0debug’s Stealer


Audi, a user on the XSS forum, made a post about selling the source code of an infostealer. The user joined the forum recently, on 28 August 2024 to be more specific, and has only 2 posts so far. The reason for selling the source is simple: the user was contracted by someone on another forum to code a stealer and control panel to be used as MaaS; however, the person who contracted audi got banned on that forum and never replied to the messages. According to audi, considerable time and effort was spent on this project, and they’d like to monetize it somehow. The easiest way is just to sell the source code, which the user estimated to be worth $1500. The preferred way of contact is either PM on the forum or Telegram (@zerodebug).

Below I’ll paste the user’s machine-translated posts (with minor tweaks from my side), as well as some screenshots provided by the user.

When I was looking at the screenshots of the panel, I noticed a domain name: 0debug[.]cc. I tried to access the site, but got nothing. Well, it turns out that the domain name hasn’t been bought yet; it’s up for grabs. Next, I decided to search for the domain name in Censys and found the panel: http[:]//5.42.81.134/login.

Screenshot of the initial advertisement post on XSS forum (03.10.2024)

Translation of the initial post:

Let’s start with the stub: it’s written in C#, it weighs 210kb (in obfuscated format for user output); the libraries are all custom, it doesn’t use any third-party dependencies except net4.0, which is on win7-win11 systems by default; it does not load anything, works with the panel in a single request; log is collected in memory and sent to the server in base64; searches for all browsers on the device on chromium and gecko bases and grabs cookies, passwords, cards, extensions; collects VPN profiles from openvpn and wireshark; collects steam session (ssfn and configuration for checking accounts), telegram session and discord token; google authorization tokens (only from google chrome browser); files from desktop; all information about computer (user, hardware, network data); screenshot and cryptocurrencies (also collected from chromium and gecko browsers). Stealer is updated for v128+ and works with the latest version of the chromium engine. There is no Yandex browser collection due to the fact that the project was to be with strictest geoblock on targeting CIS countries on my initiative.

Image depicts the stealer logs structure. Image taken from the XSS forum

Let’s move on to the panel: the panel is written in php, the front end in bootstrap. The panel is protected against sql injections and xss exploits. It supports user registration and issuing subscriptions to users. The concept works like this: a customer buys a subscription to the stealer from you, you issue him a subscription through the database, he can use the stealer until the subscription expires. You can see screenshots of the panel in the spoiler. User builds are built using mono directly on the ubuntu server via a self-written builder. Stealer is written according to the canon of beautiful code, optimized and knocks great. The whole project is put on a single linux server with ubuntu installed on it.

Images depict the panel. Images are taken from the XSS forum

About the cost of the code: I don’t know how much it can cost, so I am waiting for your offers in private forum messages and in telegram. One time sale is possible with a good suggested buyout price. If you have any suggestions for cooperation, I am waiting for your message.

The project is not finished in some places, because some functions had to be agreed with the customer. So, after I find a buyer for these sources, I can complete missing functions based on an agreement with a new customer. It is possible to finalize the panel at your request, but for an additional price. I can also participate in the support of the project for a long term for a fixed salary.

Screenshot of the follow-up post on XSS forum (05.10.2024)

Translation of the follow-up post:

Tonight I finished the whole project for stable work. Now the project is fully working and ready for sale and realization. You can buy the source code and start selling your stealer on forums. I will answer once again publicly to the questions that are most often asked: there is no admin panel, subscriptions are issued through the database; stealer is updated for the latest update chromium browsers (v129.0.* supported).

What can I add more? I can bind to the panel API of some crypto-service, so that builds will be issued crypto-scripted at the request of your clients, but I will notify you that additional source code or development of some of your features or ideas will cost an additional price. If you have any questions about the implementation of your feature before buying, I am waiting for you in private messages, we will evaluate the scope. But in any case, the project is ready to go at this stage.

Due to the fact that the source code is done and ready to work, the cost is increased to 1500$.
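
For defenders, the stub behaviour described in the initial post (the log assembled in memory and sent to the panel as base64 in a single request) suggests a simple triage pass over captured web traffic. The Python below is an added example, not code from the seller or from this write-up's author; the record layout, the `triage` function, the size threshold and the assumption that the upload is an HTTP POST to a bare IP address are hypothetical, and the sample records are constructed.

```python
import base64
import binascii
import ipaddress

# Indicators taken from the write-up above, refanged for matching.
PAGE_IOCS = {"5.42.81.134", "0debug.cc"}

def refang(s):
    """Turn defanged forms such as http[:]//a[.]b back into matchable text."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def looks_base64(body, min_len=4096):
    """True when the whole body is one large, strictly valid base64 blob.
    min_len is an assumed threshold, not a value from the post."""
    body = body.strip()
    if len(body) < min_len or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except binascii.Error:
        return False

def triage(records):
    """Return (host, reason) for each record worth an analyst's look."""
    hits = []
    for r in records:
        host = refang(r["host"]).lower()
        if host in PAGE_IOCS:
            hits.append((host, "known-indicator"))
        elif r["method"] == "POST" and is_bare_ip(host) and looks_base64(r["body"]):
            hits.append((host, "base64-upload-to-bare-ip"))
    return hits

# Constructed sample records (not real traffic); field names are hypothetical.
SAMPLE = [
    {"method": "GET", "host": "5.42.81[.]134", "body": b""},
    {"method": "POST", "host": "203.0.113.7", "body": base64.b64encode(b"A" * 6000)},
    {"method": "POST", "host": "203.0.113.7", "body": b"user=a&pass=b"},
    {"method": "POST", "host": "updates.example.com", "body": base64.b64encode(b"B" * 6000)},
]
```

The base64 heuristic on its own will also match legitimate uploads, so treat its hits as leads to correlate with the originating process and host, not as verdicts.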

