Pentagon Stealer: Key Threats
Pentagon Stealer, in Python and Golang variants, steals sensitive data with advanced techniques:
· Data Theft: Extracts browser credentials, cookies, Atomic/Exodus wallet data, Discord/Telegram tokens, and files from Chromium- and Gecko-based browsers (Firefox, Zen, Waterfox).
· Multiple Versions: The malware is widely used under different names: 1312, Acab, Vilsa, and BLX Stealer.
· Crypto Wallet Injection: Replaces app.asar files in Atomic/Exodus wallets to steal mnemonics/passwords.
· Debug Mode: Launches Chromium browsers in debug mode to bypass DPAPI encryption, stealing unencrypted cookies.
· C2 Communication: Uses HTTP with pentagon[.]cy/stealer[.]cy servers; BLX uploads to gofile.io, sending links to C2.
Its evolution and integration into attack chains with droppers/miners amplify its risk.
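As an added detection example (not code from ANY.RUN or from the report), the following Python checks constructed endpoint telemetry for the three behaviours listed above: a Chromium browser started with a remote-debugging switch, a write to a wallet's app.asar, and traffic to the named C2/exfiltration hosts. The JSON-lines event schema, the sample events and the wallet install paths are assumptions of this example.

```python
import json
import re

# Constructed sample telemetry (not from the report). The keys "type", "image", "cmdline",
# "parent", "path", "host" and "method" are an assumed schema, not any vendor's format.
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --remote-debugging-port=9222 --headless","parent":"python.exe"}
{"type":"process","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --profile-directory=Default","parent":"explorer.exe"}
{"type":"file_write","image":"C:\\Users\\u\\AppData\\Local\\Temp\\build.exe","path":"C:\\Users\\u\\AppData\\Local\\Programs\\atomic\\resources\\app.asar"}
{"type":"network","image":"C:\\Users\\u\\AppData\\Local\\Temp\\build.exe","host":"pentagon.cy","method":"POST"}
{"type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","host":"example.org","method":"GET"}
"""

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe", "vivaldi.exe"}
# --remote-debugging-port / --remote-debugging-pipe are real Chromium switches that expose the
# DevTools protocol; this is the "debug mode" the report describes for DPAPI-free cookie access.
DEBUG_SWITCH = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
# Assumed layout: app.asar somewhere below a directory named atomic or exodus.
WALLET_ASAR = re.compile(r"[\\/](atomic|exodus)[\\/].*app\.asar$", re.IGNORECASE)
C2_HOSTS = {"pentagon.cy", "stealer.cy"}  # from the report
EXFIL_HOSTS = {"gofile.io"}               # BLX variant upload target, from the report

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect(events):
    alerts = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["type"] == "process" and image in CHROMIUM_IMAGES and DEBUG_SWITCH.search(ev.get("cmdline", "")):
            # A non-browser, non-shell parent (a script, a dropped binary) raises the severity:
            # users rarely expose DevTools from a script, stealers routinely do.
            benign_parents = CHROMIUM_IMAGES | {"explorer.exe"}
            severity = "high" if basename(ev.get("parent", "")) not in benign_parents else "medium"
            alerts.append({"rule": "chromium_remote_debugging", "severity": severity, "parent": ev.get("parent")})
        elif ev["type"] == "file_write" and WALLET_ASAR.search(ev.get("path", "")):
            alerts.append({"rule": "wallet_asar_replaced", "severity": "high", "writer": image})
        elif ev["type"] == "network":
            host = ev.get("host", "").lower()
            if host in C2_HOSTS:
                alerts.append({"rule": "pentagon_c2", "severity": "high", "host": host})
            elif host in EXFIL_HOSTS and ev.get("method") == "POST":
                alerts.append({"rule": "gofile_upload", "severity": "medium", "host": host})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```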
Read the analysis on ANY.RUN's blog.
How ANY.RUN Helps Businesses Counter Pentagon Stealer Attacks
ANY.RUN's Interactive Sandbox provides companies and SOC teams with the ability to detect and analyze Pentagon Stealer attacks.
Businesses can leverage its real-time insights to extract Indicators of Compromise (IOCs), monitor C2 communications, and trace infection chains, enabling fast detection and mitigation.
About ANY.RUN
ANY.RUN is a trusted partner for over 15,000 organizations in finance, healthcare, retail, technology, and beyond, delivering advanced malware analysis and threat intelligence products. Its cloud-based Interactive Sandbox, Threat Intelligence Lookup, and TI Feeds enable businesses to detect, analyze, and investigate the latest malware and phishing campaigns to streamline triage, response, and proactive security.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050