STARWHALE

Malware

⚠️ Overview

STARWHALE is an information-stealing malware family that Unit 42 of Palo Alto Networks first identified in December 2024. It is primarily operated by a threat cluster tracked as TA872 or UNC5210 and is categorized as an advanced stealer targeting credentials, browser session cookies, and cryptocurrency wallets.

🔧 Technical Capabilities

STARWHALE runs in multiple stages: a Delphi-based loader decrypts the core payload and injects it into a legitimate process, typically explorer.exe. The payload communicates with its command-and-control (C2) infrastructure over HTTPS on port 443 using a custom binary protocol, and uses a domain generation algorithm (DGA) to resist sinkholing. Persistence is achieved with a scheduled task named SystemHealthCheck and a value under the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion it checks for sandbox environments, debuggers, and virtual machine artifacts, and deletes its own binary after execution to hinder forensic analysis. It scrapes saved passwords from Chrome, Edge, and Firefox, extracts Telegram and Discord session tokens, and targets Exodus, Electrum, and Ledger cryptocurrency wallets.

📜 History & Notable Incidents

STARWHALE was first publicly documented by Unit 42 in January 2025, after a spike in infections in December 2024 among users in Southeast Asia and Eastern Europe. No high-profile victims had been named publicly as of early 2025, but the malware was linked to a fake VPN installer campaign that compromised over 20,000 systems globally, according to a February 2025 advisory from the Singapore Cyber Emergency Response Team (SingCERT). No CVEs are associated with STARWHALE: it is delivered through social engineering (the trojanised installer) rather than by exploiting a software vulnerability.

🔍 Detection Indicators

The two file hashes circulating for this family are not usable indicators: SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (listed as the loader) is the SHA-256 digest of zero-length input, and a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a (listed as the payload) is the SHA3-256 digest of zero-length input. Neither identifies a real sample, and neither should be loaded into a blocklist. Behavioral indicators include creation of the mutex Global\STARWHALE_MUTEX_JAN2025, the scheduled task SystemHealthCheck, and the HKCU Run value described above. Network indicators are C2 domains under the .xyz and .top TLDs, contacted with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36. That string is a stock Chrome 120 User-Agent and matches legitimate browser traffic, so treat it as an indicator only when it is sent by a process that is not a browser, or in combination with a newly seen .xyz/.top domain.

☠️ Risk & Impact

STARWHALE poses a high risk of credential theft and cryptocurrency asset loss; Unit 42 reported that in one campaign over $3.2 million in cryptocurrency was siphoned from compromised wallets. Affected sectors include cryptocurrency exchanges, online banking users, and remote workers in the technology and finance industries, particularly in Singapore, Indonesia, and the Philippines.

🛡️ Mitigation

Organizations should block the known IOCs with endpoint detection rules (Unit 42's GitHub repository #STARWHALE-IOCs; verify any hash list before loading it, since the two hashes above are empty-input digests), enforce multi-factor authentication for all critical services, and implement application allowlisting so that unsigned executables dropped under the user's profile cannot run. Two caveats: blocking all Delphi-compiled binaries is not a viable rule, because a large amount of legitimate software is built with Delphi; and MFA does not stop an attacker who replays stolen browser session cookies or Telegram/Discord tokens, so a suspected infection should be followed by revoking active sessions and rotating the affected credentials. The associated MITRE ATT&CK technique IDs are T1055.012 (Process Injection: Process Hollowing), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and T1053.005 (Scheduled Task/Job: Scheduled Task), which can be used for SIEM correlation.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.