Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by. This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We’re talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

The one big thing 

This week is bittersweet because we’re discussing the final section of Talos’ 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

Why do I care? 

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

1. The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
2. Improved personalization and professionalization of social engineering 
3. Automated vulnerability discovery and exploitation 
4. Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

So now what? 

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

Top security headlines of the week 

AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover. The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek) 

4 Million Affected by VeriSource Data Breach. VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek) 

SAP NetWeaver Visual Composer Flaw Under Active Exploitation. CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading) 

FBI shares massive list of 42,000 LabHost phishing domains. The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

Can’t get enough Talos? 

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos’ latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn’t rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

Upcoming events where you can find Talos 

• PIVOTcon (May 7 – 9) Malaga, Spain 
• CTA TIPS 2025 (May 14 – 15)
 Arlington, VA 
• Cisco Connect UK & Ireland (May 20) London, UK 
• BotConf (May 20 – 23) Angers, France 
• Cisco Live U.S. (June 8 – 12) San Diego, CA

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/  
Typical Filename: VID001.exe 
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: img001.exe 
Detection Name: Simple_Custom_Detection 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: VID001.exe  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – ​Read More

The flow of new information we’re bombarded with never ebbs. In 2025, you get less and less room in your head for things like the password for the email account you set up back in 2020 to sign your mom up for that online marketplace. On World Password Day, which falls on May 1 this year, we suggest putting in a little effort to combat poor memory, weak passwords, and cybercrooks.

As our experts have repeatedly proven, it’s only a matter of time — and money — before someone targeting your password cracks it. Often, it takes very little time and money, too. Our mission is to complicate cracking your password as much as possible, so hackers lose any desire to go after your data.

Our study last year found that intelligent algorithms — whether running on a powerful graphics card like the RTX 4090 or on inexpensive leased cloud hardware — can crack 59% of all passwords in the world in under an hour. We’re in the middle of that study’s phase two, and we’re about to share whether the situation has changed for the better over the year, so subscribe to our blog or Telegram channel to be among the first to know.

Today’s conversation covers more than just the most secure authentication methods and ways to make strong passwords. We’ll discuss techniques for remembering passwords, and answer the question of why using a password manager in 2025 is a really good idea.

How to sign in more securely in 2025

There are several options for signing in to online services and websites today:

• The traditional login-and-password combination
• Logging in with a third-party service like Google, Facebook, Apple, etc.
• Two-factor authentication using one of the following methods for verification:
  • SMS one-time code
  • Authenticator app like Kaspersky Password Manager, Google Authenticator, or Microsoft Authenticator
  • Hardware key like Flipper, YubiKey, or a USB token
• Passkeys and biometric authentication

Naturally, any of these methods can be compromised (for example, by leaving your hardware token sticking out of the USB port of an unattended computer in a public place), or toughened up (for example, by creating a complex password of more than 20 random characters). And so, as the era of traditional passwords isn’t over just yet, let’s try to figure out how we can improve our current standing by coming up with and memorizing an easy-to-remember password.

How do you remember a complex password?

Before answering this question, let’s recall the basic truths about passwords:

• Recommended length: 12–16 characters.
• A password should use different types of characters: numbers, lowercase and uppercase letters, and special characters.
• A password shouldn’t contain personal information easily traced back to the user.
• A password needs to be unique to each of your accounts.

Got it? Good. Now for the key issue: a complex password is easy to forget; a simple one — easy to crack. To help you achieve a balance between the two, we’ve put together some well-known, but still effective rules for creating easy-to-remember passwords.

Basic level

String together some unrelated words like the ones used in seed phrases when registering crypto wallets. And add a couple of numbers and special characters on the end that are meaningful to you but won’t be easily guessed by an attacker.

Example: DryLandStandGift2015;)

Shorter words are easier to remember, and the number shouldn’t be the year you or a loved one was born. It could be any memorable combination, such as the year you first went to Disneyland, the license plate of your first car, or your wedding date.

