{
	"id": "f049fe16-006c-42fa-9ab2-2fa003cbfd23",
	"created_at": "2026-04-06T00:13:05.429849Z",
	"updated_at": "2026-04-10T03:21:16.089913Z",
	"deleted_at": null,
	"sha1_hash": "e76ac447bcf7f67ad127e582264b2f53468fbad1",
	"title": "Immortal Information Stealer | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 538401,
	"plain_text": "Immortal Information Stealer | Zscaler Blog\r\nBy Rajdeepsinh Dodia, Uday Pratap Singh\r\nPublished: 2019-03-15 · Archived: 2026-04-05 20:49:06 UTC\r\nRecently, the Zscaler ThreatLabZ team came across new information-stealer malware called Immortal, which is\r\nwritten in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold\r\non the dark web with different build-based subscriptions. This blog provides an analysis of the data Immortal\r\nsteals from browsers, the files it steals (and the applications it steals from), and what it does with the stolen data.\r\nImmortal starts its infection by creating a directory with a random name in a temp folder. Next, it creates a\r\npassword.log file in \"\\%Temp%\\{Random_DirName}\\password.log”.\r\nImmortal writes the malware name, author’s name, and telegram address of the author in a password.log file.\r\nDate: Current date and time  “MM/dd/yyyy HH:mm:ss”\r\nWindows Username: Username\r\nHWID: MachineGuid\r\nSystem: Operating system name\r\nBrowser info stealing\r\nImmortal steals data from 24 browsers. It steals stored credentials, cookies, credit card data, and autofill data from\r\nthe targeted browsers.\r\nWhen the user saves a username and password in the targeted browser, it stores the data in a “Login Data” file in\r\nan SQLite database format, and the browser-stored cookie information in the “Cookies” file. It also stores autofill\r\ndata, credit card data, and other web information in the “Web Data” file. 
Below are the file paths for those files:\r\n“\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Login Data”\r\n“\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Web Data”\r\n“\\%AppData%\\Local\\{Browser}\\User Data\\Default\\Cookies”\r\nList of targeted browsers:\r\nhttps://www.zscaler.com/blogs/research/immortal-information-stealer\r\nPage 1 of 10\n\nChrome\r\nYandex\r\nOrbitum\r\nOpera\r\nAmigo\r\nCentBrowser\r\nTorch\r\nComodo\r\nGo!\r\nChromePlus\r\nUran\r\nBlackHawk\r\nCoolNovo\r\nAcWebBrowser\r\nEpic Browser\r\nBaidu Spark\r\nRockmelt\r\nSleipnir\r\nSRWare Iron\r\nTitan Browser\r\nFlock\r\nVivaldi\r\nSputnik\r\nMaxthon\r\nCredential stealing\r\nThe malware fetches credentials from the “Login Data” file and stores them in the password.log file as per the\r\nformat below: Path: ” \\%Temp%\\{Random_DirName}\\password.log”.\r\nSiteUrl: Website URL\r\nLogin: Username\r\nPassword: Password\r\nProgram: Targeted browser\r\nCookie stealing\r\nImmortal fetches cookie data from the cookies file and stores it in {Browsername}_cookies.txt file.\r\nPath: “\\%Temp%\\{Random_DirName}\\Cookies\\{Browsername_cookies.txt}\". The format is shown below.\r\nCredit card data\r\nImmortal fetches credit card data from the “Web Data” file and stores it in the {Browsername}_CC.txt file.\r\nPath: “\\%AppData%\\{Random_DirName}\\CC\\{Browsername_CC.txt}”. The format is shown below.\r\nAutofill data\r\nThe autofill feature of a browser allows the user to store commonly entered information in web forms. This\r\ninformation might include username, email, password, address, and credit card information. So, when the user\r\nopens a web page, it will automatically fill in the information already saved by the browser. 
