How info stealers work
by jmpqwordptr - Monday January 26, 2026 at 04:29 AM
#1
Was good everyone, I just wanted to ask 1 question. It's basically how info stealers work on Windows. I've played around with Windows exploits for a bit, but the only thing that has really confused me is just how exactly info stealers work (especially the ones that steal info from browsers and whatnot).

I don't need any sort of in-depth explanation; a high-level one will do just fine.
Reply
#2
Info stealers on Windows follow this high-level flow:

  1. Delivery: Phishing (EXE/LNK), drive-by (JS/PowerShell), or cracked software bundles.
  2. Persistence: Registry (Run keys, HKCU\Software\Microsoft\Windows\CurrentVersion\Run), scheduled tasks, or WMI events.
  3. Recon: Enum browsers (Chrome/SQLite), desktops (screenshot), processes (tasklist), network (ipconfig), creds (LSASS dump via Mimikatz-like).
  4. Steal core data:
    • Browsers: Parse Chrome/Firefox SQLite DBs for cookies/passwords/history (unencrypted in memory or DPAPI).
    • Wallets: Scan %AppData% for MetaMask, Exodus files.
    • Tokens: Grab login tokens from Chrome Local State/AppData.
  5. Exfil: HTTP POST to C2 (Discord/Telegram bots common), often split payloads, or Dropbox/FTP.
  6. Cleanup: Self-delete, clear event logs (wevtutil cl), anti-VM checks.

They run as EXE/DLL (injected via CreateRemoteThread), often packed/obfuscated. C2 typically via HTTPS to evade firewalls.

Thinking about getting Santa?

Happy Hacking
Reply
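The flow in reply #2 maps onto a handful of host behaviours a defender can watch for: a new Run-key value, a non-browser process reading browser credential stores, a non-browser process talking to Discord/Telegram, and wevtutil clearing an event log. The script below is an added example (not from the thread or any poster) that runs those four rules over a small constructed log and then correlates hits per process; the "type|image|detail" record format and the sample lines are hypothetical, not real Sysmon or EVTX output, and the thresholds are arbitrary.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log in a hypothetical normalized format: "type|image|detail".
# Event types assumed here: proc_create, reg_set, file_read, net_connect.
SAMPLE_LOG = r"""
proc_create|C:\Windows\System32\svchost.exe|-k netsvcs
reg_set|C:\Users\bob\AppData\Local\Temp\upd.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater
file_read|C:\Users\bob\AppData\Local\Temp\upd.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
file_read|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
net_connect|C:\Users\bob\AppData\Local\Temp\upd.exe|discord.com:443
net_connect|C:\Program Files\Google\Chrome\Application\chrome.exe|discord.com:443
proc_create|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
"""

# Persistence: any value written under ...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Browser credential/cookie stores (Chrome/Edge and Firefox file names).
BROWSER_STORE_RE = re.compile(
    r"\\(Login Data|Cookies|Local State|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
# Chat platforms commonly abused as C2/exfil endpoints (from the reply above).
EXFIL_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org"}
# Processes that legitimately touch browser stores and chat domains.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'type|image|detail' record into a dict."""
    typ, image, detail = line.split("|", 2)
    return {"type": typ, "image": image, "detail": detail}


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a 'tactic:rule' tag if the event matches a stealer behaviour."""
    proc = basename(ev["image"])
    typ, detail = ev["type"], ev["detail"]
    if typ == "reg_set" and RUN_KEY_RE.search(detail):
        return "persistence:run_key_write"
    if typ == "proc_create" and proc == "wevtutil.exe" and re.search(r"\bcl\b", detail, re.I):
        return "defense_evasion:event_log_cleared"
    if typ == "file_read" and BROWSER_STORE_RE.search(detail) and proc not in BROWSER_PROCS:
        return "credential_access:browser_store_read"
    if typ == "net_connect" and proc not in BROWSER_PROCS:
        host = detail.rsplit(":", 1)[0].lower()
        if host in EXFIL_HOSTS:
            return "exfiltration:chat_platform_from_nonbrowser"
    return None


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Run every rule over the log; returns (tag, process) pairs for hits."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            findings.append((tag, basename(ev["image"])))
    return findings


def correlate(findings: List[Tuple[str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Group hits by process and keep those spanning >= threshold distinct tactics.
    A single Run-key write is noisy on its own; the same binary also reading
    'Login Data' and posting to Discord is the stealer pattern."""
    by_proc: Dict[str, set] = {}
    for tag, proc in findings:
        by_proc.setdefault(proc, set()).add(tag.split(":", 1)[0])
    return {p: sorted(t) for p, t in by_proc.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for tag, proc in hits:
        print(f"{proc:14} {tag}")
    print("suspects:", correlate(hits))
```

In the sample, chrome.exe reading its own Login Data and connecting to discord.com is ignored, while upd.exe trips persistence, credential access and exfiltration and is the only process the correlation step flags; the wevtutil hit stays a single-tactic finding worth an alert of its own.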
#3
Thanks for the reply. Also, apparently some of the Santa source code got leaked lmao. Since I've written this post I have been able to accomplish some of these things (decryption functions for DPAPI and AES, enumerating browser local AppData, as well as the injector (remote mapping injection)). There is still a fuck ton more to do and I'll likely add other applications/information to steal, but for right now I'm just focused on browsers. I was also thinking about making a payload which decrypts the DPAPI/AES blobs, but we will see.
Reply