Keypoints
- Wish Stealer is a Node.js-based Windows malware that targets Discord, browsers, and cryptocurrency wallets to harvest credentials, cookies, and payment data.
- The malware includes a crypto clipper that watches the clipboard (Get-Clipboard) and replaces copied wallet addresses with attacker-controlled addresses (Set-Clipboard), creating high financial risk.
- It can disable antivirus products, perform privilege escalation and process injection, and employs anti-VM and anti-debug checks to hinder analysis.
- Session cookie theft enables the stealer to hijack social media and Discord sessions, potentially bypassing two-factor authentication without user alerts.
- Persistence is achieved by copying the binary to AppData as WindowsSecurityHealthService.exe and adding it to the Registry Run key; stolen data is archived as wish.zip and uploaded via gofile.io with links sent to a Discord webhook.
- CYFIRMA observed the stealer appear on the surface web in October 2024 and saw it promoted from late September 2024 by a Discord-based threat group linked to Aurita Stealer activity.
- Mitigations include endpoint protection, application whitelisting, restricting script execution, enforcing MFA, hardware wallets for crypto, and user education.
MITRE Techniques
- [T1574] Hijack Execution Flow – The malware establishes persistence by modifying execution flow and registry autorun entries (‘WindowsSecurityHealthService.exe is added to the Run key in the Registry, ensuring the program remains persistent on boot’).
- [T1574.002] DLL Side-Loading – The report lists DLL side-loading as a persistence technique used by the family (‘DLL Side-Loading’).
- [T1055] Process Injection – Wish Stealer uses process injection for privilege escalation and stealthy execution (‘Process Injection’).
- [T1027] Obfuscated Files or Information – The stealer employs obfuscation to hide its code and behavior from defenders (‘Obfuscated Files or Information’).
- [T1027.002] Software Packing – The malware may use packing to evade detection and analysis (‘Software Packing’).
- [T1082] System Information Discovery – The tool collects system details to profile infected hosts (‘System Information Discovery’).
- [T1518] Software Discovery – It enumerates installed software as part of reconnaissance (‘Software Discovery’).
- [T1518.001] Security Software Discovery – The stealer checks for security products and settings before acting (‘Security Software Discovery’).
- [T1071] Application Layer Protocol – Stolen archives are exfiltrated using application-layer services and APIs, such as uploading wish.zip via the gofile.io API (‘upload the wish.zip file — containing all the stolen credentials — to a server via the gofile.io API’).
Indicators of Compromise
- [File name] malicious binary and persistence – Node.exe, WindowsSecurityHealthService.exe
- [File hash] known malware hashes – MD5: 7ef9df7a5a4931c6f1bbc9aea0fea977, SHA256: 382e462f174ca1df40ed9fbc36b52b480f6ecb4f83f7ac2d14952288029bb22b
- [File path] persistence/location – %APPDATA%\Microsoft\Protect (WindowsSecurityHealthService.exe) – also creates %TEMP%\Wish\wish.zip
- [Domains/APIs] exfiltration endpoints – gofile.io (used via API to upload wish.zip), Discord webhook (used to receive download links)
- [Archive name] stolen data package – wish.zip (archive stored in %TEMP% before upload)
CYFIRMA’s analysis, published on 2024-11-07, identifies Wish Stealer as a Node.js-based information stealer that first appeared in the wild in October 2024. The malware is packaged as an unsigned Win32 executable (file name Node.exe) of approximately 51.26 MB; analysts recorded an MD5 hash of 7ef9df7a5a4931c6f1bbc9aea0fea977 and a SHA-256 of 382e462f174ca1df40ed9fbc36b52b480f6ecb4f83f7ac2d14952288029bb22b. On execution the program runs an index.js entry point that sequentially invokes many modules—hideConsole, Startup, antiDebug, antiDefender, killProcess, discordInjection, browser password and cookie extraction, VPN and game stealer modules, social media session grabbers, a clipper, and more—allowing it to operate silently and comprehensively on infected Windows hosts.
Code-level review shows the malware contains a clipboard-based crypto clipper that polls the system clipboard every three seconds using PowerShell’s Get-Clipboard and, upon detecting a cryptocurrency address, overwrites it with an attacker-controlled address via Set-Clipboard. The operator interface includes input fields for Bitcoin, Ethereum, Bitcoin Cash, Tron, and Litecoin addresses, enabling the clipper to swap a victim’s copied address for the appropriate malicious address and thereby redirect funds. The source is modular, with separate folders for anti-debugging, anti-defender, anti-VM, browser extraction, and clipboard manipulation functions, which together improve maintainability for threat actors and complicate analysis.
Anti-VM checks are implemented to abort execution when common virtualization indicators are detected; the stealer inspects usernames, hostnames, hardware IDs, product keys, IP addresses, and the Windows OS to determine whether it is running in an analyst environment. Browser credential theft is achieved by locating Chromium-family Default Data folders—covering Chrome, Edge, Centbrowser, Thorium, and others—decrypting stored cookies, passwords, and bookmarks, and preparing that material for exfiltration to a configured Discord webhook. Beyond browser data, Wish Stealer searches file systems for keyword-linked sensitive documents (banking, backup codes, phone numbers, PayPal) and targeted file types such as .doc, .pdf, .png, .db, and .xls to capture confidential files.
Session theft is a central capability: the malware inspects AppData locations for social media and communication apps to extract session cookies, which can enable account access without passwords and often bypass two-factor authentication protections without triggering user notifications. For persistence and stealth, the program copies itself into an AppData path as WindowsSecurityHealthService.exe and sets a Registry Run key so the binary executes at startup; it also sets file attributes to hidden and system to make discovery more difficult. Cryptocurrency wallets are enumerated through getWallets() and getExtension() routines that target both desktop wallet data folders and extension-based wallets, including Trust Wallet, MetaMask, Exodus, Binance, Coinbase, Tron, and TokenPocket, where private keys or seed phrases may be recovered if stored locally.
After collecting credentials, session data, documents, and system information, the stealer packages the results into a wish.zip archive under %TEMP%\Wish and uses an uploadGofile function to transmit the archive to a remote server via the gofile.io API. The resulting download link is then forwarded to the attacker’s Discord server or webhook for retrieval. In testing, analysts ran the Node.js server locally and confirmed creation of a ZIP containing sensitive data and plain-text system information; injected JavaScript can also harvest personal details such as phone numbers and email addresses tied to Discord accounts.
From a threat landscape perspective, CYFIRMA observed that Wish Stealer surfaced on the open web in October 2024 and noted promotional activity by a Discord-based threat actor group connected to Aurita Stealer, with channel activity beginning in the final week of September 2024; related YouTube profiles were also identified from the group’s Discord presence. The attack chain and tooling map to multiple MITRE ATT&CK techniques, including persistence through hijacked execution flow and DLL side-loading, process injection for privilege escalation, obfuscation and packing to evade detection, discovery of system and security software, and application-layer exfiltration via APIs and web services.
Wish Stealer poses significant risks because it combines session hijacking, clipboard manipulation, and the ability to neutralize or evade security products with broad data collection across browsers, social apps, and cryptocurrency wallets. Organizations and users should respond by hardening endpoints, deploying and maintaining endpoint detection and response (EDR) and up-to-date antivirus solutions, and applying application whitelisting to prevent unauthorized Node.js scripts and unknown executables from running. Enforcing multi-factor authentication is advised, though defenders should recognize that session-cookie theft may still bypass some MFA implementations; therefore, monitoring for anomalous logins and session activity is critical. Restricting or tightly controlling script execution—particularly PowerShell and untrusted JavaScript—patching browsers and wallet software, using hardware wallets for cryptocurrency where feasible, isolating sensitive data in encrypted environments, and training users to recognize social engineering and phishing attempts will all reduce exposure. Finally, maintain regular secure backups and an incident response capability that can detect unusual outbound connections such as uploads to third-party file services or unexpected webhook usage.
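As an added example (not code from the CYFIRMA report or from the malware), the behaviours described above can be turned into one correlated host detection: the clipper's repeated PowerShell Get-/Set-Clipboard calls on a short cadence, the Run-key entry pointing at a WindowsSecurityHealthService.exe copy under AppData, the wish.zip staging archive under %TEMP%\Wish, and outbound contact with gofile.io or a Discord webhook. The Sysmon-style event records, PIDs, user name and paths are constructed, and `<constructed>` marks placeholder values.

```python
from collections import defaultdict

# Constructed Sysmon-style telemetry (not from the CYFIRMA report), ordered by time "t" in seconds.
BIN = r"C:\Users\victim\AppData\Roaming\Microsoft\Protect\WindowsSecurityHealthService.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"t": 0.0, "type": "process", "pid": 4100, "ppid": 3900, "cmd": BIN},
    {"t": 1.0, "type": "registry", "pid": 4100, "key": RUN + r"\WindowsSecurityHealthService", "data": BIN},
    # Three Get-Clipboard polls three seconds apart, then the address swap via Set-Clipboard.
    *({"t": 2.0 + 3 * i, "type": "process", "pid": 4200 + i, "ppid": 4100,
       "cmd": "powershell -c Get-Clipboard"} for i in range(3)),
    {"t": 8.2, "type": "process", "pid": 4203, "ppid": 4100, "cmd": "powershell -c Set-Clipboard -Value <constructed>"},
    {"t": 9.0, "type": "file", "pid": 4100, "path": r"C:\Users\victim\AppData\Local\Temp\Wish\wish.zip"},
    {"t": 10.0, "type": "network", "pid": 4100, "host": "gofile.io", "url": "https://gofile.io/<constructed>"},
    {"t": 11.0, "type": "network", "pid": 4100, "host": "discord.com", "url": "https://discord.com/api/webhooks/<constructed>"},
    # Benign noise: one interactive Get-Clipboard and an ordinary Run-key entry.
    {"t": 12.0, "type": "process", "pid": 5000, "ppid": 2000, "cmd": "powershell -c Get-Clipboard"},
    {"t": 13.0, "type": "registry", "pid": 2000, "key": RUN + r"\OneDrive", "data": r"C:\Program Files\OneDrive.exe"},
]

def clipboard_polling(events, min_hits=3, max_gap=5.0):
    # Parent PIDs spawning PowerShell Get-/Set-Clipboard >= min_hits times, each gap <= max_gap s (the 3 s poll loop).
    spawns = defaultdict(list)
    for e in events:
        if e["type"] == "process" and "-clipboard" in e["cmd"].lower():
            spawns[e["ppid"]].append(e["t"])
    return {ppid for ppid, ts in spawns.items()
            if sum(b - a <= max_gap for a, b in zip(ts, ts[1:])) >= min_hits - 1}

def run_key_persistence(events):
    # PIDs that register the reported persistence binary name under a Run key.
    return {e["pid"] for e in events if e["type"] == "registry"
            and "\\currentversion\\run\\" in e["key"].lower()
            and e["data"].lower().endswith("windowssecurityhealthservice.exe")}
def staging_archive(events):
    # PIDs that write the wish.zip staging archive under %TEMP%\Wish.
    return {e["pid"] for e in events if e["type"] == "file"
            and e["path"].lower().endswith(r"\temp\wish\wish.zip")}
def exfil_destinations(events):
    # PIDs contacting gofile.io or a Discord webhook URL, the report's two exfiltration channels.
    return {e["pid"] for e in events if e["type"] == "network"
            and (e["host"].endswith("gofile.io") or "/api/webhooks/" in e["url"])}

def correlate(events):
    # PID -> sorted list of matched behaviours; two or more on one PID is a strong signal.
    checks = {"clipper": clipboard_polling, "runkey": run_key_persistence,
              "staging": staging_archive, "exfil": exfil_destinations}
    found = {name: fn(events) for name, fn in checks.items()}
    pids = set().union(*found.values())
    return {p: sorted(n for n, s in found.items() if p in s) for p in pids}
```

Only the constructed stealer process (PID 4100) accumulates all four behaviours; the single interactive Get-Clipboard and the ordinary Run-key entry produce no finding.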