In recent weeks, cybersecurity experts have identified a new Python-based information stealer named XillenStealer, which has been publicly available on GitHub and swiftly adopted by cybercriminals. First reported in mid-September 2025, XillenStealer features a user-friendly graphical user interface (GUI) builder, simplifying the creation and deployment of malicious payloads. This accessibility has contributed to its rapid proliferation among threat actors.
Key Features and Functionality
XillenStealer’s modular design allows operators to customize its capabilities, enabling the targeting of various data sources, including:
– Web Browsers: Extraction of cookies and login credentials from popular browsers.
– Cryptocurrency Wallets: Access to wallet files to steal digital assets.
– Gaming Applications: Collection of sensitive information from gaming platforms.
– Messaging Platforms: Harvesting data from communication applications.
Operators can configure data exfiltration channels, such as integrating with a Telegram bot, to receive stolen information. The stealer can be delivered as a standalone executable packaged with PyInstaller or executed directly using Python, enhancing its versatility.
Technical Analysis
Upon execution, XillenStealer conducts comprehensive reconnaissance to profile the compromised system. It employs functions like `checkvmsandbox()` to detect virtualized or sandboxed environments by analyzing MAC address prefixes and known process names. Additionally, it utilizes the Windows API `IsDebuggerPresent` to evade debugging and analysis.
If the system passes these checks, XillenStealer proceeds to collect data through various modules:
– Browser Data Collection: The `getbrowserdata()` function decrypts and retrieves stored credentials from Chromium-based browsers.
– Cryptocurrency Wallet Access: The `getwallets()` function locates and exfiltrates wallet files from popular cryptocurrency applications.
The collected data is compiled into reports in both HTML and plain text formats. To manage large data volumes, the stealer segments archives and uploads them to the attacker’s Telegram chat using a pre-configured bot token.
Persistence Mechanism
XillenStealer ensures its persistence on infected systems by creating a scheduled task named WindowsSystemMaintenance, set to trigger at user logon. This task is configured to execute the stealer automatically upon each reboot, maintaining its presence on the system. The persistence function is implemented as follows:
“`python
def installpersistence():
try:
if OSTYPE == Windows:
scheduler = win32com.client.Dispatch(Schedule.Service)
scheduler.Connect()
root = scheduler.GetFolder(\\)
task = root.NewTask(0)
trigger = task.Triggers.Create(9) # At logon trigger
action = task.Actions.Create(0)
action.Path = sys.executable if hasattr(sys, frozen) else sys.argv[0]
task.RegistrationInfo.Description = System Maintenance Task
task.Settings.Enabled = True
task.Settings.Hidden = True
root.RegisterTaskDefinition(
WindowsSystemMaintenance, task, 6, None, None, 3
)
return True
except Exception:
return False
“`
This method not only ensures the stealer’s persistence but also disguises it as a legitimate maintenance task, reducing the likelihood of detection.
Threat Actor Attribution and Ecosystem
The infrastructure supporting XillenStealer operations appears to be managed by threat actors with established ties to Russian-speaking cybercriminal communities. Their operational model encompasses not only malware development but also distribution, customer support, and monetization through subscription-based services. The actors are linked to a group branding themselves as Xillen Killers, who promote their involvement in large-scale cyber operations.
XillenStealer is supported by a centralized forum accessible at (hXXps://xillenkillers[.]ru). Beyond the stealer itself, the group offers a range of offensive tools and services, including:
– Purchasing virtual numbers with automatic issuance
– A DDoS attack platform
– Exploitation frameworks targeting web vulnerabilities
– Network attack and penetration testing utilities
Mitigation Strategies
To protect against threats like XillenStealer, users and organizations should implement the following measures:
– Regular Software Updates: Ensure that all operating systems and applications are up to date to patch known vulnerabilities.
– Use of Security Software: Deploy reputable antivirus and anti-malware solutions to detect and prevent infections.
– User Education: Train users to recognize phishing attempts and avoid downloading files from untrusted sources.
– Network Monitoring: Implement network monitoring to detect unusual data exfiltration activities.
– Access Controls: Limit user permissions to reduce the potential impact of malware execution.
By adopting these strategies, individuals and organizations can enhance their defenses against XillenStealer and similar information-stealing malware.
