{
	"id": "ab852e35-9689-4378-b3e2-97b1d8d79ad5",
	"created_at": "2026-04-10T03:20:05.235718Z",
	"updated_at": "2026-04-10T13:12:47.838337Z",
	"deleted_at": null,
	"sha1_hash": "fed4194ad1552f6392c1970f020e2513d3a0ce57",
	"title": "New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1200544,
	"plain_text": "New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials | Proofpoint US\r\nBy Dennis Schwarz and the Proofpoint Threat Insight Team, May 09, 2019\r\nPublished: 2019-05-09 · Archived: 2026-04-10 02:35:59 UTC\r\nOverview\r\nKPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.\r\nProofpoint researchers started seeing KPOT Stealer distributed via email campaigns and exploit kits in August 2018 (Figure 1). In addition, colleagues at Flashpoint Intel observed the malware targeting users of the Jaxx cryptocurrency wallet in September 2018 [8].\r\nFigure 1: Exploit kit campaigns distributing KPOT Stealer, November 2018 to May 2019\r\nRecently, actors began delivering a newer version of the malware; this post analyzes one of those campaigns along with the malware itself. This newer version is commercially available as “KPOT v2.0” on various underground hacking forums for around $100 USD (Figure 2).\r\nFigure 2: Portion of a Russian forum advertisement describing changes in KPOT v2.0 and its price (Google translation)\r\nCampaign Analysis\r\nKPOT has been observed in a variety of email campaigns. For example, the following message shared tactics, techniques, and procedures (TTPs) with campaigns delivering another malware family, Agent Tesla, from similar documents and the same payload domain.\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal\r\nPage 1 of 8\r\nFigure 3: Email message for the KPOT campaign\r\nFrom: Fernandes \u003cwebmaster@henrynet.ca\u003e\r\nSubject: Due payment-Bank transfer\r\nDate: Tue, 30 Apr 2019\r\nAttachment: \"Bank transfer copy.doc\"\r\nFigure 4: RTF document attachment containing the CVE-2017-11882 exploit (aka Equation Editor)\r\nIn this example, the attachment was an LCG Kit [6] variant RTF document which uses Equation Editor exploit CVE-2017-11882 to download an intermediate downloader via a bit.ly link:\r\nhxxps://bit[.]ly/2GK79A4 -\u003e hxxp://internetowe[.]center/get/udeme.png\r\nThe downloader, in turn, fetches parts of a PowerShell script that includes the Base64-encoded payload from the various paste.ee links:\r\nhxxps://paste[.]ee/r/BZVbl (PowerShell script segment including an accompanying binary used for reflective DLL\r\nhxxps://paste[.]ee/r/mbQ6R (base64-encoded payload)\r\nhxxps://paste[.]ee/r/OsQra (tail of the PowerShell script)\r\nThe payload is KPOT Stealer with configuration:\r\nC2: hxxp://5.188.60[.]131/a6Y5Qy3cF1sOmOKQ/gate.php\r\nXOR key: Adx1zBXByhrzmq1e\r\nMalware Analysis\r\nKPOT Stealer is a “stealer” malware written in C/C++ that focuses on stealing account information and other data from various software applications and services. Its name is based on the command and control (C\u0026C) panel used in earlier versions of the malware (Figure 5):\r\nFigure 5: Old KPOT C\u0026C panel login\r\nA screenshot of the C\u0026C panel login for the newer version analyzed in this post is available in Figure 6. As can be seen, the self-identifying mark has been removed.\r\nFigure 6: New C\u0026C panel login\r\nStrings\r\nMost of the malware’s important strings are encrypted. Each encrypted string is stored in an array of 8-byte structures where each structure contains:\r\nXOR key (WORD)\r\nString length (WORD)\r\nPointer to encrypted string (DWORD)\r\nEach encrypted string can be decrypted by XORing it with its XOR key. [1] is an IDA Python snippet that can be used to decrypt the strings in the analyzed sample and [2] contains a list of the decrypted strings.