Dolphin Loader A few days ago I was looking at the sample from Dolphin Loader and couldn’t understand for a while how it was able to retrieve the final payload, because the payload was not able to fully complete the execution chain. Recently someone sent me a fresh working sample, so I had a little “hell yeah!” moment. Before looking into the abuse of ITarian RMM software, we should talk a little bit about Dolphin Loader. Dolphin Loader is a new Malware-as-a-Service loader that first went...| RussianPanda Research Blog
Case Study The GlorySprout ads surfaced on the XSS forum at the beginning of March 2024 (the name makes me think of beansprout; perhaps the seller behind the stealer is a vegetarian). The stealer, developed in C++, is available for purchase at $300, offering lifetime access and 20 days of crypting service, which encrypts the stealer’s payload to evade detection. Similar to other stealers, it includes a pre-built loader, Anti-CIS execution, and a Grabber module (which is non-functional). Whi...
Case Study Atomic Stealer is known to be the first stealer for MacOS devices; it first appeared on Russian hacking forums in March 2023. For $3000 per month, the user gets access to the panel. The user provides a Telegram Bot ID and build ID to the seller, and the user receives the build. The stealer allegedly has the following functionalities and features: Login Keychain dump, Extract system information, FileGrabber (from Desktop, Documents), MacOS Password retrieval, Convenient web panel, MetaMask br...
Stealer’s World of Drama Previously, I wrote a blog going through some of MetaStealer’s functionalities and did a brief comparison with Redline since they are both very similar but, at the same time, different. You might say that all stealers are the same because they have one purpose - to steal. However, each of them is somewhat different from the others, even if they borrowed the code from their predecessors. Every stealer tries to be better than the other one despite having similar cod...
Case Study Pure Logs Stealer first appeared on hacking forums at the end of October 2022. The stealer is developed by a malware developer going under the alias PureCoder. The malware developer is also behind the products shown above, such as Pure Miner, Pure Crypter, Pure hVNC, Blue Loader, and other products, including HWID reset, Discord DM Worm, and Pure Clipper. The malware developer periodically pushes updates to their products. The view of the File Grabber panel: The v...
Case Study MetaStealer made its debut on Russian hacking forums on March 7, 2022. The stealer is said to incorporate the functionality, code, and panel of Redline Stealer. The developer claims to have improved the stub of the payload. It is priced at $150 per month, mirroring the price of Redline Stealer. Note: Some samples of MetaStealer have been found in sandbox platforms like Triage, Joe Sandbox, and Any.run, classified as Redline or as “another” MetaStealer that appears to be written ...
Case Study WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022. The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN. The following are crypto wallets collect...