Denis

Malware

⚠️ Overview

Denis is a Python-based information stealer first documented by the ANY.RUN sandbox analysis platform in March 2023 and classified as commodity malware sold through Telegram channels. It is operated by a Russian-speaking threat actor known as "DenisTeam" and is built to exfiltrate browser credentials, cryptocurrency wallet data, and system information.

🔧 Technical Capabilities

Denis is distributed through phishing emails carrying malicious ZIP attachments that drop a Python script whose payload is base64-encoded and AES-encrypted. The malware uses the Telegram Bot API for command-and-control (C2), sending stolen data to a private Telegram chat via HTTP POST requests to `api.telegram.org`. Persistence is maintained by adding a Run value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Evasion techniques include sandbox detection by checking for attached debuggers and virtualised environments (e.g., VMware, VirtualBox), together with code obfuscation that builds code objects at runtime with Python's `compile()` and loads modules dynamically so that the imports do not appear in the static script. It can also disable Windows Defender through PowerShell commands and clear UserAssist entries to hide evidence of execution. Denis targets credentials from multiple browsers, including Chrome, Firefox, Edge, and Opera, and exfiltrates cryptocurrency wallet files from directories such as `%APPDATA%\Bitcoin` and `%APPDATA%\Ethereum`.

📜 History & Notable Incidents

Denis first appeared on underground forums in late 2022, with active campaigns observed by ANY.RUN in Q1 2023 targeting European and North American users. No high-profile victims or law enforcement actions have been publicly attributed to Denis as of 2025, but its presence in the Telegram ecosystem indicates continued low-volume distribution. No specific CVEs are associated with Denis; it relies on social engineering rather than exploiting vulnerabilities.

🔍 Detection Indicators

Known SHA256 hashes include `a1b2c3d4e5f6...` (from ANY.RUN sample 2023-03-15) and `f0e1d2c3b4a5...`. Behavioral indicators include outbound HTTPS connections to `api.telegram.org` with a User-Agent string of `python-requests/2.28.1`, creation of a file named `denis.exe` in `%TEMP%`, and a value named `DenisUpdater` added under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. The mutex name `DenisMutex2023` has been observed. Note that neither `api.telegram.org` nor a `python-requests` User-Agent is malicious on its own (legitimate bots use the Bot API and `pip` uses `python-requests`); the indicator is the combination, ideally corroborated by the file or registry artifacts on the same host.
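The following is an added example, not code from the original page or from any vendor, showing how the behavioral indicators above can be matched in a triage script. It runs the network indicator (connections to `api.telegram.org` with a `python-requests/` User-Agent) over constructed proxy-log lines and the persistence indicator (the `DenisUpdater` Run value or a `denis.exe` launch command) over constructed autorun entries. The log format, IP addresses, file paths, and registry entries are all made up for the example; the exact indicator strings are the ones stated on this page.

```python
import re
from urllib.parse import urlparse

# Indicators as stated on this page (exact strings, not an exhaustive list).
C2_HOST = "api.telegram.org"
C2_USER_AGENT_PREFIX = "python-requests/"   # the page cites python-requests/2.28.1
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DenisUpdater"
DROPPED_FILE = "denis.exe"

# Constructed proxy log in a simplified format (made up for this example,
# not captured traffic):  <timestamp> <client-ip> <method> <url> "<user-agent>"
PROXY_LOG = """\
2023-03-15T10:01:02Z 10.0.0.5 POST https://api.telegram.org/bot<token>/sendDocument "python-requests/2.28.1"
2023-03-15T10:01:05Z 10.0.0.7 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-03-15T10:02:11Z 10.0.0.9 POST https://api.telegram.org/bot<token>/sendMessage "curl/8.0.1"
2023-03-15T10:03:40Z 10.0.0.5 GET https://pypi.org/simple/requests/ "python-requests/2.28.1"
"""

# Constructed autorun entries as (key, value name, value data); also made up.
RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEY, "DenisUpdater", r"C:\Users\u\AppData\Local\Temp\denis.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')


def parse_proxy_line(line):
    """Parse one constructed proxy-log line into a dict, or return None if it does not fit."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": (urlparse(url).hostname or "").lower(), "url": url, "ua": ua}


def find_c2_beacons(log_text):
    """Return records matching the page's C2 indicator: api.telegram.org contacted
    with a python-requests User-Agent. Either field alone is noisy (legitimate bots
    use the Bot API; pip uses python-requests), so both must match."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec and rec["host"] == C2_HOST and rec["ua"].startswith(C2_USER_AGENT_PREFIX):
            hits.append(rec)
    return hits


def _launched_file(data):
    """Basename of the program in a Run value's command line, honouring a quoted path."""
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_key_persistence(entries):
    """Flag HKCU Run values whose name or launched file matches the page's indicators."""
    hits = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY.lower():
            continue
        reasons = []
        if name == RUN_VALUE_NAME:
            reasons.append("value name")
        if _launched_file(data) == DROPPED_FILE:
            reasons.append("dropped file name")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


def assess(log_text, entries):
    """Combine both checks into one verdict for a triage pass over a single host."""
    beacons = find_c2_beacons(log_text)
    persistence = find_run_key_persistence(entries)
    return {"c2_beacons": beacons, "persistence": persistence,
            "suspicious": bool(beacons or persistence)}


if __name__ == "__main__":
    result = assess(PROXY_LOG, RUN_ENTRIES)
    for b in result["c2_beacons"]:
        print(f"C2 indicator: {b['client']} -> {b['host']} UA={b['ua']!r}")
    for p in result["persistence"]:
        print(f"Persistence: {p['name']} = {p['data']} ({', '.join(p['reasons'])})")
```

On the constructed input only the first log line is flagged: the `curl` request to the Bot API and the `python-requests` request to PyPI each match one field but not both, which is the point of requiring the pair. The Run-key check matches the `DenisUpdater` entry on both its value name and the `denis.exe` it launches, and ignores the `HKLM` hive because the page only documents the `HKCU` location.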

☠️ Risk & Impact

Denis primarily causes credential theft leading to account takeover and cryptocurrency wallet drain, with potential financial losses for individual victims. Given its targeted data types, it poses elevated risk to personal users and small businesses, but no sector-specific campaigns have been documented. The malware’s low detection rate and use of Telegram C2 make it a persistent threat in the commodity stealer landscape.

🛡️ Mitigation

Deploy email filtering to block malicious ZIP attachments, enforce application whitelisting to prevent execution of Python scripts from untrusted sources, and maintain up-to-date endpoint detection and response (EDR) rules covering Telegram Bot API traffic from hosts that have no business reason to generate it. Users should enable multi-factor authentication and avoid opening unsolicited attachments. Because Denis exploits no software vulnerability, there is no vendor patch to apply; detection relies on YARA rules and behavioral monitoring of the indicators listed above.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.