VILSA STEALER: A CYFIRMA Analysis

Vilsa Stealer is a Python-based information stealer discovered on GitHub that targets browser credentials, cookies, and 40+ crypto wallets while using encryption and anti-analysis checks to evade detection. Stolen data is archived and uploaded to a remote dashboard (reported at hxxp://bundeskriminalamt[.]agency/) and to cloud storage via the GoFile API.

Keypoints

  • Vilsa Stealer is a Python-developed information stealer that harvests browser data, cookies, passwords, and cryptocurrency wallet information (supports 40+ wallets).
  • The malware is packaged as a Win32 EXE (VilsaStealer.exe) and drops encrypted payloads (e.g., Gruppe.py/Grupee.py) into the user AppData folder.
  • Persistence is achieved by copying itself into the Windows Startup folder so it auto-executes at login/boot.
  • Anti-analysis and anti-VM checks include terminating known debugger tools, registry checks for VM indicators, and looking for VM-associated DLLs.
  • Exfiltration is implemented by archiving collected data (ZIP) and uploading it via the GoFile API and to an actor-controlled dashboard at hxxp://bundeskriminalamt[.]agency/ (IP 83.136.208.208).
  • An auxiliary encrypted component (hvnc.py) provides remote-control capabilities, attempts UAC bypass, and adds Defender exclusions via PowerShell.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used via Python code and PowerShell commands for automation and privilege actions (‘The language used is Python.’).
  • [T1129] Shared Modules – Reuses encrypted Python modules dropped into AppData for functionality (‘The file, named Grupee.py, is dropped in the App Data directory, and its entire contents are encrypted.’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Identified in the analysis as a persistence/execution tactic (‘Hijack Execution Flow: DLL Side-Loading – T1574.002’).
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – Runtime encryption and embedded payloads hide behavior (‘An encryption method is used to mask the runtime behavior of the malware.’).
  • [T1036] Masquerading – The malware disguises components and filenames to blend with legitimate files (‘The file was encrypted using the Fernet symmetric encryption method…’).
  • [T1070.006] Indicator Removal on Host: Timestomp – The report lists timestomp as a technique used to remove forensic indicators (‘Indicator Removal: Timestomp – T1070.006’).
  • [T1140] Deobfuscate/Decode Files or Information – Malware decrypts its own payloads at runtime using Fernet symmetric decryption (‘The file was encrypted using the Fernet symmetric encryption method, so we developed software to decrypt it using the secret key.’).
  • [T1202] Indirect Command Execution – Uses intermediary scripts and API calls (e.g., curl uploads, GoFile API) to execute exfiltration indirectly (‘the curl command to upload the specified file’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Performs registry and DLL checks to detect virtual environments and exit if found (‘if it finds one, it triggers an exit function with a message indicating that a VM is detected.’).
  • [T1057] Process Discovery – Scans open windows/processes to detect debugging tools (‘check_windows … list all open windows and check their titles against a predefined list of names associated with debugging or reverse engineering tools’).
  • [T1082] System Information Discovery – Gathers system context to support decision logic (‘System Information Discovery – T1082’).
  • [T1083] File and Directory Discovery – Enumerates directories to locate browser, wallet, and application data (‘creates folders to steal Firefox cookies and MetaMask data’).
  • [T1518.001] Software Discovery: Security Software Discovery – Looks for security/debugging tools and terminates them (‘checks their titles against a predefined list of names associated with debugging or reverse engineering tools’).
  • [T1560] Archive Collected Data – Zips copied application data (e.g., Telegram, browser profiles) before upload (‘creates a ZIP file of the copied data and uploads it to a specified URL’).
  • [T1071] Application Layer Protocol – Uses HTTP-based APIs and curl for file uploads (‘uploads a file to a remote server using the GoFile API’).
  • [T1573] Encrypted Channel – Employs encrypted payloads and channels for data protection in transit/storage (‘An encryption method is used to mask the runtime behavior of the malware.’).
  • [T1041] Exfiltration Over C2 Channel – Sends archived data to actor-controlled infrastructure and cloud storage endpoints (‘returns the link to the file’s download page’ and uploads to the actor dashboard at the listed URL).
  • [T1486] Data Encrypted for Impact – Uses symmetric encryption (Fernet) to encrypt dropped modules and stored data (‘The file was encrypted using the Fernet symmetric encryption method’).

Indicators of Compromise

  • [File Hashes] VilsaStealer sample – MD5 2b4df2bc6507f4ba7c2700739da1415d, SHA256 f5c5845e5531ed7a9f39fd665fb712baa557799b4a6bd9e92c7ef76d43eb5064.
  • [Domain] Actor-controlled upload/dashboard – hxxp://bundeskriminalamt[.]agency/ (reported as the destination for stolen data).
  • [IP Address] Host associated with actor infrastructure – 83.136.208.208 (monitor; linked to the dashboard domain).
  • [File Names] Dropped/persistent components – VilsaStealer.exe (packaged EXE), hvnc.py (encrypted remote-control module), Grupee.py/Gruppe.py (dropped encrypted module).

Vilsa Stealer is implemented in Python and often packaged into a Win32 EXE; it drops encrypted Python modules into AppData (e.g., Grupee.py/Gruppe.py) and uses Fernet symmetric encryption to store payloads that are decrypted at runtime. The code checks whether it’s running as a frozen executable (PyInstaller-like), computes paths, and copies itself into the Windows Startup folder to guarantee auto-execution on boot/login.
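The report notes that the dropped modules are Fernet-encrypted and that the analysts wrote their own decryptor once they had the secret key. The following Python is an added triage helper, not CYFIRMA's tool and not code from the stealer: it uses only the standard library to parse a Fernet token, check which candidate key string (for example, base64 strings carved out of a loader) actually signs a given blob, and read the packing timestamp embedded in the token. The key and token below are constructed for the example; the ciphertext bytes are filler, so only the structure and the HMAC are meaningful here.

```python
"""Fernet payload triage (added example; key and token are constructed, not from the sample).

Fernet token layout after urlsafe-base64 decoding:
  0x80 | 8-byte big-endian timestamp | 16-byte IV | AES-128-CBC ciphertext | 32-byte HMAC-SHA256
The 32-byte Fernet key splits into a 16-byte HMAC signing key and a 16-byte AES key, so a
candidate key can be confirmed against a blob without any AES code at all.
"""
import base64
import binascii
import hashlib
import hmac
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80


def split_key(key: str):
    """Return (signing_key, encryption_key) from a urlsafe-base64 Fernet key."""
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def parse_token(token: str) -> dict:
    """Split a Fernet token into its fields; raises ValueError if the shape is wrong."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    ts = struct.unpack(">Q", raw[1:9])[0]
    return {
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),  # when the payload was packed
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "hmac": raw[-32:],
        "signed": raw[:-32],  # everything the HMAC covers
    }


def key_matches(key: str, token: str) -> bool:
    """True if the signing half of `key` produces the HMAC stored in `token`."""
    signing_key, _ = split_key(key)
    parts = parse_token(token)
    expected = hmac.new(signing_key, parts["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


def find_key(candidates, token: str):
    """Return the first candidate string that verifies the token, or None."""
    for cand in candidates:
        try:
            if key_matches(cand, token):
                return cand
        except (ValueError, binascii.Error):
            continue  # not base64, wrong length, or not a token: skip it
    return None


# --- constructed sample data (hypothetical; NOT the key or payload of the real sample) ---
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
DECOY_KEY = base64.urlsafe_b64encode(bytes(range(32, 64))).decode()


def build_token(key: str, timestamp: int, iv: bytes, ciphertext: bytes) -> str:
    """Assemble a token exactly as Fernet does; used here only to make the sample blob."""
    signing_key, _ = split_key(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


SAMPLE_TOKEN = build_token(SAMPLE_KEY, 1700000000, b"\x01" * 16, b"\x02" * 48)

if __name__ == "__main__":
    hit = find_key([DECOY_KEY, "not-base64!", SAMPLE_KEY], SAMPLE_TOKEN)
    print("matching key:", hit)
    print("packed at:", parse_token(SAMPLE_TOKEN)["timestamp"].isoformat())
```

Once a key verifies, the full module can be recovered with the `cryptography` package's `Fernet(key).decrypt(token)`; the point of the stdlib check is that it is cheap to run over every base64-looking string in a loader before committing to a decryption, and the timestamp gives an independent packing date for the timeline.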

For stealth and evasion, the stealer continuously enumerates open windows and process titles to detect and forcibly terminate debugging or analysis tools, and it performs virtualization checks by inspecting specific registry keys and searching for VM-related DLLs (vmGuestLib.dll, vboxmrxnp.dll), exiting if a VM is detected. It collects browser profiles, cookies, MetaMask and other wallet data (supports 40+ wallets), copies Telegram data by locating the app folder, zips the collected artifacts, and archives data prior to exfiltration.

Exfiltration uses HTTP/application-layer uploads: the malware uploads archives via the GoFile API (selecting an available server and using curl to push files) and also posts data to an actor-controlled dashboard hosted at hxxp://bundeskriminalamt[.]agency/ (IP 83.136.208.208). An auxiliary component (hvnc.py) provides persistence and remote-access capabilities, attempts UAC bypass methods and uses PowerShell (Add-MpPreference -ExclusionPath 'C:') to add Defender exclusions before attempting to download and run additional executables. Read more: https://www.cyfirma.com/research/vilsa-stealer/
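As an added example (not code from the CYFIRMA report or from the malware), the Python below turns the behaviours in the two paragraphs above into detection rules and runs them over constructed Sysmon-style events: a PowerShell `Add-MpPreference -ExclusionPath 'C:'` exclusion (rated high when the path is a whole drive), a file written into the Startup folder, and DNS or connection telemetry to the listed dashboard domain and IP. The domain and IP come from the indicators above; the GoFile API host name `api.gofile.io` is an assumption rather than a value from the report, and every event record is invented.

```python
"""Detection rules for the Vilsa Stealer behaviours in the summary (added example).
Events are constructed Sysmon-style records: EventID 1 process create, 11 file create,
22 DNS query, 3 network connection."""
import re

IOC_DOMAINS = {"bundeskriminalamt.agency"}     # from the report
IOC_IPS = {"83.136.208.208"}                    # from the report
CLOUD_UPLOAD_HOSTS = {"api.gofile.io"}          # assumed GoFile API host, not named on the page
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

EXCL_RE = re.compile(r"-exclusionpath\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def check_defender_exclusion(ev):
    """Add-MpPreference exclusions; a whole-drive exclusion is the worst case."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if "add-mppreference" not in cmd.lower():
        return None
    m = EXCL_RE.search(cmd)
    path = m.group(1) if m else "?"
    severity = "high" if DRIVE_ROOT_RE.match(path) else "medium"
    return {"rule": "defender_exclusion_added", "severity": severity,
            "path": path, "image": ev.get("Image")}


def check_startup_persistence(ev):
    """Any executable landing in the per-user Startup folder."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR in target.lower():
        return {"rule": "startup_folder_write", "severity": "medium",
                "file": target, "image": ev.get("Image")}
    return None


def check_exfil_destination(ev):
    """Known dashboard domain/IP is high; the cloud upload host is only a lead."""
    eid = ev.get("EventID")
    name = ev.get("QueryName", "").lower()
    if eid == 22 and name in IOC_DOMAINS:
        return {"rule": "known_c2_domain", "severity": "high", "indicator": name}
    if eid == 22 and name in CLOUD_UPLOAD_HOSTS:
        return {"rule": "cloud_upload_service", "severity": "low", "indicator": name}
    if eid == 3 and ev.get("DestinationIp") in IOC_IPS:
        return {"rule": "known_c2_ip", "severity": "high", "indicator": ev["DestinationIp"]}
    return None


RULES = [check_defender_exclusion, check_startup_persistence, check_exfil_destination]


def run_rules(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["record"] = ev.get("RecordId")
                alerts.append(hit)
    return alerts


# Constructed telemetry (hypothetical host and user; not from the report).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Add-MpPreference -ExclusionPath 'C:'"},
    {"RecordId": 2, "EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\VilsaStealer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VilsaStealer.exe"},
    {"RecordId": 3, "EventID": 22, "Image": r"C:\Users\victim\AppData\Local\Temp\VilsaStealer.exe",
     "QueryName": "bundeskriminalamt.agency"},
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Temp\VilsaStealer.exe",
     "DestinationIp": "83.136.208.208", "DestinationPort": 80},
    {"RecordId": 5, "EventID": 22, "Image": r"C:\Windows\System32\curl.exe", "QueryName": "api.gofile.io"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},  # benign audit command, must not alert
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The exclusion rule is the one worth tuning first: legitimate administrators do add exclusions, but a root-of-drive path from a PowerShell session spawned under a user profile has no routine explanation, which is why the drive-root case is rated separately from a narrow path.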