Cyfirma's Threat Intelligence team has released a technical analysis of Inf0s3c Stealer, a Python-based information grabber designed to exfiltrate sensitive user and system data from Windows machines. The malware demonstrates modular design, persistence, and stealthy exfiltration, aligning it with other advanced info-stealer families.
According to the report, "Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data… systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots."
The stealer builds a detailed profile of the victim's machine, gathering:
- System identifiers (hostnames, CPU info, MAC addresses)
- Running process lists
- Directory structures (Desktop, Documents, Pictures, Downloads, etc.)
- Screenshots and webcam images
It then compiles the data into a password-protected archive before sending it to an attacker-controlled channel.
Beyond reconnaissance, Inf0s3c aggressively steals sensitive data. The analysis states: "Inf0s3c Stealer collects… passwords, cookies, autofill data, browsing history, wallets, Discord tokens, and Telegram data."
It also targets gaming-related accounts like Roblox, Minecraft, and Epic Games sessions, suggesting its appeal to cybercriminals seeking monetizable digital assets.
Persistence is ensured through techniques such as:
- Copying itself into the Windows Startup folder
- Bypassing User Account Control (UAC)
- Injecting into Discord processes for persistence and token theft
The stealer includes anti-VM checks to avoid sandbox analysis and even blocks access to antivirus-related domains. It can also delete itself ("melt") after execution to erase traces.
As Cyfirma notes: "The presence of obfuscation and modular code highlights the emphasis on evasion and adaptability."
Once execution begins, Inf0s3c silently invokes PowerShell commands to gather system information, then organizes the results into structured directories under %temp%.
The report confirms that exfiltration is automated: "The results, delivered via Discord, include a RAR archive named Blank-WDAGUtilityAccount.rar containing the stolen data."
This method leverages Discord as both a command-and-control (C2) channel and a data drop site, a tactic increasingly observed in modern malware campaigns.
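The behaviours described above (a copy dropped into the Startup folder, blocking of antivirus domains, PowerShell reconnaissance staged under %temp%, the Blank-WDAGUtilityAccount.rar archive, and Discord as the drop site) are individually weak signals, but together they make a usable endpoint triage rule. The script below is an added example, not code from Cyfirma's report or from the article. All telemetry records, their field names, and the antivirus domain list are constructed; the PowerShell cmdlets, the hosts-file mechanism for blocking antivirus domains, the Discord hostnames and the PyInstaller-style `_MEIxxxx` extraction directory are assumptions, since the report only states that the stealer blocks antivirus-related domains, invokes PowerShell for system information and delivers results via Discord.

```python
"""Triage rules for the Inf0s3c Stealer behaviours described in the article.

Added example, not Cyfirma's code. Every telemetry record below is
constructed and the field names are an assumed Sysmon-like schema. The
only value taken from the report is the archive name
Blank-WDAGUtilityAccount.rar.
"""
from __future__ import annotations

import re

# Windows paths the report associates with the stealer's activity.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Cmdlets a system-profiling PowerShell invocation would typically use
# (assumption: the report does not list the exact commands).
RECON_CMD_RE = re.compile(r"Get-(CimInstance|WmiObject)|systeminfo|Get-NetAdapter", re.I)

ARCHIVE_NAME = "Blank-WDAGUtilityAccount.rar"          # named in the Cyfirma report
DISCORD_HOSTS = ("discord.com", "discordapp.com")      # assumption: webhook exfil endpoint
AV_DOMAINS = ("virustotal.com", "avast.com", "malwarebytes.com")  # constructed sample list


def _matches_domain(host: str, domains: tuple[str, ...]) -> bool:
    """Exact or subdomain match, so 'www.avast.com' hits but 'notavast.com' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule that fires on one telemetry record."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        path = ev.get("path", "")
        # Persistence: a runnable dropped into the per-user Startup folder.
        if STARTUP_RE.search(path) and path.lower().endswith((".exe", ".pyw", ".bat", ".lnk", ".vbs")):
            hits.append("startup_folder_persistence")
        # Staging: the password-protected archive named in the report, under %temp%.
        if TEMP_RE.search(path) and path.lower().endswith("\\" + ARCHIVE_NAME.lower()):
            hits.append("stealer_archive_in_temp")
    elif kind == "hosts_write":
        # Assumption: antivirus domains are blocked by sinkholing them in the hosts file.
        for line in ev.get("content", "").splitlines():
            fields = line.split()
            if fields and not fields[0].startswith("#") and _matches_domain(fields[-1], AV_DOMAINS):
                hits.append("hosts_blocks_av_domains")
                break
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "")
        # Recon: PowerShell profiling the host, launched by a binary running from %temp%
        # (a PyInstaller-style _MEIxxxx extraction dir is assumed; the report does not name the packer).
        if image.endswith("powershell.exe") and TEMP_RE.search(parent) and RECON_CMD_RE.search(ev.get("cmdline", "")):
            hits.append("powershell_recon_from_temp")
    elif kind == "network_connect":
        # Exfil: a process running out of %temp% talking to Discord. The legitimate
        # client is installed under %localappdata%\Discord, so this combination is unusual.
        if TEMP_RE.search(ev.get("image", "")) and _matches_domain(ev.get("dest_host", ""), DISCORD_HOSTS):
            hits.append("discord_from_temp_process")
    return hits


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule that fired to the ids of the events that triggered it."""
    result: dict[str, list[int]] = {}
    for ev in events:
        for rule in check_event(ev):
            result.setdefault(rule, []).append(ev["id"])
    return result


def is_suspicious(events: list[dict], min_rules: int = 2) -> bool:
    """Each rule alone is a weak signal; require several distinct ones before alerting."""
    return len(triage(events)) >= min_rules


# Constructed sample telemetry: events 1-5 mimic the reported chain, 6-7 are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\_MEI1234\build.exe",
     "cmdline": "powershell -NoProfile -Command Get-CimInstance Win32_Processor"},
    {"id": 3, "type": "hosts_write", "path": r"C:\Windows\System32\drivers\etc\hosts",
     "content": "127.0.0.1 localhost\n0.0.0.0 virustotal.com\n0.0.0.0 www.malwarebytes.com"},
    {"id": 4, "type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\Blank-WDAGUtilityAccount.rar"},
    {"id": 5, "type": "network_connect",
     "image": r"C:\Users\bob\AppData\Local\Temp\_MEI1234\build.exe", "dest_host": "discord.com"},
    {"id": 6, "type": "file_create", "path": r"C:\Users\bob\Documents\report.docx"},
    {"id": 7, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for rule, ids in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
    print("suspicious:", is_suspicious(SAMPLE_EVENTS))
```

The point of `is_suspicious` is correlation: a PowerShell child of a %temp% binary or a single Startup-folder write will show up in ordinary software installs, but an endpoint that produces several of these distinct behaviours in one session matches the chain the report describes and is worth an analyst's attention. The archive name is the one hard indicator the report gives; the rest are behavioural and will survive a rename.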
Interestingly, Cyfirma analysts found strong overlaps with other publicly available stealer families: "The techniques and structure observed… closely align with publicly available projects shared by the same developer, including both the Blank Grabber and Umbral-Stealer."
This points to either shared authorship or code reuse across the malware ecosystem, accelerating development and distribution.
Inf0s3c Stealer demonstrates how modern info-stealers combine reconnaissance, credential theft, and anti-detection features to maximize impact. Its broad targeting scope, ranging from passwords and tokens to gaming accounts, illustrates the commodification of stolen digital identities.
As Cyfirma concludes: "This analysis underscores the importance of continuous monitoring, timely threat intelligence, and comprehensive endpoint defenses to detect and respond to such evolving malware threats."