A brief look at all things infostealers for week 35, 2025 (25.08.2025–31.08.2025). An update from AURA Stealer. Grabbed some numbers from marketplaces and some interesting news/articles.
Note: All the screenshots are taken from the XSS forum, unless otherwise stated.
Note: The update posts are copy-pasted as is (and machine-translated with DeepL.com if the post wasn’t available in English, possibly with some minor edits by me).
Infostealer Updates
AURA Stealer
Major update
Wallets and 2FA have been added to the collection configuration:
Sticky Password Manager, Bitdefender SecurePass, ExpressVPN Password Manager, HaHa Wallet, Pelagus Wallet, Suku Wallet, Bitlight Wallet, Mango Wallet, OP Wallet, QSafe, Kalp Wallet, Wander Wallet, Mavryk Wallet, Naoris Protocol Wallet, eckoWALLET, AGNT Connect, Cosmostation Wallet, Wizz Wallet, Atomic Wallet, Crossmark Wallet, ION Wallet, HOT Wallet, Electrum-G.
Panel update:
- Added “Filters” page (Markers / Domain Detect):
  - When creating a filter, you can specify the name, filter type (Cookies + Credits / Cookies / Credits), and a comma-separated list of domains to detect.
  - Added filters will be displayed in the log if a match was found for the filter domains.
  - The DomainDetect.txt file with the found filters is placed in the log archive.
  - It is now possible to search logs by created filters.
  - The standard message template in TG has been expanded. Now the message displays filters if the required domains were found.
  - In the basic tariff, you can create up to 20 filters; in the advanced tariff, the number of filters is unlimited.
- Added “show duplicates” filtering for quick search and deletion of duplicates.
Build updated:
Changed how WinAPI works:
- Now WinAPI are obtained by hash. Strings with function names are not used.
- In places where WinAPI is called, their hashes are encrypted, so it is not possible to link the places where APIs are obtained and used by constants.
- WinAPI hashes are generated at compile time and are different for each build.
- Now the chain of connection and WinAPI calls in hash tables is as follows: Encrypted hash => PAGE_GUARD address => Real WinAPI address.
- During the initialization phase, two hash tables are created, the first: [key: API hash => value: PAGE_GUARD address], the second: [key: PAGE_GUARD address => value: encrypted WinAPI address].
- When WinAPI is called, its hash is decrypted and found in the first table. A call is made to the corresponding PAGE_GUARD address. VEH intercepts the exception and finds the encrypted address in the second hash table by the PAGE_GUARD address, decrypts the WinAPI address, performs an eip substitution, and the function is called.
WinAPI hidden in places where it was overlooked.
The grabber has been reworked from std::filesystem::recursive_directory_iterator to a self-written analogue, but working on NtApi.
Now the grabber:
- Works faster
- Consumes less memory
- Is more stealthy

Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries, and the victim numbers in the countries of the Nordic region. In addition, see the CryptPad spreadsheet for broader numbers.
Marketplace Updates Spreadsheet
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 6,890,010 |
| Vidar | 516,524 |
| RisePro | 145,563 |
| StealC | 732,215 |
| RedLine | 192,203 |
| Acreed | 439,577 |
| Racoon | 5,095 |
| Rhadamanthys | 101,471 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,043,228 |
| Brazil | 662,163 |
| Indonesia | 513,188 |
| Egypt | 445,579 |
| Pakistan | 385,134 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 17,874 |
| Denmark | 9,728 |
| Norway | 7,877 |
| Finland | 6,319 |
| Iceland | 917 |
| Greenland | 137 |
| Faroe | 90 |
| Åland | 21 |
Exodus Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 475,365 |
| Rhadamanthys | 107,783 |
| RedLine | 35,139 |
| StealC | 26,716 |
| Vidar | 11,648 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 71,765 |
| Brazil | 50,469 |
| Indonesia | 37,176 |
| USA | 29,027 |
| Philippines | 24,793 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 1,915 |
| Denmark | 1,052 |
| Norway | 825 |
| Finland | 612 |
| Iceland | 85 |
Articles/News
TamperedChef infostealer delivered through fraudulent PDF Editor
- https://www.bleepingcomputer.com/news/security/tamperedchef-infostealer-delivered-through-fraudulent-pdf-editor/
Unveiling a python stealer – INF0S3C STEALER
- https://www.cyfirma.com/research/unveiling-a-python-stealer-inf0s3c-stealer/