The stealer employs a broad data-theft toolkit: the researchers noted that the Python implementation acts as a wide-net data harvester. It collects system information, extracts browser-stored data, and pulls details from communication platforms, including Telegram and Discord. Additional modules target VPN configurations, retrieve selected files from the host, and can deliver other payloads, suggesting the Python build is designed to gather a comprehensive snapshot of a victim machine while enabling flexible follow-up actions.

By contrast, the C++ variant concentrates on assets that enable persistence, lateral movement, or monetization beyond simple credential theft. The researchers found capabilities related to remote desktop protocol (RDP) connections, the collection of gaming-related files, and screen capture functionality. It also includes a post-exploitation browser data extractor, “ChromElevator.”

While the Python version aligns with the researchers’ theory of a grab-and-run approach, the C++ version hints at plans for persistence. The disclosure added a list of indicators of compromise (IOCs), including file hashes, IPs, and domains, to support detection efforts.
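The disclosure's IOC list is only useful once it is actually matched against telemetry. The script below is an added example (not code from the article, from CSO Online, or from the researchers) of how a defender would sweep process-creation, DNS and netflow logs for the three indicator types the disclosure names: file hashes, IPs and domains. Every indicator value and every log line in it is a constructed placeholder (TEST-NET addresses, `.invalid` domains, repeated-character hashes); the real ArkaniX IOCs are not on this page and must be taken from the disclosure itself. Domain matching deliberately treats an IOC domain as a suffix on a label boundary, so `a.example-c2.invalid` hits but `notexample-c2.invalid` does not.

```python
"""Match a published IOC list (file hashes, IPs, domains) against log lines.

Added example. All IOC values and log lines are constructed placeholders,
not the indicators from the ArkaniX disclosure.
"""
import ipaddress
import re
from dataclasses import dataclass

# --- Constructed placeholder IOCs (replace with the disclosure's real list) ---
IOC_SHA256 = {"a" * 64, "b" * 64}                      # lowercase hex
IOC_IPS = {"203.0.113.10", "198.51.100.7"}              # TEST-NET, placeholders
IOC_DOMAINS = {"example-c2.invalid", "cdn.example-loader.invalid"}


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str        # "hash", "ip" or "domain"
    indicator: str   # the IOC that fired
    line: str        # the raw log line


_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname-looking tokens: dotted labels ending in an alphabetic TLD.
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def _domain_hit(host: str):
    """Return the IOC domain that matches host exactly or as a parent domain.

    Suffix matching is done on a label boundary ("." + ioc) so that a lookalike
    such as notexample-c2.invalid does not match example-c2.invalid.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_lines(lines):
    """Scan an iterable of log lines and return a list of Match records."""
    matches = []
    for n, line in enumerate(lines, start=1):
        for h in _SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                matches.append(Match(n, "hash", h.lower(), line))
        for ip in _IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(ip)       # drop 999.1.1.1-style junk
            except ValueError:
                continue
            if ip in IOC_IPS:
                matches.append(Match(n, "ip", ip, line))
        for host in _HOST_RE.findall(line):
            ioc = _domain_hit(host)
            if ioc:
                matches.append(Match(n, "domain", ioc, line))
    return matches


# Constructed sample telemetry: one hash hit, one DNS subdomain hit, one IP hit,
# and two benign lines that must not fire.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z sysmon ProcessCreate image=C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe sha256=" + "A" * 64,
    "2025-01-01T10:00:02Z dns query=telemetry.example-c2.invalid type=A",
    "2025-01-01T10:00:03Z netflow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2025-01-01T10:00:04Z dns query=www.example.com type=A",
    "2025-01-01T10:00:05Z netflow src=10.0.0.5 dst=10.0.0.1 dport=53",
]


if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} IOC {m.indicator} -> {m.line}")
```

Hashes are normalised to lowercase before lookup because vendors publish them in mixed case; IPs are validated with `ipaddress` so that malformed dotted quads in free-text logs are skipped rather than compared. For production use, load the three IOC sets from the disclosure's list and feed the function the relevant log export instead of `SAMPLE_LOGS`.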
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4135843/new-arkanix-stealer-blends-rapid-python-harvesting-with-stealthier-c-payloads.html

