Krypton Stealer – Credential Stealer

Krypton Stealer is a credential-stealing spyware tool sold through a number of hacking forums and dark web sites.

As Krypton is sold directly to attackers, it is likely that multiple methods are used to distribute it; however, as of the time of publication it has only been observed as a payload in spam campaigns.

Once installed, Krypton will collect system and user information before sending it to a command and control (C2) server. It will then attempt to extract credentials from the following applications:

  • Multiple web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer.
  • The ProtonVPN and NordVPN VPN applications.
  • Messaging applications including WhatsApp and Telegram.
  • FTP clients such as FileZilla, Total Commander and WinSCP.

Any extracted credentials are stored within TXT files and sent to the C2 server. You can read the full report on this malware here.

f0304768[.]xsph[.]ru – Detected as malicious

Indicators of Compromise


a84f1fe984e6fb04af0e029b67245f2167bcec766959f5033bfbf5ac00f0d396 – kryp_XoxoxolUa_6.8_22.59.exe – Krypton Stealer binary

c5bc8c7d3b78d7e7b1ffa25130983e8498e127bb5fe2e2a05adb0838c7f6fb4a – kryp_XoxoxolUa_6.8_22.59.rar – Krypton Stealer archive
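
The following sweep is an added example, not part of the original report: it refangs the domain listed above and checks JSON-lines telemetry against it and the two SHA-256 hashes. The event field names (host, dns_query, sha256) and the sample events are constructed assumptions; map them to whatever your DNS, proxy or EDR export actually uses.

```python
import json

# Indicators copied from this page, domain kept in the defanged form used above.
IOC_DOMAINS = ["f0304768[.]xsph[.]ru"]
IOC_SHA256 = [
    "a84f1fe984e6fb04af0e029b67245f2167bcec766959f5033bfbf5ac00f0d396",
    "c5bc8c7d3b78d7e7b1ffa25130983e8498e127bb5fe2e2a05adb0838c7f6fb4a",
]

def refang(indicator):
    """Turn a defanged indicator (a[.]b[.]c) back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def domain_hit(queried, ioc):
    """True for the IoC domain or any subdomain, but not for lookalike suffixes."""
    name = queried.strip().lower().rstrip(".")  # DNS logs often keep the root dot
    return name == ioc or name.endswith("." + ioc)

def sweep(json_lines):
    """Return (line_number, kind, value) for every event matching an indicator."""
    domains = [refang(d) for d in IOC_DOMAINS]
    hashes = {h.lower() for h in IOC_SHA256}
    hits = []
    for number, line in enumerate(json_lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated records instead of aborting the sweep
        if not isinstance(event, dict):
            continue
        query = event.get("dns_query")
        if isinstance(query, str) and any(domain_hit(query, d) for d in domains):
            hits.append((number, "domain", query))
        digest = event.get("sha256")
        if isinstance(digest, str) and digest.lower() in hashes:
            hits.append((number, "sha256", digest))
    return hits

# Constructed sample events; hosts and field names are hypothetical.
SAMPLE_EVENTS = [
    '{"host": "ws-01", "dns_query": "F0304768.xsph.ru."}',    # case + root dot
    '{"host": "ws-02", "dns_query": "xf0304768.xsph.ru"}',    # lookalike, no hit
    json.dumps({"host": "ws-03", "sha256": IOC_SHA256[0].upper()}),
    '{"host": "ws-04", "dns_query": "cdn.f0304768.xsph.ru"}',  # subdomain
    '{"host": "ws-05", "dns_query": "xsph.ru"',               # truncated record
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print(hit)
```

Matching on a label boundary rather than a bare suffix keeps unrelated hosts that merely end in the same characters out of the results, and the parent domain alone is not treated as an indicator.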

Command & Control Server


PDB File


Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
