Adamantium Thief

Malware

⚠️ Overview

Adamantium Thief is an information-stealing malware first reported in early 2023 by the Zscaler ThreatLabz team, categorized as a stealer that targets credentials, browser data, and cryptocurrency wallets. It is believed to be operated by a Russian-speaking threat actor known as "Exclusive" (also tracked by some vendors as part of the Stealc family), and is sold on underground forums as a commodity stealer with a builder-based distribution model.

🔧 Technical Capabilities

Adamantium Thief is written in C++ and uses a three-stage execution chain: a loader drops a decoy application while injecting the main payload into a legitimate process, such as explorer.exe or svchost.exe, to evade detection. The malware employs API hashing and string obfuscation to hinder static analysis, injects via process hollowing, and maintains persistence through scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its command-and-control (C2) infrastructure relies on HTTP/HTTPS communication with JSON-based exfiltration, often using compromised WordPress sites as relays. The malware targets over 60 cryptocurrency wallets (including Exodus, Electrum, MetaMask), steals FTP client credentials (FileZilla, WinSCP), extracts browser cookies and autofill data from Chromium-based browsers, and captures screenshots. It can also upload arbitrary files from the victim's machine via a built-in file grabber module.

📜 History & Notable Incidents

First documented in December 2022 on Russian-language cybercrime forums, Adamantium Thief gained traction in early 2023 through cracked software installers and phishing lures. A major campaign in April 2023 targeted users of gaming platforms and cracked software, distributing the stealer via malvertising on Google Ads (highlighted by Zscaler in their June 2023 report). No high-profile corporate victims have been publicly named, but the malware has infected thousands of individuals globally, with a spike in detections reported by ANY.RUN and VirusTotal throughout 2023. No CVEs are directly associated with the malware itself. Law enforcement actions have not been reported as of 2025.

🔍 Detection Indicators

Known SHA256 hashes include 038f6c9a7e... (from Zscaler report) and d4a8f2b1c... (from ANY.RUN sandbox). Behavioral indicators include the creation of a mutex named Global\ADAM_THIEF_MUTEX and dropped files in %TEMP%\ADAM with the extension .tmp. Network IOCs include C2 domains ending in .top and .xyz (e.g., cdn-update[.]top, victory-service[.]xyz), and User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" with appended base64 markers.

☠️ Risk & Impact

The primary risk is credential theft and cryptocurrency wallet compromise, leading to direct financial losses for individual victims. Business environments are indirectly affected if employees’ personal devices are infected while accessing corporate services, potentially exposing VPN credentials or cloud storage tokens. The impact is classified as medium, with the malware primarily targeting consumers and small businesses; no large-scale enterprise breaches have been publicly reported.

🛡️ Mitigation

Defenders should implement application whitelisting to block execution from %TEMP% and enforce multi-factor authentication (MFA) on all critical accounts. Detection rules for SIEMs (e.g., Sigma rules) should monitor for the creation of the ADAM_THIEF_MUTEX mutex and HTTP POST requests to domains with .top or .xyz TLDs. Up-to-date antivirus signatures (YARA rules available from Zscaler ThreatLabz) and browser isolation practices are recommended.
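The following is an added example (not code from the original write-up, from Zscaler, or from any vendor) that turns the behavioral and network indicators listed under Detection Indicators and the monitoring advice above into a small host triage routine. It assumes endpoint telemetry has already been normalized into simple dict events (mutex creation, file creation, registry value set, HTTP request); the event schema and the sample log are constructed for this example, and the mutex name, drop path, Run key, TLDs and User-Agent string are the ones the write-up lists.

```python
import base64
import binascii
import re

# Indicators as listed in the write-up above. Event shapes below are assumed,
# not taken from any real EDR product.
MUTEX_NAME = r"Global\ADAM_THIEF_MUTEX"
# %TEMP%\ADAM\<name>.tmp once %TEMP% has been expanded to a real path
DROP_PATH_RE = re.compile(r"(?i)\\Temp\\ADAM\\[^\\]+\.tmp$")
RUN_KEY_RE = re.compile(
    r"(?i)^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)")
SUSPICIOUS_TLDS = (".top", ".xyz")
UA_PREFIX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")


def has_base64_marker(user_agent):
    """True when the UA is the Chrome/108 string with an extra base64 token appended.

    A plain Chrome/108 UA is legitimate on its own; only the trailing marker is
    suspicious, so the exact prefix alone never matches.
    """
    if not user_agent.startswith(UA_PREFIX):
        return False
    tail = user_agent[len(UA_PREFIX):].strip()
    if len(tail) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tail):
        return False
    try:
        base64.b64decode(tail, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def match_event(event):
    """Return the indicator category a single event hits, or None."""
    kind = event.get("type")
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return "mutex"
    if kind == "file_create" and DROP_PATH_RE.search(event.get("path", "")):
        return "drop_file"
    if kind == "registry_set" and RUN_KEY_RE.match(event.get("key", "")):
        return "run_key"
    if kind == "http" and event.get("method") == "POST":
        host = event.get("host", "").lower()
        if host.endswith(SUSPICIOUS_TLDS) or has_base64_marker(event.get("user_agent", "")):
            return "c2_post"
    return None


def triage(events, threshold=2):
    """Group hits by category; flag the host when `threshold` distinct categories fire.

    Run-key writes and POSTs to .top/.xyz hosts are individually noisy, so a
    single category is reported but not flagged by default.
    """
    hits = {}
    for ev in events:
        cat = match_event(ev)
        if cat:
            hits.setdefault(cat, []).append(ev)
    return {"categories": sorted(hits), "hits": hits, "flagged": len(hits) >= threshold}


# Constructed sample telemetry for one host (not a real capture).
SAMPLE_EVENTS = [
    {"type": "mutex", "name": r"Global\ADAM_THIEF_MUTEX", "pid": 4120},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\ADAM\cookies.tmp"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
    {"type": "http", "method": "POST", "host": "cdn-update.top",
     "user_agent": UA_PREFIX + " " + base64.b64encode(b"host=WIN-ALICE").decode()},
    {"type": "http", "method": "GET", "host": "www.example.com", "user_agent": UA_PREFIX},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("flagged:", result["flagged"], "categories:", result["categories"])
    for cat, evs in result["hits"].items():
        print(f"  {cat}: {len(evs)} event(s)")
```

The threshold is deliberate: a Run-key write or a POST to a .xyz domain happens on clean hosts too, so the routine reports those as context and only flags when the mutex, the %TEMP%\ADAM drop or the base64-tagged User-Agent corroborate them. Tune `threshold` and the category weights to your own baseline before wiring this into a SIEM alert.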


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.