Cyble Research and Intelligence Labs uncovered a new Java-based stealer called Rude that secretly harvests data from Windows machines, including browser data, Discord tokens, Steam IDs, game information, and screenshots, and it communicates exfiltrated data via Telegram. The report also describes a Sayler RAT packaged in a JAR with multiple capabilities and attribution suggesting a Turkish TA; these tools rely on command-line activation and Telegram channels to operate.
#RudeStealer #Sayler #dxdiag #Telegram #Discord #Steam #Turkey
Key points
- Rude Stealer is a Java-based infostealer for Windows that targets browsers, Discord tokens, Steam IDs, installed games, and can capture screenshots.
- Sayler is a Remote Access Trojan (RAT) packaged in a JAR, with keylogger, information stealer, screen capture, ransomware, and additional capabilities.
- The threat actor activates the stealer by supplying command-line arguments (chat_id and bot_token), which enable data collection and Telegram-based exfiltration.
- It sends stolen data to a Telegram channel and also writes logs locally under user directories (e.g., Log_Info.txt, Properties.txt, Process.txt).
- Rude Stealer decrypts data from multiple browsers (AutoFill, Cookies, History, Passwords) across Brave, Edge, Chrome, Opera, etc., storing results in per-browser logs.
- It enumerates Steam data (Steam directory, loginusers, appmanifest_ files) and Discord tokens from Local Storage, saving tokens to DiscordAuth_Keys.txt.
- The malware collects system information via dxdiag, captures screenshots with the Java Robot class, and bundles the collected data into a ZIP archive before exfiltration; attribution points to a Turkish-speaking TA.
MITRE Techniques
- [T1204] User Execution – “Manual execution required”
- [T1003] OS Credential Dumping – “Tries to harvest and steal browser information”
- [T1528] Steal Application Access Token – “Steal Application Access Token”
- [T1555] Credentials from Web Browsers – “Steals credentials from Web Browsers”
- [T1082] System Information Discovery – “The stealer gathers system information through various methods”
- [T1113] Screen Capture – “Takes a screenshot of the victim’s screen”
- [T1005] Data from Local System – “The malware collects sensitive data from the victim’s system.”
- [T1567] Exfiltration Over Web Service – “Uses Telegram channel to exfiltrate data”
Indicators of Compromise
- [Hash] SHA256 – 05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94 – Rude Stealer sample
- [Hash] SHA1 – 7fd1fea4f939b5350a5699a69866e7714767a68f – Rude Stealer sample
- [Hash] MD5 – 92aa4673f7885c6f6b4ea39cb2f1b643 – Rude Stealer sample
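The behaviours in the key points (Java process launched with chat_id/bot_token arguments, dxdiag spawned from Java, the named log files written under a user profile) and the hashes in the IoC list can be turned into a simple host-telemetry triage rule. The script below is an added example written for this summary; it is not code from the Cyble report or from the malware. It assumes Sysmon-style process-creation and file-creation records already normalised into Python dicts with the field names shown, and every event in SAMPLE_EVENTS is constructed for illustration (the only values taken from the report are the three hashes).

```python
"""Triage constructed process/file telemetry for the Rude Stealer behaviours
described in the summary. Added example; event records are constructed."""
from pathlib import PureWindowsPath

# Hash values copied from the report's IoC list.
RUDE_STEALER_SHA256 = {"05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94"}
RUDE_STEALER_SHA1 = {"7fd1fea4f939b5350a5699a69866e7714767a68f"}
RUDE_STEALER_MD5 = {"92aa4673f7885c6f6b4ea39cb2f1b643"}

# Local artefact file names the report says the stealer writes into user directories.
ARTIFACT_NAMES = {"log_info.txt", "properties.txt", "process.txt", "discordauth_keys.txt"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def check_hashes(hashes: dict) -> list[str]:
    """Match an event's file hashes against the report's IoCs."""
    if (hashes.get("sha256", "").lower() in RUDE_STEALER_SHA256
            or hashes.get("sha1", "").lower() in RUDE_STEALER_SHA1
            or hashes.get("md5", "").lower() in RUDE_STEALER_MD5):
        return ["file hash matches Rude Stealer IoC"]
    return []


def check_process(event: dict) -> list[str]:
    """Findings for one process-creation event (assumed field names)."""
    findings = []
    image = image_name(event.get("image", ""))
    parent = image_name(event.get("parent_image", ""))
    cmd = event.get("command_line", "").lower()
    # Activation: a Java process started with the Telegram bot parameters on its command line.
    if image in JAVA_IMAGES and "chat_id" in cmd and "bot_token" in cmd:
        findings.append("java launched with Telegram chat_id/bot_token arguments")
    # System Information Discovery (T1082): dxdiag spawned by a Java process.
    if image == "dxdiag.exe" and parent in JAVA_IMAGES:
        findings.append("dxdiag.exe spawned by a Java process")
    findings.extend(check_hashes(event.get("hashes", {})))
    return findings


def check_file_create(event: dict) -> list[str]:
    """Findings for one file-creation event: stealer log files under a user profile, or an IoC hash."""
    path = PureWindowsPath(event.get("target_filename", ""))
    parts = [p.lower() for p in path.parts]
    findings = []
    if path.name.lower() in ARTIFACT_NAMES and "users" in parts:
        findings.append(f"stealer artefact written: {path.name}")
    findings.extend(check_hashes(event.get("hashes", {})))
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event_id -> findings for every event that triggers at least one rule."""
    results: dict[str, list[str]] = {}
    for ev in events:
        if ev["type"] == "process_create":
            hits = check_process(ev)
        elif ev["type"] == "file_create":
            hits = check_file_create(ev)
        else:
            hits = []
        if hits:
            results.setdefault(ev["event_id"], []).extend(hits)
    return results


# Constructed sample telemetry (hypothetical paths, names and token placeholder).
SAMPLE_EVENTS = [
    {"event_id": "e1", "type": "process_create",
     "image": r"C:\Program Files\Java\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "javaw.exe -jar update.jar --chat_id 1234567 --bot_token PLACEHOLDER_TOKEN",
     "hashes": {}},
    {"event_id": "e2", "type": "process_create",
     "image": r"C:\Windows\System32\dxdiag.exe",
     "parent_image": r"C:\Program Files\Java\bin\javaw.exe",
     "command_line": "dxdiag /t output.txt", "hashes": {}},
    {"event_id": "e3", "type": "file_create",
     "target_filename": r"C:\Users\alice\AppData\Local\Temp\update.jar",
     "hashes": {"sha256": "05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94"}},
    {"event_id": "e4", "type": "file_create",
     "target_filename": r"C:\Users\alice\Log_Info.txt", "hashes": {}},
    {"event_id": "e5", "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt", "hashes": {}},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(hits))
```

The command-line and parent-process rules catch the activation and dxdiag behaviour even when the JAR has been rebuilt and its hashes no longer match; the hash check is kept for the samples the report names, and the artefact-name rule should be scoped to user profiles as shown to avoid flagging unrelated files with generic names such as Properties.txt elsewhere on disk.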
Read more: https://cyble.com/blog/new-java-based-rude-stealer-abuses-directx-diagnostic-tool/