Vigram

Malware

⚠️ Overview

Vigram is a data‑stealing malware variant first documented by Fortinet’s FortiGuard Labs in December 2022, operating as an information stealer that targets credential stores, browser data, and cryptocurrency wallets primarily from Windows systems. It is attributed to financially motivated threat actors operating under the moniker “Vigram Stealer” and falls under the Trojan – Password Stealer category, leveraging Telegram for command‑and‑control (C2) exfiltration.

🔧 Technical Capabilities

Vigram spreads through phishing emails containing malicious Microsoft Office attachments or archived JavaScript payloads that, when executed, download the stealer binary via PowerShell. It enumerates browser profiles for Chrome, Firefox, Edge, and Opera, extracting saved credentials, cookies, and autofill data using SQLite queries. Persistence is achieved by creating a scheduled task named “VigramUpdate” that runs at system startup, while evasion techniques include checking for virtual machine environments and disabling Windows Defender via registry modifications under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The malware uses the Telegram Bot API (api.telegram.org/bot{token}/sendDocument) to exfiltrate stolen archives, bypassing traditional network‑based C2 detection.

📜 History & Notable Incidents

First identified in December 2022, Vigram was observed in campaigns targeting cryptocurrency users and gaming communities in South Korea and India, with a notable incident in March 2023 where it compromised over 2,000 Discord accounts through token‑stealing capabilities. No CVEs are directly associated with the malware; however, it exploits CVE‑2021‑40444 (Microsoft MSHTML Remote Code Execution) as an initial access vector in some phishing lures, according to a Zscaler ThreatLabz report from February 2023. Law enforcement actions have not been publicly recorded against its operators as of 2024.

🔍 Detection Indicators

Known SHA‑256 hashes include e3c9b7f2a1d8f4e6b0c1a2d3f4e5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (variant from January 2023) and a1b2c3d4e5f6a7b8c9d0e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8w9x0y1 (documented by Fortinet). As printed here, neither value is a well‑formed SHA‑256 digest (a SHA‑256 hex digest is exactly 64 hexadecimal characters, and the second value contains letters beyond f), so both should be checked against the original Fortinet publication before being loaded into a blocklist. Behavioral indicators include creation of the mutex VigramMutex2022 and the scheduled task name “VigramUpdate”. Network IOCs include outbound HTTPS connections to Telegram’s api.telegram.org endpoints; no fixed C2 IPs are publicly documented, as the malware relies on bot‑token rotation.

☠️ Risk & Impact

Vigram exfiltrates browser credentials, cryptocurrency wallet files (e.g., Exodus, Electrum, Atomic wallets), and Discord tokens, leading to account takeover and cryptocurrency theft. Financial losses per incident are estimated between $5,000 and $50,000, primarily affecting individual users and small businesses in the online gaming and cryptocurrency sectors. The malware does not encrypt files, so it causes data breach‑driven impact rather than operational disruption.

🛡️ Mitigation

Defenders should enforce multi‑factor authentication on all online accounts and disable macros in Microsoft Office documents via Group Policy. Detection rules include Sigma rule proc_creation_win_powershell_telegram_exfil and YARA signatures for Vigram’s SQLite query strings (e.g., “PRAGMA journal_mode=WAL”). Fortinet recommends blocking Telegram Bot API URLs at the proxy layer and using endpoint detection rules for scheduled task creation named “VigramUpdate”.
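The behavioral and network indicators listed above (scheduled task name, mutex, Windows Defender policy key, Telegram Bot API URL) can be turned into host-based detection logic. The following is an added example written for this page, not code from Fortinet or from any vendor rule set; the Sysmon-like dict event format and the sample events are constructed assumptions, and the PowerShell rule here only approximates the Sigma rule named in the text. Bot tokens found in command lines are masked before they reach an alert.

```python
import re
# Indicators come from the profile above. The event records use a constructed,
# Sysmon-like dict format chosen for this example (an assumption, not a real schema).
TASK_NAME = "VigramUpdate"
MUTEX_NAME = "VigramMutex2022"
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# Telegram Bot API exfil URL shape from the profile: api.telegram.org/bot<token>/sendDocument
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[\w-]+)/(\w+)", re.I)

def mask_token(token: str) -> str:
    # Keep the numeric bot id for correlation; never write the secret part into an alert.
    return token.split(":", 1)[0] + ":<redacted>"

def check_event(event: dict) -> list:
    # Returns (rule, detail) for every Vigram indicator that fires on one event record.
    kind, found = event.get("type"), []
    if kind == "process_create":
        m = TELEGRAM_BOT_RE.search(event.get("command_line", ""))
        # Only PowerShell reaching the Bot API is flagged; a browser hitting api.telegram.org is too noisy.
        if m and event.get("image", "").lower().endswith("powershell.exe"):
            found.append(("powershell_telegram_exfil",
                          f"bot {mask_token(m.group(1))} method {m.group(2)}"))
    elif kind == "task_create" and event.get("task_name") == TASK_NAME:
        found.append(("vigram_scheduled_task", f"created by {event.get('image')}"))
    elif kind == "mutex_create" and event.get("mutex_name") == MUTEX_NAME:
        found.append(("vigram_mutex", f"pid {event.get('pid')}"))
    elif kind == "registry_set" and event.get("key", "").lower().startswith(DEFENDER_POLICY_KEY.lower()):
        found.append(("defender_policy_tamper", f"{event.get('value')}={event.get('data')}"))
    return found

def scan(events: list) -> list:
    # Flatten findings over a batch, preserving event order.
    return [f for e in events for f in check_event(e)]

# Constructed sample telemetry: four hits plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden https://api.telegram.org/bot123456:AAEXAMPLETOKEN/sendDocument"},
    {"type": "task_create", "task_name": "VigramUpdate", "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"type": "mutex_create", "mutex_name": "VigramMutex2022", "pid": 4120},
    {"type": "task_create", "task_name": "GoogleUpdateTaskMachineUA", "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": "firefox.exe https://api.telegram.org/bot123456:AAEXAMPLETOKEN/getMe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, "-", detail)
```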


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.