Cyble Research Labs uncovered Typhon Stealer and its updated variant Typhon Reborn, a stealer (originally also miner/keylogger) kit sold to other actors, offering wallet theft, keystroke monitoring and anti-analysis features. Typhon Reborn adds stronger anti-analysis, expanded data collection and a focus on crypto-wallet browser extensions, and is promoted on underground forums and Telegram. #TyphonStealer #TyphonReborn #MeltSelf #CryptoExtensionStealer #ChromeWalletExtensions #EdgeWalletExtensions
Keypoints
- Typhon Stealer evolved into Typhon Reborn with more anti-analysis capabilities and improved stealer/file grabber features.
- Advertised via underground websites and Telegram channels, with a lifetime subscription price of $100.
- New features include block-listed usernames, country checks, and a crypto-extension stealer targeting Chrome and Edge wallets.
- Anti-analysis measures include MeltSelf, VM/sandbox checks, disk size checks, and blocklisting common analysis tools.
- Data exfiltration now includes richer victim data and Wi‑Fi password collection, with exfiltration via Telegram API.
- Keylogger/clipper/miner features were removed from Reborn, possibly to reduce detections and move them to separate projects.
MITRE Techniques
- [T1082] System Information Discovery – The malware collects system details such as machine username, OS information, antivirus used and network data, and bundles them into the exfiltrated victim report. [ “gathers victim data, including the following: Machine username, Operating system information, Antivirus software used, Wireless network information, Network interface data, Language.” ]
- [T1497] Virtualization/Sandbox Evasion – Typhon Reborn implements anti-analysis checks and a MeltSelf self-deletion routine to hinder analysis. [ “All of Typhon Reborn’s new anti-analysis checks, once triggered, run the cleverly named MeltSelf method, as shown in Figure 5. This method kills the threat’s process and deletes itself from the disk.” ]
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – The stealer inspects its own command-line arguments and runs MeltSelf if --debug is present. This is a check on how the sample was launched, not execution through a command shell, so T1059.003 (Windows Command Shell) does not apply. [ “If the command line argument contains the --debug keyword, the stealer will ‘MeltSelf’.” ]
- [T1057] Process Discovery – Running processes are compared against a blocklist of well-known analysis tools (e.g., ollydbg, x32dbg) and the sample melts if any is present. Nothing is disabled or modified, so this is an analysis-evasion check rather than T1562.001 (Disable or Modify Tools). [ “Block List Processes … if detected, Typhon Reborn will ‘MeltSelf’.” ]
- [T1555.003] Credentials from Web Browsers – The crypto-extension stealer targets wallet extensions in Chrome and Edge (e.g., Binance, Metamask, Yoroi). Because it collects extension storage rather than saved logins, T1005 (Data from Local System) also applies. [ “The previous version … targeted Google Chrome and Microsoft Edge crypto wallet extensions.” ]
- [T1567] Exfiltration Over Web Service – Stolen data is sent through the Telegram Bot API, a legitimate third-party service, rather than actor-hosted C2 infrastructure (T1041 assumes the latter); detection should key on api.telegram.org traffic from unexpected processes. [ “the malware author is leveraging Telegram’s API and infrastructure to exfiltrate all data stolen by Typhon Reborn.” ]
Indicators of Compromise
- [Hash] Typhon-related hashes – A12933ab47993f5b6d09bec935163c7f077576a8b7b8362e397fe4f1ce4e791c, 48133d1aaf1a47f63ec73781f6a2b085b28174895b5865b8993487daec373e0a
- [Malware family] Typhon Reborn Stealer, Typhon Stealer
- [File name] Wifi Passwords.txt – Exfiltration file containing harvested Wi-Fi credentials
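As an added detection example (not code from the Unit 42 article, Cyble, or this page), the Python below does two things a responder would want from the material above: it checks file hashes against the two SHA-256 IOCs listed, and it scans proxy-log lines for POST uploads to the Telegram Bot API, the exfiltration path described under T1567. The log format, client addresses and bot token are constructed for the example; the `bot<id>:<secret>/<method>` URL shape and the `sendDocument`/`sendMessage` method names are the public Telegram Bot API shape, and that Typhon uses exactly these methods is an assumption.

```python
import hashlib
import re
from urllib.parse import urlparse

# SHA-256 IOCs from the list above, normalized to lowercase for comparison.
TYPHON_SHA256 = {
    "a12933ab47993f5b6d09bec935163c7f077576a8b7b8362e397fe4f1ce4e791c",
    "48133d1aaf1a47f63ec73781f6a2b085b28174895b5865b8993487daec373e0a",
}

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# sendDocument uploads a file (e.g. a stolen-data archive); sendMessage posts text.
# Assumption: the stealer uses these standard upload methods.
TELEGRAM_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>sendDocument|sendMessage)$"
)

# Constructed proxy log (not real traffic): "<ts> <client> <http_method> <url> <bytes_out>".
# The bot token is made up and is not a real credential.
PROXY_LOG = """\
2023-01-10T12:01:05Z 10.0.0.15 GET https://www.example.com/index.html 512
2023-01-10T12:01:08Z 10.0.0.15 GET https://api.telegram.org/bot123456789:AAExampleTokenNotReal_abc/getMe 96
2023-01-10T12:01:09Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_abc/sendDocument 184320
2023-01-10T12:01:11Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_abc/sendMessage 402
"""


def sha256_hex(data):
    """SHA-256 hex digest of a byte string (hash a file's bytes the same way)."""
    return hashlib.sha256(data).hexdigest()


def is_known_typhon_hash(hexdigest):
    """True if the digest matches one of the published Typhon IOC hashes."""
    return hexdigest.strip().lower() in TYPHON_SHA256


def parse_proxy_log(text):
    """Parse the constructed five-field proxy log into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, http_method, url, bytes_out = parts
        events.append({"ts": ts, "client": client, "http_method": http_method,
                       "url": url, "bytes_out": int(bytes_out)})
    return events


def find_telegram_exfil(events):
    """Flag POSTs to Telegram Bot API send methods; keep the numeric bot id, drop the secret."""
    alerts = []
    for ev in events:
        u = urlparse(ev["url"])
        if u.hostname != TELEGRAM_HOST or ev["http_method"] != "POST":
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m:
            continue
        method = m.group("method")
        alerts.append({
            "ts": ev["ts"],
            "client": ev["client"],
            "bot_id": m.group("bot_id"),  # secret is deliberately not stored in the alert
            "method": method,
            "bytes_out": ev["bytes_out"],
            # File uploads are the higher-confidence signal for data theft.
            "severity": "high" if method == "sendDocument" else "medium",
        })
    return alerts


if __name__ == "__main__":
    print("IOC hash match:", is_known_typhon_hash(
        "A12933ab47993f5b6d09bec935163c7f077576a8b7b8362e397fe4f1ce4e791c"))
    for a in find_telegram_exfil(parse_proxy_log(PROXY_LOG)):
        print(a)
```

Telegram bots are also used legitimately, so tune the Telegram rule on which hosts and processes are expected to reach api.telegram.org and treat `sendDocument` uploads from user workstations as the primary signal; the hash check is exact-match only and will miss rebuilt samples, so pair it with behavioural detections (the MeltSelf self-deletion, the Wifi Passwords.txt artifact) rather than relying on it alone.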
Read more: https://unit42.paloaltonetworks.com/typhon-reborn-stealer/