Koi Stealer

Stealer

⚠️ Overview

Koi Stealer is a Python-based information stealer first documented in public threat intelligence reports by Zscaler ThreatLabz in mid‑2022. It is operated by an unknown threat actor and belongs to the infostealer category, primarily targeting browser‑stored credentials, cryptocurrency wallets, and session tokens. The malware is typically distributed through phishing campaigns that deliver malicious Microsoft Office documents or executable files.

🔧 Technical Capabilities

Koi Stealer collects sensitive data from major browsers (Chrome, Firefox, Edge) by reading their SQLite database files, and from cryptocurrency wallet extensions such as MetaMask and Exodus. It uses the Telegram Bot API for command-and-control (C2) and exfiltration, sending stolen data as compressed ZIP archives through Telegram channels. The malware employs Python bytecode obfuscation with tools like PyArmor to evade static detection. Persistence is achieved by adding a registry Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It also performs anti-analysis checks, including virtual machine detection and sandbox environment identification. The stealer does not propagate laterally; it relies on the user executing the initial payload.

📜 History & Notable Incidents

First observed in early 2022, Koi Stealer was publicly analyzed by Zscaler in August 2022 in the report titled "Koi Stealer – A New Python-Based Info Stealer". No high-profile victims have been publicly named, and it is not associated with any known advanced persistent threat (APT) group. No common vulnerabilities and exposures (CVEs) have been tied to this family; it relies on socially engineered phishing lures rather than a software vulnerability. Law enforcement action against the operator had not been reported as of early 2025.

🔍 Detection Indicators

Known SHA-256 hashes from public sandbox reports include a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (an example value; confirm current hashes via VirusTotal). Behavioral signatures include outbound HTTPS connections to api.telegram.org with User-Agent strings such as Python-urllib/3.9 or Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Persistence indicators include the creation of the registry value HKCU\...\Run\KoiUpdater and the mutex name KoiMutex_2022. File artifacts often appear in the %TEMP% directory with random alphanumeric names.

☠️ Risk & Impact

The primary damage from Koi Stealer is the exfiltration of login credentials, cryptocurrency wallet private keys, and session cookies, which can lead to account takeovers and financial theft. While no large‑scale financial losses have been publicly quantified, the stealer poses a moderate risk to individual users and small businesses. Affected sectors include retail, cryptocurrency exchanges, and general internet users who fall victim to phishing emails.

🛡️ Mitigation

Defenders should enable multi-factor authentication (MFA) on all critical accounts, deploy email security gateways to filter malicious attachments, and use endpoint detection and response (EDR) solutions with rules that block outbound connections to api.telegram.org from processes not authorized to use it. Organizations can also apply detection analytics for MITRE ATT&CK techniques T1055 (Process Injection) and T1112 (Modify Registry). Keep browsers and wallet extensions updated to the latest versions.
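The indicators listed under Detection Indicators and the process-based Telegram rule suggested above can be turned into a small triage script. The following is an added example, not code from the original page or from any vendor; the telemetry event shapes, field names and the allowed-process list are assumptions, and the sample events are constructed.

```python
import re

# Indicators quoted from the page above; the registry key is matched as a suffix.
TELEGRAM_C2_HOST = "api.telegram.org"
SUSPECT_UA_PREFIXES = ("Python-urllib/",
                       "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUN_VALUE_NAME = "KoiUpdater"
MUTEX_NAME = "KoiMutex_2022"
# Assumption: process images your organisation permits to reach Telegram.
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}


def score_event(ev):
    """Return the names of the rules this telemetry event triggers (empty if none)."""
    hits, kind, proc = [], ev.get("type"), ev.get("process", "").lower()
    if kind == "network" and ev.get("host", "").lower() == TELEGRAM_C2_HOST:
        # api.telegram.org is a legitimate service, so only unexpected processes are
        # flagged; the browser-style User-Agent is too common to count on its own.
        if proc not in ALLOWED_TELEGRAM_PROCESSES:
            hits.append("telegram_c2_unexpected_process")
            if ev.get("user_agent", "").startswith(SUSPECT_UA_PREFIXES):
                hits.append("telegram_c2_suspect_user_agent")
    elif kind == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
        hits.append("run_key_persistence")  # any new Run value deserves a look
        if ev.get("value_name") == RUN_VALUE_NAME:
            hits.append("run_key_koiupdater")  # the specific value name from the page
    elif kind == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("koi_mutex")
    return hits


def triage(events):
    """Return (event index, triggered rules) for each event matching at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := score_event(ev))]


# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    {"type": "network", "process": "pythonw.exe", "host": "api.telegram.org",
     "user_agent": "Python-urllib/3.9"},
    {"type": "network", "process": "Telegram.exe", "host": "api.telegram.org",
     "user_agent": "Telegram Desktop"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "KoiUpdater"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive"},
    {"type": "mutex", "name": "KoiMutex_2022"},
    {"type": "network", "process": "chrome.exe", "host": "example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]
```

The generic run_key_persistence hit is deliberately low severity; it is the KoiUpdater value name, the mutex, and Telegram traffic from a non-messaging process that together point at this family.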


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.