The autofill\r\ninformation is stored in the “Web Data” file.\r\nImmortal fetches autofill data from the “Web Data” file and stores it in the {Autofill}_CC.txt file.\r\nPath: “\\%AppData%\\{Random_DirName}\\Autofill\\{Browsername_Autofill.txt}”. The format is shown below.\r\nFile stealing\r\nImmortal steals files from many different applications. The details are below.\r\nMinecraft launchers\r\nThe malware steals user data files and sessions from Minecraft launcher applications. The malware copies those\r\napplications' files into “%Temp%\\{Random_DirName}\\Applications\\{AppName}\\”. The following is a list of the\r\napplications:\r\nMinecraftOnly\r\nMcSkill\r\nLavaCraft\r\nMinecraftLauncher\r\nVimeWorld\r\nRedServer\r\nSteam\r\nThe malware steals files for the Steam application. Steam is an application for playing, discussing, and creating\r\ngames. The files stolen by Immortal are as follows:\r\nSSFN (2 files)\r\nVDF files from the config folder\r\nConfig.vdf\r\nloginusers.vdf\r\nTelegram and Discord\r\nImmortal also steals session-related files from Telegram and Discord. Telegram is a cloud-based instant messaging\r\nand voice over IP service. Discord is the cross-platform voice and text chat application designed to help gamers\r\ntalk to each other in real time. Immortal copies those files into “%Temp%\\{Random_Name}\\Applications\\\r\n{AppName}\\”.\r\nFile Path:\r\n%AppData%\\Telegram Desktop\\tdata\\D877F783D5D3EF8C1\\\r\n%AppData%\\Telegram Desktop\\tdata\\D877F783D5D3EF8C1\\map0\r\n%AppData%\\Telegram Desktop\\tdata\\D877F783D5D3EF8C1\\map1\r\n%AppData%\\discord\\\\Local Storage\\\\https_discordapp.com_0.localstorage\r\nFileZilla\r\nImmortal steals files that contain FileZilla credentials. FileZilla is a known FTP tool used for file transfer. 
The\r\nmalware copies the below files into “\\%Temp%\\{Random_DirName}\\FileZilla\\”.\r\n\\%AppData%\\Filezilla\\recentservers.xml\r\n\\%AppData%\\Filezilla\\sitemanager.xml\r\nBitcoin-Qt wallet\r\nImmortal steals wallet.dat files from Bitcoin-Qt, a free and open-source Bitcoin wallet software. Below is a\r\nscreenshot of the code for fetching the wallet path from the registry. The malware copies the wallet.dat file in\r\n“%Temp%\\{Random_DirName}\\”.\r\nDesktop files\r\nImmortal also goes through every file in the desktop folder on the victim’s system. It steals extension files (listed\r\nbelow) and copies them into “%Temp%\\{Random_DirName}\\Files\\”.\r\nTxt\r\nLog\r\nDoc\r\nDocx\r\nsql\r\nScreenshot \u0026 Webcam\r\nImmortal takes a screenshot of the desktop of the infected system and saves it in “\\%AppData%\\\r\n{Random_DirName}\\desktop.jpg”. It also captures a webcam snapshot and saves in it “\\%AppData%\\\r\n{Random_DirName}\\CamPicture.jpg”.\r\n \r\nNetwork communication\r\nThe malware stores all the stolen data in the directory “\\%Temp%\\{Random_DirName}\\”. After that, it\r\ncompresses all the files in a ZIP archive and saves the compressed file in \\%Temp%\\{Random_filename}.zip.\r\nFurther, it sends {Random_filename}.zip to its command-and-control server as shown below. It also deletes the\r\n“\\%Temp%\\{Random_DirName}\\” before sending the ZIP file.\r\nUser = User name\r\nHwid = MachineGuid\r\nAt the time of analysis, the command \u0026 control panel for this stealer was live.\r\nWe found the Immortal stealer being advertised and sold with different build-based subscriptions. The following is\r\na screenshot of a page that describes all of Immortal's functionality and cost per build. 
A per-post price for one\r\nbuild is $30.\r\nIOCs\r\nMd5: 1719ff4ff267ef598a1dcee1d5b68667\r\nDownloading URL : www.appleidservice[.]jp/stealer/files/svhost.exe\r\nNetworkURL: www.appleidservice[.]jp/stealer/files/upload.php\r\nSource: https://www.zscaler.com/blogs/research/immortal-information-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/immortal-information-stealer"
	],
	"report_names": [
		"immortal-information-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e76ac447bcf7f67ad127e582264b2f53468fbad1.pdf",
		"text": "https://archive.orkl.eu/e76ac447bcf7f67ad127e582264b2f53468fbad1.txt",
		"img": "https://archive.orkl.eu/e76ac447bcf7f67ad127e582264b2f53468fbad1.jpg"
	}
}