Go-based malware targeting Windows systems, exfiltrating user data—including information from Discord, web browsers, cryptocurrency wallets, and more—from every user profile across all disks. (PoC. For educational purposes only.)
This Proof-of-Concept project demonstrates a "stealer" (data-theft) malware variant focused on Discord, implemented in Go rather than Python, the language most Discord stealers are written in. The malware runs on Windows and uses the fodhelper.exe technique for privilege escalation. With elevated privileges it gains access to every user session present on every disk.

Features:

- Anti-Debug: Terminates the execution of debugging tools.
- Anti-Virus: Disables Windows Defender and blocks access to antivirus websites.
- Anti-VM: Detects virtual machine (VM) environments and terminates execution if run within one.
- Browsers: Steals login credentials, cookies, credit card details, browsing history, and download lists from 37 Chromium-based browsers. Also steals credentials, cookies, history, and download lists from 10 Gecko-based browsers.
- Clipper: Replaces the user's clipboard content with a specific cryptocurrency address whenever another cryptocurrency address is copied.
- Common Files: Steals sensitive files located in standard system directories.
- Discord Codes: Captures Discord Two-Factor Authentication (2FA) recovery codes.
- Discord Injection: Intercepts login, registration, and 2FA login requests; captures requests related to recovery codes; monitors requests for email address or password changes; intercepts requests to add credit cards or PayPal accounts; blocks the use of QR codes for logging in; blocks requests attempting to view the list of connected devices.
- fakerror: Misleads the user into believing that the program has terminated due to an error.
- games: Extracts gaming sessions from Epic Games, Uplay, Minecraft (14 different launchers), and Riot Games.
- hideconsole: A module that hides the console window.
- startup: Ensures that the program runs automatically at system startup.
- system: Collects information regarding the CPU, GPU, RAM, IP address, location, saved Wi-Fi networks, and much more.
- tokens: Extracts authentication tokens from 4 Discord applications, as well as from Chromium- and Gecko-based browsers.
- uacbypass: Obtains the necessary privileges to steal data from other system users.
- wallets: Steals data from 10 local cryptocurrency wallets and 55 wallet extensions.
- walletsinjection: Captures mnemonic phrases and passwords from 2 specific cryptocurrency wallets.