New “123 | Stealer” Advertised on Underground Hacking Forums for $120 Per Month
A new credential-stealing malware dubbed “123 | Stealer” has surfaced on underground cybercrime forums, being marketed by threat actor “koneko” for $120 per month.
This malware-as-a-service (MaaS) offering represents the latest evolution in information stealer technology, combining sophisticated data exfiltration capabilities with a user-friendly administrative interface.
Key Takeaways
1. "123 | Stealer" marketed for $120/month by threat actor "koneko" on underground forums.
2. C++ coded, DLL-free (~700KB), supports 70+ browser extensions, requires self-hosted proxy servers.
3. Steals browser data, passwords, crypto wallets, Discord accounts, and performs file/process grabbing.
4. Professional presentation but lacks cybercriminal reviews, making effectiveness uncertain.
The stealer targets a comprehensive range of sensitive data, demonstrating the increasing commercialization of cybercrime tools.
According to the forum advertisement, the malware harvests browser data, cookies, stored passwords, cryptocurrency wallet information, and browser extensions.
The threat actor claims the stealer can also perform process grabbing and file grabbing operations, making it a versatile tool for data theft operations.
123 | Stealer Bypasses AV, Targets Browsers and Crypto Wallets
According to the Kraken Labs report, 123 | Stealer is written in C++, a programming language choice that suggests developers prioritized performance and low-level system access.
The malware uses a DLL-free stub architecture of approximately 700KB, which makes it harder to detect for traditional antivirus solutions that rely on detecting dynamic link library (DLL) injection.
One notable aspect is the proxy server requirement. Users must establish their own proxy infrastructure using Ubuntu or Debian-based servers, indicating a sophisticated command and control (C2) architecture.
This approach allows malware operators to maintain operational security (OPSEC) while distributing infrastructure burden to customers.
The administrative panel reveals extensive browser support, including compatibility with over 70 browser extensions.
The stealer targets major Chromium-based browsers such as Google Chrome, Opera, and Chromium itself, as well as Gecko-based browsers like Firefox variants.
Popular applications, including Discord, Battle.net, and various cryptocurrency wallets, are also within the malware’s scope.
Mid-Tier Threat, Costs $120 Monthly
The $120 monthly subscription model positions 123 | Stealer in the mid-tier market segment of information stealers.
This pricing strategy targets both novice cybercriminals and experienced threat actors seeking reliable data exfiltration tools. The subscription model ensures recurring revenue for malware authors while providing continuous updates and support to customers.
The forum advertisement emphasizes that users are responsible for any detection or force majeure events, indicating that malware authors are attempting to limit their liability.
Additionally, the service explicitly prohibits operations in Russia, CIS countries, and former Soviet republics, a common restriction among cybercrime services.
Currently, the malware has not received public reviews from other cybercriminals on the forum, making its actual effectiveness unverified.
However, the professional presentation of the login interface and comprehensive administrative panel suggests significant development investment, indicating this may be a serious threat rather than a scam operation.
Security researchers and organizations should monitor for 123 | Stealer samples and update detection signatures to protect against this emerging threat.