October 3, 2023

Mystic Stealer is an info-stealer malware active since April 2023 and rented for $150/month or $390/quarter.

It currently targets 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management programs, 55 cryptocurrency browser extensions, and Steam and Telegram credentials.

All Windows versions, from XP to 11, can be impacted by Mystic Stealer, which supports both 32-bit and 64-bit OS architectures. It has a small footprint on infected devices, operating directly in memory with no dependencies. This makes it harder for antivirus software to detect, and its anti-virtualization checks help the malware detect sandboxed environments.


The first version of this malware was quickly replaced by version 1.2 in May 2023. The creators keep a Telegram channel for conversations about the malware's features, development, and other topics, and they even take feedback for improvements. Its origin is unknown, but the nature of the targets indicates that it belongs to the Soviet Union.

Version 1.2 adds functionality that enables threat actors to retrieve more payloads from the C2 server. Furthermore, up to four C2 endpoints are configured for resilience and can be encrypted by the operator with a customized XTEA-based algorithm.

Mystic Stealer starts by collecting data about the OS and hardware, followed by a screenshot. All of this information is sent to the C2 server, and the cybercriminal decides on future commands based on it. The malware then proceeds to target data stored in web browsers and applications.


  • Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Vivaldi, Brave-Browser
  • Binance, Exodus, Bitcoin, Litecoin, Electrum
  • Authy 2FA, Gauth Authenticator, EOS Authenticator
  • LastPass: Free Password Manager, Trezor Password Manager, RoboForm Password Manager, Dashlane — Password Manager, NordPass Password Manager & Digital Vault, Browserpass, MYKI Password Manager & Authenticator
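The collection behaviour described above, one process reaching into the stores of several unrelated browsers and applications, can be hunted for in file-access telemetry. The following is an added detection sketch, not code from the original post or from any vendor; the store paths are the applications' public default locations, and the event format, sample events, function name and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# app -> (store path regex, stem of the owning executable). Paths are the
# applications' public default locations: an assumption, not taken from the page.
STORES = {
    "Chrome":   (r"\\Google\\Chrome\\User Data\\.*\\Login Data$", "chrome"),
    "Edge":     (r"\\Microsoft\\Edge\\User Data\\.*\\Login Data$", "msedge"),
    "Firefox":  (r"\\Mozilla\\Firefox\\Profiles\\.*\\logins\.json$", "firefox"),
    "Exodus":   (r"\\Exodus\\exodus\.wallet\\", "exodus"),
    "Electrum": (r"\\Electrum\\wallets\\", "electrum"),
    "Telegram": (r"\\Telegram Desktop\\tdata\\", "telegram"),
}

# Constructed file-access events: (timestamp, pid, process image, file opened).
U = r"C:\Users\alice\AppData"
CHROME_DB = U + r"\Local\Google\Chrome\User Data\Default\Login Data"
FF_DB = U + r"\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"
EVENTS = [
    ("2023-10-03T10:00:00", 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_DB),
    ("2023-10-03T10:00:00", 9000, r"C:\Tools\backup.exe", CHROME_DB),
    ("2023-10-03T10:05:01", 7788, U + r"\Local\Temp\upd.exe", CHROME_DB),
    ("2023-10-03T10:05:02", 7788, U + r"\Local\Temp\upd.exe", FF_DB),
    ("2023-10-03T10:05:03", 7788, U + r"\Local\Temp\upd.exe", U + r"\Roaming\Exodus\exodus.wallet\seed.seco"),
    ("2023-10-03T10:05:04", 7788, U + r"\Local\Temp\upd.exe", U + r"\Roaming\Telegram Desktop\tdata\key_datas"),
    ("2023-10-03T12:00:00", 9000, r"C:\Tools\backup.exe", FF_DB),
]

def flag_broad_readers(events, min_apps=3, window=timedelta(seconds=60)):
    """Return {(pid, exe): apps} for processes that open the stores of at least
    min_apps applications they do not belong to within `window`."""
    hits = defaultdict(list)                      # (pid, exe) -> [(time, app)]
    for ts, pid, image, target in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        for app, (pattern, owner) in STORES.items():
            if re.search(pattern, target, re.I) and not exe.startswith(owner):
                hits[(pid, exe)].append((datetime.fromisoformat(ts), app))
    flagged = {}
    for key, seen in hits.items():
        for start, _ in seen:                     # window opened at each hit
            apps = {a for t, a in seen if timedelta(0) <= t - start <= window}
            if len(apps) >= min_apps:
                flagged[key] = sorted(apps)
                break
    return flagged

if __name__ == "__main__":
    print(flag_broad_readers(EVENTS))
```

The owner check compares executable names only, so a production rule should also verify the image path or signer before exempting a process.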
