Approaching stealers devs: Summary & refused talks.

g0njxa
8 min read · Dec 15, 2023


Consider this the end of a series that lasted a few weeks. I tried to contact almost everyone related to the infostealer ecosystem whom I found relevant and interesting, based on my own judgement. I hope this series helps people better understand what is happening in the malware threat landscape.

Everyone was “approached” the same way, and was asked common and personalized questions:

Привет
Я независимый исследователь-любитель, интересующийся ворами информации.
Я видел, что вы являетесь владельцем <XXX>, и если вы согласны, я бы хотел взять с вами небольшое интервью по этому поводу.
Я хочу знать о продукте, который вы предлагаете

Hello
I am an independent amateur researcher interested in information stealers.
I saw that you are the owner of <XXX>, and if you agree, I would like to do a short interview with you about it.
I want to know about the product you offer

These people were contacted on Telegram or Jabber.

Some people required further talks in order to accept the interview, or an “administration approval” (on projects where more than one person is involved).

Of course not everybody wanted to talk. I haven't forgotten them; they just refused me.

Here is what the guys who refused to talk with me said or did:

Rhadamanthys Stealer

Не сюда

Not here

And then blocked me instantly.

RisePro Stealer

Hello

To be honest, we are not interested. Judging by your interviews, all these developers are trying to present themselves as the “best”, when in fact, if you try to use them, their products are quite sad. Their customers leave, they complain to us about their product. Therefore, they need at least some publicity in order for people to know about them. We don’t need this.

Good luck! Contact me if you need a great product =)

Smoke Loader

no
have a nice day, gl

After showing him the other interviews, he said “glad for them”.

Dark Crystal RAT

Не интересует

Not interested

PrivateLoader

I got blocked very hard by him after showing him “proofs” that relate PrivateLoader to their installs service. Maybe I got a little too excited with him.

Redline

I am upset with the Redline Team.

Передам главному админу, вернется посмотрит

I’ll pass it on to the chief admin; he’ll come back and take a look.

The support guy asked for administration approval, then silence for days. The next day, when I asked for a reply, he said:

Джем админа

Admin Jam

I still don’t understand what this means. I waited for 10 days for a real reply, and he said:

Мы не хотим давать интервью

We don’t want to give interviews

Thank you for replying, but you were ignoring my messages all these days.

Danabot

I talked a bit with them, and they didn’t refuse me, but I ran into some technical issues actually interviewing them, so I gave up. My fault.

SystemBC

They never accepted the TOX friend request.

Mystic Stealer (SEE BELOW FOR FULL INTERVIEW)

I feel sorry for him: he was interviewed, but he replied with a hilarious lack of effort, and I didn’t feel like publishing it as the last interview. If you ever read this, thank you Mystic.
What is Mystic?
a good stealer
Do you have anything to say to the “information security experts” who are trying to track down Mystic?
Everything works out well for them without it :) so I don’t have much advice for them

Phoenix Stealer

This guy agreed to talk. I sent him the questions for the interview, as he requested… He never replied.

If I didn’t contact anyone else, it is because I found them not relevant in the stealer market, or I forgot about you for that reason. Maybe I also couldn’t find a real contact method for you. I could have gone further, but I stopped at this point. There will be no more interviews.

Let’s do a brief summary of the interviewees’ responses to the common questions. (Click on the name to go to the full interview.)

*Note that Amadey is not a stealer but a loader, and is closely related to this ecosystem; it would have been great if a similar product, like Smoke Loader, had agreed to talk.*

Lumma | Raccoon | Meduza | Vidar | Amadey | StealC | Meta

How would you describe <Your product>?

Everyone (except Meta) said their product was the best available on the market, or a perfect product… That’s what I expected from a vendor about his own product.
Indeed, the most accurate description is malware that steals passwords and other stored data from your computer.

What makes <Your product> different from other products?

Lumma, Raccoon, Meduza and Vidar focused on support, because, as Vidar says, “the functionality is the same for everyone”. I would like to highlight what Meta says about logs stolen from customers: I’ve seen rumors of these claims about both Vidar and Raccoon. Vidar was asked after his interview:

Amadey, too, still claims his product is the best on the market.

When did the <Your product> project start?

