Cyfirma’s Threat Intelligence team has released a technical analysis of Inf0s3c Stealer, a Python-based information grabber designed to exfiltrate sensitive user and system data from Windows machines. The malware demonstrates modular design, persistence, and stealthy exfiltration, aligning it with other advanced info-stealer families.
According to the report, “Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data… systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots.”
The stealer builds a detailed profile of the victim’s machine, gathering:
- System identifiers (hostnames, CPU info, MAC addresses)
- Running process lists
- Directory structures (Desktop, Documents, Pictures, Downloads, etc.)
- Screenshots and webcam images
It then compiles the data into a password-protected archive before sending it to an attacker-controlled channel.
Beyond reconnaissance, Inf0s3c aggressively steals sensitive data. The analysis states: “Inf0s3c Stealer collects… passwords, cookies, autofill data, browsing history, wallets, Discord tokens, and Telegram data.”
It also targets gaming-related accounts like Roblox, Minecraft, and Epic Games sessions—suggesting its appeal to cybercriminals seeking monetizable digital assets.
Persistence is ensured through techniques such as:
- Copying itself into the Windows Startup folder
- Bypassing User Account Control (UAC)
- Injecting into Discord processes for persistence and token theft
The stealer includes anti-VM checks to avoid sandbox analysis and even blocks access to antivirus-related domains. It can also delete itself (“melt”) after execution to erase traces.
As Cyfirma notes: “The presence of obfuscation and modular code highlights the emphasis on evasion and adaptability.”
Once execution begins, Inf0s3c silently invokes PowerShell commands to gather system information, then organizes the results into structured directories under %temp%.
The report confirms that exfiltration is automated: “The results, delivered via Discord, include a RAR archive named Blank-WDAGUtilityAccount.rar containing the stolen data.”
This method leverages Discord as both a command-and-control (C2) channel and a data drop site, a tactic increasingly observed in modern malware campaigns.
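The persistence and staging behaviour described above (a copy in the Startup folder, results organized under %temp%, a RAR archive named Blank-WDAGUtilityAccount.rar delivered via Discord) can be turned into a simple host triage check. The script below is an added example, not code from the article or from Cyfirma's report: it walks a Startup folder and a temp directory, flags script or executable entries that are not on an allowlist, and reports any RAR archive under the temp tree, treating the exact archive name from the report as a high-confidence hit. It assumes Discord delivery happens through a webhook URL (the article only says "delivered via Discord"), and the sample file tree it scans is constructed inline so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Archive name as quoted from the Cyfirma report in the article above.
ARCHIVE_NAME = "Blank-WDAGUtilityAccount.rar"
# Entry types worth a second look in a Startup folder (assumed list, not from the article).
SCRIPT_EXTS = {".py", ".pyw", ".exe", ".bat", ".vbs"}
# Assumption: Discord delivery via a webhook; this is the public webhook URL shape.
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+")


def default_windows_paths():
    """Real Startup and %temp% locations on a Windows host (env vars, not constructed)."""
    appdata = Path(os.environ.get("APPDATA", ""))
    startup = appdata / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    return startup, Path(os.environ.get("TEMP", ""))


def scan_startup(startup_dir: Path, allowlist=frozenset()):
    """Flag script/executable entries in the Startup folder that are not allowlisted,
    and note any that embed a Discord webhook URL."""
    findings = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if entry.name in allowlist or entry.suffix.lower() not in SCRIPT_EXTS:
            continue
        findings.append({"kind": "startup_entry", "path": str(entry)})
        try:
            text = entry.read_text(errors="ignore")
        except OSError:
            continue
        if WEBHOOK_RE.search(text):
            findings.append({"kind": "discord_webhook", "path": str(entry)})
    return findings


def scan_temp(temp_dir: Path):
    """Report RAR archives staged under the temp tree; the exact reported name is high confidence."""
    findings = []
    if not temp_dir.is_dir():
        return findings
    for path in sorted(temp_dir.rglob("*.rar")):
        kind = "staged_archive" if path.name == ARCHIVE_NAME else "rar_in_temp"
        findings.append({"kind": kind, "path": str(path)})
    return findings


def triage(startup_dir, temp_dir, allowlist=frozenset()):
    """Combine both checks; returns a list of {'kind', 'path'} findings."""
    return scan_startup(Path(startup_dir), allowlist) + scan_temp(Path(temp_dir))


def build_sample_host(root: Path):
    """Constructed file tree imitating the artifacts the article describes (no real malware)."""
    startup = root / "Startup"
    temp = root / "Temp"
    startup.mkdir(parents=True)
    (temp / "WDAGUtilityAccount").mkdir(parents=True)
    (startup / "OneDrive.lnk").write_text("benign shortcut placeholder")
    (startup / "updater.pyw").write_text(
        'WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/constructed_placeholder"\n'
    )
    (temp / "WDAGUtilityAccount" / ARCHIVE_NAME).write_bytes(b"constructed placeholder, not an archive")
    return startup, temp


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        startup, temp = build_sample_host(Path(d))
        return triage(startup, temp, allowlist={"OneDrive.lnk"})


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['kind']:16} {f['path']}")
```

On a live host you would call `triage(*default_windows_paths())`; the demo deliberately scans a throwaway directory instead. The allowlist keeps known shortcuts out of the report, and the two archive categories separate the specific name from the report (`staged_archive`) from the weaker generic signal of any RAR file under %temp% (`rar_in_temp`).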
Interestingly, Cyfirma analysts found strong overlaps with other publicly available stealer families: “The techniques and structure observed… closely align with publicly available projects shared by the same developer, including both the Blank Grabber and Umbral-Stealer.”
This points to either shared authorship or code reuse across the malware ecosystem, accelerating development and distribution.
Inf0s3c Stealer demonstrates how modern info-stealers combine reconnaissance, credential theft, and anti-detection features to maximize impact. Its broad targeting scope—ranging from passwords and tokens to gaming accounts—illustrates the commodification of stolen digital identities.
As Cyfirma concludes: “This analysis underscores the importance of continuous monitoring, timely threat intelligence, and comprehensive endpoint defenses to detect and respond to such evolving malware threats.”