Octalyn Stealer Collects VPN Configs, Passwords, and Cookies into Organized Folder Structures


A sophisticated new credential stealer has surfaced on GitHub, masquerading as a legitimate forensic toolkit while targeting sensitive user data such as VPN configurations, browser credentials, and cryptocurrency wallet information.

Dubbed Octalyn Stealer, this malware was first detected in July 2025. Though it claims to be an educational research tool, it operates as a fully functional threat designed for large-scale data theft and exfiltration.

The malware utilizes a dual-language architecture, featuring a C++ core payload paired with a Delphi-based builder interface. This combination makes it user-friendly and accessible to threat actors across different levels of technical proficiency.

The Octalyn Stealer lowers the entry barrier for cybercriminals by requiring only a Telegram bot token and chat ID to generate fully functional payloads. Once deployed, it operates with notable stealth, establishing persistence through multiple techniques and neatly organizing stolen data into structured directories for streamlined analysis.

Cyfirma researchers uncovered the malware during routine threat hunting operations, highlighting its deceptive blend of legitimate appearance and malicious capabilities. Hosted on GitHub, Octalyn masquerades as a forensic research tool, complete with educational disclaimers, while actually containing all the components necessary for unauthorized data collection.

This strategic disguise has enabled the stealer to remain publicly accessible, potentially expanding its reach among low-skilled threat actors.

Targeted Data Types

1. Financial Data: Octalyn specifically targets cryptocurrency wallets across major platforms including Bitcoin, Ethereum, Litecoin, and Monero. It creates separate subdirectories for each, systematically collecting:

  • Wallet addresses
  • Private keys
  • Seed phrases
  • Configuration files

2. Browser-Stored Data: The malware also extracts a wide range of information from popular browsers like Chrome, Edge, and Opera, including:

  • Passwords
  • Cookies
  • Autofill entries
  • Browsing history

This comprehensive data theft approach, combined with its publicly accessible façade and ease of deployment, makes Octalyn Stealer a serious emerging threat in the cybercriminal landscape.

Infection Mechanism and Data Organization

The Octalyn Stealer’s infection process begins with the execution of Build.exe, which functions as a sophisticated dropper component.

Upon execution, the malware leverages the Windows API function GetTempPathA to identify the system’s temporary directory, subsequently creating a working folder structure using the code pattern getenv("TEMP") + "\\Octalyn". This primary directory serves as the staging area for all subsequent malicious activities.

The dropper systematically extracts three embedded executables—TelegramBuild.exe, rvn.exe, and assembly.exe—into the temporary folder using a loop structure that calls ShellExecuteA in silent mode.

The main payload, TelegramBuild.exe, immediately begins creating an organized directory structure with specific folders including “Cryptowallets,” “Extensions,” “VPN,” “Games,” and “Socials.”

This methodical approach to data organization reflects the malware’s commercial-grade design, enabling efficient sorting and processing of stolen information.

Data Exfiltration

The stealer leverages advanced techniques to extract browser data, with a particular focus on Chrome’s cookie storage located at \\Google\\Chrome\\User Data\\Default\\Network\\Cookies.

It decrypts the stored cookies using Chrome’s local encryption keys, enabling access to sensitive session data. Similar decryption methods are applied to harvest data from Microsoft Edge and Opera, further broadening the malware’s reach across major web browsers.

Credential Archiving with PowerShell (Source – Cyfirma)

Following data collection, the stealer compresses all harvested information into a ZIP archive using PowerShell commands, then transmits the file to attacker-controlled Telegram channels via encrypted TLS connections to api.telegram.org.
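As an added illustration (not code from Cyfirma's report or from the malware itself), the following Python correlates the behaviours described above, the %TEMP%\Octalyn staging folder, the PowerShell ZIP step, and the api.telegram.org connection, over constructed Sysmon-style events; the event schema and field names are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up: a staging folder %TEMP%\Octalyn with category
# subfolders, a PowerShell ZIP step, and TLS traffic to api.telegram.org from a
# payload that itself runs out of the temp folder.
STAGING_DIR = re.compile(r"\\temp\\octalyn(\\|$)", re.IGNORECASE)
TEMP_IMAGE = re.compile(r"\\temp\\", re.IGNORECASE)
ARCHIVE_CMD = re.compile(r"compress-archive", re.IGNORECASE)
EXFIL_HOST = "api.telegram.org"

def classify(event):
    """Map one Sysmon-style event dict (schema assumed) to an indicator name, or None."""
    kind = event.get("type")
    image = event.get("image", "")
    if kind == "file_create" and STAGING_DIR.search(event.get("path", "")):
        return "staging_dir"
    if kind == "process_create" and image.lower().endswith("powershell.exe") \
            and ARCHIVE_CMD.search(event.get("cmdline", "")):
        return "powershell_zip"
    if kind == "network" and event.get("dest_host", "").lower() == EXFIL_HOST \
            and TEMP_IMAGE.search(image):
        return "telegram_api_from_temp"
    return None

def detect(events):
    """Per host, alert only when the staging folder co-occurs with a later-stage indicator."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in seen.items()
            if "staging_dir" in t and t & {"powershell_zip", "telegram_api_from_temp"}}

# Constructed sample telemetry (not real logs): ws01 shows the full chain, ws02 is benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\Build.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\Octalyn\Cryptowallets"},
    {"host": "ws01", "type": "process_create", "image": PS,
     "cmdline": r"powershell -w hidden Compress-Archive -Path C:\Users\alice\AppData\Local\Temp\Octalyn -DestinationPath C:\Users\alice\AppData\Local\Temp\out.zip"},
    {"host": "ws01", "type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\Octalyn\TelegramBuild.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "ws02", "type": "process_create", "image": PS,
     "cmdline": r"Compress-Archive -Path C:\Users\alice\Pictures -DestinationPath C:\Users\alice\photos.zip"},
    {"host": "ws02", "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # {'ws01': ['powershell_zip', 'staging_dir', 'telegram_api_from_temp']}
```

The per-host correlation is what keeps a user's own Compress-Archive or a browser call to the Telegram API from firing on its own.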

Published July 16th, 2025 (2025-07-16T13:40:37+05:30) | Malware, vulnerability

About the Author:

FirstHackersNews - Identifies Security