I set up a timeline:

Amadey — October 8th, 2018
Vidar — November 19th, 2018
Meta — 2021
Raccoon — May, 2022
StealC — Summer 2022
Lumma — December 21st, 2022
Meduza — June 12th, 2023

How many people have tried <Your product>? Approximately

Amadey — “Quite a lot”, not disclosed but less than a thousand
Vidar — Not disclosed
Meta —100 to 150
Raccoon — Around 4000
StealC — Several hundred now, 40 in beta testing
Lumma — 400 active clients
Meduza — Not disclosed

Does <Your product> allow working on CIS countries? What is your opinion of people working on Russians with other products?

Of the above seven, only Meta (although they say they don’t encourage fraud among the poor) allows collecting logs from CIS countries, or at least from some of them.

The reality is that stealers are a big problem that leads to huge financial losses, as well as a huge threat to privacy and security around the globe. Nobody is safe.

How do you see the market, is now a good time to work?

There is a shared view of the infostealer market: it is hugely popular (says Meta), and that has drawn in a lot of “amateur” newcomers who don’t know how to work at all (says StealC), which also brings too much attention to the malware projects (says Raccoon). All in all, there is still huge demand and, unfortunately, the market will keep growing in the coming years (says Lumma).

What would you say to those “information security experts” who are trying to track <Your Product>?

Remember what these guys said to us:

Amadey

“If you want — a weapon in some sense.
But by itself, it is harmless and is used by many system administrators completely legally and voluntarily.
Then Mikhail Kalashnikov must be recognized as an outlaw, because he invented something that killed thousands of people — the Kalashnikov assault rifle.”

Vidar

“We would like to say that there is no need to hold a grudge against us. We think that our data is already known to such structures as the CIA, FBI and other structures, just as we know their data, because they also launch our product, sometimes completely by accident! :)
Everyone does their job”

Meta

There are much more dangerous people in the world than we are. Lone hackers and APT groups capable of organizing a nuclear catastrophe or logistical collapses. Moreover, their goals are very pragmatic.
Don’t look for us. It is better to devote more time to studying and suppressing those who, at the push of a button, can paralyze a nuclear reactor or a medical bay during a patient’s operation.

Raccoon

He skipped this question. The closest thing he said that applies to it: “this hype is not justified, too much attention is bad”.

StealC

We can wish you good luck, and that you finally understand that viruses are almost always “encrypted” in the wild, and if you come across a StealC sample weighing 5 megabytes, this does not mean that the original weighs 5 megabytes) various anti-emulation techniques that are used by cryptors are often attributed to our and other software, although this is incorrect on their part

Lumma

I say hello to them. I don’t mind being tracked. On the contrary, this gives popularity to Lumma.

Meduza

Interesting question, I’d probably want to advise them not to miss the little things, the little things make up the whole picture

EXTRA

MYSTIC STEALER (December 2023)

The interview was made in English. Original text is provided below.

What is Mystic?

Mystic is a good stealer, which has shown itself not badly in our market

What is the history of the name Mystic?

There is no story as such, initially it was a product for myself, nothing more. But then it seemed like a good idea to try to make it for sale

How is Mystic different from other products?

At the moment it is no different from many other products, but we are working on improvements and major updates are being prepared soon

When did Mystic start working?

Mystic started working in April 2023

How many people have tried Mystic? approximately

in total there were more than 200 users

In my opinion, Mystic’s usage dropped a few months ago. We have seen a lot of Mystic panels in the past, but now a bit less. What is your opinion on this?

It has not ceased to exist; major updates are being prepared, so at the moment there is no information about updates on the forums, only information about what is being cleared from detection

Was the Mystic communication between panel and build rewritten in an update a few months ago? I am talking about sending the log in parts to /loghub/master

Yes, we are constantly working on updates and constantly rewriting and improving, just soon there will be new updates and improvements as I wrote above

Does Mystic allow us to work on people from CIS countries?

our software does not work in Russia and the CIS and we do not approve of those who work in these countries

What are Mystic plans for the future?

Plans for the future are only development, providing a good and stable product

How do you see the market, is now a good time to work?

Since we are relatively new to the market, it is impossible to say exactly how good a time it is to work, but given the fact that people write and buy subscriptions every day, I think that these services are in demand

Do you have anything to say to the “information security experts” who are trying to track down Mystic?

Everything works out well for them without it :) so I don’t have much advice for them

The end.

Don’t forget to check every one of the interviews to read everything about the past, present, and future of the stealer projects interviewed:

List: Approaching stealers devs | Curated by g0njxa | Medium

Best regards.
@g0njxa
