The Titan Stealer: Notorious Telegram Malware Campaign – Uptycs

Researchers from Uptycs detail a Titan Stealer campaign sold via a Telegram channel, featuring a configurable builder to tailor data theft. The malware targets browser credentials, crypto wallets, FTP client data, screenshots, system information, and other files, operating through a multi-stage chain designed to evade detection. #TitanStealer #Telegram #Uptycs #Shodan

Keypoints

  • The Titan Stealer campaign is marketed and sold through a Telegram channel, with a builder that lets attackers choose what data to steal (browser data, crypto wallets, FTP details, Telegram plugins, and specific file types).
  • Stage 1 is a 32‑bit GCC-compiled binary that decrypts the next-stage payload in memory (so the decrypted stage 2 is never written to disk) and uses process hollowing to inject it into a legitimate process named “AppLaunch.exe”.
  • Stage 2 is a 32‑bit Go binary that executes inside the hollowed AppLaunch.exe process after injection; the original analysis records its Go build ID.
  • Browser data targeting includes enumerating multiple browser data folders and files using Windows APIs (e.g., FindFirstFileW) to harvest credentials, cookies, history, and related artifacts.
  • Crypto wallets targeted include Edge Wallet, Coinomi, Ethereum, Zcash, Armory, and Bytecoin, with data exfiltrated to the attacker’s server.
  • Collected data is packed into an archive, base64-encoded, and sent to the C2 server (the IOC list below shows a /sendlog endpoint on port 5000). Titan Stealer is advertised and maintained through a Russian-based Telegram channel, and operators are given a web dashboard to manage their builds and stolen data.

MITRE Techniques

  • [T1055.012] Process Hollowing – The stage 1 binary uses process hollowing to inject the decrypted stage 2 into a legitimate target process called “AppLaunch.exe”.
  • [T1083] File and Directory Discovery – The malware targets specific browser directories on a system and enumerates files using Windows APIs to locate data to steal.
  • [T1082] System Information Discovery – The malware collects system information as part of its data collection routine.
  • [T1041] Exfiltration Over C2 Channel – The malware transmits the collected data to its command and control server as a base64-encoded archive.
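The exfiltration behaviour described in the keypoints and under T1041 (a base64-encoded archive POSTed to the C2 on port 5000, with /sendlog as the receiving endpoint) is the most durable thing to hunt for, since a configurable builder produces a different binary hash per operator. The following is an added example written for this page, not code from Uptycs or from the malware: it scans a small set of constructed proxy log lines (the log format is hypothetical) and flags requests to the published C2 address, plus any POST to a /sendlog path whose body is base64 that decodes to an archive header. The page does not say which archive container Titan Stealer uses, so the zip/gzip/rar/7z magic bytes are an assumption, and treating the /sendlog path on an unknown host as suspicious is a generalisation beyond the single IP the report names.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Indicators published in the report: stage-2 C2 on 77.73.133.88:5000,
# stolen data received at /sendlog.
C2_HOSTS = {"77.73.133.88:5000"}
C2_PATHS = {"/sendlog"}

# Magic bytes of common archive containers. The report only says the data is a
# base64-encoded archive, so which container(s) apply is an assumption here.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Hypothetical proxy log format, constructed for this example:
# <timestamp> <src_ip> <method> <host[:port]> <path> <status> <body_base64 or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<body>\S*)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    reason: str
    archive: Optional[str]


def decode_archive_kind(body_b64: str) -> Optional[str]:
    """Return the archive type if body_b64 is valid base64 whose plaintext
    starts with a known archive header, otherwise None."""
    if not body_b64:
        return None
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if raw.startswith(magic):
            return kind
    return None


def scan_line(line: str) -> Optional[Hit]:
    """Classify one log line. Known C2 host always fires; an unknown host fires
    only when a POST to /sendlog carries a base64 archive (behavioural match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    archive = decode_archive_kind(m["body"]) if m["method"] == "POST" else None
    if m["host"] in C2_HOSTS:
        reason = "known Titan Stealer C2"
    elif m["path"] in C2_PATHS and archive:
        reason = "POST of base64 archive to /sendlog"
    else:
        return None
    return Hit(m["ts"], m["src"], reason, archive)


def scan_log(lines) -> list:
    return [h for h in (scan_line(l) for l in lines) if h]


# Constructed sample log, not taken from the Uptycs report. Bodies are built
# from archive magic bytes so the detection path is exercised end to end.
SAMPLE_LOG = [
    "2023-01-25T10:00:01Z 10.0.0.5 GET www.example.com /index.html 200 -",
    "2023-01-25T10:00:07Z 10.0.0.5 POST 77.73.133.88:5000 /sendlog 200 "
    + base64.b64encode(b"PK\x03\x04" + b"\x00" * 8).decode(),
    "2023-01-25T10:00:09Z 10.0.0.7 POST 203.0.113.9:5000 /sendlog 200 "
    + base64.b64encode(b"\x1f\x8b\x08\x00" + b"\x00" * 8).decode(),
    "2023-01-25T10:00:12Z 10.0.0.9 POST api.example.com /upload 200 "
    + base64.b64encode(b"hello world").decode(),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against real proxy or web-gateway logs, the host match catches this campaign's infrastructure while the path-plus-archive rule survives a C2 address change; the second rule will need tuning against legitimate upload endpoints in your environment before it is used for alerting.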

Indicators of Compromise

  • [MD5 hash] Stage 1 – e7f46144892fe5bdef99bdf819d1b9a6
  • [MD5 hash] Stage 2 – b10337ef60818440d1f4068625adfaa2
  • [MD5 hash] Related sample – 82040e02a2c16b12957659e1356a5e19
  • [MD5 hash] Related sample – 1af2037acbabfe804a522a5c4dd5a4ce
  • [URL] C2 – http://77.73.133.88:5000
  • [URL] Exfiltration endpoint – http://77.73.133.88:5000/sendlog
  • [File name] – Stage 1, Stage 2

Because the builder lets each operator produce a tailored payload, the hashes identify only the samples analysed; the C2 address and the /sendlog exfiltration pattern are the more durable indicators to hunt on.

Read more: https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign