Eternity Stealer
⚠️ Overview
Eternity Stealer is an information-stealing malware written in Python, first documented by Cyble researchers in early 2022. It operates under a Malware-as-a-Service (MaaS) model, sold on Russian-language underground forums by the threat actor known as "Eternity Team." The stealer is part of a broader Eternity tool suite that also includes Eternity Ransomware, Eternity Miner, and an Eternity Clipper, all offered as separate subscriptions.
🔧 Technical Capabilities
Eternity Stealer targets over 20 Chromium-based browsers, extracting saved credentials, autofill data, and cookies. It also steals cryptocurrency wallets such as Exodus, Electrum, and Binance Chain, and harvests Discord tokens, Steam sessions, and FTP client credentials. The malware uses the Telegram Bot API as its primary C2 channel, sending exfiltrated data via HTTPS POST requests to a Telegram chat. Persistence is achieved by adding a registry Run key; evasion includes anti-VM checks via WMI queries and obfuscation of strings using Base64 encoding and AES encryption. A recent variant (v4.4) added keylogging and screen-capture capabilities.
📜 History & Notable Incidents
First observed in December 2021, the stealer underwent rapid development, with version 4.0 released in mid-2022. In October 2022, the Eternity infrastructure was disrupted when the Telegram channels used for C2 were taken down, but the group rebounded by shifting to new bots. No high-profile corporate breaches have been publicly attributed solely to this stealer, but it has been widely used against individual victims via spear-phishing emails and fake software downloads. No specific CVEs are associated with the malware itself; it exploits user behavior rather than system vulnerabilities.
🔍 Detection Indicators
Known SHA256 hashes include f4a5c8d6e9b2a1c3f7e8d9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9 (from the Cyble report) and 2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (VT sample). Behavioral indicators include a Python runtime spawning cmd.exe with obfuscated Base64 command lines, outbound connections to api.telegram.org on port 443, and creation of a Run value named "EternityStealer" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Mutex names such as "EternityMutex" have been observed.
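As an added illustration (not code from Cyble or from this profile), the following Python matcher applies the behavioral indicators listed above to a constructed, Sysmon-like event stream; the field names (parent_image, dest_host, value_name and so on) are assumptions, not a real log schema.

```python
import re
from typing import Iterable, Optional

# Indicators taken from the profile above. The event schema is a constructed,
# Sysmon-like simplification; its field names are hypothetical.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "eternitystealer"
C2_HOST = "api.telegram.org"
MUTEX_NAME = "eternitymutex"
PY_IMAGES = ("python.exe", "pythonw.exe")
# A run of 40+ Base64 characters not embedded in a longer token.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev: dict) -> Optional[str]:
    """Return the name of the indicator an event matches, or None."""
    kind = ev.get("type")
    if kind == "process_create":
        parent, image = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
        if parent in PY_IMAGES and image == "cmd.exe" and BASE64_TOKEN.search(ev.get("command_line", "")):
            return "python_spawns_cmd_with_base64"
    elif kind == "network_connect":
        if ev.get("dest_host", "").lower() == C2_HOST and ev.get("dest_port") == 443:
            return "telegram_api_c2"
    elif kind == "registry_set":
        if ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX) and ev.get("value_name", "").lower() == RUN_VALUE_NAME:
            return "run_key_eternitystealer"
    elif kind == "mutex_create" and ev.get("name", "").lower() == MUTEX_NAME:
        return "mutex_eternitymutex"
    return None

def scan(events: Iterable[dict]) -> list:
    """Return the distinct indicators hit, in first-seen order."""
    hits = []
    for ev in events:
        name = match_event(ev)
        if name and name not in hits:
            hits.append(name)
    return hits

# Constructed sample telemetry: three events matching the profile, two benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo " + "QUFB" * 12 + "= > x.txt"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "EternityStealer", "value": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]
```

Running scan(SAMPLE_EVENTS) returns the three matched indicator names and ignores the benign explorer.exe and browser events; the Telegram rule is deliberately broad and should be scoped to hosts with no legitimate Telegram use, as the mitigation section suggests.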
☠️ Risk & Impact
The primary risk is credential theft and cryptocurrency wallet compromise, leading to account takeover and financial loss. Victims range from individual gamers to small businesses; the malware is commodity-level and sold cheaply (around $50/month for the stealer module). Financial losses per incident are typically under $10,000 but can accumulate in large-scale campaigns. The stealer can also open a secondary shell via the clipper module, allowing ransomware deployment by the same threat group.
🛡️ Mitigation
Defenders should block the Telegram Bot API domain (api.telegram.org) on workstations that have no business need for it, deploy EDR solutions with behavioral detection for Python-based executables, and enforce application allowlisting. The MITRE ATT&CK techniques used include T1055 (Process Injection) for keylogging and T1071.001 (Application Layer Protocol: Web Protocols) for C2 via Telegram. A free YARA rule from Cyble (eternity_stealer_rule.yar) can detect samples in hybrid analysis pipelines.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.