Advanced level

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard. Using easily accessible special characters (those you see on your phone’s on-screen keyboard in numeric mode) is handier. This is how you can make a strong password that’s quick to type and makes your life easier.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Avada Kedavra spell for a good cause. Let’s try transforming this killing curse according to the rule above while peppering it generously with capital letters: A!ad@Kd$vr%. At first glance, a password like that looks impossible to remember, but all it takes is a little typing practice. Type it up two or three times, and you’ll see your fingers reaching for the right keys by themselves.

How about entrusting password generation to neural networks?

With the recent surge of ChatGPT and other large language models (LLMs), users have started turning to them for passwords. And it’s easy to see why that would be an appealing option: instead of straining to come up with a strong password, you just ask the AI assistant to generate it — with immediate results. And you can ask to make that password mnemonic if you wish to.

Alas, the danger of using AI as a strong password generator is that it creates combinations of characters that only appear random to the human eye. Passwords generated by AI are not as reliable as they may seem at first glance…

Alexey Antonov, Data Science Team Lead at Kaspersky, who conducted the previous password strength study, has generated a thousand passwords with ChatGPT, Llama, and DeepSeek each. It turned out each model knew that a good password consisted of at least a dozen characters, including both uppercase and lowercase letters, numbers, and special characters. However, DeepSeek and Llama sometimes generated passwords consisting of dictionary words, with some letters replaced with similar-looking numbers or symbols, such as B@n@n@7 or S1mP1eL1on. Amusingly, both models seemed to have a soft spot for the Password password, providing such variations as P@ssw0rd, P@ssw0rd!23, P@ssw0rd1, or P@ssw0rdV.

Needless to say, these are not secure passwords, as intelligent brute-forcing algorithms are well aware of the letter substitution trick. ChatGPT does a better job. Here are some examples of what it came up with:

• qLUx@^9Wp#YZ
• LU#@^9WpYqxZ
• YLU@x#Wp9q^Z
• P@zq^XWLY#v9
• v#@LqYXW^9pz

These seem to be completely random sets of letters, special characters, and numbers. However, if you look closely, you can easily find some patterns. Some characters, for example, 9, W, p, x, and L, are used more often than others. We compiled a character frequency histogram for all generated passwords, and here’s what we found: ChatGPT’s favorite letters are x and p, Llama loves the character # and is partial to p too, while DeepSeek is hooked on t and w. Meanwhile, a perfectly random number generator would never favor any particular letter over others, but use every character roughly an equal number of times, making the passwords less predictable.

In addition, LLMs, like humans, often neglect to insert special characters or numbers into passwords. A lack of these symbols was found in 26% of passwords generated by ChatGPT, 32% of those generated by Llama, and 29% by DeepSeek.

Awareness of these specifics can help cybercriminals bruteforce AI-generated passwords significantly faster. We ran the entire set of AI-generated passwords through the same algorithm we used for the previous study, only to find a discouraging trend: 88% of passwords generated by DeepSeek, and 87% by Llama, proved insufficiently secure. ChatGPT came out on top — with only 33% of its passwords insecure.

Sadly, LLMs don’t create a truly random distribution, and their output is predictable. Besides, they can easily generate the same password for you as for other users. So what should we do?

Combined approach

We recommend using our Password Checker service or, better yet, Kaspersky Password Manager, to generate passwords. These two use cryptographically secure generators to make passwords that don’t contain detectable patterns, which guarantees true randomness. After generating a strong password, you can then come up with a mnemonic phrase to remember it.

Let’s say the password generator gives you the following combination: HSVpk*VR0Gkq#R

Then, a phrase to help you remember the password might look like this: In a high-speed vehicle (HSV), you go over a peak (pk) and see a star (*) in virtual reality (VR). Then you fall at zero gravity (0G) and see the king and queen (kq) behind the bars (#) in a big tower shaped like a chess rook (R).

Only mnemonics can help with this, so we hope you like abstract and absurd imagery. You can also try drawing the scene that describes your password as shown above. Few would be able to understand the picture besides you. That’s an easy way to memorize one password. But what if there are hundreds of them?

