A brief look at all things infostealers for week 52, 2025 (22.12.2025–28.12.2025). Updates in MioLab and Misericorde stealers. Grabbed some numbers from marketplaces and a few interesting news items/articles for you to read.
Uh-huh, the last week of the year 2025! Thanks to all the humans who visited my blog. I hope my low quality/effort blog posts were somewhat useful to you.
I probably could have written some sort of an end-of-year recap type post, but in that case, it wouldn’t be low quality/effort blogging, would it? 😉
Anyhoo. Stay safe, hugs, and see you in the next year!
Infostealer Updates
MioLab Stealer
Now we will be writing about updates in this channel.
Some people had problems installing ClickFix scripts, so we created a 1-click utility that will make your life easier.
You just enter your server data and you’ll get the command without leaving the panel.
Since the release of the MacOS product, we’ve made a lot of different updates that we didn’t write about.
- Fixed the note grabber.
- Made a correct grab of Google tokens.
- Added several desktop wallets.
- Updated the panel design and the view of the logs.
- Added even more customization options to the .dmg builds, now you can disable the fake error.
- Recompiled the Ledger & Trezor modules taking into account the new updates, making them “universal”.
- Fixed the product’s compatibility with very old versions of MacOS.
In the New Year, we’re expecting many more updates and a couple of new products.

Screenshot taken from MioLab Products Telegram channel
Misericorde Stealer
Version 1.0.1 has just been released.
The list of changes:
- Added the possibility of flexible configuration for Filegrabber, the ability to specify your own unique paths, depth, file extensions, minimum and maximum file weights.
- Google Token Refresh has been added, now you can restore Google Tokens and update gmail cookies directly on the dashboard, there is support for SOCKS5 proxy (DEBUG tab has been moved to the settings section).
- Sorter functionality has been added to LOGS tab, now you can sort the queries you need without leaving the panel – The ability to sort Cookies by domain, passwords by domain, collect Telegram tdata, Google Tokens, Steam Tokens, Wallets (including passwords from the log).
- New buttons have been added for interacting with logs, now you can open the log of interest directly from the panel, or delete it.
- Now the panel supports the API, you can integrate the panel into your projects.
With our API, you can get global panel statistics, get information about the latest logs, download logs, generate a client file.
~API documentation is attached with the panel~

Screenshot taken from BHF forum
Version 1.0.2 has just been released.
The list of changes:
Panel changes:
- Added the function to sort Discord tokens via SORTER in logs tab
- Added the function to connect your local API server for telegram (Allows panels to send archives weighing more than 50MB directly to your channel)
- Added a feature for customizing telegram notifications, now you can customize your notification when sending it to your channel.
Client changes:
- Fixed discord tokens grab
- Fixed IP address parsing, added additional IP api services to get a valid IP address (0.0.0.0 archives should no longer be available)
- Fixed errors that occur when the client is crypted, now the client configuration will not be lost when file is crypted. If you still have any problems with the file crypt, please let us know what exactly is going wrong.

Screenshot taken from BHF forum
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries, and the victim numbers for the countries of the Nordic region. In addition, see the CryptPad spreadsheet for broader numbers.
Marketplace Updates Spreadsheet
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,013,106 |
| Vidar | 877,707 |
| RisePro | 145,530 |
| StealC | 806,406 |
| RedLine | 192,119 |
| Acreed | 837,757 |
| Raccoon | 5,078 |
| Rhadamanthys | 508,290 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,205,805 |
| Brazil | 744,170 |
| Indonesia | 566,466 |
| Egypt | 489,378 |
| Pakistan | 416,688 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 22,726 |
| Denmark | 12,407 |
| Norway | 10,210 |
| Finland | 8,349 |
| Iceland | 1,131 |
| Greenland | 155 |
| Faroe | 111 |
| Åland | 24 |
Exodus Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 6,663 |
| Rhadamanthys | 6,443 |
| RedLine | 3 |
| StealC | 9,608 |
| Vidar | 6,420 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 3,905 |
| Brazil | 2,016 |
| Turkey | 1,772 |
| USA | 1,757 |
| Bangladesh | 1,657 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 92 |
| Denmark | 42 |
| Norway | 44 |
| Finland | 33 |
| Iceland | 4 |
Articles/News
From ClickFix to code signed: the quiet shift of MacSync Stealer malware
- https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
DriverFixer0428 macOS Credential Stealer
- https://www.lunchm0n3y.com/blogs-1/driverfixer0428-macos-credential-stealer