XillenStealer is an open-source, Python-based information stealer with a GUI builder that harvests system metadata, browser credentials, cryptocurrency wallet files, messaging sessions, and screenshots, then exfiltrates data via a Telegram bot. The builder lowers the barrier for abuse by enabling rapid configuration and compilation of customized builds and is linked to Russian-speaking actors and an ecosystem at xillenkillers[.]ru. #XillenStealer #Telegram
Keypoints
- XillenStealer is a Python Tkinter-based stealer and builder (Builder V3.0) published on GitHub by user “BengaminButton,” offering a GUI to configure, compile, and manage customized stealer builds.
- The stealer harvests extensive data: system profiling (CPU, RAM, GPU, OS, network), browser cookies and credentials, crypto wallet files (Exodus, AtomicWallet, Coinomi, Electrum), Discord/Steam/Telegram tokens, game launcher data, and screenshots.
- Exfiltration is automated via a Telegram bot using a configured bot token and chat ID; collected data is written to report.txt and report.html, and archives too large for a single Telegram upload are split into parts before transmission.
- Anti-analysis measures include VM/sandbox detection (VM MAC prefixes, manufacturer/model strings, suspicious drivers and processes) and anti-debugging (IsDebuggerPresent), plus attempted process injection and persistence via Task Scheduler (Windows) or cron (Linux/macOS).
- The builder integrates dependencies (browser-cookie3, pycryptodome, psutil, pyTelegramBotAPI, Pillow) and automates compilation with PyInstaller and UPX, reducing technical barriers for threat actors.
- Attribution links the tooling and supporting infrastructure to Russian-speaking cybercriminals branded as Xillen Killers, with forums (hXXps://xillenkillers[.]ru) and Telegram channels for distribution, support, and monetization.
- Cyfirma recommends layered defenses: updated EDR/antivirus, network monitoring for Telegram-related exfiltration, user awareness, system hardening, MFA, patching, backups, and specialized removal scripts (e.g., XillenStealerAntiDot.py).
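The recommendation to monitor for Telegram-related exfiltration is only actionable if you know what to look for. The following is an added example (not code from the report or from the XillenStealer project) that scans constructed proxy-log lines for Telegram Bot API calls and flags a host that uploads several documents to one bot, which is the pattern a split-archive upload via `bot.send_document` produces. Log format, thresholds, sample IPs and the bot tokens in the sample are all assumptions made for the example.

```python
import re

# Constructed sample proxy log, one request per line: "<ts> <src_ip> <method> <url> <bytes_out>".
# Tokens and IPs are invented for the example and are not real indicators.
SAMPLE_PROXY_LOG = """\
2024-05-02T10:01:03Z 10.0.4.21 GET https://update.example-vendor.com/manifest.json 412
2024-05-02T10:01:07Z 10.0.4.21 POST https://api.telegram.org/bot7012345678:AAHexampleTokenValueReplacedForDemo01/sendDocument 104857
2024-05-02T10:01:09Z 10.0.4.21 POST https://api.telegram.org/bot7012345678:AAHexampleTokenValueReplacedForDemo01/sendDocument 104857
2024-05-02T10:01:11Z 10.0.4.21 POST https://api.telegram.org/bot7012345678:AAHexampleTokenValueReplacedForDemo01/sendDocument 61233
2024-05-02T10:01:12Z 10.0.4.21 POST https://api.telegram.org/bot7012345678:AAHexampleTokenValueReplacedForDemo01/sendMessage 512
2024-05-02T10:03:40Z 10.0.4.37 GET https://web.telegram.org/a/ 2048
2024-05-02T10:03:41Z 10.0.4.37 POST https://api.telegram.org/bot5550001111:AAEanotherDemoTokenValueReplacedForDemo/sendMessage 300
"""

# A Bot API call looks like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The bot_id is numeric; the secret is URL-safe text (its exact length is not enforced here).
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, src_ip, http_method, url, bytes_out = parts
    return {"ts": ts, "src_ip": src_ip, "http_method": http_method, "url": url, "bytes_out": int(bytes_out)}


def extract_bot_call(url):
    """Return (bot_id, secret, api_method) for a Bot API URL, or None for anything else.
    web.telegram.org (the ordinary client) deliberately does not match."""
    m = BOT_API_RE.match(url)
    if not m:
        return None
    return m.group("bot_id"), m.group("secret"), m.group("method")


def mask_secret(secret, keep=4):
    """Keep the bot_id usable for response, but do not copy the full token into alert text."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def analyze(log_text, min_documents=2, min_bytes=1_000_000):
    """Aggregate Bot API calls per (source host, bot) and alert on repeated sendDocument
    uploads (split archive parts) or a large outbound byte count."""
    stats = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        call = extract_bot_call(rec["url"])
        if call is None:
            continue
        bot_id, secret, api_method = call
        s = stats.setdefault((rec["src_ip"], bot_id), {
            "src_ip": rec["src_ip"], "bot_id": bot_id,
            "token_masked": f"{bot_id}:{mask_secret(secret)}",
            "calls": 0, "documents": 0, "bytes_out": 0, "methods": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        s["calls"] += 1
        s["bytes_out"] += rec["bytes_out"]
        s["methods"].add(api_method)
        s["last_seen"] = rec["ts"]
        if api_method == "sendDocument":
            s["documents"] += 1

    alerts = []
    for s in stats.values():
        if s["documents"] >= min_documents or s["bytes_out"] >= min_bytes:
            s["methods"] = sorted(s["methods"])
            alerts.append(s)
    return sorted(alerts, key=lambda a: (-a["documents"], -a["bytes_out"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PROXY_LOG):
        print(f"{alert['src_ip']} -> bot {alert['token_masked']}: "
              f"{alert['documents']} documents, {alert['bytes_out']} bytes, methods={alert['methods']}")
```

Bot API traffic is TLS, so the URL path (and therefore the bot token and method) is only visible behind a TLS-inspecting proxy or in endpoint telemetry; with DNS or SNI alone you see only api.telegram.org, and the rule degrades to "hosts with no business reason to talk to the Bot API at all." The bot_id recovered from the URL is worth recording: it identifies the attacker's bot and can be used to ask Telegram for takedown.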
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The stealer is Python-based; the builder script (“builder.py”) and the generated stealer scripts are run through the Python interpreter.
- [T1497] Virtualization/Sandbox Evasion – check_vm_sandbox() performs layered checks against virtualization and sandbox environments: VM MAC prefixes, manufacturer and model strings, and suspicious drivers and processes.
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Uses system checks (MAC prefixes, manufacturer/model strings, drivers such as vboxguest.sys, processes such as VBoxService.exe, and the IsDebuggerPresent API) to identify analysis environments (“identifying VM MAC prefixes, manufacturer and model identifiers (e.g., vmware, virtual, qemu, virtualbox, etc.), suspicious drivers (vboxguest.sys), processes (VBoxService.exe), and debugger presence”).
- [T1555] Credentials from Password Stores – Extracts credentials and authentication artifacts from stored locations on the host (“extracts cookies, login credentials, and browsing history from Chromium- and Firefox-based browsers by accessing Login Data and History SQLite databases”).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Recovers the browser encryption key from Local State and decrypts the stored credentials in Login Data using get_encryption_key() and decrypt_password().
- [T1555.005] Credentials from Password Stores: Password Managers – The report maps the theft of cryptocurrency wallet files, private keys, and authentication data via get_wallets() here; note that wallet files are application data rather than a password manager store, so T1005 (Data from Local System) is the closer fit for that behaviour.
- [T1082] System Information Discovery – Collects system profile data such as CPU, RAM, disk, GPU, OS, and network details via get_system_info().
- [T1016] System Network Configuration Discovery – Gathers network configuration details as part of host profiling (“collects … network details to profile the target system”).
- [T1119] Automated Collection – Modular routines aggregate the stolen data into structured reports without operator interaction (generate_txt_report(), generate_html_report()).
- [T1113] Screen Capture – Captures screenshots using Pillow and a screen capture module and includes them in the exfiltrated reports.
- [T1071] Application Layer Protocol – Uses the Telegram Bot API over HTTPS to transmit data to an attacker-controlled chat (exfiltration routed via the configured bot token and chat ID).
- [T1102.002] Web Service: Bidirectional Communication – Uses Telegram (a web service) for automated file upload via the telebot library (bot.send_document uploads split parts to TG_CHAT_ID). The report describes only the outbound upload; the bidirectional sub-technique would require the bot to also poll for operator commands, which the summary does not document.
- [T1041] Exfiltration Over C2 Channel – Transmits collected data (report.txt and report.html) and split archive parts over the same Telegram channel used for control (“transmit it to the attacker … via the configured Telegram chat”).
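The T1497.001 checks above decide whether the stealer runs at all, so an analysis environment that trips any of them will never show the credential-theft behaviour. The following is an added example (not code from the report or from the XillenStealer project) that evaluates a host profile against the artifact classes the report lists, so a sandbox operator can see which artifacts to mask before detonation. The MAC prefix table, the extra driver and process names beyond vboxguest.sys and VBoxService.exe, and both sample profiles are assumptions made for the example; the stealer's own lists are not reproduced on this page.

```python
import uuid

# Well-known hypervisor OUIs (assumed list; the report does not enumerate the stealer's own table).
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:16:3e": "Xen",
    "00:1c:42": "Parallels", "00:15:5d": "Hyper-V",
}
# Manufacturer/model keywords quoted in the report.
VM_HARDWARE_KEYWORDS = ("vmware", "virtual", "qemu", "virtualbox")
# vboxguest.sys and VBoxService.exe are named in the report; the rest are assumed additions.
VM_DRIVERS = ("vboxguest.sys", "vboxmouse.sys", "vboxsf.sys", "vmhgfs.sys", "vmmouse.sys")
VM_PROCESSES = ("vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe")

# Constructed profiles: an untouched VirtualBox guest and one with the artifacts masked.
DEFAULT_SANDBOX = {
    "mac_addresses": ["08:00:27:4E:66:A1"],
    "manufacturer": "innotek GmbH",
    "model": "VirtualBox",
    "drivers": ["vboxguest.sys", "vboxsf.sys", "ntfs.sys"],
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"],
    "debugger_present": False,
}
HARDENED_SANDBOX = {
    "mac_addresses": ["3C:97:0E:12:AB:CD"],  # OUI changed to a non-hypervisor prefix (constructed value)
    "manufacturer": "Dell Inc.",
    "model": "OptiPlex 7090",
    "drivers": ["ntfs.sys", "tcpip.sys"],
    "processes": ["explorer.exe", "svchost.exe"],
    "debugger_present": False,
}


def normalize_mac(mac):
    """Accept 08:00:27:..., 08-00-27-... or 080027... and return lower-case colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def local_mac():
    """Stdlib-only MAC lookup for the host running this script. uuid.getnode() returns a
    random 48-bit value (multicast bit set) when no hardware address can be found."""
    return normalize_mac("%012x" % uuid.getnode())


def evaluate_profile(profile):
    """Return [(category, artifact), ...] for every artifact that would mark the host as
    an analysis environment under the checks described in the report. Empty means clean."""
    findings = []
    for mac in profile.get("mac_addresses", []):
        prefix = normalize_mac(mac)[:8]
        if prefix in VM_MAC_PREFIXES:
            findings.append(("mac_prefix", f"{prefix} ({VM_MAC_PREFIXES[prefix]})"))
    for field in ("manufacturer", "model"):
        value = profile.get(field, "").lower()
        for kw in VM_HARDWARE_KEYWORDS:
            if kw in value:
                findings.append((field, f"'{kw}' in {value!r}"))
                break  # one finding per field is enough to fail the check
    present_drivers = {d.lower() for d in profile.get("drivers", [])}
    findings += [("driver", d) for d in VM_DRIVERS if d in present_drivers]
    running = {p.lower() for p in profile.get("processes", [])}
    findings += [("process", p) for p in VM_PROCESSES if p in running]
    if profile.get("debugger_present"):
        findings.append(("debugger", "IsDebuggerPresent returned true"))
    return findings


if __name__ == "__main__":
    for name, profile in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        hits = evaluate_profile(profile)
        print(f"{name}: {'would be detected' if hits else 'passes'}")
        for category, artifact in hits:
            print(f"  {category}: {artifact}")
```

Fill the profile from the sandbox's own inventory (SMBIOS strings, loaded driver list, process list) rather than trusting the defaults shown here, and re-run after every change to the VM image; a single remaining artifact is enough for the sample to exit before it touches a browser database.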
Indicators of Compromise
- [File Name] builder and artifact names observed – builder.py, XillenStealer, XillenStealerAntiDot.py.
- [File Name] installer/dependency scripts – install_deps.bat, install_deps.sh.
- [Domain] threat infrastructure/forum – hXXps://xillenkillers[.]ru (associated centralized forum and support channels).
- [File Path / Artifact] wallet and messaging artifacts targeted on the host – exodus.wallet, the Electrum wallet directory, Telegram Desktop tdata (Telegram session files).
- [API/Service] exfiltration channel – Telegram Bot API usage with a configurable TG_CHAT_ID and bot token (no token or chat ID values are provided in the article; presence of pyTelegramBotAPI and telebot usage noted).
- [YARA String] detection signatures – “XillenStealer”, “XillenStealerAntiDot.py”, “steler.py” (sic, as it appears in the rule), and “install_deps.bat” observed in YARA rules (rule XillenStealer).
Read more: https://www.cyfirma.com/research/unmasking-a-python-stealer-xillenstealer/