New Python Trojan XillenStealer Targets Windows Users
The newly discovered Python trojan XillenStealer, identified by researchers at Cyfirma, poses a grave threat to Windows users. Engineered to harvest system information, stored credentials, and cryptocurrency wallets, it also bundles an array of features that enable even novice attackers to configure campaigns via a user-friendly interface. Its public availability on GitHub dramatically lowers the barrier to entry for cybercrime.
XillenStealer is distributed as XillenStealer Builder V3.0, a builder application with a Tkinter graphical front end. The control panel lets operators select targets, configure exfiltration channels, and tailor payloads without deep technical expertise. To prevent unauthorized use, the builder employs SHA-256 hash checks; for data exfiltration it supports integration with Telegram bots.
A flexible, modular architecture permits bespoke attack assemblies. Operators can opt to steal data from Discord, Steam, Telegram, gaming launchers, and cryptocurrency wallets, and can attach dedicated modules for browser-specific harvesting. Supported browsers include Chrome, Edge, Brave, Vivaldi, Opera, and Firefox. Credentials and history are extracted directly from SQLite databases (Login Data and History) and then decrypted with built-in routines to reveal plaintext passwords.
Particular attention is paid to cryptocurrencies: XillenStealer targets keys and wallet files for Exodus, AtomicWallet, Coinomi, and Electrum. Concurrently it harvests Discord tokens, Steam credentials, and Telegram session files. The final report is produced in both an HTML summary and a plain-text log; archives larger than 45 MB are split for transmission via Telegram, and files are purged from the victim’s device after successful exfiltration.
To evade detection, the trojan employs anti-analysis checks and virtual-environment detection. It probes for VMware, VirtualBox, and QEMU indicators, scans for debugger processes, and looks for drivers such as vboxguest.sys. For persistence it creates scheduled tasks disguised as “System Maintenance Task” (or equivalent cron-like jobs on Linux) and attempts process injection into Windows processes like explorer.exe, though the injection mechanism is not always reliable.
Researchers traced the project to developers operating under the Xillen Killers brand. The GitHub repository was published by a user named BengaminButton, who claims to be 15 years old yet presents himself in the community as a full-stack developer and penetration tester. The group’s site serves as a marketplace for tools ranging from DDoS platforms to exploits and network intrusion utilities.
The danger of XillenStealer lies not only in its breadth of capabilities but in its open distribution. The ability to assemble a tailored configuration makes the tool versatile: both inexperienced actors and seasoned criminals can wield it to launch targeted campaigns against individuals and organizations. Experts note that XillenStealer exemplifies the professionalization of underground services—complete with documentation, support, and a user community.
Organizations are advised to deploy EDR solutions capable of flagging suspicious access to browser databases, attempted process injections, and anomalous connections to Telegram endpoints. Equally important is user education: employees must be trained not to run software from untrusted sources. The emergence of tools like XillenStealer underscores a worrying trend—data thieves are becoming ever more sophisticated while simultaneously making their trade accessible to a far wider pool of attackers.
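One way to turn the detection advice above into concrete telemetry rules, as an added example that is not from the Cyfirma report or from the tool itself: it scans endpoint events (file reads, scheduled-task creation, outbound connections) for the three behaviours the paragraph names. The event field names, the browser process allowlist and the sample records are assumptions constructed for this example.

```python
import posixpath
from dataclasses import dataclass

# Chromium-family credential and history stores named in the article (SQLite files).
BROWSER_DB_NAMES = {"login data", "history"}
# Processes expected to open those stores; anything else touching them is suspect.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe", "firefox.exe"}
# Exfiltration channel named in the article; the official client is allowlisted.
TELEGRAM_HOSTS = {"api.telegram.org"}
TELEGRAM_CLIENTS = {"telegram.exe"}
# Persistence task name named in the article.
SUSPECT_TASK_NAMES = {"system maintenance task"}

@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str

def triage(events):
    """Return one Finding per event that matches a detection rule (assumed event schema)."""
    findings = []
    for ev in events:
        proc = ev.get("process", "").lower()
        kind = ev.get("type")
        if kind == "file_read":
            # Normalise Windows separators so the basename check works on either style.
            name = posixpath.basename(ev["path"].replace("\\", "/")).lower()
            if name in BROWSER_DB_NAMES and proc not in BROWSER_PROCS:
                findings.append(Finding("browser_db_access", proc, ev["path"]))
        elif kind == "task_create":
            if ev["task_name"].strip().lower() in SUSPECT_TASK_NAMES:
                findings.append(Finding("suspicious_task", proc, ev["task_name"]))
        elif kind == "net_connect":
            if ev["dest_host"].lower() in TELEGRAM_HOSTS and proc not in BROWSER_PROCS | TELEGRAM_CLIENTS:
                findings.append(Finding("telegram_exfil", proc, ev["dest_host"]))
    return findings

# Constructed sample telemetry (not real logs): a benign line beside a hit for each rule.
SAMPLE_EVENTS = [
    {"type": "file_read", "process": "chrome.exe", "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": "python.exe", "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": "python.exe", "path": r"C:\Users\a\AppData\Local\Microsoft\Edge\User Data\Default\History"},
    {"type": "task_create", "process": "schtasks.exe", "task_name": "System Maintenance Task"},
    {"type": "task_create", "process": "schtasks.exe", "task_name": "OneDrive Standalone Update"},
    {"type": "net_connect", "process": "Telegram.exe", "dest_host": "api.telegram.org"},
    {"type": "net_connect", "process": "python.exe", "dest_host": "api.telegram.org"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Each rule alone is noisy (browsers do get legitimately inspected by backup and security software), so in practice these findings are correlated per host and process before alerting.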