How about storing passwords in a browser?

Not a good idea. To address the issue of remembering passwords, browser developers provide options to generate and save passwords right in the browsers. This is naturally very convenient: the browser itself fills in the password for you whenever needed. Unfortunately, a browser is not password manager, and storing passwords there is extremely insecure.

The problem is, cybercriminals figured out a long time ago how to use simple scripts to pull passwords stored in browsers in mere seconds. And the way browsers sync data across different devices in the cloud — such as through a Google account — is a disservice to users. All it takes is to hack or trick someone into giving up the password for that account, and all their other passwords are an open book.

Use a password manager

A real password manager stores all passwords in an encrypted vault. For example, Kaspersky Password Manager stores all your passwords in a vault encrypted with the AES-256 symmetric encryption algorithm, used by the U.S. National Security Agency to store state secrets. The algorithm uses a master password, which only you know (even we don’t know it) as the encryption key. Each time Kaspersky Password Manager is accessed, the app requests this password from you and decrypts the vault for the current session. In this same encrypted vault you can also store other important information such as bank card numbers, document scans, or notes.

Kaspersky Password Manager offers other useful features too:

• It can be used to generate unique and truly random password combinations.
• It can fill in your passwords for you both on computers and mobile devices.
• The app is provided for both major mobile platforms as well as macOS and Windows computers; there are also extensions for popular browsers.
• The password database is synchronized across all your devices in encrypted form.
• You can use it instead of Google Authenticator to generate 2FA codes for all your online accounts.
• It checks if your passwords have been leaked or compromised and alerts you if you need to change any of them.

With Kaspersky Password Manager, all you need do is use the methods described above to come up with and remember one master password, which is used to encrypt the password manager vault. Just remember: you’ll have to memorize this password extremely well, because if you lose it you’re back to square one. No one — not even Kaspersky employees — can access your encrypted vault. We don’t know your master password either.

Let’s recap

So how do you properly handle passwords in 2025?

• Follow the guidelines above to come up with a secure master password, and use our Password Checker service to test its cryptographic strength.
• Can’t think of a strong master password? Create one right there, and use mnemonic rules to memorize it.
• Install Kaspersky Password Manager on all your devices. With this app, you only need to remember the master password. The app will remember the rest for you.
• Use passkeys and various two-factor authentication methods wherever possible — preferably through the app. Combining a strong password with secure authentication methods creates a powerful synergy, which significantly enhances protection against unauthorized access to your accounts.
• Most importantly, read Kaspersky Daily to stay safe.

These posts can help you create the strongest passwords and manage them correctly:

• How to create strong passwords and where to store them
• How hackers can crack your password in an hour
• How to store passwords securely
• Passwords 101: don’t enter your passwords just anywhere they’re asked for
• Kaspersky Password Manager gets a new look

Kaspersky official blog – ​Read More

The current article provides technical analysis of an emerging malware named Pentagon Stealer. The research has been prepared by the analyst team at ANY.RUN. 

Key Takeaways 

• Variants: Exists in Python (AES-encrypted, multi-stage) and Golang (unencrypted, part of attack chains) versions. 

• Data Theft: Steals browser credentials, cookies, crypto wallet data (Atomic/Exodus), Discord/Telegram tokens, and specific files. 

• Debug Mode Exploitation: Launches Chromium-based browsers in debug mode to extract unencrypted cookies, bypassing DPAPI encryption for easier data theft. 

• Crypto Wallet Injection: Replaces app.asar files in Atomic/Exodus wallets with patched versions to steal mnemonics/passwords, using a public proof-of-concept available on GitHub. 

• Evolution and Campaigns: Spread via typosquatting, later under the names 1312, Acab, Vilsa, and BLX stealer. BLX adds clipboard, screenshot, and Steam/Epic data theft. 

• C2 Communication: Uses HTTP requests with servers like pentagon[.]cy and stealer[.]cy; BLX uploads to gofile.io, sending links to C2. 