\r\nWindows API Calls\r\nKPOT Stealer resolves most of the Windows API functions it uses at runtime by hash. The hashing algorithm used is known as MurmurHash [3] and it is seeded with 0x5BCFB733 in the analyzed sample. The following table contains a list of some of the hashes used and their corresponding Windows API name:\r\n0xEC595E53 GetModuleFileNameW\r\n0x68CCF342 CreateStreamOnHGlobal\r\n0xCF724FBB GetVolumeInformationW\r\n0xB6B1AD4A InternetOpenW\r\n0x6EAB51D socket\r\nCommand and Control\r\nKPOT uses HTTP for command and control. The URL components are stored as encrypted strings. In the analyzed sample the URL was “hxxp://bendes[.]co[.]uk/lmpUNlwDfoybeulu/gate.php”. The malware also has support for .bit C\u0026C domains, which are becoming more prevalent.\r\nTwo types of requests are sent to the C\u0026C server. The first request is a GET request (Figure 7):\r\nFigure 7: GET request to C\u0026C server\r\nThe response from the C\u0026C is base64 encoded and XOR’d with a hardcoded key that is stored as an encrypted string. In the analyzed sample, the key was “4p81GSwBwRrAhCYK”. An example of the plaintext response looks like:\r\n1111111111111100__DELIMM__A.B.C.D__DELIMM__appdata__GRABBER__*.log,*.txt,__GRABBER__%appdata%__GRABBER__0__GRABBER\r\nThe data is delimited by “__DELIMM__” and can be split into the following types of data:\r\n1. A bit string indicating what commands to run\r\n2. The external IP address of the victim\r\n3. “GRABBER rules” specifying what files to search for and exfiltrate\r\nBefore any commands are run, the malware checks to see if the victim is located in any of the Commonwealth of Independent States (CIS) [5]. If it is, the malware exits without further action. The specific languages it checks for can be seen in Figure 8:\r\nFigure 8: Commonwealth of Independent States (CIS) country check\r\nThis type of country check is common because threat actors have used the avoidance of CIS countries as a successful legal defense [7].\r\nAfter the commands are run, a POST request is sent to the C\u0026C (Figure 9):\r\nFigure 9: POST request to C\u0026C server\r\nThe POST data is XOR encrypted with the hardcoded XOR key used in the GET response above and, once decrypted, contains various data organized into sections. Each section has a start delimiter like “FFFILEE:” or “SYSINFORMATION:” and an end delimiter like “_FFFILEE_” or “_SYSINFORMATION_”. Sections include:\r\n62-byte structure containing:\r\nIs process token elevated\r\nProcess integrity level\r\nWindows version\r\nLocale\r\nBot ID\r\nAdditional system information including:\r\nWindows version\r\nMachine GUID\r\nExternal IP\r\nCPU\r\nRAM\r\nScreen\r\nComputer name\r\nUser name\r\nLocal time\r\nGPU\r\nKeyboard layouts\r\nInstalled software\r\nCommand outputs\r\nExfiltrated files\r\nCommands and Functionality\r\nThe first component of the GET response above is a 16-digit bit string, e.g. “1111111111111100”. Each “1” turns on some command functionality while each “0” turns it off. Conveniently, the C\u0026C panel provides an accessible config file that provides a mapping between the bit string and the command names (Figure 10). This feature was also highlighted in an earlier version by a security researcher on Twitter [4].\r\nFigure 10: Command bit string to command name mapping\r\nThe commands provide the following functionality:\r\nSteal cookies, passwords, and autofill data from Chrome\r\nSteal cookies, passwords, and autofill data from Firefox\r\nSteal cookies from Internet Explorer\r\nSteal various cryptocurrency files\r\nSteal Skype accounts\r\nSteal Telegram accounts\r\nSteal Discord accounts\r\nSteal Battle.net accounts\r\nSteal Internet Explorer passwords\r\nSteal Steam accounts\r\nTake a screenshot\r\nSteal various FTP client accounts\r\nSteal various Windows credentials\r\nSteal various Jabber client accounts\r\nRemove self\r\nNo code referencing the last command bit was found\r\nAlthough there aren’t specific command bits controlling the functionality, the malware also looks for and attempts to steal user accounts from various VPN providers, RDP configuration files, and Microsoft Outlook accounts.