A new credential stealer disguised as a legitimate forensic toolkit has emerged on GitHub, targeting VPN configurations, browser credentials, and cryptocurrency wallet data. The Octalyn Stealer, first identified in July 2025, presents itself as an educational research tool while functioning as fully operational malware built for large-scale data theft and exfiltration. Cyfirma researchers identified the malware during routine threat hunting, noting its unusual combination of legitimate presentation and malicious functionality. The GitHub repository maintains the facade of a forensic research tool, complete with educational disclaimers, while containing every component needed for unauthorized data harvesting.

The malware uses a dual-language architecture: a C++ core payload paired with a Delphi-based builder interface, which makes it accessible to threat actors with varying levels of technical expertise.

Upon execution, the malware calls the Windows API function GetTempPathA to locate the system's temporary directory and creates its working folder using the code pattern getenv("TEMP") + "\\Octalyn". The dropper then systematically extracts three embedded executables (TelegramBuild.exe, rvn.exe, and assembly.exe) into that temporary folder, using a loop that calls ShellExecuteA in silent mode. Once deployed, the stealer operates stealthily, establishes persistence through multiple mechanisms, and organizes stolen data into clearly structured directories for efficient processing.

The stealer targets browser-stored information comprehensively, extracting passwords, cookies, autofill data, and browsing history from Chrome, Edge, and Opera. For Chrome it reads the cookie store at "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" and decrypts the stored cookies using Chrome's local encryption keys; similar procedures target Microsoft Edge and Opera.

The financial implications are particularly concerning, as the stealer specifically targets cryptocurrency wallets across multiple platforms, including Bitcoin, Ethereum, Litecoin, and Monero. It creates a dedicated subdirectory for each cryptocurrency type and systematically harvests wallet addresses, private keys, seed phrases, and configuration files. This methodical approach to data organization reflects the malware's commercial-grade design, enabling efficient sorting and processing of stolen information.
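As an added illustration (not code from the article, from Cyfirma, or from the Octalyn repository), the following Python hunting script turns the artifacts named above into detection logic. It scans a constructed set of endpoint telemetry events (file-create and file-read records in a Sysmon-like shape; the field names and every sample path are assumptions made for this example) for three things: the %TEMP%\Octalyn working folder, the three dropped executable names, and a process other than the browser itself reading Chrome's Network\Cookies database.

```python
"""Hunting rules for the Octalyn Stealer artifacts named in the article.

Added illustration, not code from the article or from the malware's
repository. It scans a constructed list of endpoint telemetry events
(Sysmon-like file_create / file_read records) for:
  - the working folder <TEMP>\\Octalyn
  - the dropped executables TelegramBuild.exe, rvn.exe, assembly.exe
  - a non-browser process reading Chrome's Network\\Cookies database
The event field names ("type", "image", "path") and all sample paths
are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the article.
DROPPED_EXECUTABLES = {"telegrambuild.exe", "rvn.exe", "assembly.exe"}
WORKING_DIR_RE = re.compile(r"\\temp\\octalyn(\\|$)", re.IGNORECASE)
CHROME_COOKIES_RE = re.compile(
    r"\\google\\chrome\\user data\\default\\network\\cookies$", re.IGNORECASE
)
# Processes that legitimately open Chrome's cookie database (assumption:
# only the browser binary itself should touch it).
BROWSER_PROCESSES = {"chrome.exe"}


def _basename(path: str) -> str:
    """Return the last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list if benign)."""
    hits: List[str] = []
    target = event.get("path", "").replace("/", "\\")
    image = event.get("image", "").replace("/", "\\")
    actor = _basename(image)

    # A file written into <TEMP>\Octalyn matches the stealer's working folder.
    if WORKING_DIR_RE.search(target):
        hits.append("octalyn_working_dir")
    # The three payload names the dropper extracts.
    if _basename(target) in DROPPED_EXECUTABLES:
        hits.append("dropped_executable_name")
    # The acting process itself runs out of the working folder.
    if WORKING_DIR_RE.search(image):
        hits.append("process_from_octalyn_dir")
    # Chrome's cookie database opened by something that is not the browser.
    if (
        event.get("type") == "file_read"
        and CHROME_COOKIES_RE.search(target)
        and actor not in BROWSER_PROCESSES
    ):
        hits.append("chrome_cookie_db_access_by_non_browser")
    return hits


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (event, hits) for every event matching at least one indicator."""
    findings = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            findings.append((ev, hits))
    return findings


# Constructed sample telemetry; none of it is real captured data.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\forensic_toolkit.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\Octalyn\TelegramBuild.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\forensic_toolkit.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\Octalyn\rvn.exe"},
    {"type": "file_read", "image": r"C:\Users\alice\AppData\Local\Temp\Octalyn\assembly.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.log"},
]

if __name__ == "__main__":
    for ev, hits in scan_events(SAMPLE_EVENTS):
        print(f"{', '.join(hits):60s} {ev['path']}")
```

The folder-name and executable-name rules are specific to this build and cheap for the operator to change, so they are best treated as confirmation rather than primary detection. The last rule, a process other than the browser reading the Chrome cookie database, does not depend on any Octalyn-specific string and generalizes to other browser-credential stealers; it is the one worth keeping in a baseline, with a tuning list of legitimate backup or sync agents added to BROWSER_PROCESSES as needed.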
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 05:50:10 +0000