A sophisticated new Python-based information stealer has emerged in the cybersecurity landscape, demonstrating advanced capabilities for data exfiltration through Discord channels.
The malware, identified as “Inf0s3c Stealer,” represents a significant evolution in the realm of data theft tools, combining traditional system reconnaissance techniques with modern communication platforms to avoid detection while efficiently harvesting sensitive information from compromised Windows systems.
The malware operates as a comprehensive grabber designed to systematically collect host identifiers, CPU information, network configurations, and user data from infected machines.
Upon execution, it silently invokes multiple PowerShell commands through the Command Prompt to gather extensive system details, creating a detailed profile of the victim’s environment.
The stealer targets a wide range of sensitive information including Discord accounts, browser credentials, cookies, browsing history, cryptocurrency wallets, Wi-Fi passwords, and gaming platform sessions from popular services like Steam, Epic Games, and Minecraft.
Cyfirma researchers identified that the malware demonstrates sophisticated packaging and obfuscation techniques, utilizing both UPX compression and PyInstaller bundling to evade detection.
The 6.8MB executable has a measured entropy of 8.000 bits per byte, the theoretical maximum for byte-level Shannon entropy, meaning the file is almost entirely compressed or encrypted content and yields little to static analysis tools until it is unpacked.
During execution, the malware creates temporary directories within the Windows %temp% folder, systematically organizing stolen data into categorized subdirectories such as “Credentials,” “Directories,” and “System” before compilation into password-protected archives.
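As an added triage example (not Cyfirma's tooling and not code from the stealer), the following Python script computes the byte-level Shannon entropy the report refers to and checks for the well-known UPX ("UPX!", section names UPX0/UPX1) and PyInstaller (archive cookie magic `MEI\x0c\x0b\x0a\x0b\x0e`) markers. The 7.0 bits/byte threshold and the constructed sample bytes are assumptions for illustration, and a high score only says "packed or compressed", not "malicious": many legitimate PyInstaller builds are UPX-compressed too.

```python
import math
from collections import Counter
from pathlib import Path

# Well-known marker strings (facts, not page-specific): UPX writes "UPX!" and
# sections named UPX0/UPX1; PyInstaller's archive cookie starts with this magic.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Assumed cut-off: above ~7.0 bits/byte a PE is almost always compressed/encrypted.
HIGH_ENTROPY_BITS = 7.0

# Constructed sample "file image" used for the demo; not a real binary.
CONSTRUCTED_SAMPLE = b"MZ\x90\x00" + b"UPX0" + bytes(16) + PYINSTALLER_MAGIC + bytes(range(256))


def shannon_entropy(data: bytes) -> float:
    """Return entropy in bits per byte: 0.0 for a constant stream, 8.0 for
    a uniform distribution over all 256 byte values (the 8.000 in the report)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packer_indicators(data: bytes) -> dict:
    """Summarise packing hints for a file held in memory."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 3),
        "high_entropy": ent >= HIGH_ENTROPY_BITS,
        "upx": any(m in data for m in UPX_MARKERS),
        "pyinstaller": PYINSTALLER_MAGIC in data,
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and report its packing indicators."""
    return packer_indicators(Path(path).read_bytes())


if __name__ == "__main__":
    print(packer_indicators(CONSTRUCTED_SAMPLE))
```

Run `triage_path("sample.exe")` on a suspect file; a whole-file entropy near 8.0 together with the PyInstaller magic is the signature described above, and the practical next step is extracting the bundled .pyc files (for example with pyinstxtractor) rather than fighting the packed binary.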
The stealer’s primary innovation lies in its automated exfiltration mechanism through Discord channels, where it transmits collected data as compressed RAR archives labeled “Blank Grabber.”
This approach leverages legitimate communication infrastructure to blend malicious traffic with normal user activity, significantly reducing the likelihood of detection by network monitoring systems.
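Because the traffic terminates at discord.com, blocking by IP or domain alone is rarely an option where Discord is permitted; the distinguishing features are the endpoint and the shape of the request. The following added detection example (written for this page, not Cyfirma's or the stealer's code) runs over constructed proxy log lines and flags POSTs to Discord webhook URLs (`/api/webhooks/<id>/<token>`), raising severity when the body is a large multipart upload. The log format, the process names and the 100 KB size threshold are assumptions; that the stealer uses webhooks specifically, rather than some other Discord channel, is also an assumption on top of the report's wording.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log, not from any real incident. Assumed format:
# "<ts> <client_ip> <process> <method> <url> <status> <bytes_sent> <content_type>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 chrome.exe GET https://discord.com/api/v9/users/@me 200 512 application/json
2024-01-01T10:00:07Z 10.0.0.5 x.scr POST https://discord.com/api/webhooks/1234567890/AbCdEf 204 1948373 multipart/form-data
2024-01-01T10:00:09Z 10.0.0.7 Discord.exe POST https://discord.com/api/v9/channels/42/messages 200 2048 application/json
2024-01-01T10:00:12Z 10.0.0.5 x.scr POST https://discord.com/api/webhooks/1234567890/AbCdEf 204 2207110 multipart/form-data
"""

# Hosts that serve the Discord API (discordapp.com is the legacy name).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
# Webhook endpoint shape: numeric id followed by an opaque token.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+$")


def detect_webhook_exfil(log_text: str, min_bytes: int = 100_000) -> list:
    """Return one alert per POST to a Discord webhook. Severity is 'high'
    when the request is a multipart upload of at least min_bytes, which is
    what an archive upload looks like; anything else is 'medium'."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # skip lines that do not match the assumed format
        ts, client, process, method, url, status, sent, ctype = parts
        u = urlsplit(url)
        if method != "POST" or u.hostname not in DISCORD_HOSTS or not WEBHOOK_PATH.match(u.path):
            continue
        sent_bytes = int(sent)
        big_upload = sent_bytes >= min_bytes and ctype.startswith("multipart/")
        alerts.append({
            "time": ts,
            "client": client,
            "process": process,
            "webhook": u.path,
            "bytes": sent_bytes,
            "severity": "high" if big_upload else "medium",
        })
    return alerts


def bytes_per_client(alerts: list) -> dict:
    """Aggregate uploaded bytes per client so repeated small posts still surface."""
    totals = {}
    for a in alerts:
        totals[a["client"]] = totals.get(a["client"], 0) + a["bytes"]
    return totals


if __name__ == "__main__":
    for a in detect_webhook_exfil(SAMPLE_LOG):
        print(a)
    print(bytes_per_client(detect_webhook_exfil(SAMPLE_LOG)))
```

In the sample, the two multipart posts from `x.scr` are flagged high while the ordinary client and browser calls to the Discord API pass; in a real environment, feed the same logic a proxy export and pivot on the process and client fields. Where Discord is not business-sanctioned, denying `discord.com/api/webhooks/` at the proxy removes this exfiltration path outright.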
Advanced Persistence and Evasion Mechanisms
The Inf0s3c Stealer uses a simple persistence tactic intended to survive reboots and logons.
The malware copies itself into the Windows Startup folder under a .scr extension so the copy looks like a screensaver file; since .scr files are ordinary PE executables, Windows runs the copy at every logon.
This technique is implemented through the PutInStartup() function, which targets the system-wide startup directory:

```python
import os
import shutil

def PutInStartup() -> str:
    # All-users Startup folder: anything placed here runs at every logon for every user
    STARTUPDIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    # GetSelf() returns the running file's path and whether it is a frozen executable
    # rather than a plain .py script (identifier reconstructed from the garbled excerpt)
    file, isExecutable = Utility.GetSelf()
    if isExecutable:
        # Random name of invisible characters plus a .scr extension
        out = os.path.join(STARTUPDIR, "{}.scr".format(Utility.GetRandomString(invisible=True)))
        os.makedirs(STARTUPDIR, exist_ok=True)
        try:
            shutil.copy(file, out)
        except Exception:
            return None
        return out
```
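The two observable artifacts of that function are a .scr file in the all-users Startup folder and a file name made of non-printing characters. As an added hunting example (written for this page, not Cyfirma's or the stealer's code), the script below walks the Startup folders and flags entries on either criterion. The per-user Startup path and the character classes treated as "invisible" (Unicode format, control and space-separator categories) are assumptions; the demo directory it builds is constructed for the test and contains no real malware.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Assumed standard Startup locations: the all-users one PutInStartup() writes to,
# plus the per-user one for completeness.
STARTUP_DIRS = [
    Path(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
    Path(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")),
]

# Unicode categories that render as nothing or as blank space.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def is_invisible_name(stem: str) -> bool:
    """True when every character of the file stem is invisible (or the stem is empty),
    the assumed result of GetRandomString(invisible=True)."""
    return all(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in stem)


def suspicious_startup_entries(dirs=STARTUP_DIRS) -> list:
    """Return files in the given Startup folders that use a .scr extension
    or an invisible name, with the reasons for each hit."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if not p.is_file():
                continue
            reasons = []
            if p.suffix.lower() == ".scr":
                reasons.append("screensaver extension in Startup (.scr is a PE executable)")
            if is_invisible_name(p.stem):
                reasons.append("file name consists only of invisible characters")
            if reasons:
                findings.append({"path": str(p), "size": p.stat().st_size, "reasons": reasons})
    return findings


def build_demo_startup_dir() -> Path:
    """Create a temporary folder with constructed entries: one invisible-name .scr,
    one visibly named .scr and a benign shortcut."""
    d = Path(tempfile.mkdtemp(prefix="startup_demo_"))
    (d / "\u200b\u200b\u200b.scr").write_bytes(b"MZ")   # constructed, not a real PE
    (d / "report.scr").write_bytes(b"MZ")
    (d / "Notepad.lnk").write_bytes(b"L\x00\x00\x00")
    return d


if __name__ == "__main__":
    for f in suspicious_startup_entries([build_demo_startup_dir()]):
        print(f)
```

On a live host run `suspicious_startup_entries()` with the default folders; an invisible-name hit is worth pulling for the entropy and packer check regardless of extension, because nothing legitimate installs itself under a blank name.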
The malware incorporates multiple anti-analysis features including anti-VM checks and the ability to block antivirus-related websites.
It can perform self-deletion after execution through a “melt” function, leaving minimal forensic traces.
Additionally, the stealer includes a "pump stub" feature that pads the binary to an arbitrary size; some scanners and sandboxes skip or deprioritize files above a size limit, so the padding can keep the sample from being analysed at all.