HYPERSCRAPE

Malware

⚠️ Overview

HyperScrape is a Python-based information stealer first observed in September 2021 by cybersecurity firm Cyble, operating as malware-as-a-service primarily targeting credentials, browser data, and cryptocurrency wallets. It belongs to the stealer category and is distributed through phishing campaigns, malvertising, and cracked software downloads. The malware is attributed to Russian-speaking actors who market it on underground forums, with pricing models based on a one-time purchase or monthly subscription.

🔧 Technical Capabilities

HyperScrape collects data from Chromium-based and Firefox browsers, including saved credentials, cookies, autofill data, and credit card information. It targets cryptocurrency wallets such as Exodus, Electrum, and MetaMask by scanning local file directories. The stealer also harvests system information, Discord tokens, FileZilla credentials, and VPN client configurations. It uses HTTP POST requests to exfiltrate data to a command-and-control (C2) server, often hosted on bulletproof hosting providers. Persistence is achieved via the registry run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and scheduled tasks. Evasion techniques include obfuscated Python scripts packed with PyInstaller, anti-VM checks, and runtime string encryption to bypass signature-based detection.

📜 History & Notable Incidents

First reported in September 2021, HyperScrape was involved in a campaign targeting users of the Telegram messaging platform through fake verification bots. In early 2022, it was distributed via fake YouTube downloader websites, as documented by the ASEC (AhnLab Security Emergency Response Center). No confirmed CVE exploitation has been attributed to HyperScrape; however, it frequently leverages malvertising on search engines for distribution. Law enforcement actions have not been publicly recorded; the variant remains active with periodic code updates as of early 2025.

🔍 Detection Indicators

Network indicators include outbound HTTP connections to paste[.]ee and api[.]telegram[.]org for C2 communication, often with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 modified to include a unique campaign identifier. File-system artifacts include a %TEMP%\HyperScrape directory and the mutex Global\HyperScrape_Mutex. Public reports list SHA-256 hashes that vary per variant; the value a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 quoted here is only an illustrative placeholder, not a real indicator. Behavioral signatures include sudden high CPU usage during data collection and registry modifications under Run keys.
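As an added example that is not part of the original profile, the following Python scans constructed proxy and endpoint telemetry for the indicators listed above (the two C2 domains, the tampered User-Agent, Run-key persistence into the %TEMP%\HyperScrape directory, and the mutex). The event schema, the campaign-id suffix "cmp-7f3a" and every sample record are assumptions made up for the demonstration.

```python
import re

# Indicators from the profile above; event schema and all sample records are constructed.
C2_DOMAINS = {"paste.ee", "api.telegram.org"}
BASE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX_NAME = r"Global\HyperScrape_Mutex"
# %TEMP%\HyperScrape, whether the variable is still literal or already expanded.
TEMP_DIR_RE = re.compile(r"(?i)(%temp%|\\appdata\\local\\temp)\\hyperscrape(\\|$)")

def modified_base_ua(ua: str) -> bool:
    """Bare AppleWebKit prefix plus a non-browser suffix (a real Chrome UA continues
    with ' (KHTML, like Gecko) ...'); the profile describes the C2 UA this way."""
    tail = ua[len(BASE_UA):] if ua.startswith(BASE_UA) else None
    return bool(tail) and not tail.startswith(" (KHTML")

def scan_proxy(events: list[dict]) -> list[str]:
    """POSTs to the C2 domains; both carry legitimate traffic, so only a tampered UA is high."""
    out = []
    for e in events:
        if e["method"] == "POST" and e["host"] in C2_DOMAINS:
            sev = "high" if modified_base_ua(e["ua"]) else "medium"
            out.append(f"{sev}: {e['src']} POST {e['host']} ua={e['ua']!r}")
    return out

def scan_endpoint(events: list[dict]) -> list[str]:
    """Run-key value pointing into the temp dir, the mutex, and files under that dir."""
    out = []
    for e in events:
        if e["type"] == "registry_set" and e["key"].lower() == RUN_KEY.lower() \
                and TEMP_DIR_RE.search(e["data"]):
            out.append(f"high: Run key persistence -> {e['data']}")
        elif e["type"] == "mutex_create" and e["name"] == MUTEX_NAME:
            out.append(f"high: mutex {e['name']} created by pid {e['pid']}")
        elif e["type"] == "file_create" and TEMP_DIR_RE.search(e["path"]):
            out.append(f"medium: file in HyperScrape temp dir: {e['path']}")
    return out

# Constructed sample telemetry (not taken from any real incident).
PROXY_EVENTS = [
    {"src": "10.0.0.12", "method": "POST", "host": "paste.ee", "ua": BASE_UA + " cmp-7f3a"},
    {"src": "10.0.0.15", "method": "GET", "host": "paste.ee", "ua": BASE_UA + " (KHTML, like Gecko) Chrome/120.0"},
    {"src": "10.0.0.12", "method": "POST", "host": "api.telegram.org", "ua": BASE_UA},
]
ENDPOINT_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "data": r"C:\Users\a\AppData\Local\Temp\HyperScrape\run.exe"},
    {"type": "registry_set", "key": RUN_KEY, "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "mutex_create", "name": MUTEX_NAME, "pid": 4412},
    {"type": "file_create", "path": r"%TEMP%\HyperScrape\browsers.db"},
]
```

Running `scan_proxy(PROXY_EVENTS)` and `scan_endpoint(ENDPOINT_EVENTS)` yields two network and three endpoint findings; the benign Chrome request and the vendor updater Run-key entry are not flagged.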

☠️ Risk & Impact

HyperScrape poses a high risk for credential theft, cryptocurrency wallet compromise, and account takeover, leading to potential financial losses for individuals and organizations. Affected sectors include retail, cryptocurrency exchanges, and general internet users, with infections primarily observed in North America, Europe, and Southeast Asia. Data exfiltration can expose sensitive information such as corporate VPN access and multi-factor authentication tokens, enabling lateral movement in enterprise environments.

🛡️ Mitigation

Defenders should enforce application whitelisting, block outbound connections to known malicious domains via network detection rules, and deploy endpoint detection and response (EDR) solutions with behavioral analytics. Regular user awareness training against phishing and cracked software downloads is critical. MITRE ATT&CK techniques associated include T1555.003 (Credentials from Web Browsers), T1119 (Automated Collection), and T1059.006 (Python).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.