\r\nKPOT Stealer also has the ability to search for and exfiltrate arbitrary files. “Rules” specifying what files to search for can be delivered in the above GET response. Each rule has five components delimited by \"__GRABBER__\". The components include:\r\n1. Rule name\r\n2. File mask (comma separated)\r\n3. Search path\r\n4. Minimum file size\r\n5. Maximum file size\r\nAn example rule split up into its components looks like:\r\n['appdata', '*.log,*.txt,', '%appdata%', '0', '1024']\r\nThis rule is called “appdata” and looks for any “.log” or “.txt” files in “%APPDATA%” that are between 0 and 1024 bytes.\r\nThe analyzed sample lacks a persistence mechanism. The malware queries its C\u0026C server for the commands it should execute, executes the commands, delivers the results to the C\u0026C, and then exits. This has been seen in other stealer malware such as Pony since it lowers their chance of being detected.\r\nConclusion\r\nClient desktop operating systems running many types of applications, such as web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software, are increasingly being targeted for credential and other data theft by relatively quiet off-the-shelf malware such as KPOT Stealer through email campaigns (and more infrequently, exploit kits). The commercial nature of these tools means that sophisticated capabilities are accessible to even technically unskilled criminals and highlights the ease with which threat actors can get started and change tools and tactics. We advise our customers to remain vigilant in terms of securing their client systems with the latest vendor patches, platform updates, and improving general awareness of social engineering techniques within their respective user populations.\r\nReferences\r\n[1] https://github.com/EmergingThreats/threatresearch/blob/master/kpot_stealer/decrypt_str.py\r\n[2] https://github.com/EmergingThreats/threatresearch/blob/master/kpot_stealer/plaintext_strings.txt\r\n[3] https://en.wikipedia.org/wiki/MurmurHash\r\n[4] https://twitter.com/sysopfb/status/1035177455667957760\r\n[5] https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States\r\n[6] https://www.proofpoint.com/us/threat-insight/post/lcg-kit-sophisticated-builder-malicious-microsoft-office-documents\r\n[7] https://www.recordedfuture.com/ar3s-prison-release/\r\n[8] https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/\r\nIndicators of Compromise\r\n67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d SHA256 KPOT Stealer (Malware Analysis)\r\n1f2852eeb1008b60d798f0cbcf09751e26e7980b435635bbef568402b3f82504 SHA256 KPOT Stealer (Campaign Analysis)\r\n36dcd40aee6a42b8733ec3390501502824f570a23640c2c78a788805164f77ce SHA256 Intermediate downloader (Campaign Analysis)\r\nhxxp://bendes[.]co[.]uk/lmpUNlwDfoybeulu/gate.php URL KPOT Stealer C\u0026C URL (Malware Analysis)\r\nhxxp://5.188.60[.]131/a6Y5Qy3cF1sOmOKQ/gate.php URL KPOT Stealer C\u0026C URL (Campaign Analysis)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal"
	],
	"report_names": [
		"new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal"
	],
	"threat_actors": [],
	"ts_created_at": 1775791205,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fed4194ad1552f6392c1970f020e2513d3a0ce57.pdf",
		"text": "https://archive.orkl.eu/fed4194ad1552f6392c1970f020e2513d3a0ce57.txt",
		"img": "https://archive.orkl.eu/fed4194ad1552f6392c1970f020e2513d3a0ce57.jpg"
	}
}