Gotham Stealer

Gotham Stealer (formerly Pirate Stealer) is a sophisticated info stealer that dropped in September 2023. It has Discord injection, startup injection, wallet theft, browser data extraction, system info harvesting, auto-parsed cookies and can be a session stealer for Roblox, Steam and Minecraft and has process hiding. It also has screen watching and screen clicking. Meaning attackers can watch and interact with the victim’s screen in real time.

Key Insights

Pirate Stealer was rebranded and enhanced. The malware authors added Discord webhooks for logging, an MSI file builder, a rootkit, and a customizable file path regex. This is a step up from the previous malware design.

Technical Architecture

Gotham Stealer is packaged as a self contained Node.js executable which is 80MB in size. This is unusual as most malware are not packaged as JavaScript and are not found in desktop environment. The malware uses advanced evasion techniques like sophisticated obfuscation and anti-analysis to evade detection.

Distribution Methods

The malware is spread through malicious ads promoting game cracks, cheats and mods. The ads lead users to actor controlled websites where the malware is hosted. By targeting gaming communities the attackers increase the chance of successful infections as users are looking for unauthorized software modifications.

Known Variants

Gotham Stealer is a new strain of malware that evolved from Pirate Stealer. The rebranding means it’s a different malware with new features and improvements from the original Pirate Stealer.

Mitigation Strategies

Install robust endpoint protection to detect and block malware execution.
Educate users, especially in gaming communities, not to download and execute game cracks, cheats, and mods from untrusted sources.
Monitor network traffic for unusual activities like unauthorized connections to external servers.
Keep software and security solutions up to date to have the latest threat definitions and protection mechanisms.

Targeted Industries or Sectors

Gotham Stealer targets individual users in gaming communities. By targeting Discord, Steam and Roblox the malware is trying to compromise accounts and steal info from gamers. This is exploiting the trust and interaction within these communities to spread.The developers and distributors of Gotham Stealer are Turkish threat actors. They are selling and promoting the malware through Telegram channels. They announced they are out of business in December 2023 but we can’t rule out the possibility of resurrection or new versions emerging in the future.

Associated Threat Actors

The core developers behind Gotham Stealer, operating under the Telegram aliases @silvaqr and @LdcSabo, are Turkish-speaking cybercriminals who publicly launched and promoted the malware, originally in September 2023, before ceasing operations in December 2023.