Mystic Stealer evolved from a custom encrypted TCP beacon to plain HTTP POST-based C2 communications, improving reliability in restricted networks and adding loader capabilities to fetch and run secondary malware. New variants download configuration and helper libraries (e.g., sqlite3.dll), request target lists from C2, and exfiltrate browser data, wallets, screenshots, and arbitrary files. #MysticStealer #RedLine

Keypoints

  • Mystic Stealer switched from a custom encrypted binary TCP protocol to HTTP POST requests with Base64-encoded payloads to communicate with C2 servers.
  • The binary contains an expiration check; C2 decryption (custom XTEA layer) is deferred until after the time check to avoid leaking C2s in memory prematurely.
  • The malware registers with C2 via Base64 “hwid” and “build” fields and receives a 64-byte session token plus binary flags that drive actions like screenshots and theft tasks.
  • Mystic requests target lists (chromium-browsers, gecko-browsers, extensions, files) from C2, downloads a legitimate sqlite3.dll to parse browser DBs, and exfiltrates extracted files using multipart/form-data POSTs.
  • A “loader” command instructs the bot to download one or more Base64-encoded executables (second-stage payloads) which are then executed; examples of distributed families include RedLine, DarkGate, and GCleaner.
  • Strings in some debug builds reveal plaintext paths and development artifacts, indicating active, evolving development and testing of features such as file grabbers and loaders.

MITRE Techniques

  • [T1071.001] Web Protocols – C2 and command exchange moved to HTTP POST requests: (‘POST /loghub/master HTTP/1.1’)
  • [T1041] Exfiltration Over C2 Channel – Stolen files and browser data are sent in multipart/form-data POSTs with Base64-encoded content: (‘BASE64(<content of example.txt>)’)
  • [T1113] Screen Capture – Bot can capture and exfiltrate screenshots when enabled by server flags: (‘Screenshot.jpeg’)
  • [T1005] Data from Local System – Mystic collects local files including browser databases and cryptocurrency wallet files; the server-supplied file targets take the form name|directory|file mask: (‘Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat’)
  • [T1105] Ingress Tool Transfer – Downloader retrieves helper components and payloads (e.g., sqlite3.dll and Base64-encoded executables) from C2: (‘BASE64(OK BASE64(<sqlite3 file>))’)
  • [T1053] Scheduled Task/Job – The binary carries a schtasks command line (sub-technique T1053.005, Scheduled Task) that would create a task named WindowsAppPool<name> re-running the payload every 15 minutes, suggesting persistence capabilities: (‘/c schtasks /create /F /sc minute /mo 15 /tr “%ls” /tn “WindowsAppPool%ls”’)
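As an added hunting example (not part of the Zscaler write-up and not the malware's own code), the two observable signals in the list above, the schtasks persistence command line and the HTTP POST to /loghub/master, written as rules and run over constructed sample telemetry. The "source|value" event format, the sample lines, the rule names and the severities are assumptions made for the demo; the C2 IPs are the ones in the Indicators of Compromise list.

```python
import re

# Constructed sample telemetry for the demo (not real logs). Each entry is
# "source|value": "proc" carries a process command line, "proxy" the request
# line seen at the egress proxy.
SAMPLE_EVENTS = [
    'proc|cmd.exe /c schtasks /create /F /sc minute /mo 15 /tr "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe" /tn "WindowsAppPoolupd.exe"',
    'proc|schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\\Tools\\backup.bat"',
    'proxy|POST http://171.22.28.235/loghub/master HTTP/1.1 multipart/form-data',
    'proxy|GET http://intranet.example/loghub/master HTTP/1.1 text/html',
    'proxy|POST http://194.87.31.123/loghub/master HTTP/1.1 multipart/form-data',
]

# Rule 1: schtasks /create whose task name starts with WindowsAppPool, the
# prefix hard-coded in the format string quoted above. The 15-minute trigger
# from the same string raises the severity when it is also present.
SCHTASKS_RE = re.compile(
    r'schtasks\s+/create\b.*?/tn\s+"?(WindowsAppPool[^"\s]*)', re.IGNORECASE)
MINUTE_TRIGGER_RE = re.compile(r'/sc\s+minute\s+/mo\s+15\b', re.IGNORECASE)

# Rule 2: an HTTP POST to the /loghub/master path; the capture group is the
# host so the finding can be matched against the known C2 addresses.
C2_POST_RE = re.compile(r'^POST\s+\S*?//([^/\s]+)/loghub/master\b', re.IGNORECASE)


def hunt(events):
    """Return (rule, severity, detail) tuples for every event that matches."""
    findings = []
    for ev in events:
        source, _, value = ev.partition("|")
        if source == "proc":
            m = SCHTASKS_RE.search(value)
            if m:
                severity = "high" if MINUTE_TRIGGER_RE.search(value) else "medium"
                findings.append(("mystic_schtasks_persistence", severity, m.group(1)))
        elif source == "proxy":
            m = C2_POST_RE.search(value)
            if m:
                findings.append(("mystic_c2_post", "high", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The proxy rule keys on method plus path rather than on the IPs alone because the C2 hosts rotate; the task-name prefix is the more durable host-side artefact than the executable path, which is a format-string argument.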

Indicators of Compromise

  • [File Hash] Mystic sample hashes observed – 6203249bebf7248535ff5ef70a7c5a57, 7eb8617d09f204dd40541a000f98810 (from Zscaler table)
  • [C2 server IP/URL] Command-and-control endpoints – hxxp://171.22.28[.]235/loghub/master, hxxp://194.87.31[.]123/loghub/master (used for POST /loghub/master)
  • [File Name] Downloaded/helper files and artefacts – sqlite3.dll (downloaded from C2 to parse DBs), SystemInformation.txt (posted to C2 with system details)
  • [File Name] Exfiltrated file examples – Cookies/Microsoft_Edge_Default.txt, Gecko/Firefox/<profile>.default/key4.db (sent in multipart/form-data)

The Mystic Stealer binary performs a date-based execution check and defers decryption of embedded C2 configuration (a custom XTEA layer) until after the expiration check to reduce in-memory exposure of C2s. After decryption the C2 list contains HTTP endpoints and an obfuscated path string scheme; communications are plain HTTP multipart/form-data POSTs where fields (e.g., hwid, build, msg, filename, file, token) carry Base64-encoded values. Initial registration sends Base64(hwid) and Base64(build) and the server responds with a session token (64-byte hex string) plus binary flags that control actions (screenshots, browser/wallet theft, files grabber, loader), and the bot reports system info in SystemInformation.txt.

Mystic queries C2 for specific target lists by sending msg values such as Base64(“chromium-browsers”), Base64(“gecko-browsers”), Base64(“extensions”), or Base64(“files”); the server returns delimited configuration strings listing browser names and local profile paths, extension names and IDs, or file/directory masks and recursion flags. To parse browser SQLite databases the bot requests a legitimate sqlite3.dll from C2 (response: Base64-encoded DLL) and uses it to extract cookies, logins, history, certificates, and other DB contents, which are exfiltrated as Base64 multipart/form-data entries (filename + file + token). If configured, Mystic captures screenshots (Screenshot.jpeg) and includes them in the same upload format.

The loader functionality allows Mystic to request additional payloads via msg=Base64(“loader”); the server replies with an OK packet containing one or more Base64-encoded executables in a delimited sequence (e.g., |1|BASE64(exe1)|…), which the bot decodes and executes. Post-execution it posts a “loadercode” message. Debug builds contain plaintext strings and absolute source paths revealing components like chromiumbrowsers.cpp, geckobrowsers.cpp, filesgrabber.cpp, and stealerloader.cpp, indicating active development and feature testing. Read more: https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
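The message shapes described in the three paragraphs above (registration, target-list requests, exfiltration uploads, loader replies), as an added worked example that is neither the page's nor Zscaler's code nor the bot's: a decoder that parses a captured POST to /loghub/master, Base64-decodes the fields, classifies the message, and carves executables out of a loader reply without running them. The multipart boundary, the Host header, all sample values, the field combinations used for classification, and the "OK|<count>|<b64 exe>|..." loader layout are assumptions; the page shows only the |1|BASE64(exe1)|… fragment, and its sqlite3.dll reply carries an outer Base64 wrapper that a real capture may need stripped first.

```python
import base64
import re

C2_PATH = "/loghub/master"
TARGET_LISTS = {b"chromium-browsers", b"gecko-browsers", b"extensions", b"files"}
BOUNDARY = "----mysticdemo"      # assumed; the bot's real boundary is not on the page
SAMPLE_TOKEN = b"ab" * 32        # constructed 64-character hex session token


def build_post(fields: dict) -> bytes:
    """Build a multipart/form-data POST with Base64-encoded field values, the
    shape the page describes. Constructed for the demo; Host and the other
    headers are assumptions."""
    body = b""
    for name, value in fields.items():
        body += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                 f'name="{name}"\r\n\r\n').encode()
        body += base64.b64encode(value) + b"\r\n"
    body += f"--{BOUNDARY}--\r\n".encode()
    head = (f"POST {C2_PATH} HTTP/1.1\r\nHost: 171.22.28.235\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def parse_post(raw: bytes) -> dict:
    """Split a raw HTTP request into method, path and raw multipart fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _ = request_line.decode().split(" ", 2)
    headers = dict(line.decode().split(": ", 1) for line in header_lines)
    m = re.search(r"boundary=([^;]+)", headers.get("Content-Type", ""))
    if not m:
        raise ValueError("not a multipart/form-data request")
    delim = b"--" + m.group(1).strip().strip('"').encode()
    fields = {}
    for chunk in body.split(delim):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":      # preamble / closing delimiter
            continue
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', part_head)
        if name:
            fields[name.group(1).decode()] = part_body
    return {"method": method, "path": path, "fields": fields}


def classify(raw: bytes) -> str:
    """Heuristic message type from the decoded fields. Which field combination
    marks which message is an assumption built from the field names the page
    lists (hwid, build, msg, filename, file, token)."""
    req = parse_post(raw)
    if req["method"] != "POST" or req["path"] != C2_PATH:
        return "not-mystic"
    f = {k: base64.b64decode(v) for k, v in req["fields"].items()}
    msg = f.get("msg")
    if msg in TARGET_LISTS:
        return "target-list:" + msg.decode()
    if msg == b"loader":
        return "loader-request"
    if msg == b"loadercode":
        return "loader-result"
    if {"filename", "file", "token"} <= f.keys():
        return "exfil:" + f["filename"].decode()
    if {"hwid", "build"} <= f.keys():
        return "registration"
    return "unknown"


def make_loader_reply(exes: list) -> bytes:
    """Constructed loader reply in the assumed 'OK|<count>|<b64 exe>|...' layout."""
    blobs = b"|".join(base64.b64encode(e) for e in exes)
    return b"OK|" + str(len(exes)).encode() + b"|" + blobs + b"|"


def extract_loader_payloads(reply: bytes) -> list:
    """Carve the executables out of a loader reply without executing them;
    keeps only blobs that decode to a PE image (MZ header)."""
    parts = [p for p in reply.split(b"|") if p]
    if len(parts) < 3 or parts[0] != b"OK":
        return []
    count = int(parts[1])
    payloads = []
    for blob in parts[2:2 + count]:
        data = base64.b64decode(blob)
        if data[:2] == b"MZ":
            payloads.append(data)
    return payloads


def demo() -> dict:
    """Run the decoder over constructed samples of each message type."""
    reg = build_post({"hwid": b"A1B2C3D4E5F6", "build": b"demo-build"})
    lst = build_post({"token": SAMPLE_TOKEN, "msg": b"chromium-browsers"})
    exfil = build_post({"filename": b"Cookies/Microsoft_Edge_Default.txt",
                        "file": b"example.com\tTRUE\t/\tsid=...\n",
                        "token": SAMPLE_TOKEN})
    fake_pe = b"MZ" + b"\x00" * 62        # constructed stub, not a real executable
    reply = make_loader_reply([fake_pe, b"not an exe"])
    return {"registration": classify(reg), "target_list": classify(lst),
            "exfil": classify(exfil),
            "payloads": len(extract_loader_payloads(reply))}


if __name__ == "__main__":
    print(demo())
```

Because every field value is Base64, a proxy or IDS that only greps for the plaintext strings ("chromium-browsers", "loader", a filename) will miss this traffic; the decode step has to happen before matching, which is why the classifier works on the decoded field map rather than on the raw body.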