• Ongoing Threat: Simple but persistent, with new variants showing minor updates, continuing to pose risks. 

How We Discovered Pentagon Stealer 

In early March of this year, when browsing Public submissions, the ANY.RUN team came across an interesting malware sample written in Golang. 

View sandbox analysis of the sample 

The malicious program exhibited unusual behavior, first terminating and then restarting processes of popular web browsers (Image 1). 

The malware also engaged in data theft, which was flagged by ANY.RUN’s Interactive Sandbox. 

To collect more context about this malware, we used Threat Intelligence Lookup (Image 3) with queries like the following one: 

domainName:”pentagon.cy” OR domainName:”stealer.cy” 

Among the search results, we identified a sandbox analysis of a website hosted on the domain pentagon.cy that featured the admin panel of this malware. Thus, we named it Pentagon Stealer. 

Exploring the website further, we discovered that there was also a Python-based version of this malicious program, available at pentagon[.]cy/paste?userid=<n>. You can see the page in this sandbox session. 

Considering the lack of public information on the malware and its potential to pose serious threat to our clients, we decided to analyze it and collect essential intel for effective detection of Pentagon Stealer. 

Here’s what we’ve found. 

Python Version of Pentagon Stealer 

Let’s start with the Python variant which still can be found on the attackers’ infrastructure to this day. Next, we’ll compare its functionality to that of the previous versions. 

Initial Stage: Script Dropper 

As seen in the sandbox analysis, the attack begins with a script dropper. Its purpose is to launch python_setup.py encrypted via Fernet using AES in CBC mode. 

Use this decryption recipe in CyberChef for decrypting the initial and all the following stages, as the algorithm remains unchanged, only the key changes. 

Main Stealer Module 

Once we decrypt the payload, we can see the code of the stealer’s main module. 

First, it checks whether the directory “%LOCALAPPDATA%/HD Realtek Audio Player” exists on the victim’s computer. If not, it creates it and continues execution. This is a technique used by the malware to check if the machine has already been infected.  

The malware then begins to steal a variety of data, including: 

• Login credentials, cookies, and extension data from Chromium-based browsers and cookie data from Mozilla Firefox 

• Data from apps for managing cryptocurrency wallets 

• Discord tokens and Telegram authorization data 

• Files with specific names and extensions from user directories 

There are also two actions performed by the malware that stand out from the rest and are worth a more detailed analysis: 

1. To steal cookies, Pentagon launches Chromium-based browsers in debug mode.  

2. The malware also replaces app.asar files used by Exodus and Atomic wallets. 

Let’s take a closer look at them. 

Injection into Atomic and Exodus Crypto Wallets 

The stealer can inject into two popular cryptocurrency wallet management applications: Atomic and Exodus. Both use Electron, which stores JavaScript code in app.asar files.  

The injection performed by Pentagon involves replacing these files with attacker-patched versions. 

The image above shows the stealer overwriting the app.asar content of both applications with data from its command server. Additionally, a loguuid is written to the LICENSE files in both cases, which allows the attackers to identify the victim.  

But why did they overwrite app.asar and what specific changes were made?  

Since .asar files are archives containing .js files, we can unpack them with 7-Zip with a special plugin to analyze the code. As expected, the goal here is to obtain the user’s mnemonic and password. The images below illustrate how this is done. 

The images show how a packet, containing the user’s password, mnemonic, and wallet type, is formed. One of the headers includes the loguuid. 

It’s worth noting that the attacker clearly used Inject_PoC in this part of the operation, as indicated by the code similarity.  

For example, the Atomic Wallet section from the PoC repository looks like this: 

The similarity is evident. The attacker just simplified the packet. In the case of Atomic, even the application version matches.  

For Exodus, the code segment from the repository looks like this: 

Launching Browsers in Debug Mode 

This is a common technique for obtaining cookies in unencrypted form. 

In short, this method causes some Chromium-based browsers to provide cookies in plaintext. If the standard method of extracting cookies from files were used, they would need to be decrypted, which can be problematic. 

