Mystic Stealer is an information-stealer promoted in underground forums, with ongoing updates and a Telegram-based operation channel. CYFIRMA’s OSINT finds more than 50 active C2 servers, signaling growing prevalence and appeal among threat actors. #MysticStealer #CYFIRMA #Telegram
Keypoints
- The threat group promotes Mystic Stealer on underground forums and engages with buyers via a Telegram channel.
- Over 50 active C2 servers were identified through OSINT, indicating expanding reach and infrastructure.
- The seller claims low detection rates, attributing them to code manipulation and frequent rebuilds intended to evade AV products.
- Pricing indicates a subscription model: USD 150 per month, USD 390 for three months, with plans to raise prices.
- The toolset includes a Python-based server and a C-based client, with a Linux-only C2 panel and local log storage on the buyer’s server.
- Collected data spans browser data (passwords, cookies, autofill, history), crypto wallet extensions, Outlook passwords, files, system information, and screenshots.
MITRE Techniques
- [T1041] Exfiltration Over C2 Channel – “Once target data is identified, the malware compresses, encrypts, and transmits it.”
- [T1555.003] Credentials from Web Browsers – “Passwords, cookies, autofill, credit cards, and history from popular browsers, based on Chromium and Mozilla”
- [T1082] System Information Discovery – “System Information”
- [T1113] Screen Capture – “Screenshot”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Loader with the function of adding to autoload”
- [T1005] Data from Local System – “Files according to user settings”
Indicators of Compromise
- IP (Command and Control) – 104.21.27.68, 104.21.38.108
- IP (Command and Control) – 104.21.52.152, 104.21.60.13
- SHA256 – 7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc
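The following is an added example of how a defender might sweep logs for the indicators listed above; it is not code from the CYFIRMA report. The log format (key=value fields for connection and file events) and the log lines themselves are constructed for the example. One caveat the example encodes: all four C2 addresses fall inside 104.16.0.0/13, which is Cloudflare address space, so a destination-IP match on its own is a weak signal and should be corroborated with the file hash or with host/SNI data before anyone blocks or escalates.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the CYFIRMA summary above.
C2_IPS = {"104.21.27.68", "104.21.38.108", "104.21.52.152", "104.21.60.13"}
SAMPLE_SHA256 = {"7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc"}

# 104.16.0.0/13 is Cloudflare address space; the listed C2 IPs sit inside it,
# so an IP-only hit is shared infrastructure, not proof of Mystic Stealer traffic.
SHARED_CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13")]

# Constructed log lines (not from the report). Assumed format: space-separated
# key=value fields after a timestamp; "conn" events carry dst, "file" events sha256.
SAMPLE_LOG = """\
2023-06-20T10:01:02Z type=conn src=10.0.0.15 dst=104.21.27.68 dport=443 proto=tcp
2023-06-20T10:01:05Z type=conn src=10.0.0.15 dst=142.250.74.78 dport=443 proto=tcp
2023-06-20T10:02:11Z type=file host=WS-15 path=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe sha256=7C185697D3D3A544CA0CEF987C27E46B20997C7EF69959C720A8D2E8A03CD5DC
2023-06-20T10:03:40Z type=conn src=10.0.0.22 dst=104.21.60.13 dport=80 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    confidence: str


def parse_line(line):
    """Turn 'k=v k2=v2' into a dict; fields without '=' (the timestamp) are ignored."""
    return dict(KV_RE.findall(line))


def in_shared_range(ip):
    """True if the address belongs to a CDN range shared with benign services."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def match_iocs(log_text, c2_ips=C2_IPS, hashes=SAMPLE_SHA256):
    """Return one Hit per IOC match, with a confidence label a triager can act on."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)

        dst = fields.get("dst")
        if dst in c2_ips:
            if in_shared_range(dst):
                conf = "low (shared CDN range; corroborate with host/SNI or file hash)"
            else:
                conf = "high"
            hits.append(Hit(n, "ip", dst, conf))

        # Hashes are compared case-insensitively; EDR exports often upper-case them.
        digest = fields.get("sha256", "").lower()
        if digest in hashes:
            hits.append(Hit(n, "sha256", digest, "high"))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.ioc_type}={hit.value} confidence={hit.confidence}")
```

Feeding the constructed sample through `match_iocs` yields two low-confidence IP hits and one high-confidence hash hit; the hash hit on line 3 is what makes the line-1 connection from the same host worth escalating.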
Read more: https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/