Typhon Stealer
⚠️ Overview
Typhon Stealer is a commodity information-stealing malware first documented in early 2022 by researchers at Zscaler and later analyzed by the Broadcom Software (Symantec) Threat Hunter team. It belongs to the stealer category, designed to harvest browser credentials, cryptocurrency wallets, system information, and desktop files from infected Windows hosts. The malware is sold on Russian-language underground forums and is attributed to a threat actor known as "Typhon" or "TyphonGroup," though no formal nation-state attribution has been publicly confirmed.
🔧 Technical Capabilities
Typhon Stealer is written in C++ and uses a multi-stage payload delivery mechanism, typically arriving via phishing emails containing weaponized Office documents or ISO attachments. Once executed, it performs process injection into legitimate system processes (e.g., svchost.exe) to evade detection. The malware communicates with its command-and-control (C2) server over HTTP POST requests using encrypted JSON payloads, with C2 domains often registered via anonymous registrars. Persistence is achieved by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, Typhon employs AMSI bypass and sandbox detection techniques, checking for debugger artifacts and low system uptime before executing its main theft routines. It also uses a custom XOR-based encryption algorithm to obfuscate its configuration strings.
📜 History & Notable Incidents
Typhon Stealer first appeared in underground markets around January 2022, according to a Zscaler ThreatLabz report (February 2022). In mid-2022, a campaign targeted users of the Telegram desktop application, distributing the stealer through fake Telegram update notifications (observed by Broadcom’s Threat Hunter team). No major high-profile corporate victims have been publicly named, but the malware has been used in large-scale credential harvesting campaigns against cryptocurrency investors, with C2 servers hosted in Eastern Europe and Russia. No CVEs are specifically tied to Typhon Stealer as it relies on social engineering rather than exploiting system vulnerabilities.
🔍 Detection Indicators
Known SHA256 hashes include 5a8f7c1e2b6d3f0a9c4e8b2d1f5a7c3e6b4d9f0a1c2e3f4a5b6c7d8e9f0a1b2c (variants vary). Network indicators: POST requests to domains ending in .xyz or .top with a URI pattern of /gate.php or /api/collect. Behavioral signatures: writes to %TEMP%\inst.exe, creates a mutex named TyphonStealerMutex2022, and modifies the registry value HKCU\...\Run\WindowsUpdate. The malware uses a User-Agent string mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 for C2 communication.
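The network indicators above can be turned into a simple proxy-log check. The script below is an added example, not code from the page or from any vendor; the log format (timestamp, client, method, URL, quoted User-Agent) and the hostnames in the sample lines are constructed. Because the Chrome 98 User-Agent and the .xyz/.top TLDs also occur in legitimate traffic, a line is only reported when at least two indicators coincide.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the Detection Indicators section above.
TYPHON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")
C2_TLDS = (".xyz", ".top")
C2_PATHS = ("/gate.php", "/api/collect")

# Constructed log format: <timestamp> <client_ip> <method> <url> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines; the hostnames are placeholders, not real C2 domains.
SAMPLE_LOG = [
    '2022-03-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"',
    f'2022-03-01T10:00:07Z 10.0.0.5 POST http://placeholder-c2.xyz/gate.php "{TYPHON_UA}"',
    '2022-03-01T10:00:09Z 10.0.0.7 POST https://placeholder-c2.top/api/collect "curl/7.81.0"',
    f'2022-03-01T10:00:12Z 10.0.0.9 POST https://login.example.com/gate.php "{TYPHON_UA}"',
]


def classify(line):
    """Return the names of the Typhon indicators matched by one log line ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than guess
    _ts, _client, method, url, ua = m.groups()
    parsed = urlparse(url)
    hits = []
    if method == "POST" and parsed.hostname and parsed.hostname.endswith(C2_TLDS):
        hits.append("post_to_c2_tld")
    if parsed.path in C2_PATHS:
        hits.append("c2_uri")
    if ua == TYPHON_UA:
        hits.append("typhon_ua")
    return hits


def scan(lines, min_hits=2):
    """Return (line, hits) for every line matching at least min_hits indicators."""
    results = []
    for line in lines:
        hits = classify(line)
        if len(hits) >= min_hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```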
☠️ Risk & Impact
Infection results in the exfiltration of saved browser credentials, cryptocurrency wallet files (e.g., Exodus, Electrum), and screenshots of the victim’s desktop. Financial losses have been reported in the cryptocurrency community, with stolen wallet keys enabling theft of digital assets. The primary affected sectors are individual cryptocurrency investors and small businesses, as the malware is distributed via low-volume phishing campaigns rather than large-scale corporate intrusions.
🛡️ Mitigation
Defenders should implement email filtering to block ISO and Office macro attachments, enable AMSI for script execution monitoring, and deploy EDR rules detecting Typhon’s mutex and registry persistence patterns. YARA rules based on the TyphonStealerMutex2022 string and specific XOR-encrypted configuration blobs are available in public repositories (e.g., Zscaler ThreatLabz GitHub). Regular user awareness training on phishing with fake update prompts is also recommended.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.