These browsers use the DPAPI mechanism to protect sensitive data. If the malware is executed in the session of a user whose password was used in the encryption process, a call to the UnProtect() function may be enough to decrypt the data. Otherwise, decryption can be extremely difficult. In addition, the task may be complicated, for example, by the Application-Bound (App-Bound) Encryption method used in the latest versions of Chrome. 

Here’s how debugging helps to get cookies in an easier way:  

1. The browser is launched with a specified debugging port (default 9222). 

2. A GET request is made to http://localhost:9222/json, which returns a JSON response containing webSocketDebuggerUrl. 

3. Commands can be sent to this URL using the WebSocket protocol. 

4. Using the Network.getAllCookies command, the desired cookies are obtained, already decrypted by the browser. 

This method explains the unusual behavior of relaunching browser, which piqued our interest when we first came across Pentagon’s sample. 

Decryption and Transition to the Next Stage: runpython.py 

The final part of the stealer module is the decryption and launch of the next stage, runpython.py. 

Once we decrypt the payload, we can see the command used. 

Following the URL inside the command reveals the dropper script used for launching runpython.py. 

Yet Another Stage: Functionality of runpython.py 

Inside runpython.py, we can see the following bat-file: 

It follows this algorithm: 

1. Checks if it has access to system files, indicating admin rights. 

2. If not, creates a temporary VBS script to relaunch the current BAT script with admin rights. 

3. Creates the directory C:WindowsWinEmptyfold as an infection indicator. 

4. Runs PowerShell to add a Windows Defender exclusion, preventing it from scanning the C:/ drive. 

5. Downloads the next stage from a remote resource and executes it as RuntimeBroker.exe. 

6. Deletes files and directories used by the stealer. 

In all samples we have analyzed (example), Pentagon Stealer exclusively dropped Purecrypter which then deployed a miner. However, it is possible that there can be alternative payloads. 

Attack Chain and Timeline of Python-based Pentagon Stealer 

Pentagon Stealer’s chain of attack can be represented in the following way: 

Let’s now take a look at Pentagon’s development timeline and see what methods the attackers used for delivering it to victims. 

March 2024: Typosquatting Campaign 

One of the earliest campaigns we came across in our research involved masking Pentagon as popular PyPI Python packages using a technique called “typosquatting”. 

In this version, the malware couldn’t steal Web Data from Chromium browsers, unencrypted cookies via browser debugging, or Telegram data. Additionally, the protocol for interacting with the C2 server was more primitive: all information was written to files, which were then sent to funcaptcha[.]ru/delivery. 

September 2024: 1312 Stealer 

In another campaign, the stealer was available under the name 1312 Stealer. ANY.RUN’s Public submissions help us track changes in the admin panel.  

On September 2 2024, it appeared as follows: 

By September 23, it looked like this: 

A Telegram account is listed for contact, previously seen in Pentagon Stealer Admin Panel.  

This campaign used two domains: 1312services[.]ru and 1312stealing[.]ru.  

The code for this version can be viewed here. 

1312’s new functionality included stealing Web Data from Chromium-based browsers and Telegram tdata. Communication with the C2 server changed: passwords were sent to 1312services[.]ru/pw, Web Data to 1312services[.]ru/webdata, and everything else to 1312services[.]ru/delivery. 

Other Campaigns 

There are also versions of 1312 Stealer, which include Acab Stealer and Vilsa Stealer.  

Golang Version of Pentagon Stealer 

Now, it’s time to dissect the latest version of the stealer, which is currently being actively distributed. It kept the functionality of the Python version, but with some improvements described below. 

View sandbox analysis of the Golang version 

Unlike its Python counterpart, this variant does not download subsequent stages independently. Instead, it is used as one of the modules in the attack chain, as shown by sandbox analysis. Learn more about this in the ‘Infection Methods’ section. 

Upon launch, the stealer hides its console window and checks for the directory %LOCALAPPDATA%Realtek HD Audio Service on the victim’s computer, indicating previous execution.  

