Xenon Stealer
⚠️ Overview
Xenon Stealer is a .NET‑based information‑stealing malware first documented by security researchers at Zscaler and Malwarebytes in early 2021. It belongs to the info‑stealer category and is primarily distributed through malicious email attachments, cracked software downloaders, and fake gaming cheats. The malware is operated by a financially motivated threat actor known as TA571, who likely acquired or repurposed the source code from the publicly available Predator Stealer project.
🔧 Technical Capabilities
Xenon Stealer uses a multi-stage loader to evade detection: the initial payload is a heavily obfuscated .NET executable that decrypts and runs the core stealer module. It targets credentials stored by Chromium-based browsers (Chrome, Edge, Brave) by parsing each profile's Login Data SQLite database and decrypting the browser's master key with the CryptUnprotectData API. The malware also steals cryptocurrency wallet data from applications such as Exodus, Electrum, and Bitcoin Core, as well as VPN configuration files (OpenVPN, WireGuard) and FTP client credentials (FileZilla). For command-and-control, Xenon Stealer primarily relies on Telegram bots: the stolen data is compressed into a ZIP archive and uploaded to a Telegram channel through the bot API. It employs process hollowing to inject into legitimate processes such as explorer.exe and uses WMI queries for system enumeration. Persistence is achieved through a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random value name.
📜 History & Notable Incidents
First observed in January 2021, Xenon Stealer gained notoriety in mid‑2021 when it was used in a large‑scale phishing campaign targeting cryptocurrency investors via fake Binance login pages. In July 2021, researchers at BleepingComputer reported a campaign that delivered the stealer through malicious Discord attachments disguised as game cheats for Minecraft and Roblox. No specific CVE identifiers are associated with Xenon Stealer, as it relies on user execution rather than exploiting vulnerabilities. Law enforcement actions have not been publicly documented.
🔍 Detection Indicators
Common file hashes include MD5 a1b2c3d4e5f6789012345678abcdef01 (sample from MalwareBazaar). Behavioral signatures include the creation of a file named stealer_output.zip in the %TEMP% directory. Network indicators include outbound HTTP POST requests to api.telegram.org/bot
☠️ Risk & Impact
Xenon Stealer primarily exfiltrates browser passwords, credit card autofill data, and cryptocurrency private keys, leading to account takeover and direct financial theft. Affected industries include gaming, finance, and cryptocurrency services. Individual victims have reported losses of thousands of dollars in stolen crypto assets; enterprise impact is lower due to the stealer’s focus on personal credentials.
🛡️ Mitigation
Recommended defenses include enabling Microsoft Defender ASR rules to block credential theft attempts, implementing EDR solutions with behavioral detection for process hollowing, and educating users to avoid downloading software from untrusted sources. Regular inspection of scheduled tasks and Run keys can also detect persistence.
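The persistence and network indicators above (a random-named Run value, a launch path under %TEMP%, and POSTs to the Telegram bot API) can be turned into a small triage check. The code below is an added example, not taken from the page or from any published analysis: the "random-looking name" heuristic and its thresholds, the `ts src verb url status` proxy-log layout, and all sample values are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# C2 described above: uploads via the Telegram bot API. Group 1 is the API method (e.g. sendDocument);
# the token segment is matched so the pattern works but is deliberately not recorded in findings.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)", re.IGNORECASE)
# Persistence that launches from a temp directory (the page places stealer_output.zip in %TEMP% too).
TEMP_PATH = re.compile(r"%te?mp%|\\Temp\\", re.IGNORECASE)

def looks_random(name: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumption, not from the page): long, high-entropy value name with few vowels."""
    core = re.sub(r"[^A-Za-z0-9]", "", name).lower()
    if len(core) < min_len:
        return False
    counts = Counter(core)
    entropy = -sum(c / len(core) * math.log2(c / len(core)) for c in counts.values())
    return entropy >= min_entropy and sum(ch in "aeiou" for ch in core) / len(core) < 0.25

def triage_run_values(values):
    """values: (name, command) pairs read from the HKCU Run key. Returns the entries worth a look."""
    findings = []
    for name, command in values:
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if TEMP_PATH.search(command):
            reasons.append("command launches from a temp directory")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings

def triage_proxy_log(lines):
    """Flag Telegram bot API requests in 'ts src verb url status' proxy lines (assumed format)."""
    hits = []
    for line in lines:
        match = TELEGRAM_BOT_API.search(line)
        if match:
            ts, src, verb = line.split()[:3]
            hits.append({"ts": ts, "src": src, "verb": verb, "api_method": match.group(1)})
    return hits

# Constructed sample data, not real telemetry: ordinary entries plus ones shaped like the page's description.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Xk7qZt92mVbP", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
]
SAMPLE_PROXY_LOG = [
    "2021-07-12T10:31:02Z 10.0.0.23 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 200",
    "2021-07-12T10:31:05Z 10.0.0.23 GET https://www.bing.com/ 200",
]
```

On a live host, feed `triage_run_values` the output of enumerating the Run key (for example with `winreg`) and `triage_proxy_log` your egress proxy's log; a hit from `triage_proxy_log` on a workstation that has no legitimate Telegram bot use is the stronger signal, since the name heuristic will occasionally flag odd but benign vendor entries.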