
eBook
A Hands-On Guide Using Hunt.io’s Threat Intelligence Platform
Gotham Stealer (formerly Pirate Stealer) is a sophisticated info stealer that dropped in September 2023. It has Discord injection, startup injection, wallet theft, browser data extraction, system info harvesting, auto-parsed cookies and can be a session stealer for Roblox, Steam and Minecraft and has process hiding. It also has screen watching and screen clicking. Meaning attackers can watch and interact with the victim’s screen in real time.
Pirate Stealer was rebranded and enhanced. The malware authors added Discord webhooks for logging, an MSI file builder, a rootkit, and a customizable file path regex. This is a step up from the previous malware design.
Technical Architecture
Gotham Stealer is packaged as a self contained Node.js executable which is 80MB in size. This is unusual as most malware are not packaged as JavaScript and are not found in desktop environment. The malware uses advanced evasion techniques like sophisticated obfuscation and anti-analysis to evade detection.
Distribution Methods
The malware is spread through malicious ads promoting game cracks, cheats and mods. The ads lead users to actor controlled websites where the malware is hosted. By targeting gaming communities the attackers increase the chance of successful infections as users are looking for unauthorized software modifications.
Install robust endpoint protection to detect and block malware execution.
Educate users, especially in gaming communities, not to download and execute game cracks, cheats, and mods from untrusted sources.
Monitor network traffic for unusual activities like unauthorized connections to external servers.
Keep software and security solutions up to date to have the latest threat definitions and protection mechanisms.