Demystifying Myth Stealer: A Rust Based InfoStealer

    Date: 06/06/2025

    Severity: Medium

    Summary

    Myth Stealer is a Rust-based infostealer marketed on Telegram since late December 2024. Distributed through fraudulent gaming websites, it tricks users with a fake window while secretly stealing passwords, cookies, and autofill data from Gecko- and Chromium-based browsers. The malware uses anti-analysis techniques and is regularly updated to evade detection, adding features like screen capture and clipboard hijacking.

    Indicators of Compromise (IOC) List 

    URL/Domain

    https://cheatglobal.com/konu/ddrace-krx-ultimate-crack.72186/page-1

    https://gofile.io/d/tr1WIK

    http://everlight-beta.netlify.app/

    https://yomiragame.blogspot.com/2025/03/yomiragame.html

    https://luraka-game.github.io/luraka/

    https://www.plaquist-simulator.com/

    myth.cocukporno.lol

    https://185.224.3.219/screen

    https://discord.com/api/webhooks/1324002441498202153/0KSAK6Fw00eryKz4BpysAJbo4jCxaJY3bRlcZGdmFhx03854FFdFvic1hQZDaZ2fmUIr

    http://82.153.138.221:7340/post

    https://185.224.3.219:8080/api/send

    Hash

    1847288195fcfc03fc186bf4eead4268048ef5e082dedb963b3450ee07c23883

    65a84024daf30c12fd2e76db661bf6e85f3da30bb3aaa7e774152855d718b0c4

    e5d09da6648add4776de8091b0182b935405791bf41476465b0e7dcb066fc0dc

    f7cb6626e311181d9ded9536b1fbdf709b8254abd8d0810e04cebefea2fed131

    acd66cb5f1447b803245c495400ad0886352920e35defcca6c45519fb7d33693

    c7ae9d808e97fe6d6bf97aaf0775b9b6e68449f10bcc933bf07ba9d34d75a379

    6c54e6648a6a33583d7707a9f7c5e83dd08ed481df6354c52e8f81e729d74a82

    7e2bed39eea850960a0d043e6e671154f413f5fe2cc7cafe6d92c903b3a2e8d1

    b180f6f9f7eb0bb1a12a7e7c8216499366419b1083c84c4af5b0ee69b3016186

    0631a62a173833c7c821989e63f77632ecce30ca5a7049db4898ff0505abf32e

    565863cf176e5d094e75e31844eb542ca07c516673ed245a424d7326bd474e0b

    2e2cf06b6c7949b139356fb95c7ac0246c94f769d85dfa85122c004b9a2989e7

    858ec188573e8989c9be47263c8520fe8546a583dfd35e62241dc26f4ba90491

    55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2

    100a36c2c6934b93f00dc7432bb1c6c4d849586d851fd6358d062435d1e3dae7

    4caa37c208ce1bb54791c0b13af2bd45bf90ea456098aaca37a0a9c53ebdccff

    d147b9bde49b53e83b9c0b37d2001ccf7d195371672e782d58a12ef639efa95c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://everlight-beta.netlify.app/" or siteurl like "http://everlight-beta.netlify.app/" or url like "http://everlight-beta.netlify.app/" or domainname like "http://82.153.138.221:7340/post" or siteurl like "http://82.153.138.221:7340/post" or url like "http://82.153.138.221:7340/post" or domainname like "https://cheatglobal.com/konu/ddrace-krx-ultimate-crack.72186/page-1" or siteurl like "https://cheatglobal.com/konu/ddrace-krx-ultimate-crack.72186/page-1" or url like "https://cheatglobal.com/konu/ddrace-krx-ultimate-crack.72186/page-1" or domainname like "https://gofile.io/d/tr1WIK" or siteurl like "https://gofile.io/d/tr1WIK" or url like "https://gofile.io/d/tr1WIK" or domainname like "https://yomiragame.blogspot.com/2025/03/yomiragame.html" or siteurl like "https://yomiragame.blogspot.com/2025/03/yomiragame.html" or url like "https://yomiragame.blogspot.com/2025/03/yomiragame.html" or domainname like "https://luraka-game.github.io/luraka/" or siteurl like "https://luraka-game.github.io/luraka/" or url like "https://luraka-game.github.io/luraka/" or domainname like "https://www.plaquist-simulator.com/" or siteurl like "https://www.plaquist-simulator.com/" or url like "https://www.plaquist-simulator.com/" or domainname like "myth.cocukporno.lol" or siteurl like "myth.cocukporno.lol" or url like "myth.cocukporno.lol" or domainname like "https://185.224.3.219/screen" or siteurl like "https://185.224.3.219/screen" or url like "https://185.224.3.219/screen" or domainname like "https://discord.com/api/webhooks/1324002441498202153/0KSAK6Fw00eryKz4BpysAJbo4jCxaJY3bRlcZGdmFhx03854FFdFvic1hQZDaZ2fmUIr" or siteurl like "https://discord.com/api/webhooks/1324002441498202153/0KSAK6Fw00eryKz4BpysAJbo4jCxaJY3bRlcZGdmFhx03854FFdFvic1hQZDaZ2fmUIr" or url like "https://discord.com/api/webhooks/1324002441498202153/0KSAK6Fw00eryKz4BpysAJbo4jCxaJY3bRlcZGdmFhx03854FFdFvic1hQZDaZ2fmUIr" or domainname like "https://185.224.3.219:8080/api/send" or siteurl like "https://185.224.3.219:8080/api/send" or url like "https://185.224.3.219:8080/api/send"

    Detection Query 2:

    sha256hash IN ("e5d09da6648add4776de8091b0182b935405791bf41476465b0e7dcb066fc0dc","1847288195fcfc03fc186bf4eead4268048ef5e082dedb963b3450ee07c23883","0631a62a173833c7c821989e63f77632ecce30ca5a7049db4898ff0505abf32e","4caa37c208ce1bb54791c0b13af2bd45bf90ea456098aaca37a0a9c53ebdccff","d147b9bde49b53e83b9c0b37d2001ccf7d195371672e782d58a12ef639efa95c","65a84024daf30c12fd2e76db661bf6e85f3da30bb3aaa7e774152855d718b0c4","f7cb6626e311181d9ded9536b1fbdf709b8254abd8d0810e04cebefea2fed131","565863cf176e5d094e75e31844eb542ca07c516673ed245a424d7326bd474e0b","100a36c2c6934b93f00dc7432bb1c6c4d849586d851fd6358d062435d1e3dae7","c7ae9d808e97fe6d6bf97aaf0775b9b6e68449f10bcc933bf07ba9d34d75a379","acd66cb5f1447b803245c495400ad0886352920e35defcca6c45519fb7d33693","2e2cf06b6c7949b139356fb95c7ac0246c94f769d85dfa85122c004b9a2989e7","b180f6f9f7eb0bb1a12a7e7c8216499366419b1083c84c4af5b0ee69b3016186","55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2","6c54e6648a6a33583d7707a9f7c5e83dd08ed481df6354c52e8f81e729d74a82","7e2bed39eea850960a0d043e6e671154f413f5fe2cc7cafe6d92c903b3a2e8d1","858ec188573e8989c9be47263c8520fe8546a583dfd35e62241dc26f4ba90491")
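    The two queries above compare full URL strings and SHA-256 values against the indicator list; written with `like` and no wildcard, Query 1 only fires when a field holds exactly the listed string, so a `domainname` field that carries a bare host never matches a full-URL indicator. The following is an added example, not Gurucul's query engine or Trellix's code: it applies the same two checks to event dictionaries whose field names are taken from the queries (`domainname`, `siteurl`, `url`, `sha256hash`), normalises case and trailing slashes for exact matching, and adds a host-level match for the attacker-controlled hosts while keeping shared-platform hosts (discord.com, gofile.io) on exact-URL matching only, so every Discord or Gofile user is not flagged. The sample events are constructed, not real telemetry.

```python
"""IOC matcher for the Myth Stealer indicators listed on this page (added example)."""
from urllib.parse import urlsplit

# Network indicators copied from the IOC list above.
NETWORK_IOCS = [
    "https://cheatglobal.com/konu/ddrace-krx-ultimate-crack.72186/page-1",
    "https://gofile.io/d/tr1WIK",
    "http://everlight-beta.netlify.app/",
    "https://yomiragame.blogspot.com/2025/03/yomiragame.html",
    "https://luraka-game.github.io/luraka/",
    "https://www.plaquist-simulator.com/",
    "myth.cocukporno.lol",
    "https://185.224.3.219/screen",
    "https://discord.com/api/webhooks/1324002441498202153/0KSAK6Fw00eryKz4BpysAJbo4jCxaJY3bRlcZGdmFhx03854FFdFvic1hQZDaZ2fmUIr",
    "http://82.153.138.221:7340/post",
    "https://185.224.3.219:8080/api/send",
]

# SHA-256 hashes copied from the IOC list above.
HASH_SET = {
    "1847288195fcfc03fc186bf4eead4268048ef5e082dedb963b3450ee07c23883",
    "65a84024daf30c12fd2e76db661bf6e85f3da30bb3aaa7e774152855d718b0c4",
    "e5d09da6648add4776de8091b0182b935405791bf41476465b0e7dcb066fc0dc",
    "f7cb6626e311181d9ded9536b1fbdf709b8254abd8d0810e04cebefea2fed131",
    "acd66cb5f1447b803245c495400ad0886352920e35defcca6c45519fb7d33693",
    "c7ae9d808e97fe6d6bf97aaf0775b9b6e68449f10bcc933bf07ba9d34d75a379",
    "6c54e6648a6a33583d7707a9f7c5e83dd08ed481df6354c52e8f81e729d74a82",
    "7e2bed39eea850960a0d043e6e671154f413f5fe2cc7cafe6d92c903b3a2e8d1",
    "b180f6f9f7eb0bb1a12a7e7c8216499366419b1083c84c4af5b0ee69b3016186",
    "0631a62a173833c7c821989e63f77632ecce30ca5a7049db4898ff0505abf32e",
    "565863cf176e5d094e75e31844eb542ca07c516673ed245a424d7326bd474e0b",
    "2e2cf06b6c7949b139356fb95c7ac0246c94f769d85dfa85122c004b9a2989e7",
    "858ec188573e8989c9be47263c8520fe8546a583dfd35e62241dc26f4ba90491",
    "55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2",
    "100a36c2c6934b93f00dc7432bb1c6c4d849586d851fd6358d062435d1e3dae7",
    "4caa37c208ce1bb54791c0b13af2bd45bf90ea456098aaca37a0a9c53ebdccff",
    "d147b9bde49b53e83b9c0b37d2001ccf7d195371672e782d58a12ef639efa95c",
}

# Apex hosts of shared services: a host-level match would flag every user of
# the platform, so these indicators fire only on the exact URL.
SHARED_SERVICE_HOSTS = {"discord.com", "gofile.io"}


def host_of(value):
    """Lower-cased hostname (port removed) of a URL or bare host string."""
    v = value.strip()
    if "://" not in v:
        v = "//" + v  # make urlsplit treat a bare host as the netloc
    return (urlsplit(v).hostname or "").lower()


def norm_url(value):
    """Canonical form for exact matching: lower-cased scheme and host, trailing
    slash dropped, path and query kept case-sensitive (gofile ids are)."""
    v = value.strip()
    if "://" not in v:
        return v.lower().rstrip("/")
    p = urlsplit(v)
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}{query}"


URL_SET = {norm_url(i) for i in NETWORK_IOCS}
HOST_SET = {host_of(i) for i in NETWORK_IOCS} - SHARED_SERVICE_HOSTS


def match_event(event):
    """Return a label for every indicator that fires on one event dict."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if not value:
            continue
        if norm_url(value) in URL_SET:        # Detection Query 1, exact form
            hits.append(f"{field}:exact:{norm_url(value)}")
        elif host_of(value) in HOST_SET:      # broader host-level form
            hits.append(f"{field}:host:{host_of(value)}")
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in HASH_SET:                    # Detection Query 2
        hits.append(f"sha256hash:{digest}")
    return hits


def scan(events):
    """Map event index -> hit labels for each event matching at least one IOC."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://185.224.3.219:8080/api/send"},                 # exact hit
    {"domainname": "myth.cocukporno.lol"},                          # bare-host hit
    {"siteurl": "HTTP://EVERLIGHT-BETA.NETLIFY.APP",                # case/slash normalised
     "sha256hash": "E5D09DA6648ADD4776DE8091B0182B935405791BF41476465B0E7DCB066FC0DC"},
    {"url": "https://discord.com/api/webhooks/000000000000000000/placeholder-not-an-ioc"},  # no hit
    {"url": "https://luraka-game.github.io/luraka/other.html"},     # host-level hit
    {"sha256hash": "0" * 64},                                       # no hit
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```

Running the block reports events 0, 1, 2 and 4. The host-level branch is deliberately kept separate from the exact branch in the labels so an analyst can tell a confirmed-URL sighting from a same-host sighting when triaging.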

    Reference:

    https://www.trellix.com/blogs/research/demystifying-myth-stealer-a-rust-based-infostealer/


    Tags

    Malware, Myth Stealer, Infostealer, Clipboard hijacking, Screen capture


