r\nThe analyzed sample is written in Go and has a fake compilation timestamp. The file size is 14.4 MB and is normal for\r\nprograms that are written in Go.\r\nGitHub contains a page that probably contained TMPN stealer source code, but it is no longer\r\navailable: https://github.com/DextenXD/TMPN-Stealer\r\nWhile this page is unavailable, during analysis, we discovered a link in the code that leads to another project: Skuld Stealer.\r\nIt is an open-source project that demonstrates a Discord-oriented stealer. Even the description is similar to the TMPN one:\r\nConfiguration\r\nAt the start of execution, Skuld loads configuration to the memory, which contains multiple strings. The first one is\r\n‘webhook’, and the second one contains the URL:\r\nhxxps://discord.com/api/webhooks/1272963856322527274/PGGfe9V7To17wrSy0T7qE8EpNjFXfms2KY4A421gXmXwMcrPdaeG0Z3DB2\r\nThis refers to Discord webhooks, a low-effort way to post messages to channels in Discord. 
This mechanism is convenient\r\nfor command and control because a webhook requires neither a bot user nor authentication to post.\r\nThe next string loaded into memory is the attacker's BTC wallet address.\r\nThe source code in fact supports multiple cryptocurrency wallets.\r\nPreparation\r\nBefore executing the main payload, Skuld makes some preparations.\r\nFirst, it checks whether it is already running by looking for a specific mutex name.\r\nNext, it calls the UAC bypass function. This checks whether the process is already elevated and whether it can be elevated, and then\r\ncalls the elevation function. This function writes the malware path into the registry key that the fodhelper.exe utility consults:\r\nhttps://www.acronis.com/en-sg/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source\r\nPage 1 of 4\n\nHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command (together with a DelegateExecute value)\r\nLaunching fodhelper.exe, an auto-elevating Windows binary, then runs the command stored in that key, i.e. the sample, with elevated permissions; with UAC at its default level no consent prompt is shown. The old process then clears the fodhelper registry key\r\nand terminates.\r\nTo hide its file from the user, Skuld runs ‘attrib +h +s’, which gives the sample the ‘hidden’ and ‘system’\r\nattributes. It also calls ‘GetConsoleWindow’ to obtain its console window handle and\r\n‘ShowWindow’ to set the window state to hidden.\r\nFor persistence it adds a value under the ‘Software\\Microsoft\\Windows\\CurrentVersion\\Run’ registry key. The value\r\nname is ‘Realtek HD Audio Universal Service’ and its data is\r\n'%APPDATA%\\Microsoft\\Protect\\SecurityHealthSystray.exe'. It then checks whether a file exists at this path and, if\r\nnot, copies itself there.\r\nNext, Skuld checks whether it is running in a virtual machine. 
To do this it compares the hostname, username, MAC\r\naddress, IP address and HWID against its own embedded lists. If any string matches, it terminates.\r\nNext, it checks whether a debugger is attached to the process.\r\nFinally, it tries to evade antivirus software. It excludes its own path from Microsoft Defender scanning and\r\nruns PowerShell commands to disable Defender. The Go source builds these as argument lists; assembled into command lines they are:\r\npowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend\r\npowershell Set-MpPreference -SubmitSamplesConsent 2\r\n%ProgramFiles%\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All\r\nThe last step of this function is to block connections to the following sites:\r\nvirustotal.com, avast.com, totalav.com, scanguard.com, totaladblock.com, pcprotect.com,\r\nmcafee.com, bitdefender.com, us.norton.com, avg.com, malwarebytes.com, pandasecurity.com,\r\navira.com, norton.com, eset.com, zillya.com, kaspersky.com, usa.kaspersky.com, sophos.com,\r\nhome.sophos.com, adaware.com, bullguard.com, clamav.net, drweb.com, emsisoft.com, f-secure.com, zonealarm.com, trendmicro.com, ccleaner.com\r\nDiscord injection\r\nOn entering the injection function, Skuld first calls two bypass functions. The first targets BetterDiscord, a\r\nDiscord client modification that, besides plugins, emotes and developer tools, includes security\r\nenhancements. 
To perform the bypass, it opens ‘AppData\\Roaming\\BetterDiscord\\data\\betterdiscord.asar’\r\nand replaces every ‘api/webhooks’ string with ‘ByHackirby’, so that BetterDiscord's protection, which keys on that string, no longer triggers.\r\nIt then tries to bypass Discord Token Protector. First, it checks whether this module is present on the system. If so, it opens\r\n\"AppData\\Roaming\\DiscordTokenProtector\\config.json\" and sets the following values:\r\n\"auto_start\" = false\r\n\"auto_start_discord\" = false\r\n\"integrity\" = false\r\n\"integrity_allowbetterdiscord\" = false\r\n\"integrity_checkexecutable\" = false\r\n\"integrity_checkhash\" = false\r\n\"integrity_checkmodule\" = false\r\n\"integrity_checkscripts\" = false\r\n\"integrity_checkresource\" = false\r\n\"integrity_redownloadhashes\" = false\r\n\"iterations_iv\" = 364\r\n\"iterations_key\" = 457\r\n\"version\" = 69420\r\nIt then calls the injection function. First, it checks for a Discord installation: it loads several data blocks, takes\r\nfragments from them, joins the fragments and passes the result to ‘filepath.Glob’ as a search pattern.\r\nNext, it downloads ‘injection.js’ from the Skuld author's GitHub (see the network indicators below), renames it ‘coreinedex.js’ and writes it to\r\nthe Discord path found earlier. This script installs hooks that intercept login, registration and 2FA requests,\r\nPayPal credit additions and email/password changes. Whenever such data is captured, the result is sent to the server in JSON format.\r\nCryptocurrency wallets injection\r\nThe injection targets two cryptocurrency wallets: Exodus and Atomic. 
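Added example, not code from the Acronis report or from the Skuld/TMPN project: an offline triage script in Python that checks a host for the artifacts left by the preparation steps (the Run value, the ms-settings command hijack, the Defender preferences, the blocked vendor sites) and by the Discord client tampering (the patched betterdiscord.asar and the disarmed DiscordTokenProtector config). All inputs are constructed dictionaries and byte strings standing in for registry reads, Get-MpPreference output, the hosts file and the Discord data folder. The hosts-file sinkhole is an assumption, since the report does not say how the sample blocks the vendor sites.

```python
# Added example: offline triage for the host artifacts the report describes.
# Not code from the Acronis report or from the Skuld/TMPN project. All inputs
# are constructed; on a live host they would come from the registry,
# Get-MpPreference, the hosts file and the Discord data folder.
import json

SEP = chr(92)  # one backslash, written as chr(92) so the listing survives JSON escaping

# Indicators taken from the report.
RUN_VALUE_NAME = 'Realtek HD Audio Universal Service'
RUN_PAYLOAD = SEP.join(['Microsoft', 'Protect', 'SecurityHealthSystray.exe'])
MS_SETTINGS_CMD = SEP.join(['Software', 'Classes', 'ms-settings', 'shell', 'open', 'command'])
DEFENDER_TAMPERED = {             # Set-MpPreference settings the sample flips: value after tampering
    'DisableRealtimeMonitoring': True,
    'DisableIOAVProtection': True,
    'DisableScriptScanning': True,
    'DisableIntrusionPreventionSystem': True,
    'MAPSReporting': 0,           # Get-MpPreference reports Disabled as 0
    'SubmitSamplesConsent': 2,    # 2 is NeverSend
}
AV_DOMAINS = {'virustotal.com', 'avast.com', 'malwarebytes.com', 'kaspersky.com',
              'eset.com', 'bitdefender.com'}  # subset of the blocked-site list
TOKEN_PROTECTOR_FLAGS = ('integrity', 'integrity_checkhash',
                         'integrity_checkmodule', 'integrity_checkscripts')


def check_run_key(run_values):
    # run_values: {value name: data} read from the user's CurrentVersion Run key
    return ['Run value %r -> %s' % (name, data) for name, data in run_values.items()
            if name == RUN_VALUE_NAME or RUN_PAYLOAD.lower() in data.lower()]


def check_ms_settings(hkcu_keys):
    # hkcu_keys: {key path relative to HKCU: {value name: data}}. The
    # ms-settings ... command key does not exist in a clean HKCU; the fodhelper
    # bypass creates it with a command in the default value and a DelegateExecute value.
    values = hkcu_keys.get(MS_SETTINGS_CMD)
    if values is None:
        return []
    return ['ms-settings command hijack: default=%r DelegateExecute=%r'
            % (values.get('', ''), values.get('DelegateExecute'))]


def check_defender(prefs):
    # prefs: {property name: value} as returned by Get-MpPreference
    return ['Defender %s = %r' % (k, prefs[k])
            for k, bad in DEFENDER_TAMPERED.items() if prefs.get(k) == bad]


def check_hosts(hosts_text):
    # Assumption: the sample blocks the vendor sites through a hosts-file
    # sinkhole; the report does not say how the block is implemented.
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 2 and parts[0] in ('0.0.0.0', '127.0.0.1'):
            for host in parts[1:]:
                if host.lower().removeprefix('www.') in AV_DOMAINS:
                    hits.append('hosts sinkhole: %s -> %s' % (host, parts[0]))
    return hits


def check_discord_mods(betterdiscord_asar, token_protector_cfg):
    # betterdiscord_asar: bytes of betterdiscord.asar, or None if not installed;
    # token_protector_cfg: parsed DiscordTokenProtector config.json, or None
    hits = []
    if betterdiscord_asar is not None and b'ByHackirby' in betterdiscord_asar:
        hits.append('betterdiscord.asar patched: api/webhooks replaced with ByHackirby')
    if token_protector_cfg is not None:
        off = [f for f in TOKEN_PROTECTOR_FLAGS if token_protector_cfg.get(f) is False]
        if off or token_protector_cfg.get('version') == 69420:
            hits.append('DiscordTokenProtector disarmed: %s version=%r'
                        % (off, token_protector_cfg.get('version')))
    return hits


def triage(a):
    return (check_run_key(a['run']) + check_ms_settings(a['hkcu']) + check_defender(a['defender'])
            + check_hosts(a['hosts']) + check_discord_mods(a['bd_asar'], a['dtp_cfg']))


# Constructed artifacts standing in for an infected host and for a clean one.
INFECTED = {
    'run': {'OneDrive': SEP.join(['C:', 'Users', 'u', 'OneDrive.exe']),
            RUN_VALUE_NAME: SEP.join(['%APPDATA%', RUN_PAYLOAD])},
    'hkcu': {MS_SETTINGS_CMD: {'': SEP.join(['C:', 'Users', 'u', 'AppData', 'Roaming', RUN_PAYLOAD]),
                               'DelegateExecute': ''}},
    'defender': {'DisableRealtimeMonitoring': True, 'DisableIOAVProtection': True,
                 'DisableScriptScanning': True, 'DisableIntrusionPreventionSystem': True,
                 'MAPSReporting': 0, 'SubmitSamplesConsent': 2},
    'hosts': '''# constructed hosts file
127.0.0.1 localhost
0.0.0.0 virustotal.com www.virustotal.com
0.0.0.0 malwarebytes.com''',
    'bd_asar': b'...fetch(url)...ByHackirby...',
    'dtp_cfg': {'auto_start': False, 'integrity': False, 'integrity_checkhash': False,
                'integrity_checkmodule': False, 'integrity_checkscripts': False, 'version': 69420},
}
CLEAN = {'run': {'OneDrive': SEP.join(['C:', 'OneDrive.exe'])}, 'hkcu': {},
         'defender': {'DisableRealtimeMonitoring': False, 'MAPSReporting': 2, 'SubmitSamplesConsent': 1},
         'hosts': '127.0.0.1 localhost', 'bd_asar': b'...api/webhooks...', 'dtp_cfg': None}

if __name__ == '__main__':
    print(json.dumps(triage(INFECTED), indent=2))
```

Each check is independent and returns plain strings, so the pieces can be dropped into an existing collection pipeline one at a time; the Defender check deliberately compares against the tampered value rather than the default, so a preference that is merely unset does not raise a finding.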
For these wallets the sample downloads replacement files with the ‘.asar’ extension (the Electron application archive format these\r\nwallets are built from) containing attacker-controlled code, and writes them over the wallets' own.\r\nSystem information discovery\r\nAfter both injections are done, Skuld starts collecting system information, calling a number of functions that gather\r\nCPU, disk, GPU, network, OS, Windows license key, RAM and other details.\r\nAll this data is saved in JSON format and sent to the server. Besides the raw data, it sets the ‘avatar_url’ field of the webhook message to a link to an image (listed under the network indicators below), which is the avatar shown for the message in the attacker's Discord channel.\r\nBrowsers\r\nThe browser function handles two browser families, depending on their engine: Chromium-based or Gecko-based. The two\r\nfunctions differ in their lists of browser names and profile paths, while the routines that extract logins, cookies, credit\r\ncards, downloads and history are shared by all browsers.\r\nDiscord tokens\r\nTo obtain Discord tokens, Skuld again goes through the browsers and searches their databases for particular strings. The results are\r\npassed to a function that queries the Discord API to check whether the found tokens are valid. All results are saved in\r\nJSON format and sent to the server.\r\nDiscord 2FA codes\r\nDiscord provides backup codes for the case where a user loses access to the 2FA device; the file ‘discord_backup_codes.txt’\r\ncontains them.\r\nThe sample searches for this file in the following user folders: Desktop, Downloads, Documents, Videos, Pictures, Music, OneDrive.\r\nCommon files\r\nThis function searches the same folders (Desktop,\r\nDownloads, Documents, Videos, Pictures, Music, OneDrive) for files whose names contain particular keywords and extensions. 
If both a keyword and an extension match,\r\nthe file is copied to a new folder.\r\nThis folder is then archived with a 16-character random password. The archive is uploaded to the\r\nserver alongside JSON data containing the archive server URL, the password and the number of archived files. The\r\nserver link used in the ‘Upload’ function matches the one in the Skuld source code:\r\n‘https://api.gofile.io/getServer’. This link is invalid, so this sample collects the files but cannot deliver them to the\r\nattacker.\r\nCryptocurrency wallets\r\nTwo functions serve this purpose. The first searches the local system for cryptocurrency wallet files\r\nin the roaming ‘%APPDATA%’ folder; all files found are zipped and sent to the server. The second\r\nlooks for cryptocurrency wallet browser extensions and tries to steal their profiles.\r\nGame session stealer\r\nTo steal game data, Skuld loads a list of six entries: “Epic Games”, “Minecraft”, “Riot Games”, “Uplay”,\r\n“NationsGlory” and “Steam”. Each entry holds the file paths and filenames to search for. The sample copies every file\r\nin this list to a temporary folder and exfiltrates them to the server\r\nas a zip archive.\r\nClipper\r\nFinally, it starts a clipper function, which filters clipboard data against a set of regular expressions. 
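Added example, not code from the Acronis report or from the Skuld/TMPN project: a Python model of the clipper described here (regex matching of clipboard contents and swapping a matched address for the attacker's address of the same type) together with the check that catches it, i.e. a wallet address that was placed on the clipboard and reads back as a different address of the same type. The address patterns, the attacker address and the clipboard events are all constructed; the report does not reproduce the sample's regex list and only confirms that the configuration holds a single BTC address.

```python
# Added example: a model of the clipper and a check that catches it. Not code
# from the Acronis report or from the Skuld/TMPN project; patterns, attacker
# address and clipboard events are constructed.
import re

# Address shapes a clipper of this kind matches (constructed; the sample's own
# regex list is not reproduced in the report). Order matters: first match wins.
ADDRESS_PATTERNS = {
    'btc_legacy': re.compile('^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'),   # P2PKH / P2SH, base58
    'btc_bech32': re.compile('^bc1[a-z0-9]{25,62}$'),                # native segwit
    'eth': re.compile('^0x[0-9a-fA-F]{40}$'),
    'ltc': re.compile('^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$'),
    'xmr': re.compile('^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$'),
}

# Constructed attacker address of the only type the report found in the config.
ATTACKER = {'btc_legacy': '1ConstructedAttackerAddressAAAAAAA'}


def classify(text):
    # Wallet type of a clipboard payload, or None when it is not an address.
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None


def clipper_step(clipboard, attacker=ATTACKER):
    # What the clipper does with one clipboard read: swap a matching address
    # for the attacker's address of the same type, leave everything else alone.
    kind = classify(clipboard)
    if kind in attacker:
        return attacker[kind]
    return clipboard


def detect_swaps(events):
    # events: (text the user placed on the clipboard, text read back later).
    # A clipper shows up as an address replaced by a different address of the
    # same type; ordinary edits and non-address text never trigger this.
    alerts = []
    for placed, read_back in events:
        kind = classify(placed)
        if kind and classify(read_back) == kind and placed.strip() != read_back.strip():
            alerts.append((kind, placed.strip(), read_back.strip()))
    return alerts


# Constructed clipboard traffic: documentation example addresses and plain text
# run through the clipper model, plus one edited non-address control entry.
USER_COPIES = [
    '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2',          # legacy BTC: gets swapped
    'bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq',  # bech32 BTC: no attacker address of this type
    '0x' + 'ab' * 20,                               # ETH: untouched
    'meeting moved to 3pm',                          # not an address
]
EVENTS = [(c, clipper_step(c)) for c in USER_COPIES] + [('hello', 'hello world')]


def alerts_for_sample():
    return detect_swaps(EVENTS)


if __name__ == '__main__':
    for kind, placed, read_back in alerts_for_sample():
        print('clipper swap [%s]: %s -> %s' % (kind, placed, read_back))
```

The detection compares what was placed on the clipboard with what is read back, so it only needs a clipboard listener that records both sides; a sample whose configuration holds only a BTC address, as this one does, leaves ETH and bech32 addresses untouched, and the check reports exactly the one swap.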
These regular expressions match different\r\ncryptocurrency wallet address formats, and on a match the clipboard contents are replaced with the attacker's own wallet address.\r\nThe only attacker address found in the configuration is the BTC address.\r\nConclusion\r\nBuilt from the open-source Skuld project, TMPN stealer carries a BTC wallet address and a Discord webhook URL in its\r\nconfiguration. Nothing else was added to the source code, such as a server to upload files to, so this\r\nsample primarily targets Discord, injecting a JS payload to retrieve emails, passwords and tokens.\r\nDiscord is a popular target not only because it is the most popular communication platform among gamers, but also because it\r\nis widely used in the cryptocurrency community. The stealer can even bypass some Discord plugins that are designed to enhance\r\nsecurity. It can also steal browser data and user files, which may contain credentials, and upload them to the attacker.\r\nIoCs\r\nFiles\r\nloader.exe\r\n5a7e38a45533e0477c3868c49df16d307a3da80b97a27ac4261619ff31a219f8\r\nNetwork indicators\r\nhttps://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js\r\nhttps://discord.com/api/webhooks/1272963856322527274/PGGfe9V7To17wrSy0T7qE8EpNjFXfms2KY4A421gXmXwMcrPdaeG0Z3DB\r\nhttps://i.redd.it/68p07sk4976z.jpg\r\nhttps://api.gofile.io/getServer\r\nSource: https://www.acronis.com/en-sg/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en-sg/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source"
	],
	"report_names": [
		"tmpn-skuld-stealer-the-dark-side-of-open-source"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc071a987c7e9b22ce0d8e8fbfa645a94446cbc7.pdf",
		"text": "https://archive.orkl.eu/dc071a987c7e9b22ce0d8e8fbfa645a94446cbc7.txt",
		"img": "https://archive.orkl.eu/dc071a987c7e9b22ce0d8e8fbfa645a94446cbc7.jpg"
	}
}