Octalyn Stealer Steals VPN Configurations, Passwords and Cookies in Structured Folders

A sophisticated new credential stealer disguised as a legitimate forensic toolkit has emerged on GitHub, targeting sensitive user data including VPN configurations, browser credentials, and cryptocurrency wallet information.

The Octalyn Stealer, first identified in July 2025, presents itself as an educational research tool while functioning as a fully operational malware designed for large-scale data theft and exfiltration.

The malware employs a dual-language architecture combining C++ for its core payload with a Delphi-based builder interface, making it accessible to threat actors with varying technical expertise.

The builder requires only a Telegram bot token and chat ID to generate a working payload, significantly lowering the barrier to entry for cybercriminals. Once deployed, the stealer operates with considerable stealth, establishing persistence through multiple mechanisms and organizing stolen data into clearly structured directories so that it can be processed efficiently.

Cyfirma researchers identified the malware during routine threat hunting activities, noting its unusual combination of legitimate presentation and malicious functionality.

The stealer’s GitHub repository maintains the facade of a forensic research tool, complete with educational disclaimers, while containing all necessary components for unauthorized data harvesting.

This deceptive approach has allowed the malware to remain publicly accessible, potentially reaching a wider audience of malicious actors.

The financial implications of Octalyn Stealer are particularly concerning, as it specifically targets cryptocurrency wallets across multiple platforms including Bitcoin, Ethereum, Litecoin, and Monero.

The malware creates dedicated subdirectories for each cryptocurrency type, systematically harvesting wallet addresses, private keys, seed phrases, and configuration files.

Beyond financial data, the stealer comprehensively targets browser-stored information, extracting passwords, cookies, autofill data, and browsing history from Chrome, Edge, and Opera browsers.

Infection Mechanism and Data Organization

The Octalyn Stealer’s infection process begins with the execution of Build.exe, which functions as a sophisticated dropper component.

Upon execution, the malware leverages the Windows API function GetTempPathA to identify the system’s temporary directory, subsequently creating a working folder structure using the code pattern getenv("TEMP") + "\Octalyn". This primary directory serves as the staging area for all subsequent malicious activities.

The dropper systematically extracts three embedded executables—TelegramBuild.exe, rvn.exe, and assembly.exe—into the temporary folder using a loop structure that calls ShellExecuteA in silent mode.

The main payload, TelegramBuild.exe, immediately begins creating an organized directory structure with specific folders including “Cryptowallets,” “Extensions,” “VPN,” “Games,” and “Socials.”

This methodical approach to data organization reflects the malware’s commercial-grade design, enabling efficient sorting and processing of stolen information.

[Figure: Data Exfiltration (Source – Cyfirma)]

The stealer employs sophisticated browser data extraction techniques, particularly targeting Chrome’s cookie storage using the path "\Google\Chrome\User Data\Default\Network\Cookies".

The malware decrypts stored cookies using Chrome’s local encryption keys, while similar procedures target Microsoft Edge and Opera browsers.

[Figure: Credential Archiving with PowerShell (Source – Cyfirma)]

Following data collection, the stealer compresses all harvested information into a ZIP archive using PowerShell commands, then transmits the file to attacker-controlled Telegram channels via encrypted TLS connections to api.telegram.org.
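The behaviours described above (the %TEMP%\Octalyn staging folder, the three dropped executables, the named loot subfolders, PowerShell zipping the folder, and a process in that folder reaching api.telegram.org) can be turned into host-based detection logic. The following Python is an added example written for this article, not code from Cyfirma or from the malware; it assumes a simplified EDR-style event schema (host, type, image, path, cmdline, dest_host) and runs over constructed sample events.

```python
STAGING_DIR = "\\octalyn"  # %TEMP%\Octalyn working folder, matched case-insensitively
DROPPED_FILES = {"telegrambuild.exe", "rvn.exe", "assembly.exe"}
LOOT_FOLDERS = {"cryptowallets", "extensions", "vpn", "games", "socials"}
EXFIL_HOST = "api.telegram.org"

def _basename(win_path):
    """Last component of a Windows path, lower-cased ('' for an empty path)."""
    return win_path.lower().rstrip("\\").rsplit("\\", 1)[-1]

def match_event(event):
    """Return the Octalyn indicators one telemetry event matches (empty list if none).
    Assumed fields (EDR-style schema): host, type, image, path, cmdline, dest_host."""
    image = event.get("image", "").lower()
    path = event.get("path", "").lower()
    cmd = event.get("cmdline", "").lower()
    hits = []
    # 1. Files written to / processes started from the staging folder, plus its loot subfolders.
    if STAGING_DIR in image or STAGING_DIR in path:
        hits.append("staging_dir")
        if _basename(path) in LOOT_FOLDERS:
            hits.append("loot_folder:" + _basename(path))
    # 2. The three executables Build.exe extracts into that folder.
    if _basename(image) in DROPPED_FILES or _basename(path) in DROPPED_FILES:
        hits.append("dropped_payload")
    # 3. PowerShell zipping the staging folder (Compress-Archive is an assumption; the article only says "PowerShell commands").
    if "powershell" in _basename(image) and STAGING_DIR in cmd and (
            "compress-archive" in cmd or ".zip" in cmd):
        hits.append("powershell_zip")
    # 4. A process running from the staging folder talking to the Telegram Bot API.
    if event.get("dest_host", "").lower() == EXFIL_HOST and STAGING_DIR in image:
        hits.append("telegram_exfil")
    return hits

def triage(events):
    """Indicators matched per host, in observation order; hosts with no hits are omitted."""
    findings = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev["host"], []).append(hit)
    return findings

# Constructed sample telemetry (not real logs), following the infection chain in the article.
T = r"C:\Users\a\AppData\Local\Temp\Octalyn"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "image": r"C:\Users\a\Downloads\Build.exe", "path": T + r"\TelegramBuild.exe"},
    {"host": "ws01", "type": "dir_create", "image": T + r"\TelegramBuild.exe", "path": T + r"\VPN"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Compress-Archive -Path " + T + r" -DestinationPath C:\Users\a\AppData\Local\Temp\loot.zip"},
    {"host": "ws01", "type": "network", "image": T + r"\TelegramBuild.exe", "dest_host": "api.telegram.org"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
```

Running triage(SAMPLE_EVENTS) reports the full chain for ws01 only; a single indicator such as a connection to api.telegram.org is weak on its own, so alerting should key on several of these firing together on one host.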
