CharlieKirk Grabber is a Python-based Windows infostealer that performs rapid “smash-and-grab” credential harvesting, system reconnaissance, and immediate exfiltration using legitimate Windows utilities and multithreading to minimize runtime. It stages browser credentials, Discord tokens, Wi‑Fi and game session artifacts, compresses them, uploads the archive to GoFile, and sends the download link via Discord or Telegram for attacker retrieval. #CharlieKirk #GoFile
Keypoints
- CharlieKirk is a PyInstaller-packaged Python infostealer that focuses on rapid credential collection and immediate exfiltration rather than long-term persistence.
- The malware performs system reconnaissance (username, hostname, hardware UUID, external IP) and stages all artifacts in a temporary directory before compression.
- It forcibly terminates browser processes to unlock and extract Chromium and Firefox credentials, cookies, autofill data, and session tokens (including Discord tokens).
- Exfiltration is performed by uploading a ZIP archive to GoFile and notifying the attacker via Discord webhooks or the Telegram Bot API over HTTPS.
- The builder component allows operators to configure C2 settings and enable/disable modules, indicating a modular, evolving threat framework.
- The sample leverages living‑off‑the‑land binaries (TASKKILL, NETSH, SYSTEMINFO, PowerShell) and attempts to add Microsoft Defender exclusions when privileged.
MITRE Techniques
- [T1082] System Information Discovery – Gathers OS and hardware details using native system commands (‘executes the Windows systeminfo command to gather operating system and hardware details’)
- [T1033] System Owner/User Discovery – Collects username and user context to fingerprint the host (‘collects host and network information … including username’)
- [T1555.003] Credentials from Password Stores (Web Browsers) – Extracts saved passwords and browser data from Chromium-based browsers using the Local State master key and AES-GCM decryption (‘extracts saved passwords (Login Data), cookies (Cookies), autofill entries (Web Data), and browsing history (History)’)
- [T1552.001] Unsecured Credentials: Credentials in Files – Retrieves stored credentials such as Wi‑Fi plaintext passwords by parsing native utility output (‘extracts saved Wi-Fi credentials using native Windows networking utilities … parsing the Key Content field’)
- [T1560] Archive Collected Data – Stages collected artifacts in a temporary folder and compresses them into a ZIP archive prior to exfiltration (‘All harvested data is written to a temporary directory … Data is compressed into a ZIP archive’)
- [T1202] Indirect Command Execution (LOLBins) – Invokes built-in Windows utilities (TASKKILL, NETSH, PowerShell, CMD) to perform malicious actions while blending with legitimate activity (‘leverages legitimate Windows command-line utilities (e.g., TASKKILL, NETSH, PowerShell, CMD)’)
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – Attempts to add Microsoft Defender exclusion paths via PowerShell when running with elevated privileges (‘attempts to evade detection by adding a path-based exclusion in Microsoft Defender … Add-MpPreference -ExclusionPath’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Tries to establish persistence by copying the executable and creating a scheduled task to run at logon (‘creating a scheduled task configured to execute at user logon … schtasks … /sc onlogon’)
- [T1548.002] Abuse Elevation Control Mechanism: UAC Bypass (Conditional) – Checks for administrative privileges via IsUserAnAdmin() to determine potential privilege escalation or privileged operations (‘performs a privilege check … by calling the Windows API function IsUserAnAdmin()’)
- [T1041] Exfiltration Over C2 Channel – Sends data exfiltration notifications and links to attacker-controlled infrastructure over HTTPS (Discord/Telegram) (‘sends a notification message containing the download link to attacker-controlled infrastructure (Discord webhook or Telegram bot API)’)
- [T1567.002] Exfiltration to Cloud Storage – Uploads compressed archives to a third-party file hosting service (GoFile) prior to notifying operators (‘uploads the archive to GoFile: This returns a public download link.’)
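Because the sample chains several native utilities on one host in a short burst, the LOLBin stages listed above can be correlated from process-creation telemetry rather than hunted one by one. The following is an added detection sketch, not code from the CYFIRMA write-up or the malware: it matches command lines against the stages named on this page and flags a host once enough distinct stages appear. The browser process names, the exact netsh syntax and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Command-line patterns for the LOLBin stages described in the technique list,
# keyed by MITRE ID (the browser_kill stage has no single ID on the page).
# Assumed for illustration: the browser image names and the netsh wlan syntax.
RULES = {
    "T1082": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "T1552.001": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profile\b.*key=clear", re.I),
    "T1562.001": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
    "T1053.005": re.compile(r"\bschtasks(\.exe)?\s+/create\b.*/sc\s+onlogon", re.I),
    "browser_kill": re.compile(r"\btaskkill(\.exe)?\b.*/im\s+(chrome|firefox|msedge|brave)\.exe", re.I),
}


def match_rules(cmdline: str) -> set:
    """Return the set of stage tags whose pattern matches one command line."""
    return {tag for tag, rx in RULES.items() if rx.search(cmdline)}


def score_events(events, threshold: int = 3) -> dict:
    """Group process-creation events by host and flag hosts that reach
    `threshold` distinct stages. Returns {host: sorted list of stage tags}.
    A single systeminfo or netsh call from an admin stays below the bar;
    the full smash-and-grab burst does not."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= match_rules(ev["cmdline"])
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= threshold}


# Constructed sample events (not real telemetry): WS01 shows the chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "taskkill /F /IM chrome.exe"},
    {"host": "WS01", "cmdline": 'netsh wlan show profile "HomeNet" key=clear'},
    {"host": "WS01", "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\a\\AppData\\Local\\Temp"'},
    {"host": "WS01", "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\a\\x.exe /sc onlogon"},
    {"host": "WS01", "cmdline": "systeminfo"},
    {"host": "WS02", "cmdline": "systeminfo"},
]

if __name__ == "__main__":
    for host, tags in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

Feed it Sysmon Event ID 1 or EDR process-start records as `{"host", "cmdline"}` dicts; raising `threshold` trades recall for fewer alerts on hosts where an administrator legitimately runs one of these utilities.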
Indicators of Compromise
- [File Hash] Sample executable hashes – MD5: 598adf7491ff46f6b88d83841609b5cc, SHA-256: f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1
- [File Name] Observed binary and staging directory – CharlieKirk.exe; staging folder KIRK_administrator under %LOCALAPPDATA%\Temp
- [Artifact File] Browser and application artifact filenames targeted – Login Data, Cookies (Chromium), logins.json (Firefox) and other profile files
- [Service / Domain] Exfiltration and C2 services used – GoFile (file hosting) and messaging endpoints via Discord webhook, Telegram Bot API
Read more: https://www.cyfirma.com/research/charliekirk-grabber-a-python-based-infostealer/