Exploring The Will of D: An In-Depth Analysis of Divulge Stealer, Dedsec Stealer, and Duck Stealer – CYFIRMA

CYFIRMA analyzes the rise of info stealers—Divulge Stealer, DedSec Stealer (Doenerium), and Duck Stealer (AZStealer)—promoted on GitHub, Discord, and Telegram, and details their evasion, data targets (browsers, crypto wallets), and operational methods. The report also maps observed behaviors to MITRE-like techniques and provides IOC hashes and defensive recommendations. #DivulgeStealer #DedSecStealer #DuckStealer #AZStealer #Doenerium #UmbralStealer #GitHub #Discord #Telegram #BrowserCredentials #CryptoWallets

Keypoints

  • New stealer variants are emerging daily, many built with Electron, C, or C++.
  • Stealers are promoted on GitHub, Discord, and Telegram as marketplaces for distribution and subscriptions.
  • Divulge Stealer positions itself as a successor to Umbral Stealer and targets browser cookies/credentials, with extended wallet support.
  • DedSec Stealer mirrors Doenerium (dual-hook variant) and adds itself to Windows Defender exclusions to avoid detection.
  • Duck Stealer, aka AZStealer, captures cookies, credentials, crypto wallet data, and more, across 30+ wallets, with anti-VM features.
  • All three employ anti-VM/anti-analysis techniques and often ship as dual-hook variants, sometimes offered as free versions to attract users.
  • Promotion and distribution leverage surface and dark web channels, fostering a community that facilitates malware distribution and data collection.
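The key point about DedSec Stealer adding itself to Windows Defender exclusions suggests a straightforward defensive check. The following PowerShell script is an added example, not code from the CYFIRMA report or from any of the stealers it describes: it enumerates the current Defender exclusions, flags any that point into user-writable locations, and pulls the Defender configuration-change events (Event ID 5007) that record an exclusion being added. It assumes Windows 10/11 with Microsoft Defender and an elevated session; the "suspicious location" regex is an assumption chosen for illustration, not an indicator from the report.

```powershell
# Added example (not from the CYFIRMA report): audit Microsoft Defender exclusions
# and the configuration-change events that record them. This is the defender-side
# check for the "adds itself to Defender exclusions" behaviour attributed to
# DedSec Stealer. Assumes Windows 10/11 with Defender and an elevated session.

# 1. Enumerate currently configured exclusions (path, process, extension).
$pref = Get-MpPreference
$exclusions = @(
    foreach ($p in $pref.ExclusionPath)      { [pscustomobject]@{ Type = 'Path';      Value = $p } }
    foreach ($p in $pref.ExclusionProcess)   { [pscustomobject]@{ Type = 'Process';   Value = $p } }
    foreach ($e in $pref.ExclusionExtension) { [pscustomobject]@{ Type = 'Extension'; Value = $e } }
)

# 2. Flag exclusions under user-writable locations, where a dropped binary would
#    typically live. The pattern is an assumption for this example, not a report IOC.
$suspiciousPattern = '(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|\\Temp\\|\\ProgramData\\'
$flagged = @($exclusions | Where-Object { $_.Value -match $suspiciousPattern })

# 3. Pull Defender configuration-change events (Event ID 5007) from the last 7 days.
#    Adding an exclusion writes a 5007 event whose "New value:" line names the
#    Exclusions\Paths (or Processes/Extensions) registry value that was created.
$since = (Get-Date).AddDays(-7)
$changes = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    Select-Object TimeCreated, @{
        Name       = 'Change'
        Expression = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'New value:' }) -join ' ' }
    })

Write-Host "All exclusions ($($exclusions.Count)):"
$exclusions | Format-Table -AutoSize
Write-Host "Exclusions in user-writable locations ($($flagged.Count)):"
$flagged | Format-Table -AutoSize
Write-Host "Exclusion changes recorded by Defender since $since ($($changes.Count)):"
$changes | Format-Table -AutoSize
```

Run it from an elevated prompt; a non-empty "user-writable" list or a recent 5007 event naming an `Exclusions\Paths` value under a user profile is the signal worth triaging, since legitimate software rarely excludes its own download or temp directory. For fleet-wide coverage, forward the 5007 events to your SIEM rather than relying on the local log, which an attacker with the same privileges can clear.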

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Used for executing commands and scripts on target systems.
  • [T1059] Command and Scripting Interpreter – Utilized for executing scripts and commands to perform malicious actions.
  • [T1547.001] Registry Run Keys / Startup Folder – Ensures persistence by adding entries to the registry or startup folder.
  • [T1574.002] DLL Side-Loading – Involves loading malicious DLLs to execute payloads stealthily.
  • [T1055] Process Injection – Allows malware to inject code into other processes to evade detection.
  • [T1036] Masquerading – Involves disguising malicious files or processes as legitimate ones.
  • [T1003] OS Credential Dumping – Technique used to extract credentials from the operating system.
  • [T1012] Query Registry – Used to gather information from the Windows registry.
  • [T1057] Process Discovery – Technique to identify running processes on a system.
  • [T1018] Remote System Discovery – Used to identify systems on a network.
  • [T1082] System Information Discovery – Technique to gather system information such as OS version and architecture.
  • [T1005] Data from Local System – Technique for collecting data from local systems.
  • [T1573] Encrypted Channel – Used to establish secure communications for command and control.
  • [T1071] Application Layer Protocol – Utilizes common application protocols for command and control communications.

Indicators of Compromise

  • [SHA-256] – Divulge Stealer payload: 5dd0d74ce7e044c93ae79a7d5a66e1a1cd2a8c838c89e19f67279ab91dc19bd9
  • [SHA-256] – DedSec Stealer: 051829813ea3c66e37f184bbfaa2fa3d8752abbfa4828fa5847f1986ae461e3c
  • [SHA-256] – Duck Stealer: a2b284d185326ef5a6031fd2278302a715181989230b54f9e4e4d79545a0dde7

Read more: https://www.cyfirma.com/research/the-will-of-d-a-deep-dive-into-divulge-stealer-dedsec-stealer-and-duck-stealer/