Lightning Stealer

Stealer

⚠️ Overview

Lightning Stealer is a Python-based information-stealing malware first discovered by Cyble researchers in July 2022, sold on underground forums as a malware-as-a-service (MaaS) tool. It belongs to the infostealer category, primarily targeting credentials, browser cookies, and cryptocurrency wallets.

🔧 Technical Capabilities

The stealer is compiled using PyInstaller and communicates with its command-and-control (C2) infrastructure via Telegram bot APIs, exfiltrating stolen data to a configured Telegram channel. It targets Chromium-based browsers (Chrome, Edge, Opera, Brave) and Firefox to harvest saved passwords, autofill data, and cookies. Additionally, it extracts cryptocurrency wallet files from Exodus, Electrum, and Atomic Wallet, and collects Discord tokens, Steam sessions, and FTP client credentials. Persistence is achieved through a scheduled task or a registry run key modification. For evasion, the malware checks for sandbox environments (e.g., VMware, VirtualBox) and delays execution. It uses obfuscation techniques such as base64 encoding and random function names to avoid signature-based detection.

📜 History & Notable Incidents

First spotted in mid-2022, Lightning Stealer has seen active development with version 2.0 released in early 2023, adding support for more browsers and cryptocurrency wallets. No high-profile victims or CVEs have been publicly associated; however, multiple campaigns targeting gamers and cryptocurrency enthusiasts have been documented by Cyble (July 2022) and Zscaler ThreatLabz (March 2023). No law enforcement actions against its operators have been reported.

🔍 Detection Indicators

Known indicators include file hashes (e.g., SHA256: c3f2a1b4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1) reported by VirusTotal submissions. Behavioral signatures include outbound HTTPS requests to api.telegram.org with a bot token, creation of a mutex named "LightningStealerMutex", and dropped files in %TEMP% with randomized names. Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
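As an added example (not code from the original page or from any vendor), the following Python triage script applies the behavioral indicators above to a handful of constructed endpoint telemetry events and groups hits per process, so that a single noisy rule does not alert on its own. The event schema, the process ids, the file names and the bot-token value are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Indicators from the Detection Indicators section; the event schema is assumed.
MUTEX_NAME = "LightningStealerMutex"
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Telegram Bot API requests carry the bot token in the path: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/\w+", re.I)


def check_event(ev):
    """Return the indicator names a single telemetry event matches."""
    hits = []
    if ev["type"] == "network" and TELEGRAM_BOT_RE.match(ev.get("url", "")):
        hits.append("telegram_bot_c2")
        if TEMP_DIR_RE.search(ev.get("image", "")):  # C2 contact from a %TEMP% binary
            hits.append("c2_from_temp_binary")
    elif ev["type"] == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("known_mutex")
    elif ev["type"] == "registry" and RUN_KEY_RE.match(ev.get("key", "")):
        if TEMP_DIR_RE.search(ev.get("data", "")):  # Run key pointing into %TEMP%
            hits.append("run_key_persistence_to_temp")
    return hits

def scan(events):
    """Group distinct indicator hits per process id."""
    findings = defaultdict(set)
    for ev in events:
        for hit in check_event(ev):
            findings[ev["pid"]].add(hit)
    return {pid: sorted(hits) for pid, hits in findings.items()}

def suspicious_pids(events, min_hits=2):
    """Processes matching at least min_hits distinct indicators (cuts single-rule noise)."""
    return sorted(pid for pid, hits in scan(events).items() if len(hits) >= min_hits)

# Constructed sample telemetry (not real captures); pids, paths and token are made up.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\svc_x9k2.exe",
     "url": "https://api.telegram.org/bot1234567890:AAHconstructedTOKEN_xyz/sendDocument"},
    {"type": "mutex", "pid": 4120, "name": "LightningStealerMutex"},
    {"type": "registry", "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Local\Temp\svc_x9k2.exe"},
    {"type": "registry", "pid": 7722, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},  # benign installer, not in %TEMP%
    {"type": "network", "pid": 7722, "image": r"C:\Program Files\Vendor\updater.exe",
     "url": "https://example.com/check"},
]
```

Run `suspicious_pids(SAMPLE_EVENTS)` to see only the process that combines Telegram bot traffic, the known mutex and Run-key persistence flagged, while the benign installer that also writes a Run key is ignored.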

☠️ Risk & Impact

The primary impact is credential theft and cryptocurrency wallet compromise, leading to account takeover and financial losses. The malware has been observed targeting individuals in the cryptocurrency and online gaming sectors, with stolen credentials often sold on dark web markets. No widespread enterprise compromise has been reported.

🛡️ Mitigation

Mitigation includes blocking outbound connections to Telegram domains (api.telegram.org) on corporate networks, enabling multi-factor authentication, and using endpoint detection rules (Sigma rule ID: 5c3b2a1e-d4f5-6a7b-8c9d-0e1f2a3b4c5d) for PowerShell persistence. Regular updates to anti-malware signatures and user education on phishing lures used to distribute Lightning Stealer are recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.