Mystic Stealer is an information-stealing trojan that harvests credentials, browser data, cryptocurrency wallets, Steam, and Telegram secrets while using heavy obfuscation and anti-analysis techniques. Its client implements an RC4-encrypted custom binary protocol over TCP and uses hashed API resolution, polymorphic string obfuscation, and runtime constant calculation to evade detection. #MysticStealer #Zscaler

Keypoints

  • Mystic Stealer exfiltrates credentials and browser data from nearly 40 browsers and over 70 browser extensions, plus cryptocurrency wallets, Steam, and Telegram accounts.
  • The client is written in C and the control panel in Python (Django); it communicates with C2 via a custom RC4-encrypted binary protocol over TCP.
  • Mystic performs on-the-fly exfiltration (sends stolen data immediately to C2 without writing to disk) and can capture desktop screenshots based on C2 configuration.
  • Anti-analysis and evasion include binary expiration (time-based kill), anti-virtualization via CPUID checks, polymorphic string obfuscation, and dynamic constant calculation.
  • The loader functionality allows downloading and executing additional payloads; the builder supports up to four encrypted C2 endpoints stored with a modified XTEA scheme.
  • Windows API functions are resolved by hashing export names (XOR-based algorithm) rather than static imports, complicating static analysis and signature detection.

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – Steals stored credentials and browser data from many browsers and extensions (‘Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions’).
  • [T1082] System Information Discovery – Collects system hostname, username, GUID, CPU info, screen dimensions, running processes, and locale (‘collect computer information such as the system hostname, user name, and GUID’).
  • [T1113] Screen Capture – Captures desktop screenshots when enabled by C2 configuration (‘Depending on a configuration provided by the C2 server, the malware will capture a screenshot of the desktop’).
  • [T1041] Exfiltration Over C2 Channel – Sends stolen data to C2 using a custom RC4-encrypted binary protocol and transmits items on-the-fly without writing to disk (‘the client communicates with the C2 server using a custom protocol over TCP’ and ‘immediately send the data to a C2 server on-the-fly without storing or writing data to the disk’).
  • [T1105] Ingress Tool Transfer – Loader capability to download and execute additional payloads (‘Loader refers to the ability to download and execute additional malware payloads’).
  • [T1497.001] Virtualization/Sandbox Evasion – Detects virtualized environments via CPUID hypervisor vendor string checks to avoid sandbox execution (‘uses the CPUID assembly instruction to detect virtual environments… checks for the manufacturer ID string’).
  • [T1027] Obfuscated Files or Information – Uses polymorphic string obfuscation, hash-based import resolution, and runtime-calculated constants to hinder static analysis (‘polymorphic string obfuscation… resolves and dynamically loads Windows APIs using a custom XOR based hashing algorithm’).
  • [T1012] Query Registry – Reads the machine GUID from the registry to identify the host (‘The client obtains the machine GUID from the registry value SOFTWARE\Microsoft\Cryptography\MachineGuid’).

Indicators of Compromise

  • [IP address / C2] observed C2 endpoints – 185.252.179[.]18:13219, 135.181.47[.]95:13219, and 5 more IPs (e.g., 194.169.175[.]123:13219).
  • [Domains] Grand cluster / control panel domains – gujaratstudy[.]in, bhandarapolice[.]org, alchemistwallet[.]io, and other Grand-cluster domains.
  • [File hashes] sample binaries (SHA256) – 47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c, 5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8, and 9 more hashes.
  • [File names] observed sample names – 1367.exe, update.exe, qawsed.exe (used in C2-associated samples).
  • [Network signatures / ports] C2 handshake and ports – initial 4-byte client hello |b5 19 6f 94| (Suricata rule), 256-byte RC4 key response, ports 13219 / 15555 / 15556 observed.

Mystic Stealer’s client is a C-based information stealer that harvests extensive system and user data (hostname, username, GUID, CPU details, running processes, locale) and targets credential stores across ~40 browsers, 70+ browser extensions, cryptocurrency wallets, Steam, and Telegram. The client can take screenshots and performs immediate, on-the-fly exfiltration of collected items to a C2 without writing data to disk; it reads the machine GUID from SOFTWARE\Microsoft\Cryptography\MachineGuid to identify hosts.

The malware is designed to evade analysis: builds can expire by date, samples may detect virtualized/sandbox environments using CPUID vendor string checks, and code is heavily obfuscated via polymorphic string obfuscation, runtime-calculated constants (e.g., XOR-adjusted constants), and hash-based Windows API resolution (custom XOR hashing over DLL export names). These techniques, combined with packed samples in some builds, complicate static detection and reverse engineering.

Network and control infrastructure use a custom binary protocol over TCP: the client sends a 4-byte hello (0x946F19B5), receives 256 bytes used as an RC4 session key, then encrypts the machine GUID and subsequent packets with RC4. The server sends a binary configuration mask enabling features (1/0 flags). The builder allows up to four C2 endpoints stored in two 4-DWORD arrays encrypted with a modified XTEA routine, and a loader option enables downloading and executing additional payloads. Observed control panels use a Django web admin (commonly on 443/tcp or earlier on 8005/tcp), and common C2 ports in samples include 13219 and variants around 15555/15556.
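The handshake above (4-byte hello, 256-byte RC4 key, RC4-encrypted GUID) is what a network analyst would key on when triaging a capture. The following is an added example, not Zscaler's code or anything from the Mystic Stealer panel: it classifies a reassembled TCP stream by the hello bytes and the 256-byte server reply, then tries to recover the GUID from the next client packet with the observed key. The `rc4` and `classify_stream` names are mine, the traffic in `build_sample_stream` is constructed for testing, and the assumption that the GUID travels as a plain ASCII string with no framing is mine as well; the page only says the GUID is RC4-encrypted.

```python
"""Detection helper for the Mystic Stealer C2 handshake.
Added example; the stream it inspects is constructed, not a real capture."""
import uuid

# Client hello as it appears on the wire (little-endian 0x946F19B5, from the page).
HELLO = bytes.fromhex("b5196f94")
KEY_LEN = 256  # server replies with 256 bytes used as the RC4 session key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def classify_stream(segments):
    """segments: list of (direction, payload) in wire order, direction being
    'c2s' (client to server) or 's2c'. Returns findings for the analyst:
    whether the hello matched, the candidate RC4 key, and a recovered GUID.
    Assumption (not stated on the page): the GUID is sent as a bare ASCII
    string, so a successful decrypt parses as a UUID."""
    findings = {"hello": False, "key": None, "guid": None}
    client = [p for d, p in segments if d == "c2s"]
    server = [p for d, p in segments if d == "s2c"]
    if not client or not client[0].startswith(HELLO):
        return findings  # not this protocol; nothing else to check
    findings["hello"] = True
    if server and len(server[0]) == KEY_LEN:
        findings["key"] = server[0]
        if len(client) > 1:
            plain = rc4(server[0], client[1])
            try:
                findings["guid"] = str(uuid.UUID(plain.decode("ascii")))
            except ValueError:  # UnicodeDecodeError is a ValueError subclass
                findings["guid"] = None  # decrypt did not yield a GUID
    return findings


# Constructed key and GUID for exercising the detector; neither is from the page.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))
SAMPLE_GUID = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"


def build_sample_stream(key: bytes, guid: str):
    """Constructed three-segment stream shaped like the handshake described."""
    return [
        ("c2s", HELLO),
        ("s2c", key),
        ("c2s", rc4(key, guid.encode("ascii"))),
    ]


if __name__ == "__main__":
    print(classify_stream(build_sample_stream(SAMPLE_KEY, SAMPLE_GUID)))
    print(classify_stream([("c2s", b"GET / HTTP/1.1\r\n")]))
```

The hello check alone is what the Suricata rule in the IoC list expresses; the key-length and GUID checks are there to reduce false positives from an unrelated stream that happens to start with those four bytes, and to give a forensic analyst a quick way to confirm the session key before decrypting the rest of a capture.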

Read more: https://www.zscaler.com/blogs/security-research/mystic-stealer