Gotham Stealer

Gotham Stealer (formerly Pirate Stealer) is a sophisticated info stealer that appeared in September 2023. It features Discord injection, startup injection, wallet theft, browser data extraction, system information harvesting and automatic cookie parsing; it can also steal sessions for Roblox, Steam and Minecraft, and it hides its processes. It additionally supports screen watching and screen clicking, meaning attackers can view and interact with the victim’s screen in real time.

Key Insights

Pirate Stealer was rebranded and enhanced. The malware authors added Discord webhooks for logging, an MSI file builder, a rootkit, and a customizable file path regex. This is a step up from the previous malware’s design.

Technical Architecture

Gotham Stealer is packaged as a self-contained Node.js executable roughly 80MB in size. This is unusual: most malware is not written in JavaScript, and JavaScript-based malware is rarely found on the desktop. The malware uses evasion techniques such as heavy obfuscation and anti-analysis checks to avoid detection.
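The packaging described above suggests a simple triage check a defender can run over download folders: a Windows executable that is unusually large and embeds Node.js runtime strings deserves a second look. The script below is an added example, not Hunt.io’s code or anything taken from the stealer; the 40 MB threshold and the marker strings are assumptions chosen to illustrate the idea, and the sample files it builds are constructed.

```python
"""Triage heuristic for self-contained Node.js executables (e.g. pkg/nexe-style bundles)."""
import os
import tempfile
from dataclasses import dataclass

# Assumptions, not indicators from the Hunt.io profile: the profile only states
# that the stealer is a self-contained Node.js executable of roughly 80 MB.
# Tune the threshold and marker strings to your own environment.
SIZE_THRESHOLD_BYTES = 40 * 1024 * 1024
NODE_MARKERS = (b"NODE_OPTIONS", b"node_modules", b"process.binding")
MIN_MARKERS = 2  # one marker alone is too weak to act on


@dataclass
class Verdict:
    path: str
    size: int
    is_pe: bool
    markers: tuple
    suspicious: bool


def classify_bytes(path, data, size_threshold=SIZE_THRESHOLD_BYTES):
    """Apply the heuristic to file contents already in memory."""
    is_pe = data[:2] == b"MZ"  # Windows PE files start with 'MZ'
    found = tuple(m.decode() for m in NODE_MARKERS if m in data)
    suspicious = (
        is_pe
        and len(data) >= size_threshold
        and len(found) >= MIN_MARKERS
    )
    return Verdict(path, len(data), is_pe, found, suspicious)


def classify_file(path, size_threshold=SIZE_THRESHOLD_BYTES):
    """Read one file and classify it; tens of MB fit in memory comfortably."""
    with open(path, "rb") as fh:
        return classify_bytes(path, fh.read(), size_threshold)


def scan_directory(root, size_threshold=SIZE_THRESHOLD_BYTES):
    """Walk a directory tree and return the verdicts that tripped the heuristic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify_file(os.path.join(dirpath, name), size_threshold)
            if verdict.suspicious:
                hits.append(verdict)
    return hits


def demo():
    """Write constructed sample files to a temp dir and scan them with a tiny threshold."""
    samples = {
        # constructed: PE header plus Node runtime markers -> flagged
        "crack_installer.exe": b"MZ" + b"\x00" * 256 + b"NODE_OPTIONS\x00node_modules\x00",
        # constructed: PE header, no Node markers -> not flagged
        "legit_tool.exe": b"MZ" + b"\x00" * 256,
        # constructed: markers present but not a PE file -> not flagged
        "notes.txt": b"set NODE_OPTIONS and clear node_modules",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        hits = scan_directory(root, size_threshold=64)
        return [os.path.basename(v.path) for v in hits]


if __name__ == "__main__":
    print("flagged:", demo())
```

The heuristic is deliberately coarse: legitimate Electron and Node applications will also trip it, so treat a hit as a prompt for manual review (signer, download origin, behaviour), not as a conviction.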

Distribution Methods

The malware is spread through malicious ads promoting game cracks, cheats and mods. The ads lead users to actor-controlled websites where the malware is hosted. By targeting gaming communities, the attackers increase the chance of successful infections, since these users are actively looking for unauthorized software modifications.

Known Variants

Gotham Stealer is a new strain of malware that evolved from Pirate Stealer. The rebranding means it’s a different malware with new features and improvements from the original Pirate Stealer.

Mitigation Strategies

  • Install robust endpoint protection to detect and block malware execution.

  • Educate users, especially in gaming communities, not to download and execute game cracks, cheats, and mods from untrusted sources.

  • Monitor network traffic for unusual activities like unauthorized connections to external servers.

  • Keep software and security solutions up to date so that the latest threat definitions and protection mechanisms are in place.
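The network-monitoring item above can be made concrete with the detail from Key Insights that the stealer logs through Discord webhooks: ordinary Discord client traffic goes to the regular API paths, while a non-Discord process repeatedly POSTing to a webhook URL is worth an alert. The script below is an added example, not Hunt.io’s code; the proxy log format, hostnames, IPs, process names and webhook identifiers are constructed, and the process allowlist is an assumption to fill in locally. Only the webhook URL shape (https://discord.com/api/webhooks/<id>/<token>) is taken from Discord’s documented API.

```python
"""Hunt for data posted to Discord webhooks in proxy logs."""
import re
from collections import defaultdict

# Constructed proxy log for the example (not real traffic). Fields:
# timestamp client process method url status bytes_out
SAMPLE_LOG = """\
2023-10-02T14:03:11Z 10.0.5.21 chrome.exe GET https://discord.com/api/v9/users/@me 200 310
2023-10-02T14:03:40Z 10.0.5.21 Update.exe POST https://discord.com/api/webhooks/1100000000000000000/EXAMPLE-TOKEN-aaaa 204 184320
2023-10-02T14:03:42Z 10.0.5.21 Update.exe POST https://discord.com/api/webhooks/1100000000000000000/EXAMPLE-TOKEN-aaaa 204 96000
2023-10-02T14:05:02Z 10.0.5.44 Discord.exe POST https://discord.com/api/v9/channels/1/messages 200 512
2023-10-02T14:06:00Z 10.0.5.44 steam.exe GET https://store.steampowered.com/ 200 0
"""

# Webhook URLs have the form https://discord.com/api/webhooks/<id>/<token>;
# discordapp.com is the older domain that serves the same API.
WEBHOOK_RE = re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([\w-]+)")

# Assumption: lower-cased process names you have verified as legitimate webhook users.
ALLOWED_PROCESSES = frozenset()


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, client, process, method, url, status, bytes_out = line.split()
    return {"ts": ts, "client": client, "process": process, "method": method,
            "url": url, "status": int(status), "bytes_out": int(bytes_out)}


def find_webhook_posts(log_text, allowed_processes=ALLOWED_PROCESSES):
    """Return one alert per (client, process, webhook id) that POSTed to a webhook.

    The webhook token is matched but deliberately left out of the alert: it is a
    write credential for that webhook and has no business in a ticket or dashboard.
    """
    groups = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "first_seen": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        match = WEBHOOK_RE.search(rec["url"])
        if not match or rec["method"] != "POST":
            continue  # GETs and regular Discord API paths are normal client traffic
        if rec["process"].lower() in allowed_processes:
            continue
        key = (rec["client"], rec["process"], match.group(1))
        stats = groups[key]
        stats["posts"] += 1
        stats["bytes_out"] += rec["bytes_out"]
        stats["first_seen"] = stats["first_seen"] or rec["ts"]
    return [
        {"client": client, "process": process, "webhook_id": webhook_id, **stats}
        for (client, process, webhook_id), stats in sorted(groups.items())
    ]


if __name__ == "__main__":
    for alert in find_webhook_posts(SAMPLE_LOG):
        print(alert)
```

Grouping by webhook id rather than by request keeps the output to one line per suspected exfiltration channel, and the byte count gives the analyst an immediate sense of how much left the host.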

Targeted Industries or Sectors

Gotham Stealer targets individual users in gaming communities. By targeting Discord, Steam and Roblox, the malware aims to compromise accounts and steal information from gamers, exploiting the trust and interaction within these communities to spread. The developers and distributors of Gotham Stealer are Turkish threat actors who sell and promote the malware through Telegram channels. They announced they were out of business in December 2023, but we can’t rule out a resurrection or new versions emerging in the future.

Associated Threat Actors

The core developers behind Gotham Stealer, operating under the Telegram aliases @silvaqr and @LdcSabo, are Turkish-speaking cybercriminals who publicly launched and promoted the malware from September 2023 before ceasing operations in December 2023.
