Breaking into the Bandit Stealer Malware Infrastructure

mins read time
CloudSEK's threat researchers discovered a new Bandit Stealer malware web panel on 06 July 2023, with at least 14 active instances.
Bablu Kumar
Published on
July 11, 2023
Blog Image


Malware Intelligence


Stealer Malware





Executive Summary

  • On 06 July 2023, CloudSEK’s threat researchers found a web panel of a relatively new Bandit Stealer malware.
  • The malware is written in Go programming language.
  • We found at least 14 instances of Bandit Stealer web panels which were recently active.
  • The malware is being distributed through YouTube videos.
  • The stealer collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. 
  • The stealer targets more than 25 cryptocurrency wallets and 17 web browsers.
  • The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer. 

Analysis and Attribution

CloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware on a Russian-speaking underground forum where a threat actor vouched for it.

CloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of which went down in a span of 24 hours. All of these IP addresses were running on port 8080.

Results from

Bandit Web Panel Analysis

Our source identified a few website endpoints that allowed access to the website’s internal system without entering the credentials due to a misconfiguration on the website.

Login page of Bandit Stealer web panel

Nothing particularly significant can be noted on the dashboard except a menu for options such as Builder and Results.

Dashboard interface of the malware panel

The Builder page shows the options for building a customized version of Bandit Stealer malware. And, in the stealer operation, threat actors utilize key elements to carry out their activities:

  • Communication Channel: ChatID, Bot Token, and Server IP are utilized to establish a secure connection with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users, such as compromised credentials and screenshots.
  • Cryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer cryptocurrency amounts to the threat actor’s wallet.
  • Loader URL: The Loader URL serves as a mechanism for distributing the malware. For instance, in malvertising campaigns, a hidden JavaScript code operates in the background and is responsible for dropping the executable malware file onto the victim's system. This URL is a crucial component in the initial infection process.
  • FileName: The FileName refers to the name assigned to the executable malware file. This file contains the malicious code responsible for the intended actions, such as data theft and exfiltration.
Malware builder panel used for generating executable

One of the discovered endpoints was /builds that had all the Bandit Stealer builder that had been generated so far by this particular panel. Our source was able to acquire them for further analysis.

Next, another identified endpoint was /clients with multiple instances of likely exfiltrated data from multiple IP addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address, followed by size and the exfiltration date and time. While our analysis confirms the data to be sent to the Telegram bot, but we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.

Analysis of Stealer Logs

Our source was able to exfiltrate the stealer logs from their web panel for Analysis. One of the log files was from the test machine with lots of screenshots which they might have used for testing the malware. The screenshot shows the process of anti-reversing tools being killed using Command Prompt. The other screenshot shows the same process using PowerShell. As the malware has screen capture capabilities, it is assumed that the malware have captured these screenshots during the infection (likely on the test machine).

The process of killing anti-reversing tools

Another screenshot reveals the usages of a Telegram bot in the stealer malware as the C2 communication channel. 

Using Telegram bot for C2 servers

Malware Delivery Mechanism 

The malware is being distributed through YouTube videos which is a commonly seen malware delivery mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. 

Technical Analysis 

Bandit Stealer, a newly discovered form of information stealer malware, showcases advanced capabilities and evasive techniques. Written in the Go language, it employs various methods to circumvent detection by debugging tools and virtual machine environments, ensuring its covert operations remain undetected.

To avoid analysis and hinder reverse engineering efforts, Bandit Stealer employs clever tactics. It actively checks for the presence of debuggers using techniques like IsDebuggerPresent and CheckRemoteDebuggerPresent. Furthermore, it possesses the ability to detect sandbox environments, swiftly shutting itself down if such environments are detected, thereby eluding analysis attempts. The malware even terminates reverse engineering tools that could potentially interfere with its functionality.

Notably, Bandit Stealer has been observed spreading through YouTube videos to reach mass users.

In order to establish persistence on infected systems, the malware creates an autorun registry entry, named "Bandit Stealer." By doing so, it ensures that the malicious code runs each time the machine is booted up.

Collected PC, User, and IP Information 

The stealer is designed to obtain valuable information from PCs and users. It discreetly collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer. 

The Stealer employs a curated blacklist obtained from an external URL, in some instances a Pastebin URL, and stores it in C:\Users\USERNAME\AppData\Roaming\blacklist.txt and the file gets deleted once the stealer finishes execution. This blacklist serves a crucial role in determining whether the Stealer is running within a sandbox/virtual environment or on an actual system. Additionally, it aids in identifying specific processes and reversing tools that the Stealer aims to terminate in order to thwart any potential analysis or reverse engineering attempts.

Blacklisted IP Addresses:

Blacklisted Mac Addresses:

The list of blacklisted HWIDs:

Blacklisted PC User and Names:

Reversing Tools Termination

Blacklisted Processes































According to our open-source research, it appears that the Bandit Stealer uses an identical replica of the "blacklist.txt" file from an open-source stealer malware project called EMPYREAN available on Github.

Identical blacklist.txt part of a open-source stealer malware on Github

Information Stealing & C2 Server Communication

Bandit steals web browser data that includes the theft of saved login information, crucial cookies, browsing history and sensitive credit card details stored within the browser's user profile.

List of Target Browsers

Chrome Browser

Iridium Browser

7Star Browser

Vivaldi Browser

Yandex Chrome




Microsoft Edge

Torch Web Browser

Kometa Browser



Amigo Browser

Epic Privacy Browser

SeaMonkey browser


The malware also targets a large list of digital cryptocurrency wallets.

List of Cryptocurrency Wallets

Coinbase wallet extension

Saturn Wallet extension

MetaMask extension

Bither Bitcoin wallet

Binance chain wallet extension

Coin98 Wallet

ronin wallet extension

multidoge coin

TronLink Wallet

multibit Bitcoin

Kardiachain wallet extension


Terra Station

Electron Cash

Jaxx liberty Wallet

Dash Wallet

Guildwallet extension


Math Wallet extension


Bitpay wallet extension


Nifty Wallet extension



Bytecoin Wallet

Coinomi wallet

Monero wallet


Here is an example of captured Firefox cookies by the Bandit Stealer.

Theft of browser cookies by Bandit Stealer

The collected data is then packaged up into a ZIP file and then exfiltrated to the C2 server which points to the Telegram server (

Data exfiltration to the C2 server belonging to Telegram (


  • Exposed credentials can be used by threat actors to access the user’s personal information, internal networks and steal sensitive files and information.
  • The stolen credentials can be sold on underground forums, thus making them available to the public, competitors, and other threat actors. 
  • The attacks and the exfiltration of sensitive information can lead to the victim's loss of data, revenue, and reputation.

Indicators of Compromise (IoCs)

MD5 Hash








Screenshot of the stealer logs gathered by Bandit

Empyrean - an open source stealer malware written in Python

Related Posts
Blog Image
September 8, 2023

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.

Blog Image
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

KYC Verification Evasions Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.