Python Based XillenStealer Attacking Windows Users to Steal Sensitive Data


In recent weeks, cybersecurity researchers have observed the emergence of XillenStealer, a Python-based information stealer publicly hosted on GitHub and rapidly adopted by threat actors.

First reported in mid-September 2025, the stealer leverages a user-friendly builder GUI to lower the bar for malicious deployment.

Operators can configure exfiltration channels, such as a Telegram bot, and enable modules targeting browsers, cryptocurrency wallets, gaming applications, and messaging platforms.


Delivered as a PyInstaller-packaged executable or run directly with Python, XillenStealer has quickly become a commodity tool in underground markets, underscoring the ongoing professionalization of cybercrime.

Following its initial appearance, Cyfirma analysts noted that the builder interface (builder.py) is protected by a SHA-256 password hash, granting access only to authorized operators.

This design choice not only streamlines stealer customization but also embeds basic access control to prevent casual misuse.

The stealer’s modular architecture allows operators to toggle specific data harvesting capabilities, such as browser cookies, login credentials, system profiling, and screenshot capture.

By integrating native Windows APIs and Python libraries like psutil, browser-cookie3, and pyTelegramBotAPI, XillenStealer assembles a comprehensive snapshot of the compromised host before packaging data for exfiltration.

Upon execution, XillenStealer performs extensive reconnaissance to fingerprint the environment.

It calls checkvmsandbox() to detect virtualization or sandbox environments by comparing MAC address prefixes and running process names against known lists, and calls the Windows API IsDebuggerPresent to detect an attached debugger and frustrate analysis.

Systems that pass these checks proceed to data collection routines, including getbrowserdata(), which decrypts stored credentials from Chromium-based browsers, and getwallets(), which locates and exfiltrates cryptocurrency wallet files.

Once data is consolidated into reports (both HTML and plain text), the stealer segments large archives and uploads them to the attacker’s Telegram chat using the configured bot token.
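Because the exfiltration channel is the public Telegram Bot API, every upload has to reach api.telegram.org with the bot token embedded in the URL path (https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;). The following is an added hunting example, not code from the article or from the stealer: it scans constructed web-proxy log lines for that URL shape, keeps only the file- and message-sending methods, and counts repeated sendDocument calls per client, which is what the segmented-archive upload described above looks like on the wire. The log line format, the token pattern and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

TELEGRAM_HOST = "api.telegram.org"
# Bot API methods that push data out of the network; getUpdates and friends pull.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Bot token shape "<numeric bot id>:<secret>"; the secret length is an assumption
# that is loose enough for hunting without matching ordinary paths.
BOT_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)$")

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
TOKEN_A = "123456789:" + "AAF" + "x" * 32
TOKEN_B = "987654321:" + "BBG" + "y" * 32
SAMPLE_PROXY_LOG = f"""\
2025-09-20T10:00:01Z 10.0.0.5 POST https://{TELEGRAM_HOST}/bot{TOKEN_A}/sendDocument 200
2025-09-20T10:00:02Z 10.0.0.5 POST https://{TELEGRAM_HOST}/bot{TOKEN_A}/sendDocument 200
2025-09-20T10:00:03Z 10.0.0.5 POST https://{TELEGRAM_HOST}/bot{TOKEN_A}/sendDocument 200
2025-09-20T10:00:04Z 10.0.0.5 POST https://{TELEGRAM_HOST}/bot{TOKEN_A}/sendMessage 200
2025-09-20T10:01:00Z 10.0.0.7 GET https://www.example.com/index.html 200
2025-09-20T10:01:05Z 10.0.0.7 GET https://{TELEGRAM_HOST}/bot{TOKEN_B}/getUpdates 200
"""


def parse_proxy_line(line):
    """Split one constructed-format proxy line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2], "url": parts[3]}


def telegram_exfil_hits(lines):
    """Return one record per request that sends data through the Telegram Bot API."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.hostname != TELEGRAM_HOST:
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m:
            continue
        token, api_method = m.group(1), m.group(2)
        if api_method not in EXFIL_METHODS:
            continue
        bot_id, secret = token.split(":", 1)
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "api_method": api_method,
            "bot_id": bot_id,                      # stable indicator, safe to share
            "token_tail": secret[-4:],             # enough to correlate, not to reuse
        })
    return hits


def summarize_by_client(hits):
    """Per-client counts of each exfil method, plus the bot id(s) seen."""
    summary = defaultdict(lambda: {"bot_ids": set(), "sendDocument": 0,
                                   "sendMessage": 0, "sendPhoto": 0})
    for h in hits:
        entry = summary[h["client"]]
        entry["bot_ids"].add(h["bot_id"])
        entry[h["api_method"]] += 1
    return dict(summary)


def chunked_upload_clients(summary, min_documents=2):
    """Clients that pushed several documents: the signature of a split archive."""
    return sorted(c for c, e in summary.items() if e["sendDocument"] >= min_documents)


if __name__ == "__main__":
    found = telegram_exfil_hits(SAMPLE_PROXY_LOG.splitlines())
    per_client = summarize_by_client(found)
    for client in chunked_upload_clients(per_client):
        e = per_client[client]
        print(f"{client}: {e['sendDocument']} documents to bot(s) {sorted(e['bot_ids'])}")
```

Only the bot id and the last four characters of the secret are kept in the hit record; the full token is a credential to the attacker's channel and should be handled under the same rules as any other secret pulled from logs.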

Infection Mechanism Deep Dive

XillenStealer’s infection mechanism hinges on its integrated builder and persistence setup.

Operators use the GUI to compile malicious payloads into standalone executables via PyInstaller and UPX compression.

XillenStealer (Source – Cyfirma)

After initial execution, the stealer invokes the installpersistence() function to ensure survival across reboots:

import sys
import platform

import win32com.client  # pywin32 COM binding used to reach the Task Scheduler 2.0 service

OSTYPE = platform.system()  # "Windows" on the hosts the stealer targets


def installpersistence():
    """Register a hidden scheduled task that relaunches the stealer at every logon."""
    try:
        if OSTYPE == "Windows":
            scheduler = win32com.client.Dispatch("Schedule.Service")
            scheduler.Connect()
            root = scheduler.GetFolder("\\")           # root task folder
            task = root.NewTask(0)
            trigger = task.Triggers.Create(9)          # 9 = TASK_TRIGGER_LOGON: fire at user logon
            action = task.Actions.Create(0)            # 0 = TASK_ACTION_EXEC: run a program
            # PyInstaller build: relaunch the bundled executable; plain Python: the script itself
            action.Path = sys.executable if hasattr(sys, "frozen") else sys.argv[0]
            task.RegistrationInfo.Description = "System Maintenance Task"
            task.Settings.Enabled = True
            task.Settings.Hidden = True                # hide the task from the Task Scheduler UI
            root.RegisterTaskDefinition(
                "WindowsSystemMaintenance",            # task name as registered in the scheduler
                task,
                6,                                     # 6 = TASK_CREATE_OR_UPDATE
                None, None,                            # no explicit user name or password
                3,                                     # 3 = TASK_LOGON_INTERACTIVE_TOKEN (current user)
            )
        return True
    except Exception:
        return False

This persistence mechanism ensures that the stealer automatically executes at every user logon, reinforcing stealth by masquerading as a benign maintenance task.

By combining builder-driven payload creation with robust persistence tactics, XillenStealer maintains long-term presence on compromised systems and continues to siphon valuable data until eradicated.
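The persistence routine leaves a distinctive artifact: a hidden task, a logon trigger, and an action whose command points at wherever the stealer was dropped, which for a user-launched PyInstaller binary is almost always a user-writable directory. The following is an added triage example, not code from the article or from Cyfirma: it parses the Task Scheduler XML that `schtasks /query /xml` or PowerShell's `Export-ScheduledTask` emits and flags tasks that combine all three traits. The two task definitions are constructed for this example, and the list of "user-writable" path markers is an assumption made for the heuristic.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption for this example: a logon task whose binary lives under one of these
# directories was not registered by a Windows component or a proper installer.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")

# Constructed task XML modelled on what installpersistence() would register.
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>System Maintenance Task</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Local\Temp\update.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: visible, calendar-triggered, binary under the Windows directory.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Weekly defragmentation</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {
    "WindowsSystemMaintenance": SUSPICIOUS_TASK_XML,
    "Microsoft\\Windows\\Defrag\\ScheduledDefrag": BENIGN_TASK_XML,
}


def assess_task(name, xml_text):
    """Score one exported task definition; returns the traits found and a verdict."""
    root = ET.fromstring(xml_text)
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    hidden = hidden_text.strip().lower() == "true"
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    command = command.strip().strip('"')
    user_writable = any(marker in command.lower() for marker in USER_WRITABLE_MARKERS)

    reasons = []
    if hidden:
        reasons.append("hidden")
    if logon:
        reasons.append("logon trigger")
    if user_writable:
        reasons.append("binary in user-writable path")
    # All three together is the pattern of the stealer's task; any one alone is common.
    return {
        "name": name,
        "command": command,
        "reasons": reasons,
        "suspicious": hidden and logon and user_writable,
    }


def scan_tasks(tasks):
    """Return the names of tasks that match the full hidden + logon + user-path pattern."""
    return [r["name"] for r in (assess_task(n, x) for n, x in tasks.items()) if r["suspicious"]]


if __name__ == "__main__":
    for task_name in scan_tasks(SAMPLE_TASKS):
        result = assess_task(task_name, SAMPLE_TASKS[task_name])
        print(f"{task_name}: {', '.join(result['reasons'])} -> {result['command']}")
```

On a live host, feed each task's XML from `Export-ScheduledTask` into assess_task(); the command path it returns is the file to collect before removing the task, since deleting the task alone leaves the payload on disk.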




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.