CYFIRMA has released a detailed threat intelligence assessment of XillenStealer, an emerging open-source, Python-based malware family that lowers the barrier to cybercrime. Publicly available on GitHub, the stealer is rapidly becoming a tool of choice for both novice and experienced threat actors.
CYFIRMA's analysis of XillenStealer “identifies it as an open-source, Python-based information stealer publicly available on GitHub. The malware is designed to harvest sensitive system and user data through modular scripts that utilize native libraries and Windows functions for reconnaissance and collection.”
Its core features include collecting host identifiers, hardware specifications, browser credentials, cryptocurrency wallets, and network configurations, while also taking screenshots for added intelligence gathering.
The malware is tied to a GitHub account named BengaminButton, with Russian-language code comments pointing toward a likely Russian-speaking developer.
One of XillenStealer’s most dangerous aspects is its built-in builder. CYFIRMA explains: “XillenStealer Builder V3.0 is a Python-based Tkinter GUI that enables operators to configure, compile, and manage customized stealer builds.”
The builder allows attackers to:
- Toggle modules for Discord, Steam, Telegram, and crypto wallets.
- Set up Telegram-based data exfiltration.
- Compile executables with PyInstaller and UPX.
- Apply anti-debugging and VM-detection safeguards.
As the report notes, “The builder lowers technical barriers, enabling even low-skilled actors to rapidly customize, compile, and deploy functional stealer malware.”
XillenStealer incorporates features typically seen in professional-grade malware:
- Anti-analysis & sandbox evasion through VM and debugger checks.
- Persistence by creating scheduled tasks (Windows) or cron jobs (Linux).
- Credential theft from Chromium- and Firefox-based browsers.
- Targeting of cryptocurrency wallets such as Exodus, AtomicWallet, and Electrum.
- Account hijacking via theft of Discord tokens, Steam credentials, and Telegram sessions.
CYFIRMA highlights how the malware “transmits the collected data via a Telegram bot, accompanied by both a report.txt and a report.html”, making the stolen information easily accessible for attackers.
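The two behaviours the report describes most concretely, persistence through scheduled tasks or cron jobs and exfiltration of a report.txt / report.html pair through a Telegram bot, are also the easiest to watch for in existing telemetry. The following detection sketch is an added example written for this article, not code from CYFIRMA or from the XillenStealer project. The event lines are constructed for illustration (the bot token is a placeholder, the host names and paths are invented), and the rule names, the `kind|host|detail` line format and the "high when exfil and persistence meet on one host" triage rule are assumptions of this example, not indicators published in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry for the example (not IoCs from the CYFIRMA report).
# One event per line: "<kind>|<host>|<detail>". Proxy events carry the request and
# the uploaded file name; process events carry the observed command line.
SAMPLE_EVENTS = [
    "proxy|ws-17|POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument file=report.html",
    "proxy|ws-17|POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument file=report.txt",
    "proxy|ws-22|GET https://example.com/index.html",
    "process|ws-17|schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\a\\AppData\\Local\\Temp\\build.exe",
    "process|srv-03|crontab -l",
    "process|srv-03|(crontab -l; echo '@reboot /tmp/.cache/stub') | crontab -",
    "process|ws-22|schtasks /query /tn Backup",
]

# Telegram Bot API upload or message call (bot<token>/sendDocument, bot<token>/sendMessage).
TELEGRAM_UPLOAD = re.compile(r"https://api\.telegram\.org/bot[^/]+/send(Document|Message)", re.I)
# The report file names the article mentions being attached to the Telegram upload.
REPORT_FILE = re.compile(r"file=(report\.(?:txt|html))", re.I)
# Windows scheduled-task creation; "schtasks /query" and similar read-only calls do not match.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
# crontab invoked with something other than -l/-e/-r, i.e. installing a crontab from a file or stdin ("crontab -").
CRON_INSTALL = re.compile(r"\bcrontab\s+(?!-[ler]\b)\S+", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def scan_event(line: str) -> list[Finding]:
    """Apply the rules to one event line and return zero or more findings."""
    kind, host, detail = line.split("|", 2)  # maxsplit keeps shell pipes in the command line intact
    findings: list[Finding] = []
    if kind == "proxy":
        if TELEGRAM_UPLOAD.search(detail):
            # Stronger signal when the upload carries the report.txt / report.html pair.
            rule = "telegram-bot-upload-report-file" if REPORT_FILE.search(detail) else "telegram-bot-upload"
            findings.append(Finding(host, rule, detail))
    elif kind == "process":
        if SCHTASKS_CREATE.search(detail):
            findings.append(Finding(host, "scheduled-task-created", detail))
        if CRON_INSTALL.search(detail):
            findings.append(Finding(host, "cron-installed", detail))
    return findings


def scan_events(lines: list[str]) -> list[Finding]:
    """Run scan_event over a batch of lines."""
    out: list[Finding] = []
    for line in lines:
        out.extend(scan_event(line))
    return out


def triage(findings: list[Finding]) -> dict[str, str]:
    """Per host: 'high' when a Telegram upload and a persistence mechanism both appear,
    'medium' when only one of the two behaviours was seen (assumed scoring, for illustration)."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    verdict: dict[str, str] = {}
    for host, rules in by_host.items():
        exfil = any(r.startswith("telegram-bot-upload") for r in rules)
        persist = bool(rules & {"scheduled-task-created", "cron-installed"})
        verdict[host] = "high" if exfil and persist else "medium"
    return verdict


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:8} {f.rule:34} {f.evidence}")
    print(triage(hits))
```

On the constructed sample, ws-17 is rated high because both the Telegram report upload and a scheduled-task creation were seen there, while srv-03 stays medium on the cron install alone. In practice the proxy rule needs TLS inspection or DNS/SNI visibility to see the Telegram host, and legitimate Telegram bot traffic should be baselined per environment before alerting on it.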
The infrastructure behind XillenStealer appears linked to Russian-speaking groups. CYFIRMA attributes it to a group branding themselves as Xillen Killers, who not only develop malware but also run a broader underground marketplace offering DDoS services, exploit frameworks, and even penetration testing tools.
The report also notes the persona of the alleged developer: “The threat actor BengaminButton introduces themselves as a 15-year-old full-stack developer and penetration tester.”
With its modular design, stealthy techniques, and low barrier to entry, XillenStealer represents a significant escalation in the professionalization of cybercrime. Its availability on GitHub highlights the growing tension between open-source transparency and the ease with which adversaries can weaponize code.