Keypoints
- Targets system information, browser credentials, cookies, autofill entries, and cryptocurrency wallet directories for comprehensive data extraction.
- Establishes persistence by adding Registry Run keys, creating startup files, and scheduling periodic tasks (schtasks) that run VBScript/Batch payloads.
- Modifies Windows Defender settings using PowerShell (Add-MpPreference) to exclude malicious folders and file types from scanning.
- Exfiltrates stolen data via Discord and Telegram webhooks and uploads archives to remote servers, providing download links to the attacker.
- Implements anti-analysis checks (blacklisted usernames/hostnames, BIOS checks for Hyper-V, minimum RAM checks) and geofencing based on system country code.
- Uses obfuscation, hidden windows, and DPAPI-based decryption routines to avoid detection and to decrypt stored browser credentials.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter – Executes PowerShell and shell commands for installation, Defender modification, and runtime tasks. (‘PowerShell is used to modify Windows Defender settings by adding exclusions…’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Adds Registry Run key or places files in Startup to persist across reboots. (‘Adds an entry to the Registry Run Keys or places a file in the Startup Folder to ensure that a malicious application automatically starts…’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creates schtasks to run VBScript/Batch periodically with SYSTEM privileges for persistent execution. (‘The scheduled task named GoogleUpdateTaskMachineUAC runs a VBScript file… every 10 minutes with SYSTEM privileges’)
- [T1564.003] Hide Artifacts: Hidden Window – Conceals console windows and uses VBS to run batch files invisibly to avoid user detection. (‘windows or prompts that are typically displayed … are concealed from the user’)
- [T1112] Modify Registry – Writes values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch Yunit on user logon. (‘The command adds a new entry to the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run…’)
- [T1082] System Information Discovery – Queries system configuration and computer location settings for geofencing decisions. (‘checking computer location settings and looking up the country code configured in the system registry allows the attacker to determine the machine’s geographic location’)
- [T1005] Data from Local System – Extracts local browser databases, wallet files, cookies, autofill, and other sensitive files for collection. (‘gathers system information, including passwords, cookies, autofill data, and cryptocurrency wallets’)
- [T1041] Exfiltration Over C2 Channel – Sends harvested data and archives via Discord/Telegram webhooks and uploads to remote servers to retrieve via generated links. (‘stolen data is sent as messages or files via bots… uploaded to a remote server, generating a download link’)
Indicators of Compromise
- [SHA256 Hash] Sample malware binary – f1f4176c1cfb6eedbdc025510b1fcdbfeaee857e2bbb5db63c1e0ebf2d71d077 (identified as Yunit Stealer)
- [File name / Path] Persistence and execution artifacts – Yunit.exe (C:\Users\<user>\AppData\Local\Temp\Yunit.exe), C:\ProgramData\edgeUpdater\*.vbs
- [Registry Key] Autostart entry – HKCU\Software\Microsoft\Windows\CurrentVersion\Run (example value name ‘Steam’ pointing to Yunit executable)
- [Scheduled Task] Task name and location – GoogleUpdateTaskMachineUAC configured to run C:\ProgramData\edgeUpdater\*.vbs every 10 minutes
- [C2 / Webhooks] Exfiltration endpoints (context: data exfiltration via messaging bots) – Discord webhook (used to post stolen data), Telegram bot/chat (used to send summaries and files)
Yunit Stealer’s runtime begins with privilege and environment checks: the JavaScript code verifies administrative rights (relaunching with sudo if necessary) and runs anti-analysis filters (blacklisted usernames/hostnames, BIOS checks for Hyper-V, and RAM minimums). If checks pass, it hides its console via a temporary PowerShell script, then enumerates common user and application paths (browser profiles, Discord, Steam, Epic Games, wallet directories) to locate credential stores, cookies, autofill databases, backup codes, and wallet files.
Collected artifacts are decrypted where necessary using DPAPI routines invoked via obfuscated cmd/PowerShell commands and System.Security unprotect calls, consolidated into temporary folders, compressed into zip archives, and then removed from staging. The stealer also injects payloads into specific wallet applications (Atomic, Exodus) and extracts browser-stored cards, cookies, and passwords by reading browser SQLite databases and decrypting values using local keys.
For persistence and stealth, the malware writes Registry Run entries and creates scheduled tasks (via .bat and .vbs scripts deployed to C:\ProgramData\edgeUpdater) that execute periodically with high privileges; it also modifies Windows Defender exclusions using Add-MpPreference to prevent scanning of its directories. Exfiltration is performed immediately and continuously: formatted summaries and files are sent to Discord and Telegram webhooks and uploaded to remote servers, with generated download links and screenshots provided to the operator.
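As an added example (not code from the report or from the Yunit sample itself), the following Python rule set scores constructed Sysmon-style events against the persistence, Defender-exclusion and webhook-exfiltration behaviours described above, tagging each hit with the technique ID the report maps it to. The event field names, the sample username and .vbs filename, and the hostnames the webhooks are assumed to resolve to (discord.com, api.telegram.org) are assumptions.

```python
import re

# Constructed Sysmon-style events (1 = process create, 13 = registry value set,
# 22 = DNS query), trimmed to the fields the rules need. Not taken from the report.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\Yunit.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Steam",
     "details": r"C:\Users\alice\AppData\Local\Temp\Yunit.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn GoogleUpdateTaskMachineUAC /tr "wscript C:\ProgramData\edgeUpdater\run.vbs" /sc minute /mo 10 /ru SYSTEM'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\ProgramData\edgeUpdater"},
    {"id": 22, "image": r"C:\Users\alice\AppData\Local\Temp\Yunit.exe", "query": "discord.com"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "discord.com"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STAGING_DIR = re.compile(r"\\(AppData\\Local\\Temp|ProgramData)\\", re.I)  # user-writable drop locations
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b.*?/ru\s+system", re.I | re.S)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\b", re.I)
WEBHOOK_HOSTS = {"discord.com", "api.telegram.org"}  # assumed resolution targets for the webhooks


def classify(event):
    """Return the technique IDs (as mapped in the report) that one event triggers."""
    hits = []
    eid, image, cmd = event["id"], event.get("image", ""), event.get("cmdline", "")
    if eid == 13 and RUN_KEY.search(event.get("target", "")) and STAGING_DIR.search(event.get("details", "")):
        hits.append("T1547.001")  # Run key autostart pointing at a user-writable staging dir
    if eid == 1 and SCHTASKS_CREATE.search(cmd) and ".vbs" in cmd.lower():
        hits.append("T1053.005")  # SYSTEM scheduled task that runs a VBScript
    if eid == 1 and DEFENDER_EXCLUSION.search(cmd) and STAGING_DIR.search(cmd):
        hits.append("T1059.001")  # PowerShell adding a Defender exclusion for the staging dir
    if eid == 22 and event.get("query", "").lower() in WEBHOOK_HOSTS and STAGING_DIR.search(image):
        hits.append("T1041")  # webhook host resolved by a binary running from Temp/ProgramData
    return hits


def triage(events):
    """Aggregate hits per technique; a host hitting several is a strong Yunit-like signal."""
    summary = {}
    for ev in events:
        for tech in classify(ev):
            summary.setdefault(tech, []).append(ev.get("image", ""))
    return summary


if __name__ == "__main__":
    for tech, images in sorted(triage(SAMPLE_EVENTS).items()):
        print(tech, len(images), images[0])
```

Each rule pairs the report's named artifact with a generic condition (user-writable path, SYSTEM task, hidden-window PowerShell), so a renamed task or value name still produces a weaker but non-empty hit.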