CyberSecurityNews

CharlieKirk Grabber Stealer Attacking Windows Systems to Exfiltrate Login Credentials


A new Python-based infostealer called CharlieKirk Grabber has been identified targeting Windows systems, with a focused goal of stealing stored login credentials, browser cookies, and session data.

The malware is built to work as a “smash-and-grab” threat — it launches quickly, collects whatever sensitive data it can find, and disappears before the user notices anything unusual.

The malware arrives as a Windows executable, packaged through a tool called PyInstaller, which bundles all its Python code into a single self-contained file that runs without requiring Python to be installed on the target machine.

It borrows its name and political imagery from Turning Point USA as a social engineering lure. The malware is typically delivered through phishing emails, cracked software packages, game cheat downloads, or social media-based lures.

Cyfirma researchers identified the malware and noted that it uses a builder-style structure, which makes it modular.

This means that whoever operates it can freely configure the command-and-control (C2) settings — such as a Discord webhook or a Telegram bot — and switch specific collection modules on or off before deploying the final executable.


Once active on a system, CharlieKirk Grabber profiles the host by collecting the username, hostname, hardware UUID, and the external IP address.

It forcibly kills running browser processes using the Windows TASKKILL tool, which releases the file locks on their saved password databases so they can be read.

The stolen data — covering passwords, cookies, autofill entries, browsing history, and Wi-Fi credentials — is then bundled into a ZIP archive and uploaded to the GoFile file-hosting platform.

CharlieKirk Grabber Stealer (Source – Cyfirma)

A download link is immediately sent to the attacker over HTTPS through either a Discord webhook or a Telegram bot, keeping all communications encrypted.

Living Off the Land: How CharlieKirk Stays Hidden

What makes this stealer particularly difficult to detect is its heavy use of legitimate Windows tools that are already part of every installation.

Instead of deploying suspicious third-party files, the malware uses NETSH.EXE to retrieve saved Wi-Fi passwords, SYSTEMINFO.EXE to map hardware and OS details, and PowerShell to silently add itself to Microsoft Defender’s exclusion list.

UAC elevation attempt (Source – Cyfirma)

This method, known as “living off the land,” lets malicious actions blend in with normal administrative behavior, helping it avoid signature-based detection.

Discord Token Theft and Account Validation (Source – Cyfirma)

Organizations should enforce Multi-Factor Authentication across all critical services and restrict browser-based password storage through enterprise policy.

Security teams should monitor for unusual browser process termination events, outbound HTTPS traffic to Discord, Telegram, or GoFile, and any PowerShell activity in user-writable directories.

Credential and File Extraction Activity (Source – Cyfirma)

Execution from temporary paths such as %TEMP% and %APPDATA% should be blocked using AppLocker or Windows Defender Application Control (WDAC).
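As an added example (not the article's or Cyfirma's code), the following Python scores Windows process-creation telemetry for the chain described above: single TASKKILL, NETSH, SYSTEMINFO or PowerShell runs are ordinary administrative noise, so it correlates them per parent process and treats a parent launched from %TEMP% or %APPDATA% as suspicious on a single hit. The event fields, sample records, path and alert names are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)

@dataclass(frozen=True)
class ProcEvent:      # one Sysmon Event ID 1 / Security 4688-style record (assumed shape)
    host: str
    parent: str       # full image path of the parent process
    image: str        # full image path of the new process
    cmdline: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> set[str]:
    """Map one event to the LOLBin behaviours the article attributes to the stealer."""
    exe, cl = _basename(ev.image), ev.cmdline.lower()
    hits = set()
    if exe == "taskkill.exe" and any(b in cl for b in BROWSERS):
        hits.add("browser_kill")            # frees the locked credential databases
    if exe == "netsh.exe" and "wlan" in cl and "key=clear" in cl:
        hits.add("wifi_credential_dump")
    if exe == "systeminfo.exe":
        hits.add("host_profiling")
    if exe in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cl and "exclusion" in cl:
        hits.add("defender_exclusion")
    return hits

def score_chains(events, threshold: int = 2) -> dict[tuple[str, str], set[str]]:
    """Group hits by (host, parent). Report parents with >= threshold distinct
    behaviours, or any hit at all when the parent runs from %TEMP%/%APPDATA%."""
    per_parent: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in events:
        per_parent[(ev.host, ev.parent)] |= classify(ev)
    return {k: v for k, v in per_parent.items()
            if len(v) >= threshold or (v and USER_WRITABLE.search(k[1]))}

# Constructed sample telemetry (not from the report): one stealer-like chain plus benign noise.
STEALER = r"C:\Users\alice\AppData\Local\Temp\CharlieKirk.exe"   # hypothetical drop path
SAMPLE_EVENTS = [
    ProcEvent("WS01", STEALER, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM chrome.exe /IM msedge.exe"),
    ProcEvent("WS01", STEALER, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile name=Office key=clear"),
    ProcEvent("WS01", STEALER, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),  # helpdesk noise
]

ALERTS = score_chains(SAMPLE_EVENTS)   # only the WS01 chain under CharlieKirk.exe is reported
```

Feed real Sysmon or 4688 records into `score_chains` to hunt across a fleet; the lone `systeminfo` from Explorer on WS02 is correctly ignored.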

Indicators of Compromise (IOC):

| Indicator Type | Value |
| --- | --- |
| File Name | CharlieKirk.exe |
| File Size | 19.58 MB |
| File Type | Executable (PE32) |
| MD5 | 598adf7491ff46f6b88d83841609b5cc |
| SHA-256 | f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1 |
| First Seen in Wild | February 2026 |
| C2 Channel | Discord Webhook / Telegram Bot API |
| Exfiltration Platform | gofile.io |

MITRE ATT&CK Mapping:

| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Credential Access | T1555.003 | Credentials from Password Stores (Web Browsers) |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
| Collection | T1560 | Archive Collected Data |
| Defense Evasion | T1202 | Indirect Command Execution (LOLBins) |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Security Tools |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation (Conditional) | T1548.002 | Abuse Elevation Control Mechanism (UAC) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
