AvD Crypto Stealer
⚠️ Overview
AvD Crypto Stealer is a Python-based cryptocurrency information stealer first documented in late 2022 by cybersecurity researchers at Broadcom (Symantec). It belongs to the infostealer malware category and is primarily distributed through cracked software and game cheat installers hosted on platforms like GitHub and Discord. The malware is operated by an unknown threat actor, possibly tied to Russian-language underground forums, and targets browser-stored cryptocurrency wallet extensions, desktop wallet applications, and clipboard data to exfiltrate private keys and seed phrases.
🔧 Technical Capabilities
AvD Crypto Stealer exfiltrates data from Chromium-based browsers by parsing the LevelDB database files for stored credentials and cryptocurrency wallet extension data (e.g., MetaMask, Binance Chain Wallet). It also targets desktop wallets such as Atomic Wallet, Exodus, and Electrum by reading their configuration files and known wallet.dat locations. The malware uses C2 infrastructure hosted on bulletproof hosting providers, communicating over HTTPS with a dynamic DNS domain (e.g., avd-stealer.xyz, observed in 2022). Persistence is achieved via a scheduled task or a registry Run key modification. Evasion techniques include base64-encoding exfiltrated data, checking for virtual machine or sandbox artifacts (e.g., VMware, VirtualBox), and delaying execution by 30 seconds to outlast short behavioral-analysis windows. Propagation relies on social engineering: the installer poses as a game mod or crack that, after extraction, runs a Python script packaged with PyInstaller.
📜 History & Notable Incidents
First spotted in October 2022, AvD Crypto Stealer was included in a broader campaign distributing multiple stealers (e.g., RedLine, Vidar) through fake YouTube tutorial links. No high-profile victims or CVEs have been publicly attributed to this malware; it primarily targets individual cryptocurrency holders. Law enforcement actions have not been reported, though the C2 infrastructure was temporarily taken down in early 2023 following hosting-provider abuse reports.
🔍 Detection Indicators
Known SHA-256 hash for a sample: 4c8b2f3a1d9e5c7b6a0f2e4d3c1b8a9f0e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3 (per VirusTotal, first submission 2022-11-15). Behavioral indicators include a process named python.exe or pyinstaller.exe writing to `%TEMP%\AvDCrypto`, network connections to domains containing "avd-stealer", and registry modifications at `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvDCrypto`. The malware uses a User-Agent string mimicking Google Chrome 108.0.5359.124. A mutex named AvDCryptoMutex is created on execution.
☠️ Risk & Impact
AvD Crypto Stealer poses a direct financial risk to individual cryptocurrency holders by stealing wallet private keys, seed phrases, and clipboard contents, enabling attackers to drain wallets. No ransomware or system-level damage occurs; impact is limited to data exfiltration of cryptocurrency assets. The malware primarily affects retail investors and gamers who download cracked software, with no known targeting of enterprise or government sectors.
🛡️ Mitigation
Defenders should block execution of untrusted Python scripts and PyInstaller-packaged executables, enforce application allow-listing, and enable anti-phishing browser extensions. Detection rules can include Sigma signatures for the mutex name and the registry Run key, plus network IOCs for the avd-stealer domain. Users should avoid downloading cracked software and use official wallet extensions with hardware wallet support.
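The behavioral indicators listed under Detection Indicators and the detection rules suggested above, turned into a small matcher run over constructed telemetry. This is an added example, not code from the page's source or from any vendor; the flat event schema (`type`, `image`, `target`, `host`, `user_agent`, `mutex`) is an assumption standing in for Sysmon or EDR events, and the sample events are constructed. It also shows why the Chrome User-Agent is only worth alerting on when the sender is not a browser.

```python
import re
from typing import Dict, List

# Indicators from the profile above. %TEMP% is assumed to expand to
# ...\AppData\Local\Temp, so the drop path is matched on "\Temp\AvDCrypto".
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AvDCrypto$", re.I)
TEMP_DROP = re.compile(r"\\Temp\\AvDCrypto(\\|$)", re.I)
C2_DOMAIN = "avd-stealer"
MUTEX = "AvDCryptoMutex"
CHROME_UA = "Chrome/108.0.5359.124"
PY_IMAGES = ("python.exe", "pyinstaller.exe")

def matches(event: Dict[str, str]) -> List[str]:
    """Return the names of every AvD indicator a single event satisfies."""
    hits: List[str] = []
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]  # basename only
    kind = event.get("type")
    if kind == "registry_set" and RUN_KEY.search(event.get("target", "")):
        hits.append("persistence_run_key")
    if kind == "file_create" and image in PY_IMAGES and TEMP_DROP.search(event.get("target", "")):
        hits.append("temp_drop_by_python")
    if kind == "network" and C2_DOMAIN in event.get("host", "").lower():
        hits.append("c2_domain")
    # The spoofed UA is noise from a real browser; it only matters from a Python image.
    if kind == "network" and image in PY_IMAGES and CHROME_UA in event.get("user_agent", ""):
        hits.append("spoofed_chrome_ua_from_python")
    if kind == "mutex" and event.get("mutex") == MUTEX:
        hits.append("mutex")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, indicator names) for every event that matched something."""
    results = []
    for i, event in enumerate(events):
        hit = matches(event)
        if hit:
            results.append((i, hit))
    return results

# Constructed sample telemetry (not real logs); event 3 is a benign Chrome request.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0.5359.124 Safari/537.36"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvDCrypto"},
    {"type": "file_create", "image": "python.exe", "target": r"C:\Users\u\AppData\Local\Temp\AvDCrypto\out.txt"},
    {"type": "network", "image": "python.exe", "host": "cdn.avd-stealer.xyz", "user_agent": UA},
    {"type": "network", "image": "chrome.exe", "host": "example.com", "user_agent": UA},
    {"type": "mutex", "image": "python.exe", "mutex": "AvDCryptoMutex"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(idx, names)
```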