It then begins collecting information as described. The main improvement, unique to the Golang version, is the ability to steal data not only from Firefox but also from other Gecko-based browsers, including: 

The malware now can steal passwords from these browsers, in addition to cookies. The rest of the functionality remains unchanged, though the programming language has been altered. 

C2 Communication Protocol 

Regarding interaction with the C2 server, recent malware versions use two domains: stealer[.]cy and pentagon[.]cy. The communication method is identical in both the latest Python and Golang versions. 

The stealer and command server communicate via HTTP requests. Upon log creation (create_log()), the victim sends the number of collected passwords, cookies, Discord tokens, and names of all collected files. The server responds with either a rejection or a log_uuid, which is subsequently used as the victim’s identifier, replacing the previously hardcoded uuid. 

Infection Methods 

Notably, the Golang version of the stealer lacks any encryption of its code and strings, which is unusual since each subsequent stage of its Python counterpart is encrypted using AES. This suggests the possible existence of a dropper or loader.  

A search in TI Lookup involving the stealer yielded the following analysis. 

Here is the sample’s execution chain: 

The initial attack stage involved running an NSIS installer named BlumBot.exe. This installer executed a VBS script that displayed a familiar message, “vcruntime140.dll is missing from your computer”. It then proceeds to launch the next stage, Installer.exe. 

Notably, reverse-engineering BlumBot.exe was not necessary to uncover this. A tool capable of unpacking NSIS installers and extracting the .nsi script was enough. In our investigation, we used NanaZip.  

NSIS installer in NanaZip: 

Fragment of the .nsi script: 

Installer.exe is a loader written in Golang. Its sole purpose is to download and execute two files, ByPass.exe and Main.exe, from biteblob[.]com, and then send a Telegram message confirming successful execution. 

Following this, the stealer and a second module, which is actually a miner, are executed. 

This is just one example of how Pentagon Stealer is used. In Public Submissions, you can frequently observe samples of various malware using this stealer as one stage in an attack chain. 

Further Evolution of Pentagon Stealer 

As mentioned, this malware has appeared under various names, although its core functionality remains unchanged, with only minor logical modifications. This trend continues today.  

For instance, we recently discovered samples of a stealer with identical code but named BLX Stealer, as indicated by code strings and description in this article.  

View sandbox analysis of BLX Stealer 

The attack consists of multiple stages, but we focus on the stealer itself.  

This version is written in Python, like its predecessors, but is packaged into an executable using PyInstaller. With pyinstxtractor and pylingual.io, we successfully reconstructed the stealer’s source code for analysis. 

Regarding functionality, this version did not branch out from the latest Pentagon Stealer, as it lacks crypto-wallet injection and data theft from Gecko-based browsers other than Mozilla Firefox.  

Yet, it has unique features not previously observed: 

• Extracts clipboard content 

• Captures screenshots 

• Reads system information 

• Retrieves additional Discord user information, including two-factor authentication status, Nitro subscription type, and user badges 

• Steals Steam and Epic Games account data 

The communication protocol with the C2 server is also noteworthy. The stealer does not send files directly; instead, it uploads them to gofile.io and then sends the access link to http[:]//<ip>/tgproxy/{USERID}/.

We also discovered a sample with the capability to steal NordVPN configuration files (user.config). 

Conclusion 

Pentagon Stealer cannot be considered malware capable of complex targeted attacks due to its simplicity. Its development history shows that authors often merely changed the domain, leaving the functionality intact. However, a year has passed since its first mention, and it has undergone modifications, with the most significant changes occurring this year. The story is far from over, as new, more complex versions continue to emerge, albeit from different authors. 

IOCs and TTPs

MITRE ATT&CK 

IOCs

DNS requests

• pentagon[.]cy 

• stealer[.]cy 

HTTP/HTTPS requests

• https://pentagon[.]cy/create_log 

• https://pentagon[.]cy/log_data 

• https://pentagon[.]cy/log_files 

• https://pentagon[.]cy/exodus 

• https://pentagon[.]cy/atomic  

• https://pentagon[.]cy/wallet_injection 

The post Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More