Krypton Stealer is a credential-stealing spyware tool sold through a number of hacking forums and dark web sites.
As Krypton is sold directly to attackers, it is likely that multiple methods are used to distribute it; however, as of the time of publication it has only been observed as a payload in spam campaigns.
Once installed, Krypton will collect system and user information before sending it to a command and control (C2) server. It will then attempt to extract credentials from the following applications:
- Multiple web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer.
- The ProtonVPN and NordVPN VPN applications.
- Messaging applications, including WhatsApp and Telegram.
- FTP clients such as FileZilla, Total Commander and WinSCP.
Any extracted credentials are stored within TXT files and sent to the C2 server. You can read the full report on this malware here.
Indicators of Compromise
a84f1fe984e6fb04af0e029b67245f2167bcec766959f5033bfbf5ac00f0d396 – kryp_XoxoxolUa_6.8_22.59.exe – Krypton Stealer binary
c5bc8c7d3b78d7e7b1ffa25130983e8498e127bb5fe2e2a05adb0838c7f6fb4a – kryp_XoxoxolUa_6.8_22.59.rar – Krypton Stealer archive
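As an added defender-side example (not code from the original report), the script below hashes every file under a directory and flags any match against the two SHA-256 indicators listed above; the helper names and the sample file it creates for the demonstration are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators taken from the report above, mapped to what they identify.
KRYPTON_IOCS = {
    "a84f1fe984e6fb04af0e029b67245f2167bcec766959f5033bfbf5ac00f0d396":
        "kryp_XoxoxolUa_6.8_22.59.exe (Krypton Stealer binary)",
    "c5bc8c7d3b78d7e7b1ffa25130983e8498e127bb5fe2e2a05adb0838c7f6fb4a":
        "kryp_XoxoxolUa_6.8_22.59.rar (Krypton Stealer archive)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, iocs=KRYPTON_IOCS):
    """Walk a directory tree; return (path, sha256, description) for each file whose hash is a known indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo_scan():
    """Constructed demonstration: one benign sample file, swept twice.
    The first sweep uses the real Krypton hashes (expects no hit); the second
    adds the sample's own hash to the indicator set to show what a hit looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "kryp_constructed_sample.exe"  # constructed, not malware
        sample.write_bytes(b"constructed sample file, not malware\n")
        clean = scan_for_iocs(tmp)
        hit = scan_for_iocs(tmp, {sha256_file(sample): "constructed sample"})
        return len(clean), [(os.path.basename(p), desc) for p, _, desc in hit]


if __name__ == "__main__":
    print(demo_scan())  # (0, [('kryp_constructed_sample.exe', 'constructed sample')])
```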
Command & Control Server