All things infostealers. Week 40, 2024


A brief look at all things infostealers for week 40, 2024 (30.09.2024–06.10.2024). Includes updates on the Lumar and XFiles stealers, the sale of a stealer's source code, the emergence of a new logs market, and finally a news article on AI ‘Nudify’ sites, which led to RedLine infections.

XFiles Update 3.10.0

Note: The update post is copy-pasted as is from the XSS forum

Added decryption of new Google Chrome cookies!

Almost silent decryption of new cookies; a bypass of admin rights is used, and the build is not moved into the folder with the installed Google Chrome as in many other stealers!
Updated the Panel
Optimized the build, minimized unnecessary network activity from the build.

Decryption is supported only for new builds; for this, in the old config you need to click the button to switch to the new version and create a build.

Decryption of new Brave Cookies is also available.
Thanks to decryption, the stealer collects CVC in the same way.
Updated proxies (every 24 hours).
The Tester subscription is no longer available.
Improved crypt stub – subscription cost is $250 per month.

Screenshot from XSS forum

Lumar Update

Note: The update post is copy-pasted as is from the XSS forum

Added new extensions to the file grabber (txt, doc, pdf, rdp).
Added collection of files from the Documents directory (in the log: Files/Documents).
General placeholders replaced.
Fixed an issue where cookies were sometimes not grabbed when Chrome was running. Now it works well whether Chrome is running or not (you need to download the latest build).
Added collection of extensions from several password/note managers to the collector, located in the ManagersExtensions folder. The list will be expanded.
Added a brute.txt file in the log containing all passwords from the log for brute force attacks.
The format of passwords.txt has become more readable, with double line breaks added.
Also, each folder now contains a root.txt file that includes the original path from which the data was collected.
Added new wallets (desktop, browser), constantly expanding the list.

Screenshot from XSS forum

0debug’s Stealer

A user on the XSS forum made a post about selling source code of an infostealer. I wrote a post about it. Click-click.

Exodus Market

A new logs marketplace emerged. Well, they were active for some time, it seems, but I just discovered them when they made an announcement post on the XSS forum. I’ll do a brief review of the market later on. Here’s a screenshot for now:

Articles/News

A Network of AI ‘Nudify’ Sites Are a Front for Notorious Russian Hackers:

  • https://www.404media.co/a-network-of-ai-nudify-sites-are-a-front-for-notorious-russian-hackers-2/