October 2, 2023

Researchers have spotted new malware strain dubbed as SapphireStealer, an open source .NET-based information stealing malware that has been observed to be used by threat groups, with various customization.

The malware is designed to obtain sensitive information, including credentials that are often resold to other threat actors who leverage access for additional attacks like cyberespionage or ransomware.

Like other stealer malware that has been appearing more frequently on the dark web, SapphireStealer has the ability to collect host information, browser data, files, screenshots, and exfiltrate the information in a ZIP file using SMTP.

The malware looks for processes associated with Chrome, Yandex, Edge, and Opera browsers to kill them. The malware also checks for various browser database file directories for credential databases associated with 16 browsers, including Chrome, Microsoft Edge, Brave Browser, Opera, Comodo, and Yandex.


Since its source code was made available for free in late December 2022, threat actors have been able to play with the malware and make it more difficult to spot. This includes the addition of adaptable data exfiltration techniques via the Telegram API or a webhook for Discord.

The creator of the malware has also made available a .NET malware downloader with the codename FUD-Loader, which enables the retrieval of additional binary payloads from distribution servers under the control of the attacker.

Researchers have observed the malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, Agent Tesla, and Dark Comet. The malware is currently being offered for sale for $50 a month (no lifetime license) on several dark web forums and a Telegram channel.


This research was documented by researchers from Cisco Talos.

Indicators of Compromise

  • f70651906b9cbf25b3db874e969af7a14caac21bf1db328e4664db54566a15b0
  • 8749bc50fc2b1f0a5f7a1c3c1a3132c45c30ba7dc7a849523bb42cf617fc4a65
  • 94107e993c42fc6e0634be29191410b50c076e129260d23351baa9f6dc7c883e
  • 53c1fca1263a535ac740916a24b28807246a204c6fa22b7374dc17fe913375d4
  • 2c1c171db85455aa2676e02693c8a9b7d62055fee843a17097dba29915637acf
  • 0e27b766a44e3524aee546e3279bcbca22255fa7171b8c6013efa7708e37c633
  • db94c26dc522719a77f7585bff8884400f389dab012a880734bd9dbc3e52d93c
  • e97941f812323e05ba4e83b138e8bb794b88efcd56980d07313b5acc965b2661
  • 4ed3e2b343a8bff981a139af0f871bbe76e3e93ac0d6ad4c16acbb1ec0a74bff
  • 40c2f1ee94d5f5283af9b6f7c660aba3921138fc1fcc66dab2489fc9e421589a
  • e596b3f12b96bf5526285df19dc9674aaaafeb8375eeac4face8eb4285c63e3b
  • 920a9ec15ffeb5ad880c9368238c3b1ab189d429bd3ef99ac9ab16615eeacedf
  • d6900deab788bec8bd5343a64423ebea6b323603c10b3cca03c08ebe0774bb5a
  • 5d0719c5e29e96b81ec8198e8bba5d531a2dc433c3107be6263dee33b54d578a
  • b4872f6bb69b449b9c13ac694a8e54a22dce012cba48a5e8bce0607690d08254
  • 0cd26bb7a3a873d60a150ad2e776a37de07f1317639d75f3a0df4939982ac0bf
  • 4966faf9e999db2f059162a8d1e17c44d8f77697ec268ff55f2f4efdb96797a8
  • d453919141d456afce8476b4af9082b4af8d4c644e8468aa62259d704c22e074
  • a00f787d5990ee8303bfd5cdc8eda650317434482e6f82cc53dfcf565006896d
  • 7392019700b493b87ba4a53cc25e7cc639ce58da390b1b3780eaf8ee0889dcf3
  • portfolio-roman.ml
  • https://portfolio-roman.ml/img/new_game.exe
  • https://discord.com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO

5 thoughts on “SapphireStealer Infostealer malware into limelight

Leave a Reply

%d bloggers like this: