Dashboard of administration panel | Image: eSentire Threat Response Unit
eSentire’s Threat Response Unit (TRU) has uncovered a rapidly evolving malware platform called Cyber Stealer, a full-fledged infostealer-botnet hybrid that fuses advanced data theft, remote control, cryptocurrency mining, and denial-of-service attack capabilities into a single, scalable toolkit.
“Cyber Stealer represents a new and actively developing threat… based on user feedback from hacking forums, indicating an agile development process,” says eSentire.
Cyber Stealer is operated under a tiered subscription model and is sold via the threat actor “Cyber Products” on Hackforums and Telegram:
- Regular License ($99–$1,499): Basic stealer and loader.
- Premium License ($150–$1,999): Adds crypto clipper, reverse proxy, and remote shell.
- VIP Full Package ($299–$2,999): Unlocks DDoS, DNS poisoning, XMR mining, and an EV-signed binary to bypass Windows SmartScreen.
The flexibility of pricing and licensing periods, ranging from weekly to lifetime, reflects its role as a commercial-grade cybercrime toolkit.
Cyber Stealer’s arsenal includes modules targeting virtually every facet of a victim’s digital life:
Credential and Data Theft
- Browsers: Steals saved passwords, cookies, credit cards, autofill, and history from Chrome, Firefox, Edge, Brave, and more.
- Cryptocurrency: Targets over 30 desktop and browser-based wallets, and leading exchanges like Binance, Kraken, and Coinbase.
- Communication Apps: Extracts session data from Telegram, Discord, Signal, Skype, WhatsApp, and Teams.
- Gaming Clients: Steam, Riot, Epic, Minecraft, Roblox.
- VPNs & RMMs: NordVPN, OpenVPN, TeamViewer, AnyDesk, RDP, SSH.
- Password Managers: 1Password, LastPass, KeePass, Bitwarden, Dashlane.
- Cloud Services: Google Drive, Dropbox, OneDrive, iCloud, MEGA, pCloud.
“The malware compresses stolen data into a zip archive and sends it to the Command & Control (C2) server via HTTP POST requests, including detailed statistics about the types and quantities of stolen data,” eSentire explains.
Botnet Control & Weaponization
Once deployed, Cyber Stealer transforms the infected device into a fully functional bot. The malware:
- Runs keyloggers and screenshot capture
- Executes commands via remote shell
- Harvests files from Desktop, Downloads, OneDrive
- Downloads and runs payloads
- Performs DNS poisoning by modifying hosts file
- Silently mines Monero based on system profiling
- Replaces copied crypto addresses with the attacker’s wallet using a clipper module
- Launches DDoS attacks (TCP, UDP, SYN, Slowloris, etc.)
“The malware maintains regular communication with its C2 server… including heartbeat checks, XMR miner configuration, task checks, configuration updates, and data exfiltration,” the report states.
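The two network behaviours quoted above (periodic heartbeat checks and bulk HTTP POST exfiltration of a zip archive) are the kind of thing a proxy or egress log can surface. The following is an added detection example written for this article, not code from eSentire or from the malware: it parses constructed proxy log lines (the format, client addresses and timestamps are invented; the C2 hostname paxrobot.digital is the one the report names), flags client/host pairs whose request cadence is almost perfectly regular, and flags large zip uploads.

```python
"""Proxy-log heuristics for the C2 pattern described in the article:
regular heartbeat requests to one host and bulk POST uploads of zip
archives. Constructed example; the log lines below are invented."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client, method, host, path,
# request Content-Type ("-" when absent), request body bytes.
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.5 GET paxrobot.digital /heartbeat - 120
2024-06-01T10:05:00 10.0.0.5 GET paxrobot.digital /heartbeat - 120
2024-06-01T10:05:30 10.0.0.5 GET cdn.example.net /lib.js - 90
2024-06-01T10:10:01 10.0.0.5 GET paxrobot.digital /heartbeat - 120
2024-06-01T10:15:00 10.0.0.5 GET paxrobot.digital /heartbeat - 120
2024-06-01T10:16:12 10.0.0.5 POST paxrobot.digital /upload application/zip 5242880
2024-06-01T10:20:00 10.0.0.5 GET paxrobot.digital /heartbeat - 120
2024-06-01T11:02:00 10.0.0.7 GET www.example.com / - 300
2024-06-01T11:47:00 10.0.0.7 GET www.example.com /about - 310
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into dicts."""
    rows = []
    for line in text.splitlines():
        ts, client, method, host, path, ctype, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "method": method, "host": host, "path": path,
                     "ctype": ctype, "bytes": int(nbytes)})
    return rows


def beacon_candidates(rows, min_hits=4, max_jitter=0.1):
    """Return (client, host, method, avg_gap_seconds) for series whose
    inter-request gaps are nearly constant (coefficient of variation of
    the gaps <= max_jitter). Human browsing rarely looks like this;
    a heartbeat loop does."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["client"], r["host"], r["method"])].append(r["ts"])
    out = []
    for (client, host, method), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((client, host, method, round(avg)))
    return out


def bulk_archive_uploads(rows, min_bytes=1_000_000):
    """Return (client, host, bytes) for POSTs of a zip body >= min_bytes,
    matching the zip-over-HTTP-POST exfiltration the report describes."""
    return [(r["client"], r["host"], r["bytes"]) for r in rows
            if r["method"] == "POST" and r["ctype"] == "application/zip"
            and r["bytes"] >= min_bytes]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("beacons:", beacon_candidates(rows))
    print("uploads:", bulk_archive_uploads(rows))
```

The jitter threshold and minimum hit count are tuning knobs: legitimate software updaters and monitoring agents also beacon on fixed schedules, so the result is a list to triage against an allow-list of known hosts, not an alert on its own.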
Cyber Stealer uses aggressive anti-detection and persistence tactics:
- Runs PowerShell commands to exclude C:\ from Windows Defender scanning.
- Modifies the registry to disable system defenses.
- Deploys self-updating mechanisms to receive new tasks or payloads from the attacker.
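Two of the host-side changes described on this page leave simple, checkable traces: a Defender exclusion covering an entire drive root, and hosts-file entries that redirect real domains (the DNS poisoning listed under the botnet capabilities). The script below is an added example for this article, not eSentire's or the malware's code. It operates on constructed inputs: an exclusion list of the kind `Get-MpPreference` returns in its `ExclusionPath` property, and hosts-file text of the kind found at `C:\Windows\System32\drivers\etc\hosts`.

```python
"""Host-based checks for a drive-root Windows Defender exclusion and for
hosts-file entries that redirect non-local names to routable addresses.
Constructed example; the sample inputs below are invented."""
import ipaddress
import re

# Constructed exclusion list; the bare "C:\" entry is the suspicious one.
SAMPLE_EXCLUSIONS = [
    "C:\\Program Files\\BackupAgent",
    "C:\\",
]

# Constructed hosts-file content. Loopback entries are normal; the last
# two lines point real domains at an attacker-chosen (here, documentation
# range) address, which is what hosts-file DNS poisoning looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.paypal.com
203.0.113.10    login.live.com
"""

# A drive letter, a colon, and at most a trailing backslash: "C:" or "C:\".
ROOT_DRIVE = re.compile(r"^[A-Za-z]:\\?$")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def broad_exclusions(paths):
    """Return exclusion paths that cover an entire drive root."""
    return [p for p in paths if ROOT_DRIVE.match(p.strip())]


def poisoned_hosts_entries(text):
    """Return (ip, hostname) pairs that map a non-local hostname to a
    routable address. Loopback and unspecified addresses are skipped;
    comments and blank lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts-file entry
        if addr.is_loopback or addr.is_unspecified:
            continue
        for host in parts[1:]:
            if host.lower() not in LOCAL_NAMES:
                findings.append((str(addr), host))
    return findings


if __name__ == "__main__":
    print("broad exclusions:", broad_exclusions(SAMPLE_EXCLUSIONS))
    print("poisoned entries:", poisoned_hosts_entries(SAMPLE_HOSTS))
```

Private-range entries (for example a lab host pinned in the hosts file) will also be returned, so in practice the list is compared against an approved baseline rather than treated as a verdict; the drive-root exclusion check, by contrast, has almost no benign explanation.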
It also generates unique Hardware IDs (HWIDs) for each infection using a combination of the processor ID, host name, and IP geolocation.
Cyber Stealer’s backend includes:
- Pastebin-based C2 URL resolution
- Detailed exfil reports via POST to paxrobot.digital
- Configurable keylogging and screenshot intervals
- Admin panel tools for DNS poisoning, clipper settings, reverse proxy setup, mining pools, and cookie conversion
eSentire’s report includes detailed breakdowns of:
- Decryption methods for Chrome (DPAPI, AES-GCM)
- Firefox decryption via nss3.dll and PK11SDR_Decrypt
- Malware methods used for credential theft from FileZilla, NordVPN, and Outlook
- SQLite database manipulation for harvesting autofill and credit card information
The “Run” method is central to the malware’s execution chain, combining evasion, theft, and persistence with system reconnaissance.
Cyber Stealer is managed via a rich web admin panel that allows threat actors to:
- View bots on a geo-mapped dashboard
- Launch live tasks (update/download-and-run)
- Configure mining, clipper, and DDoS settings
- Set up Telegram alert integration
- Review and download logs by victim device