
A newly identified Python-based malware, named “Inf0s3c Stealer,” has emerged, demonstrating advanced capabilities in data exfiltration via Discord channels. This malware highlights an evolution in data theft tools, integrating traditional system reconnaissance with modern communication platforms to efficiently harvest sensitive information from compromised Windows systems.
Technical Specifications
Inf0s3c Stealer functions as a comprehensive data grabber, systematically collecting host identifiers, CPU information, network configurations, and user data from infected machines. Upon execution, it silently invokes multiple PowerShell commands through the Command Prompt to gather extensive system details, creating a detailed profile of the victim’s environment.
The malware targets a range of sensitive information, including:
- Discord accounts
- Browser credentials
- Cookies and browsing history
- Cryptocurrency wallets
- Wi-Fi passwords
- Gaming platform sessions from services like Steam, Epic Games, and Minecraft
Researchers have identified that the malware uses sophisticated packaging and obfuscation techniques, such as UPX compression and PyInstaller bundling, to evade detection. The 6.8MB executable maintains a high entropy value of 8.000, indicating heavy packing that obscures its true functionality from static analysis tools.
Data Exfiltration and Evasion
Inf0s3c Stealer’s primary innovation lies in its automated exfiltration mechanism through Discord channels, where it transmits collected data as compressed RAR archives labeled “Blank Grabber.” This approach leverages legitimate communication infrastructure to blend malicious traffic with normal user activity, reducing the likelihood of detection by network monitoring systems.
Advanced Persistence Mechanisms
The malware employs sophisticated persistence tactics to ensure long-term system compromise. It copies itself into the Windows Startup folder, disguised with a .scr extension to appear as a screensaver file. This technique is implemented through a function targeting the system-wide startup directory:
```python
def PutInStartup() -> str:
    # system-wide Startup folder, so the copy runs for every user at logon
    STARTUPDIR = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
    file, isExecutable = Utility.GetS()
    if isExecutable:
        # random "invisible" file name with a screensaver (.scr) extension
        out = os.path.join(STARTUPDIR, "{}.scr".format(Utility.GetRandomString(invisible=True)))
        os.makedirs(STARTUPDIR, exist_ok=True)
        try: shutil.copy(file, out)
        except Exception: return None
        return out
```
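As an added defensive check (not code from the article or from the malware), the following Python routine lists screensaver files in the system-wide Startup folder quoted above and rates highest those whose name has no visible characters, the pattern produced by the random "invisible" name. The exact set of blank look-alike code points and the severity labels are assumptions.

```python
import unicodedata
from pathlib import Path
from typing import Dict, List, Optional

# System-wide Startup folder used by the PutInStartup() routine quoted above.
DEFAULT_STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Code points that render blank but are not space/format characters to Unicode
# (Hangul fillers, braille blank). Assumed set; extend as needed.
BLANK_LOOKALIKES = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800"}


def is_invisible_name(stem: str) -> bool:
    """True when the name (extension removed) draws no visible glyph.

    Empty stems, or stems made only of whitespace, control (Cc), format
    (Cf, e.g. zero-width space), separator (Zs/Zl/Zp) or look-alike
    characters, count as invisible."""
    for ch in stem:
        if ch in BLANK_LOOKALIKES or ch.isspace():
            continue
        if unicodedata.category(ch) in ("Cc", "Cf", "Zs", "Zl", "Zp"):
            continue
        return False
    return True


def classify_entry(name: str) -> Optional[str]:
    """Severity for one Startup entry: a screensaver in Startup is unusual
    ("medium"); one with an invisible name matches the pattern described in
    the article ("high"). Non-.scr files return None."""
    if not name.lower().endswith(".scr"):
        return None
    return "high" if is_invisible_name(name[:-len(".scr")]) else "medium"


def scan_startup_dir(startup_dir: str = DEFAULT_STARTUP_DIR) -> List[Dict[str, str]]:
    """Report every .scr file in the Startup folder with its severity.
    name_repr uses ascii() so invisible characters show up in output."""
    findings: List[Dict[str, str]] = []
    folder = Path(startup_dir)
    if not folder.is_dir():  # folder absent or not a directory: nothing to report
        return findings
    for entry in folder.iterdir():
        severity = classify_entry(entry.name) if entry.is_file() else None
        if severity is not None:
            findings.append({"path": str(entry), "severity": severity,
                             "name_repr": ascii(entry.name)})
    return findings
```

Run it with no arguments on a Windows host to scan the default folder, or pass another directory (for example a per-user Startup folder) to `scan_startup_dir`.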
The malware includes anti-analysis features such as anti-VM checks and the ability to block antivirus-related websites. It can perform self-deletion after execution through a “melt” function, leaving minimal forensic traces. Additionally, Inf0s3c Stealer includes a “pump stub” feature designed to artificially inflate the file size, potentially bypassing size-based detection heuristics used by security solutions.