{
	"id": "7537dd40-335c-43b1-8f6f-97b736266e5a",
	"created_at": "2026-04-06T00:21:39.393551Z",
	"updated_at": "2026-04-10T03:37:08.632486Z",
	"deleted_at": null,
	"sha1_hash": "eafcc6e472bceec12f64b325bd9ce261b94cdcdb",
	"title": "Inside Valkyrie Stealer Features, Evasion \u0026 Operator Profile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4495777,
	"plain_text": "Inside Valkyrie Stealer Features, Evasion \u0026 Operator Profile\r\nBy m.farghaly\r\nPublished: 2025-11-25 · Archived: 2026-04-05 13:15:45 UTC\r\nWhat Is Valkyrie Stealer?\r\nValkyrie Stealer is a C++ infostealer designed to collect credentials, system information, browser data, messaging-app sessions, and other user assets from Windows systems. It features a modular architecture, encrypted exfiltration, and evasion techniques to avoid detection in analysis environments.\r\nAll collected data is accessible through a web-based control panel, where users of the stealer can manage infections and stolen data.\r\nStealer Capabilities and Functionality\r\nValkyrie Stealer is a multi-stage, modular data-theft framework designed to harvest a wide range of sensitive information from compromised Windows systems. Its capabilities span environment reconnaissance, credential harvesting, browser data extraction, messaging-app session theft, game-account data collection, cryptocurrency-wallet theft, screenshot capture, and multi-layered exfiltration with encryption.\r\nPacking \u0026 Protection\r\nThe main executable is protected with Themida, which provides heavy anti-debugging, anti-tampering, and import-table obfuscation.\r\nhttps://www.dexpose.io/inside-valkyrie-stealer-capabilities-evasion-techniques-and-operator-profile/\r\nPage 1 of 27\n\nPayload Encryption\r\nThe browser-stealing payload DLL is embedded in the executable’s resources, encrypted with ChaCha20, and decrypted at runtime for reflective loading.\r\nAnti-VM Techniques\r\nBefore execution, Valkyrie performs numerous checks to detect virtualization, sandboxes, analysis tools, and low-resource systems.
This includes process checks, registry inspection, hardware/resource validation, blacklist comparisons (MAC/IP/HWID), screen resolution checks, and a 3-minute watchdog timer.\r\nBrowser Data Theft\r\nThe injected payload targets Chromium-based browsers (Chrome, Edge, Brave) by recovering the AES master key and parsing profile databases with an internal SQLite engine.\r\nDiscord and Telegram Theft\r\nValkyrie Stealer targets both Discord and Telegram, including Discord Stable, Canary, and PTB, as well as browser-based Discord sessions.\r\nGame Account Harvesting\r\nValkyrie targets a large list of supported games and launchers.\r\nCryptocurrency Wallet Theft\r\nIt targets several desktop and browser wallets such as MetaMask, Exodus, Atomic Wallet and Electrum.\r\nSystem Profiling \u0026 Screenshot Capture\r\nThe malware collects detailed system information (hardware, OS version, disk, RAM, network data, etc.) and captures a full-screen desktop screenshot.\r\nData Packaging, Encryption \u0026 Exfiltration\r\nAll stolen data is compressed into a ZIP archive and encrypted using AES-GCM. For C2 resolution, Valkyrie dynamically retrieves its primary server from a Steam profile and uses a fallback domain if needed. Exfiltration occurs via an HTTP POST request to /api/log with encrypted payloads and system metadata.\r\nOverview of the Developer Behind Valkyrie\r\nThe Valkyrie Stealer’s publicly identified developer, operating under the alias “Lawxsz”, maintains an active multi-platform presence including Telegram, Discord, Signal, GitHub, and YouTube, using these platforms for distribution, support, updates, marketing, and customer communication. He is also publicly associated with the development of the Prysmax Stealer, a malware-as-a-service product marketed under the name “Prysmax Software.”\r\nAccording to a Cyfirma report, Lawxsz has been active since at least late 2022.
His early activity centered around developing and selling RATs and botnet services through Telegram before expanding into a full malware-as-a-service model with the launch of Prysmax Stealer in mid-2023.\r\nTelegram Channels \u0026 Community\r\nTelegram is used by Lawxsz for sales, customer support, announcements, and community updates, with multiple dedicated channels serving specific operational roles such as direct communication, product updates, development progress, infrastructure notices, and marketing showcases.\r\nLawxsz’s Personal Telegram\r\nHis primary personal account, used for direct customer communication, private sales negotiations, and one-to-one support.\r\nPrysmax Software [2025] Channel\r\nMain customer-facing update channel for Prysmax Software. Used to announce official version updates, feature additions, performance improvements, and operational enhancements.\r\nLawxsz Dev Channel\r\nUsed to publish development updates on the actor’s ongoing malware and tooling projects.\r\nPrysmax Software\r\nActs as the infrastructure and migration alert channel.
Used for posting channel-move notifications, alternate links, and availability information.\r\nPrysmax Showcase\r\nMarketing and demonstration channel used to publish video demonstrations, proof-of-capability content, and feature highlights.\r\nGitHub Activity\r\nThe actor is highly active in the development and distribution of offensive security tools. Their GitHub profile serves as a central repository for open-source malware and a wide range of offensive tooling.\r\nThe actor’s repositories focus on offensive tooling such as Python-based stealers, keyloggers, wallet extractors, Telegram/Discord exfiltration tools, antivirus-evasion scripts, VM-detection utilities, phishing kits, and RAT builders.\r\nYouTube Presence\r\nLawxsz uses YouTube as a marketing and “proof-of-concept” platform to demonstrate the capabilities of his malware projects.\r\nThe channel serves as a public showcase where he demonstrates his stealer’s capabilities, posting short clips highlighting its ability to evade AVs and remain FUD on VirusTotal to attract buyers and reinforce the credibility of his tools.\r\nThe Valkyrie_all channel carries the official announcements for the Valkyrie Stealer family.\r\nThe Prysmax Software channel focuses on showcasing the operational effectiveness of the Prysmax malware suite to potential buyers. The content provides proof-of-concept demonstrations of its evasion capabilities.\r\nAdditional Contact Methods\r\nIn addition to the actor’s publicly listed YouTube, GitHub, and Telegram channels, he also provided several alternative contact methods for direct communication.
These include:\r\nSession: 0586a4a58c17370c9b48d06d3f6ea525f257c5f3e750d7bdbb9fd265dce6bce140\r\nDiscord: lawxszoficialx12\r\nSignal: lawxsz.01\r\nSignal Group: hxxps[://]signal[.]group/#CjQKIOYshgWCkhcqRgqdNDXvu9hW5V6bcGikvnpwWiBC8uvPEhDxK9NggZS8RpSRePJgui\r\nWebsite: hxxps[://]prysmax[.]site\r\nActor Claims \u0026 Intent\r\nDuring direct communication with the actor, he claimed to be developing a new sideloading-based crypter designed to leverage EV code-signing certificates to remain fully undetectable by SmartScreen, web browsers, and EDR/AV solutions.\r\nHe additionally stated that the lifetime version of the stealer, bundled with limited access to the crypter, is priced at $400, and that this package includes remote access capabilities. According to the actor, the crypter is optional but strongly recommended for professional or large-scale campaigns.\r\nNote: These claims have not been independently verified, but they offer useful context around the actor’s development plans and intended capabilities.\r\nThemida Protection Layer\r\nValkyrie Stealer is protected with Themida/WinLicense v2.x, a commercial software protector designed to prevent reverse engineering and analysis. It encrypts and compresses the binary, obfuscates the import table, applies polymorphism, and implements extensive anti-debugging techniques.\r\nOnly one API is visible in the import table of the protected binary.\r\nThere are several ways to remove the Themida protection layer; the most common is to allow the malware to fully unpack itself in memory, then dump the real executable using tools like Scylla or pe-sieve.\r\nIn this analysis I will use the Unlicense tool.
Unlicense is a dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.\r\nEvasion Techniques\r\nValkyrie Stealer employs a series of anti-VM and anti-analysis checks designed to detect virtualized or sandboxed environments before execution, so that it never runs its payload inside a controlled environment.\r\nWatchdog Timer (3-Minute Hard Kill)\r\nValkyrie Stealer uses a watchdog thread that forcefully terminates the process if execution takes longer than three minutes (e.g., because the sample is being stepped through in a debugger).\r\nFirst it reads the high-resolution performance counter and converts it into a monotonic nanosecond timestamp, then adds 180000000000 (180 billion ns = 180 seconds = 3 minutes) to set the deadline.\r\nThe watchdog waits in a loop using Sleep(), recalculating the time remaining until the deadline. Once the three-minute deadline expires, the watchdog logs a hard-kill message and forcibly terminates the process using TerminateProcess(). When debugging, this thread has to be neutralized (for example by patching the deadline or suspending the thread), otherwise the process exits before the stealer logic is reached.\r\nInitialize Anti-VM Indicators\r\nNext it builds an anti-VM, anti-sandbox, anti-debugger signature table and stores it inside the object at a1.
It fills the structure with strings and signatures matching popular virtualization platforms, sandbox environments, and debugging tools. These signatures are later used to detect analysis environments at runtime.\r\nAnti-VM Strings and Signatures:\r\nollydbg\r\nidaq\r\nida64\r\nwindbg\r\nx32dbg\r\nx64dbg\r\nghidra\r\ncheatengine\r\ndnspy\r\nimmunity\r\npestudio\r\ndumpcap\r\nprocmon\r\nregmon\r\nfilemon\r\nprocesshacker\r\ntcpview\r\nfiddler\r\nvolatility\r\napimonitor\r\nwireshark\r\nvmsrvc\r\nvmusrv\r\ndf5serv\r\ntrio\r\ntqos\r\nvmtoolsd\r\nvboxtray\r\nkvmsrvc\r\nxenservice\r\nvboxservice\r\nvmware\r\nanyrun\r\ntriage\r\ncuckoo\r\nsample\r\nsandboxie\r\nqemud\r\nxen\r\nSOFTWARE\\Oracle\\VirtualBox Guest Additions\r\nSOFTWARE\\VMware, Inc.\\VMware Tools\r\nSYSTEM\\ControlSet001\\Services\\VBoxGuest\r\nSYSTEM\\ControlSet001\\Services\\VBoxMouse\r\nSYSTEM\\ControlSet001\\Services\\VBoxService\r\nSYSTEM\\ControlSet001\\Services\\VBoxSF\r\nSYSTEM\\ControlSet001\\Services\\VBoxVideo\r\nHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\r\nHARDWARE\\Description\\System\r\nCheck Processes for VM environment\r\nValkyrie performs process-based VM detection by enumerating all running processes using CreateToolhelp32Snapshot, followed by Process32First and Process32Next to iterate through them. It then checks each process name against two signature lists stored inside a1:\r\nList 1 (a1 + 8 → a1 + 16): sandbox / VM processes\r\nList 2 (a1 + 32 → a1 + 40): debugger / analysis tools\r\nIf any match is found, it returns 1, indicating a VM/analysis environment.\r\nCheck Registries for VM environment\r\nNext Valkyrie iterates over a hardcoded list of registry paths stored between a1 + 56 and a1 + 64.
It attempts to open every key in the list under HKEY_LOCAL_MACHINE using RegOpenKeyExA, and if the key exists, it queries specific values (Identifier \u0026 SystemProductName) to retrieve identifying strings.\r\nThese values are then converted to lowercase and compared against “vbox”, “virtual”, “vmware”, “qemu”, and “xen”. If any queried value contains one of these substrings, the malware raises a VM-detection flag, records the corresponding artifact and returns 1.\r\nScreen resolution check\r\nNext, it checks the screen resolution using GetSystemMetrics. If the display width is below 800 pixels or the height is below 600 pixels, it logs “Small screen: \u003cwidth\u003e x \u003cheight\u003e”.\r\nTriage wallpaper detection\r\nThe function uses SystemParametersInfoA and GetFileAttributesExA to retrieve the current wallpaper path and read its file metadata. From the resulting WIN32_FILE_ATTRIBUTE_DATA structure, the malware reconstructs the wallpaper’s file size by combining nFileSizeHigh and nFileSizeLow, and then compares the 64-bit value against the constant 0x60EB. During testing, the default Triage wallpaper was found to be 24811 bytes (0x60EB), confirming that the malware specifically fingerprints Triage environments through this file-size signature. Replacing the default wallpaper on the analysis VM is enough to defeat this particular check.\r\nCPU core count \u0026 RAM check\r\nNext it checks the system hardware to detect low-resource sandbox environments. It first retrieves the CPU core count using GetSystemInfo; if the system reports fewer than two cores, it logs “Low CPU Cores”. It then calls GlobalMemoryStatusEx to obtain the amount of physical RAM.
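The checks in this section (process and registry signatures, screen size, the Triage wallpaper size, the core and RAM thresholds) together with the MAC/IP/HWID blacklist lookups the section goes on to describe are easiest to reason about as one evaluator that a sandbox operator can run against a description of their own VM. The following Python is an added example written for this edit, not code from the article or from the sample. Signature strings and thresholds are the ones the article reports; the host description format, the blacklist contents, the assumption that process names are matched by substring, and the MAC normalization form (upper-case, colon-separated) are assumptions made for the example.

```python
import re

# Signature table reproduced from the analysis above (process-name substrings)
ANALYSIS_TOOLS = ('ollydbg', 'idaq', 'ida64', 'windbg', 'x32dbg', 'x64dbg', 'ghidra',
                  'cheatengine', 'dnspy', 'immunity', 'pestudio', 'dumpcap', 'procmon',
                  'regmon', 'filemon', 'processhacker', 'tcpview', 'fiddler', 'volatility',
                  'apimonitor', 'wireshark')
VM_PROCESSES = ('vmsrvc', 'vmusrv', 'df5serv', 'trio', 'tqos', 'vmtoolsd', 'vboxtray',
                'kvmsrvc', 'xenservice', 'vboxservice', 'vmware', 'anyrun', 'triage',
                'cuckoo', 'sample', 'sandboxie', 'qemud', 'xen')
VM_REGISTRY_SUBSTRINGS = ('vbox', 'virtual', 'vmware', 'qemu', 'xen')
TRIAGE_WALLPAPER_SIZE = 0x60EB  # 24811 bytes, the default Triage wallpaper

def normalize_mac(mac):
    # Assumption: normalization means upper-case hex pairs, colon-separated, whatever the input form
    digits = re.sub('[^0-9A-Fa-f]', '', mac).upper()
    return ':'.join(digits[i:i + 2] for i in range(0, len(digits), 2))

def evaluate_host(host, blacklists):
    # host: attributes a VM exposes; blacklists: the three downloaded lists.
    # Returns the messages Valkyrie would log, i.e. the checks this host trips.
    hits = []
    for proc in host['processes']:
        name = proc.lower()
        # Assumption: substring match (the table holds bare names such as 'xen' and 'sample')
        if any(sig in name for sig in VM_PROCESSES):
            hits.append('VM process: ' + proc)
        elif any(sig in name for sig in ANALYSIS_TOOLS):
            hits.append('Analysis tool: ' + proc)
    for path, value in host['registry'].items():
        if any(sig in value.lower() for sig in VM_REGISTRY_SUBSTRINGS):
            hits.append('VM registry artifact: ' + path + ' = ' + value)
    width, height = host['screen']
    if width < 800 or height < 600:
        hits.append('Small screen: %d x %d' % (width, height))
    if host['wallpaper_size'] == TRIAGE_WALLPAPER_SIZE:
        hits.append('Triage wallpaper (0x60EB bytes)')
    if host['cpu_cores'] < 2:
        hits.append('Low CPU Cores')
    if host['ram_mb'] < 2048:
        hits.append('Low RAM')
    bad_macs = {normalize_mac(m) for m in blacklists['mac']}
    mac_hit = [m for m in host['macs'] if normalize_mac(m) in bad_macs]
    ip_hit = host['public_ip'] in set(blacklists['ips'])
    if mac_hit:
        hits.append('Blacklisted MAC: ' + mac_hit[0])
    if ip_hit:
        hits.append('Blacklisted IP: ' + host['public_ip'])
    # The HWID lookup (wmic csproduct get uuid) only runs when MAC and IP both pass
    bad_hwids = {h.upper() for h in blacklists['hwid']}
    if not mac_hit and not ip_hit and host['hwid'].upper() in bad_hwids:
        hits.append('Blacklisted HWID: ' + host['hwid'])
    return hits

# Constructed inputs: a stock VirtualBox analysis VM and a hardened one. The blacklist
# entries are invented, not the contents of the real lists. Registry paths use forward
# slashes here only to keep the sample free of escape sequences.
CONSTRUCTED_BLACKLISTS = {
    'mac': ['08:00:27:aa:bb:cc', '00-50-56-11-22-33'],
    'ips': ['203.0.113.10'],
    'hwid': ['4C4C4544-0000-2010-8020-80C04F202020'],
}
STOCK_VM = {
    'processes': ['explorer.exe', 'VBoxService.exe', 'x64dbg.exe'],
    'registry': {'HARDWARE/Description/System:SystemProductName': 'VirtualBox'},
    'screen': (1024, 768), 'wallpaper_size': 0x60EB,
    'cpu_cores': 1, 'ram_mb': 1024,
    'macs': ['08-00-27-AA-BB-CC'], 'public_ip': '198.51.100.7',
    'hwid': '12345678-1234-1234-1234-123456789ABC',
}
HARDENED_VM = {
    'processes': ['explorer.exe', 'svchost.exe'],
    'registry': {'HARDWARE/Description/System:SystemProductName': 'OptiPlex 7090'},
    'screen': (1920, 1080), 'wallpaper_size': 123456,
    'cpu_cores': 4, 'ram_mb': 8192,
    'macs': ['D4-BE-D9-12-34-56'], 'public_ip': '198.51.100.7',
    'hwid': '12345678-1234-1234-1234-123456789ABC',
}

if __name__ == '__main__':
    for label, host in (('stock VM', STOCK_VM), ('hardened VM', HARDENED_VM)):
        print(label, '->', evaluate_host(host, CONSTRUCTED_BLACKLISTS) or ['no checks tripped'])
```

Run it after populating the host dictionary from your own sandbox (process list, the two registry values, resolution, wallpaper size, cores, RAM, adapter MACs, egress IP and csproduct UUID); any non-empty result is a check to fix before the sample will run. Note that the HWID lookup is only reached when the MAC and IP checks both pass, which mirrors the ordering described in the text.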
If the total memory is below 2048 MB (2 GB), the malware logs “Low RAM”.\r\nNext Valkyrie downloads three files from the Lawxsz/vm-blacklist repository:\r\nhxxps[://]raw[.]githubusercontent[.]com/Lawxsz/vm-blacklist/main/mac[.]txt\r\nhxxps[://]raw[.]githubusercontent[.]com/Lawxsz/vm-blacklist/main/ips[.]txt\r\nhxxps[://]raw[.]githubusercontent[.]com/Lawxsz/vm-blacklist/main/hwid[.]txt\r\nThese lists, maintained by Lawxsz (the malware author), are used as part of Valkyrie’s virtual-machine and sandbox-detection system, allowing the malware to identify whether it is running inside an analysis environment, cloud provider, or any other system that Lawxsz intends to exclude from infection.\r\nFirst it enumerates all network adapters via GetAdaptersInfo, normalizes each adapter’s MAC address, and compares it against the downloaded mac.txt blacklist. Next it obtains its external IP by querying https://api.ipify.org, then compares the result against the downloaded ips.txt blacklist.\r\nIf both the MAC and IP checks pass, the malware performs a final hardware-based validation. It runs:\r\nwmic csproduct get uuid\r\nand the resulting UUID is extracted and compared against the downloaded hwid.txt blacklist.\r\nBrowser-Stealing Payload\r\nValkyrie contains a browser detection routine designed to discover installed Chromium-based browsers by inspecting their registry installation paths.
It first prepares an internal list of browser signatures (Chrome, Edge, Brave) containing both the display name and the expected executable name.\r\nFor each browser it queries two known App Paths registry locations:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths\\\r\nIt opens the corresponding key and queries it for the full path of the browser’s executable. If none of the targeted browsers are found, the stealer skips the browser-extraction routine.\r\nValkyrie’s browser data extraction is carried out by a payload DLL embedded in the resources. It starts by loading the DLL from the embedded resource (type 0xA, RT_RCDATA) using:\r\nFindResourceW(ModuleHandleA, Name, 0xA);\r\nLoadResource();\r\nLockResource();\r\nSizeofResource();\r\nBefore the DLL can be reflectively loaded into memory, Valkyrie decrypts it using a ChaCha20 routine.\r\nThe key bytes are taken directly from the memory region beginning at qword_7FF7C7A56048. That region consists of four consecutive qwords stored in little-endian, forming a 32-byte key:\r\n4D9F8B73 6455271B\r\n4677798C 677D4A58\r\n95CD5754 0C4E6BBE\r\n947C6647 217EDE18\r\nThe nonce is formed from the next qwords (qword_7FF7C7A56068): the full 8 bytes of 0x544A2D8D6278514A, and the lower 4 bytes of 0x503CE588, producing a standard 12-byte IETF ChaCha20 nonce. (The final qword, 0x0, is not used.)\r\nOnce the key and nonce are assembled, they serve as input for the ChaCha20 block function.
For each 64-byte block of the payload, the malware increments a block counter and calls this function to generate a 64-byte keystream.\r\nThe ChaCha20 core is implemented manually inside the binary: it loads the standard constant “expand 32-byte k”, expands the 256-bit key, combines it with the nonce and counter, and performs 20 rounds of ChaCha quarter-round operations. The final 64-byte state is then serialized to produce the keystream block.\r\nAfter generating the keystream, the malware applies it to the payload through a vectorized XOR routine. The operation is optimized using SSE instructions to process 64 bytes at a time, with a fallback to byte-wise XOR for short or partially aligned regions.\r\nThe payload can be extracted from the resource section using a tool such as Resource Hacker.\r\nOnce the payload is extracted, it needs to be decrypted. I’ve written a script to perform the decryption (it needs pycryptodome for Crypto.Cipher.ChaCha20):\r\n# python decrypt_payload.py PAYLOAD_DLL.bin\r\nimport sys\r\nfrom pathlib import Path\r\nfrom Crypto.Cipher import ChaCha20\r\n\r\n# Key/nonce qwords as laid out in memory from qword_7FF7C7A56048 onwards\r\nq0 = 0x4D9F8B736455271B\r\nq1 = 0x4677798C677D4A58\r\nq2 = 0x95CD57540C4E6BBE\r\nq3 = 0x947C6647217EDE18\r\nq4 = 0x544A2D8D6278514A\r\nq5 = 0x00000000503CE588\r\nq6 = 0x0  # present in memory but unused\r\n\r\ndef qword_to_bytes_le(q):\r\n    return q.to_bytes(8, 'little')\r\n\r\ndef build_key_and_nonce():\r\n    # four little-endian qwords -> 32-byte key; 8 bytes of q4 + low 4 bytes of q5 -> 12-byte nonce\r\n    key = b''.join(qword_to_bytes_le(q) for q in (q0, q1, q2, q3))\r\n    q4_bytes = qword_to_bytes_le(q4)\r\n    q5_bytes = qword_to_bytes_le(q5)\r\n    nonce = q4_bytes + q5_bytes[:4]\r\n    return key, nonce\r\n\r\ndef decrypt_file(input_path):\r\n    data = Path(input_path).read_bytes()\r\n    key, nonce = build_key_and_nonce()\r\n    print(\"Key (hex):\", key.hex())\r\n    print(\"Nonce (hex):\", nonce.hex())\r\n    print(\"Resource size:\", len(data))\r\n    # ChaCha20 IETF: 12-byte nonce, counter default 0\r\n    cipher = ChaCha20.new(key=key, nonce=nonce)\r\n    dec = cipher.decrypt(data)\r\n    outp = Path(\"payload_decrypted.dll\")\r\n    outp.write_bytes(dec)\r\n    print(\"Wrote decrypted file:\", outp)\r\n    if dec[:2] == b'MZ':\r\n        print(\"SUCCESS: decrypted file has 'MZ' header.\")\r\n        e_lfanew = int.from_bytes(dec[0x3C:0x40], 'little')\r\n        if e_lfanew + 4 \u003c len(dec) and dec[e_lfanew:e_lfanew+4] == b'PE\\x00\\x00':\r\n            print(\"PE header found\")\r\n        else:\r\n            print(\"MZ present but PE header not found where expected.\")\r\n    else:\r\n        print(\"No MZ header found\")\r\n\r\nif __name__ == \"__main__\":\r\n    if len(sys.argv) \u003c 2:\r\n        print(\"Usage: python decrypt_payload.py PAYLOAD_DLL.bin\")\r\n        sys.exit(1)\r\n    decrypt_file(sys.argv[1])\r\nThen it parses the payload’s PE header, scans the DLL exports for “ReflectiveLoader” and allocates memory inside the target browser’s process (e.g., chrome.exe). This injection is performed specifically to bypass App-Bound Encryption (ABE) by executing within the trusted application’s context.
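To make the decryption independent of pycryptodome and to mirror what the binary does internally, the following pure-Python ChaCha20 is an added example written for this edit; it is not code from the article or from the sample. It assembles the key and nonce from the qwords listed above exactly as the script does, implements the 20-round block function the section describes (constant words, key, counter, nonce, serialized little-endian), checks itself against the RFC 8439 block-function test vector, and then decrypts a constructed stand-in for the encrypted resource. The MZ stub used as that stand-in and the decrypt_resource helper are assumptions for illustration, not material from the sample.

```python
import struct

# Key/nonce qwords as they sit in memory (values from the analysis above)
KEY_QWORDS = (0x4D9F8B736455271B, 0x4677798C677D4A58,
              0x95CD57540C4E6BBE, 0x947C6647217EDE18)
NONCE_QWORDS = (0x544A2D8D6278514A, 0x00000000503CE588)
MASK = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # 'expand 32-byte k'

def build_key_and_nonce(key_qwords=KEY_QWORDS, nonce_qwords=NONCE_QWORDS):
    # Four little-endian qwords form the 32-byte key; all 8 bytes of the fifth
    # qword plus the low 4 bytes of the sixth form the 12-byte IETF nonce.
    key = b''.join(q.to_bytes(8, 'little') for q in key_qwords)
    nonce = nonce_qwords[0].to_bytes(8, 'little') + nonce_qwords[1].to_bytes(8, 'little')[:4]
    return key, nonce

def _rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    # 16-word state: 4 constants, 8 key words, 1 counter word, 3 nonce words (RFC 8439)
    state = list(CONSTANTS) + list(struct.unpack('<8I', key))
    state.append(counter & MASK)
    state.extend(struct.unpack('<3I', nonce))
    work = state[:]
    for _ in range(10):  # 10 double rounds == 20 rounds
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    # Add the input state back in and serialize little-endian: one 64-byte keystream block
    return struct.pack('<16I', *[(w + s) & MASK for w, s in zip(work, state)])

def chacha20_xor(key, nonce, data, counter=0):
    # Stream cipher: one keystream block per 64 bytes, counter incremented per block.
    # Encryption and decryption are the same XOR.
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)

def selftest_rfc8439():
    # Block-function test vector from RFC 8439 section 2.3.2 (key 00..1f, counter 1)
    key = bytes(range(32))
    nonce = bytes.fromhex('000000090000004a00000000')
    return chacha20_block(key, 1, nonce)[:16].hex()  # expected 10f1e7e4d13b5915500fdd1fa32071c4

def decrypt_resource(blob, counter=0):
    # Decrypt an extracted RCDATA blob with the sample's key/nonce and report whether
    # the result starts with a DOS header. Counter 0 matches the article's script; if a
    # dump decrypts to garbage, the initial counter is the first knob to try.
    key, nonce = build_key_and_nonce()
    plain = chacha20_xor(key, nonce, blob, counter)
    return plain, plain[:2] == b'MZ'

def make_fake_encrypted_resource():
    # Constructed stand-in for the encrypted resource: an MZ stub with e_lfanew = 0x40 and a
    # PE signature there, encrypted with the sample's key/nonce. Not taken from the sample.
    stub = bytearray(b'MZ' + bytes(0x3A))
    stub[0x3C:0x40] = (0x40).to_bytes(4, 'little')
    stub += b'PE' + bytes(2) + bytes(60)
    key, nonce = build_key_and_nonce()
    return chacha20_xor(key, nonce, bytes(stub))

if __name__ == '__main__':
    assert selftest_rfc8439() == '10f1e7e4d13b5915500fdd1fa32071c4'
    plain, is_pe = decrypt_resource(make_fake_encrypted_resource())
    print('key:', build_key_and_nonce()[0].hex())
    print('decrypted MZ header present:', is_pe)
```

The self-test against the RFC vector is the important part: a hand-rolled ChaCha20 that silently disagrees with the standard (wrong rotation constants, wrong round order, big-endian serialization) produces keystream that looks random but decrypts nothing, so verify the primitive before blaming the extracted key material.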
The decrypted DLL is injected with a named-pipe parameter used for communication between the stealer and the injected payload.\r\nPayload Hash:\r\n5ddcf2c1bed21ccf60a5c9a42aafad7fd1e9596fee8f50bfa82b9d6ba23abb7e\r\nThe payload implements a complete browser-data extraction workflow that targets Chromium-based browser profiles located under the user’s Local AppData directory.\r\nIt begins by resolving the Local AppData path using the SHGetKnownFolderPath API with the GUID F1B32785-6FBA-4FCF-9D55-7B8E7F157091 (FOLDERID_LocalAppData), which corresponds to the path %USERPROFILE%\\AppData\\Local.\r\nOnce this directory is resolved, the payload constructs the full filesystem path to the browser’s “Local State” file. This file contains the encrypted_key field, a DPAPI-protected blob holding the AES key the browser uses to encrypt passwords, cookies, and other records.\r\nAfter recovering the AES key, the malware enumerates all available browser profiles beneath the “User Data” directory. For each profile, it constructs paths to the browser’s SQLite databases.\r\nOnce a database path is built, the malware converts it into a URI of the form file:\u003cpath\u003e?nolock=1.\r\nThe URI is passed into the malware’s internal SQLite engine, an embedded implementation compiled directly into the payload. Valkyrie does not depend on the system’s sqlite3.dll; instead, it includes a full SQLite implementation with its own collations, virtual-table support, and initialization routines.\r\nAs each database opens, the malware iterates through its records and identifies fields that contain encrypted blobs.
These blobs are decrypted using the AES key previously extracted from the browser’s Local State file.\r\nThe decrypted entries are transformed into JSON objects and then written to disk as .json files.\r\nThe loader reads status and progress messages from the named pipe in a loop using PeekNamedPipe and ReadFile. When the payload sends its final completion message, the loader stops reading and terminates the injected process.\r\nValkyrie’s Reconnaissance Capabilities\r\nScreenshot Capture\r\nValkyrie captures a full-screen deskt image using standard GDI calls. It queries the screen size with GetSystemMetrics, creates a compatible bitmap and device context, and uses BitBlt to copy the visible desktop into memory. The bitmap is then converted into raw 24-bit pixel data via GetDIBits.\r\nThe stealer builds the output path within the %TEMP%\\Valkyrie directory and writes the screenshot directly to disk. It manually generates a minimal BMP structure, including the 'BM' header, the BITMAPINFOHEADER, and the pixel buffer.\r\nThe final file is saved as: %TEMP%\\Valkyrie\\screenshot.bmp\r\nSystem Info\r\nNext the malware collects system information from the infected device:\r\nHost Name\r\nUsername\r\nHWID\r\nMAC Address\r\nCPU brand\r\nGPU adapters\r\nRAM\r\nFree Disk Space\r\nTotal Disk Space\r\nWindows version\r\nWindows build number\r\nIt adds these, together with a hardcoded build ID and a timestamp, to the stealer’s JSON object alongside the collected data.\r\nProcess Enumeration\r\nValkyrie enumerates running processes using CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW. For each process entry, it extracts the PID and executable name and stores both values into the output array.
Each process record is written into a1 using a fixed stride of 65 elements.\r\nEach process entry is then converted into a formatted string of the form:\r\nchrome.exe (PID: 1234)\r\nexplorer.exe (PID: 1952)\r\nsvchost.exe (PID: 456)\r\nDetecting Antivirus\r\nValkyrie iterates through a hardcoded list of antivirus installation paths. For each entry, it checks whether the directory exists. If the path is present, the malware extracts and stores the corresponding AV name into the output buffer.\r\nNetwork Information Collection\r\nValkyrie retrieves the victim’s public IP and network metadata by sending an HTTPS GET request to https://ipwhois.app/json/. The returned JSON response is parsed and stored inside the malware’s final report under the “network” field. If an “ip” field is present, the malware logs the victim’s public IP address and includes this data in the exfiltrated profile.\r\nDiscord and Telegram Theft\r\nValkyrie Stealer searches for and extracts Discord session data from all common locations. It targets both the standalone Discord applications and the browser-based Discord sessions stored inside Chromium-based browsers.\r\nTargeted Clients:\r\nDiscord (Stable)\r\nDiscord Canary\r\nDiscord PTB (Public Test Build)\r\nChrome – Discord web sessions\r\nEdge – Discord web sessions\r\nBrave – Discord web sessions\r\nValkyrie iterates over all extracted Discord tokens and validates each one through the official users/@me API endpoint.
For every token that resolves to a real Discord profile, the stealer builds a structured object containing the victim’s username, discriminator, user ID, email, phone, and token.\r\nIt searches all known Telegram Desktop installation paths:\r\n%USERPROFILE%\\AppData\\Local\\Telegram Desktop\\tdata\r\nC:\\Program Files\\Telegram Desktop\\tdata\r\nC:\\Program Files (x86)\\Telegram Desktop\\tdata\r\n%USERPROFILE%\\AppData\\Roaming\\Telegram Desktop\\tdata\r\nInside tdata, the malware copies everything except:\r\n“emoji”\r\nuser_data\r\nuser_data#2\r\nuser_data#3\r\nuser_data#4\r\nuser_data#5\r\nEverything else is copied recursively to %TEMP%\\Valkyrie\\Apps\\Telegram\\\r\nGame Account \u0026 Configuration Theft\r\nValkyrie includes a function for stealing game accounts and configuration files. The malware contains a hard-coded table at off_7FF7C7BB5B60, which defines every supported game, its installation path, and the files to steal.\r\nTargeted Games \u0026 Clients:\r\nMinecraft Java\r\nLunar Client\r\nEpic Games\r\nnet\r\nBadlion\r\nLeague of Legends\r\nValorant\r\nSteam\r\nGrowtopia\r\nUbisoft Connect\r\nRockstar Social Club\r\nGOG Galaxy\r\nEA Desktop\r\nCounter-Strike 2\r\nFortnite\r\nApex Legends\r\nDota 2\r\nGTA V\r\nRainbow Six Siege\r\nOverwatch\r\nPUBG\r\nRocket League\r\nPath of Exile\r\nTerraria\r\nThe files are copied to %TEMP%\\Valkyrie\\Games\\\u003cGameName\u003e\\\r\nWallets Theft\r\nValkyrie locates cryptocurrency wallets across browsers and desktop installations, copies the entire wallet directory to %TEMP%\\Valkyrie\\Wallets\\ and records the wallet names in the JSON output.
The entire wallet-stealing routine runs under a 31-second timeout, after which the malware stops the operation.\r\nTargeted wallets:\r\nMetaMask (browser extension, Chrome)\r\nExodus (desktop)\r\nAtomic Wallet (desktop)\r\nElectrum (desktop)\r\nValkyrie’s binary also contains many additional wallet-related identifiers and extension IDs, but these entries are never referenced: they appear in the .rdata section but have no XREFs, meaning that this sample never attempts to scan for or steal them.\r\nZIP Compression \u0026 Encryption\r\nValkyrie prepares all harvested data for exfiltration by packaging it into a single ZIP archive. It uses a primary-and-fallback compression scheme, first attempting Minizip, then falling back to a PowerShell-based compressor if the first method fails.\r\nMinizip Compression\r\nValkyrie packs all harvested data into the final archive named Valkyrie.zip.
The function enumerates all stolen directories and, before adding a file, excludes it if:\r\nthe filename contains “.tmp” or “.lock”\r\nthe filename contains the tilde (~) character\r\nthe file is larger than 20,971,519 bytes (~21 MB)\r\nCompression runs inside a worker thread while the main thread enforces a 60-second timeout and monitors progress. Skipped files, added files, and errors are logged for the operator.\r\nIt then subtracts how long Method 1 took from the global packaging time budget (60 seconds); if less than 50% of the budget remains, it skips Method 2 entirely.\r\nPowerShell Compression\r\nIf Minizip compression fails and enough time remains, the malware tries a PowerShell-based ZIP compressor by building the following command:\r\npowershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"\u0026 {\r\n$ErrorActionPreference='Stop';\r\n$source='C:\\Users\\admin\\AppData\\Local\\Temp\\Valkyrie';\r\n$dest='C:\\Users\\admin\\AppData\\Local\\Temp\\Valkyrie.zip';\r\nif(Test-Path $dest){Remove-Item $dest -Force};\r\nAdd-Type -A 'System.IO.Compression.FileSystem';\r\n[IO.Compression.ZipFile]::CreateFromDirectory($source,$dest,[IO.Compression.CompressionLevel]::Fastest,$false)\r\n}\"\r\nValkyrie then executes it via CreateProcessW with a 30-second timeout and verifies the resulting archive.\r\nValkyrie encrypts the final archive using its AES-GCM encryption routine. It first loads a hardcoded 32-byte key (80KyVLYNmTsjgfKq6oGoRybt8aw5hMYZ), creates an AES encryption context, and generates a 12-byte IV. The archive is then fed into the AES-GCM routine, which produces the ciphertext along with an authentication tag.
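The host and network artifacts described on this page (the wmic csproduct get uuid HWID lookup, the PowerShell fallback compressor run with -ExecutionPolicy Bypass, the staging directory under %TEMP%, the blacklist downloads from GitHub, the Steam profile used as C2 resolver, the two IP-lookup services and the POST to /api/log) map directly onto process-creation and proxy telemetry. The following Python is an added example written for this edit, not code from the article or the sample: it applies those indicators to constructed process events and proxy log lines. The event format, the log lines and the benign entries are invented for the example; the indicators themselves are the ones the article reports. Windows paths are written with forward slashes and converted, so the sample stays free of escape sequences.

```python
# Backslash for Windows paths without escape sequences in the source
BS = chr(92)

def win(path):
    # Convert a forward-slash path to a Windows path
    return path.replace('/', BS)

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry
SAMPLE_PROCESS_EVENTS = [
    {'pid': 4120, 'image': win('C:/Windows/System32/wbem/WMIC.exe'),
     'cmdline': 'wmic csproduct get uuid'},
    {'pid': 4188, 'image': win('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'cmdline': win('''powershell.exe -NoProfile -ExecutionPolicy Bypass -Command & {'''
                    '''$ErrorActionPreference='Stop';'''
                    '''$source='C:/Users/admin/AppData/Local/Temp/Valkyrie';'''
                    '''$dest='C:/Users/admin/AppData/Local/Temp/Valkyrie.zip';'''
                    '''if(Test-Path $dest){Remove-Item $dest -Force};'''
                    '''Add-Type -A 'System.IO.Compression.FileSystem';'''
                    '''[IO.Compression.ZipFile]::CreateFromDirectory($source,$dest,'''
                    '''[IO.Compression.CompressionLevel]::Fastest,$false)}''')},
    {'pid': 5002, 'image': win('C:/Windows/System32/notepad.exe'),
     'cmdline': win('notepad.exe C:/Users/admin/Documents/notes.txt')},
]

# Constructed proxy log lines: timestamp, client, method, URL, status
SAMPLE_PROXY_LINES = [
    '2025-11-25T10:00:01Z 10.0.0.5 GET https://api.ipify.org/ 200',
    '2025-11-25T10:00:02Z 10.0.0.5 GET https://raw.githubusercontent.com/Lawxsz/vm-blacklist/main/mac.txt 200',
    '2025-11-25T10:00:09Z 10.0.0.5 GET https://ipwhois.app/json/ 200',
    '2025-11-25T10:00:20Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199515014094/ 200',
    '2025-11-25T10:00:31Z 10.0.0.5 POST https://lylred.space/api/log 200',
    '2025-11-25T10:05:00Z 10.0.0.9 GET https://example.com/ 200',
]

# Network indicators from the article; the IP-lookup services are weak on their own
# because legitimate software uses them too, so they are labelled separately.
NETWORK_IOCS = (
    ('vm_blacklist_fetch', 'raw.githubusercontent.com/lawxsz/vm-blacklist/'),
    ('steam_c2_resolver', 'steamcommunity.com/profiles/76561199515014094'),
    ('c2_exfil_post', 'lylred.space/api/log'),
    ('c2_exfil_post', 'thenewflights.xyz/api/log'),
    ('public_ip_lookup', 'api.ipify.org'),
    ('public_ip_lookup', 'ipwhois.app/json'),
)

def match_process_event(ev):
    # Return the names of the host-side rules a process-creation event satisfies
    image = ev['image'].lower().rsplit(BS, 1)[-1]
    cmd = ev['cmdline'].lower()
    rules = []
    if image == 'wmic.exe' and 'csproduct' in cmd and 'uuid' in cmd:
        rules.append('hwid_lookup_wmic')  # the HWID blacklist check; also used by admin scripts
    if (image == 'powershell.exe' and '-executionpolicy bypass' in cmd
            and 'zipfile]::createfromdirectory' in cmd and BS + 'temp' + BS in cmd):
        rules.append('powershell_zip_bypass')  # fallback compressor staging an archive in %TEMP%
    if 'temp' + BS + 'valkyrie' in cmd:
        rules.append('valkyrie_temp_dir')  # staging directory name used by the sample
    return rules

def match_proxy_line(line):
    # Return the sorted set of network indicator labels present in one log line
    low = line.lower()
    return sorted({name for name, needle in NETWORK_IOCS if needle in low})

def triage(events, lines):
    # Collect only the events and lines that matched, with the rules they tripped
    return {
        'process': [(ev['pid'], match_process_event(ev)) for ev in events if match_process_event(ev)],
        'network': [(line, match_proxy_line(line)) for line in lines if match_proxy_line(line)],
    }

if __name__ == '__main__':
    result = triage(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_LINES)
    for pid, rules in result['process']:
        print('process', pid, rules)
    for line, rules in result['network']:
        print('network', rules, line.split()[3])
```

On a real estate the valuable correlation is the sequence: an ipify or ipwhois lookup followed within seconds by the GitHub blacklist fetch, the Steam profile request and a POST to /api/log from the same host is the full Valkyrie flow, while any one of the IP-lookup hits alone is noise.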
The final blob consists of the IV, the ciphertext and the tag.\r\nExfiltration\r\nFor data exfiltration, Valkyrie Stealer relies on two Command-and-Control (C2) servers arranged in a primary–fallback configuration.\r\nTo obtain the primary C2 domain, Valkyrie sends an HTTP GET request to the following Steam profile:\r\nhttps://steamcommunity[.]com/profiles/76561199515014094/\r\nOnce the HTML content is retrieved, the malware extracts the profile name using a regex built around the lazy capture group (.*?).\r\nThe extracted value is not an actual username, but an encrypted token. Valkyrie decrypts this token to obtain the real primary C2 domain: lylred[.]space\r\nIf the Steam profile cannot be reached, Valkyrie falls back to a secondary C2 domain: thenewflights[.]xyz\r\nThe stealer sends the data to the C2 with an HTTP POST request to /api/log (the exfiltration endpoint), including the 32-byte key in the X-API-Key header, the IV, the authentication tag, the encrypted blob, and a data_json field containing the host reconnaissance profile. Because the key is hardcoded in the sample and is also sent in the same request, a captured exfiltration POST can be decrypted offline.\r\nConclusion\r\nValkyrie Stealer is a C++ infostealer that targets Chromium-based browsers, Discord variants, Telegram, cryptocurrency wallets, and data from a wide range of games and clients. It also collects detailed system information including hardware, OS version, disk and RAM details, network data, and installed AV products.\r\nValkyrie uses Themida for protection, a ChaCha20-encrypted payload, reflective DLL loading, embedded SQLite, named-pipe IPC, AES-GCM data encryption, and multi-stage ZIP packaging.
Its anti-VM subsystem combining signature matching,\r\nhardware checks, environment heuristics, blacklist lookups, and watchdog timers.\r\nIOCs\r\nValkyrie Stealer: 1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1\r\nPayload: 5ddcf2c1bed21ccf60a5c9a42aafad7fd1e9596fee8f50bfa82b9d6ba23abb7e\r\nlylred[.]space/api/log\r\nthenewflights[.]xyz/api/log\r\nhttps[:]//steamcommunity[.]com/profiles/76561199515014094/\r\nhttps://raw.githubusercontent.com/Lawxsz/vm-blacklist/main/mac.txt\r\nhttps://raw.githubusercontent.com/Lawxsz/vm-blacklist/main/ips.txt\r\nhttps://raw.githubusercontent.com/Lawxsz/vm-blacklist/main/hwid.txt\r\nTable of Contents\r\nWhat Is Valkyrie Stealer?\r\nStealer Capabilities and Functionality\r\nOverview of the Developer Behind Valkyrie\r\nThemida Protection Layer\r\nEvasion Techniques\r\nBrowser-Stealing Payload\r\nValkyrie’s Reconnaissance Capabilities\r\nDiscord and Telegram Theft\r\nGame Account \u0026 Configuration Theft\r\nWallets Theft\r\nZIP Compression \u0026 Encryption\r\nExfiltration\r\nConclusion\r\nIOCs\r\nSource: https://www.dexpose.io/inside-valkyrie-stealer-capabilities-evasion-techniques-and-operator-profile/\r\nhttps://www.dexpose.io/inside-valkyrie-stealer-capabilities-evasion-techniques-and-operator-profile/\r\nPage 27 of 27\n\nprint(\"Nonce print(\"Resource (hex):\", nonce.hex()) size:\", len(data)) \n# ChaCha20 IETF: 12-byte nonce, counter default 0\ncipher = ChaCha20.new(key=key, nonce=nonce) \n   Page 17 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dexpose.io/inside-valkyrie-stealer-capabilities-evasion-techniques-and-operator-profile/"
	],
	"report_names": [
		"inside-valkyrie-stealer-capabilities-evasion-techniques-and-operator-profile"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eafcc6e472bceec12f64b325bd9ce261b94cdcdb.pdf",
		"text": "https://archive.orkl.eu/eafcc6e472bceec12f64b325bd9ce261b94cdcdb.txt",
		"img": "https://archive.orkl.eu/eafcc6e472bceec12f64b325bd9ce261b94cdcdb.jpg"
	}
}