WallStealer: A Full-Featured Infostealer Whose Operator Put Their C2 Domain as Their Steam Display Name
TL;DR: WallStealer is a 64-bit Windows stealer with genuinely sophisticated internals -- Chrome App-Bound Encryption bypass via named pipe interception, direct NT syscall EDR evasion, process injection, and 324+ AES-encrypted runtime strings. It steals credentials from Chrome, Edge, Brave, and Firefox, captures screenshots, exfiltrates via Telegram Bot API, and provides a remote shell. The operator protected all of this behind the YONDEXCRYPT#2 crypter. Then they embedded their Steam account in the binary -- display name set to the C2 domain dinitro.buzz -- alongside their panel username ldvg113421. The server at 91.92.34.54 hosts a Russian-language phishing page impersonating Magadan State University on port 8080. Nine prior WallStealer IOC sightings on ThreatFox date back to December 2025. The technical sophistication and operational security failure exist in the same binary.
The OPSEC Failure
The binary at 6080aa379fe813634b16f7f395a2c8d16fe5540e003c8c773b8692756c74c55e contains three hardcoded identifiers that should never appear in a production stealer:
| Artifact | Value | Intelligence Value |
|---|---|---|
| Steam ID | 76561199691513242 | Operator's personal gaming account |
| Steam Display Name | dinitro.buzz | The C2 domain itself |
| Panel Username | ldvg113421 | Operator's admin credential for the stealer panel |
| Mutex | dahfghghcxsa | Instance fingerprint |
| Build ID | qkh2MkU1 | Build tracking tag |
Steam ID 76561199691513242 resolves to a Steam Community profile. The display name is dinitro.buzz -- the primary command-and-control domain for this stealer. This is not a stolen credential harvested from a victim. This is the operator's own Steam account, and they set their display name to their own malware infrastructure. The panel username ldvg113421 embedded alongside it further confirms this is operator-side configuration data baked into the build.
The contrast is striking. Everything else about this binary suggests a developer who knows what they are doing. The OPSEC suggests they do not think anyone will look.
Technical Analysis
Sample Overview
| Property | Value |
|---|---|
| SHA-256 | 6080aa379fe813634b16f7f395a2c8d16fe5540e003c8c773b8692756c74c55e |
| File Type | PE32+ (64-bit) |
| Size | 1.68 MB |
| Compile Time | 2026-03-13 09:03:50 UTC |
| Crypter | YONDEXCRYPT#2 |
| Encrypted Strings | 324+ constants, AES-decrypted at runtime via BCrypt |
String Encryption: 324+ AES Constants
WallStealer does not store operational strings in cleartext. Over 324 string constants are encrypted and decrypted at runtime using Windows BCrypt AES primitives. Function names, API calls, registry paths, browser profile locations, and C2 parameters are all resolved dynamically. This defeats static string extraction and complicates YARA rule development -- there are no plaintext IOCs to match in the binary at rest.
Chrome App-Bound Encryption Bypass
The most technically notable capability is the Chrome App-Bound Encryption (ABE) bypass. Chrome 127+ introduced ABE to protect cookies and credentials using a system-level encryption key that is bound to the Chrome application identity. The protection is designed to prevent non-Chrome processes from decrypting stored credentials even with DPAPI access.
WallStealer bypasses this by exploiting Chrome's own IPC mechanism:
- Creates a named pipe at \\.\pipe\browser_key_pipe
- Invokes Chrome's OSCrypt.AppBoundProvider.Decrypt interface through the pipe
- Chrome itself performs the decryption, believing the request originates from an authorized component
- The decrypted key material is returned over the pipe to the stealer
This is not a brute-force attack on the encryption. It is a design-level bypass that uses Chrome as an unwitting decryption oracle. The technique works because ABE validates the calling application identity at the COM level but the named pipe interface does not enforce equivalent restrictions.
EDR Evasion: Direct NT Syscalls
WallStealer bypasses userland API hooks by making direct NT system calls, avoiding the ntdll.dll functions that EDR products typically instrument:
- NtOpenKey / NtQueryValueKey -- Registry access without advapi32.dll
- NtCreateFile -- File operations without kernel32.dll
- Additional NT-level calls for process and memory operations
This technique -- commonly called "direct syscalls" or "syscall stubs" -- renders inline hooking ineffective. EDR solutions that rely on ntdll.dll detours will not see these operations. Kernel-level ETW telemetry or minifilter drivers are required for detection.
Process Injection
The binary includes a standard but complete process injection toolkit:
- VirtualAllocEx -- Allocate memory in the remote process
- WriteProcessMemory -- Write the payload to the allocated region
- CreateRemoteThread -- Execute the injected code
This is the classic VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread chain (T1055.002). Combined with the direct syscall capability, the injected code can operate in a target process while evading both process-level and API-level monitoring.
Credential Theft
WallStealer targets four browser families with tailored extraction methods:
| Browser | Extraction Method |
|---|---|
| Google Chrome | ABE bypass (named pipe) + DPAPI fallback |
| Microsoft Edge | DPAPI / BCrypt decryption |
| Brave | DPAPI / BCrypt decryption |
| Mozilla Firefox | Native credential database parsing |
DPAPI-protected credentials are decrypted using BCrypt APIs. The ABE bypass is Chrome-specific -- Edge, Brave, and Firefox do not implement App-Bound Encryption and fall back to standard DPAPI extraction.
Screenshot Capture
Screenshots are captured using the GDI BitBlt function to copy the screen buffer, then encoded to PNG via GDI+ before exfiltration. This is a lightweight, dependency-free approach that does not require any third-party libraries.
Remote Shell
The stealer includes a get_shell command handler that provides the operator with interactive command execution on the victim machine. This elevates WallStealer from a grab-and-go stealer to a persistent access tool -- the operator can issue arbitrary commands after initial credential theft.
Exfiltration
All stolen data is exfiltrated via the Telegram Bot API using sendDocument (files, screenshots, credential databases) and sendMessage (text-based loot summaries). Telegram-based exfiltration is increasingly common in commodity stealers because it requires no dedicated C2 infrastructure, encrypts data in transit by default, and is difficult to block without disrupting legitimate Telegram usage.
Infrastructure
Primary C2: dinitro.buzz
| Property | Value |
|---|---|
| Domain | dinitro.buzz |
| IP | 91.92.34.54 |
| ASN | AS207083 |
| Hosting | Euro Crypt EOOD (Bulgarian bulletproof hosting) |
| Web Server | nginx/1.24.0 (Ubuntu) |
| SSH | OpenSSH 9.6p1 |
| Open Ports | 22, 80, 443, 8080 |
| Registrar | PublicDomainRegistry.com |
| TLS | Let's Encrypt (issued within minutes of domain registration) |
Euro Crypt EOOD on AS207083 is a known bulletproof hosting provider operating out of Bulgaria. Abuse reports to this provider are unlikely to result in takedown.
Secondary Domain: bineress.shop
| Property | Value |
|---|---|
| Domain | bineress.shop |
| IP | 91.92.34.54 (same server) |
| Registrar | PublicDomainRegistry.com |
| Registration | ~20 days before dinitro.buzz |
Both domains resolve to the same IP, are registered through the same registrar, and obtained Let's Encrypt certificates shortly after registration. bineress.shop was registered approximately 20 days earlier, indicating a prior campaign phase or testing infrastructure that was repurposed.
Port 8080: Russian-Language Phishing
Port 8080 on 91.92.34.54 serves a Russian-language phishing page impersonating "Magadan State University" (Магаданский государственный университет) -- specifically an admission application form. Magadan is a remote city in far-eastern Russia. The choice of lure is notable: university application phishing targets a demographic (prospective students) unlikely to have sophisticated security awareness, and the Russian language confirms the operator's target audience.
Server Vulnerabilities
The server is vulnerable to CVE-2023-44487 (HTTP/2 Rapid Reset) and CVE-2025-23419 (TLS session ticket resumption). These are not directly relevant to the stealer operation but indicate the server is running unpatched software -- consistent with bulletproof infrastructure where maintenance is minimal.
ThreatFox History
ThreatFox contains 9 confirmed WallStealer IOC sightings spanning December 2025 through February 2026. This is not a new operation. The operator has been active for at least three months, and the current build represents an iteration on established infrastructure.
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| Credentials from Password Stores: Browser | T1555.003 | Chrome ABE bypass, DPAPI/BCrypt decryption, Firefox DB parsing |
| OS Credential Dumping | T1003 | DPAPI master key extraction |
| Process Injection: Portable Executable Injection | T1055.002 | VirtualAllocEx / WriteProcessMemory / CreateRemoteThread |
| Screen Capture | T1113 | GDI BitBlt + GDI+ PNG encoding |
| Exfiltration Over Web Service | T1567 | Telegram Bot API (sendDocument/sendMessage) |
| Command and Scripting Interpreter | T1059 | Remote shell via get_shell command |
| Obfuscated Files or Information | T1027 | 324+ AES-encrypted string constants |
| Deobfuscate/Decode Files or Information | T1140 | Runtime BCrypt AES decryption |
| System Binary Proxy Execution | T1218 | Chrome process used as decryption oracle for ABE bypass |
| Subvert Trust Controls | T1553 | Named pipe impersonation of Chrome IPC |
| Software Packing | T1027.002 | YONDEXCRYPT#2 crypter |
| Direct System Calls | T1106 | NtOpenKey, NtQueryValueKey, NtCreateFile bypassing ntdll hooks |
| Acquire Infrastructure: Domains | T1583.001 | dinitro.buzz, bineress.shop via PublicDomainRegistry |
| Acquire Infrastructure: Server | T1583.004 | Euro Crypt EOOD bulletproof hosting |
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Domain | dinitro[.]buzz | Primary C2 |
| Domain | bineress[.]shop | Secondary C2 (earlier campaign) |
| IP | 91.92.34.54 | Shared server for both domains |
| Named Pipe | \\.\pipe\browser_key_pipe | Chrome ABE bypass |
Host Indicators
| Type | Indicator | Context |
|---|---|---|
| Mutex | dahfghghcxsa | WallStealer instance lock |
| Build ID | qkh2MkU1 | Build tracking identifier |
| Steam ID | 76561199691513242 | Operator account |
| Panel User | ldvg113421 | Panel admin credential |
File Indicators
| Type | Value |
|---|---|
| SHA-256 | 6080aa379fe813634b16f7f395a2c8d16fe5540e003c8c773b8692756c74c55e |
Infrastructure Fingerprints
```text
# Server banner
nginx/1.24.0 (Ubuntu)
OpenSSH 9.6p1

# Ports
22, 80, 443, 8080

# TLS
Let's Encrypt certificates
CVE-2023-44487, CVE-2025-23419 present

# Phishing lure (port 8080)
Магаданский государственный университет — Заявление на поступление
```
Detection Recommendations
Immediate: Block dinitro[.]buzz, bineress[.]shop, and 91.92.34.54 at the perimeter. Monitor for named pipe creation at \\.\pipe\browser_key_pipe -- this is a high-fidelity indicator of the ABE bypass technique.
Detection engineering: Alert on processes creating named pipes with browser_key_pipe in the name, followed by Chrome child process activity. Hunt for direct NT syscall patterns (NtOpenKey, NtCreateFile) originating from non-system binaries. Monitor Telegram Bot API traffic (api.telegram.org/bot*/sendDocument) from endpoints where Telegram Desktop is not installed.
Threat hunting: Search for the mutex dahfghghcxsa and build ID qkh2MkU1 across endpoint telemetry. The Steam ID 76561199691513242 and panel username ldvg113421 are cross-referenceable across underground forums, Telegram channels, and gaming platform databases for further attribution.
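The detection-engineering rules above, as an added defensive example that is not code from the report or its authors: it runs the named pipe, C2 domain/IP and Telegram Bot API checks over constructed Sysmon-style and proxy-log lines, and correlates a browser_key_pipe creation with a Chrome process spawned by the same creator shortly afterwards. The event field names, rule names, host names, the key="value" line layout and the bot-token placeholder are assumptions; the domains, IP and pipe name are the report's own indicators.

```python
import re
from datetime import datetime, timedelta

# IOCs are from the report; rule names, event layout and sample lines are constructed.
C2_DOMAINS = {"dinitro.buzz", "bineress.shop"}
C2_IPS = {"91.92.34.54"}
ABE_PIPE = re.compile(r"browser_key_pipe", re.I)
TG_BOT_API = re.compile(r"api\.telegram\.org/bot[^/]+/(sendDocument|sendMessage)")

def parse(line):
    ev = dict(re.findall(r'(\w+)="([^"]*)"', line))  # one key="value" telemetry line -> dict
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, hosts_with_telegram_desktop=frozenset()):
    # Returns (rule, host, detail) alerts for Sysmon (eid 1/3/17/22) and proxy lines.
    alerts, pipe_creators = [], {}  # (host, pid) -> time the browser_key_pipe was created
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        src, host = ev["src"], ev["host"]
        if src == "sysmon" and ev["eid"] == "17" and ABE_PIPE.search(ev["pipe"]):
            pipe_creators[(host, ev["pid"])] = ev["ts"]
            alerts.append(("ABE_PIPE_CREATED", host, f"{ev['image']} -> {ev['pipe']}"))
        elif src == "sysmon" and ev["eid"] == "1" and ev["image"].lower().endswith("chrome.exe"):
            t0 = pipe_creators.get((host, ev["ppid"]))  # was Chrome spawned by the pipe creator?
            if t0 is not None and ev["ts"] - t0 <= timedelta(seconds=60):  # full ABE-bypass chain
                alerts.append(("ABE_BYPASS_CHAIN", host, f"ppid={ev['ppid']} spawned {ev['image']}"))
        elif src == "sysmon" and ev["eid"] == "22" and ev["query"].lower() in C2_DOMAINS:
            alerts.append(("C2_DNS", host, ev["query"]))
        elif src == "sysmon" and ev["eid"] == "3" and ev["dst"] in C2_IPS:
            alerts.append(("C2_CONNECT", host, ev["dst"]))
        elif src == "proxy" and host not in hosts_with_telegram_desktop:
            m = TG_BOT_API.search(ev["url"])  # Bot API method used for exfiltration
            if m:
                alerts.append(("TELEGRAM_BOT_EXFIL", host, m.group(1)))
    return alerts

# Constructed sample telemetry (not real logs); the bot token is a placeholder.
SAMPLE = [
    'src="sysmon" eid="17" ts="2026-03-14T10:00:01" host="WS01" pid="4120" image="C:\\Users\\u\\AppData\\Local\\Temp\\update.exe" pipe="\\browser_key_pipe"',
    'src="sysmon" eid="1" ts="2026-03-14T10:00:03" host="WS01" pid="4300" ppid="4120" image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
    'src="sysmon" eid="22" ts="2026-03-14T10:00:09" host="WS01" pid="4120" image="C:\\Users\\u\\AppData\\Local\\Temp\\update.exe" query="dinitro.buzz"',
    'src="sysmon" eid="3" ts="2026-03-14T10:00:10" host="WS01" pid="4120" image="C:\\Users\\u\\AppData\\Local\\Temp\\update.exe" dst="91.92.34.54"',
    'src="proxy" ts="2026-03-14T10:00:15" host="WS01" url="https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument"',
    'src="proxy" ts="2026-03-14T10:00:16" host="WS02" url="https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage"',
    'src="sysmon" eid="17" ts="2026-03-14T10:05:00" host="WS03" pid="900" image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" pipe="\\chrome.sync.900.1"',
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE, hosts_with_telegram_desktop={"WS02"}):
        print(rule, host, detail)
```

WS02 is treated as a host with Telegram Desktop installed and so is suppressed; WS03's ordinary Chrome pipe produces no alert.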
Conclusion
WallStealer is a technically competent stealer. The Chrome ABE bypass via named pipe interception is a real technique that defeats a meaningful security control. The direct NT syscalls bypass standard EDR instrumentation. The 324+ encrypted strings make static analysis painful. The YONDEXCRYPT#2 packer adds another layer. None of this is amateur work.
And then the operator embedded their Steam account -- display name set to their own C2 domain -- directly in the binary. Alongside their panel admin username. On a server that also hosts a Russian-language university phishing page on port 8080.
The technical investment in evasion becomes irrelevant when the binary itself is an attribution dossier. The ABE bypass will survive this operator's inevitable takedown and reappear in other stealers. The operator behind Steam ID 76561199691513242 probably will not.
Published 2026-03-14 | BGI Autonomous Threat Hunting | Breakglass Intelligence. Reported via @abuse_ch MalwareBazaar. ThreatFox tracking: 9 confirmed WallStealer IOC sightings (Dec 2025 -- Feb 2026). IOCs are provided for defensive use. Handle responsibly.