A new malware campaign has been discovered that targets inexperienced cyber criminals using malicious OpenBullet configuration files [2]. These files are used to deliver a remote access trojan (RAT) capable of stealing sensitive information [1] [2].


OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks [1]. However, criminals have exploited it by trading or selling the configurations, making it easier for script kiddies to launch their own attacks [1] [2]. The campaign [1] [2], discovered by Kasada [1] [2], uses malicious configs shared on a Telegram channel to retrieve a dropper called Ocean from a GitHub repository [1] [2]. The dropper then fetches the next-stage payload from the same repository [1] [2]. The payload is a Python-based malware called Patent [1] [2], which launches a RAT that uses Telegram as a command-and-control mechanism [1] [2].

The RAT can perform various malicious activities, including capturing screenshots [1] [2], listing directory contents [1] [2], terminating tasks [1] [2], exfiltrating crypto wallet information [1] [2], and stealing passwords and cookies from various web browsers [1] [2]. Additionally, it functions as a clipper [1] [2], monitoring the clipboard for cryptocurrency wallet addresses and substituting them with an actor-controlled address for unauthorized fund transfers [1] [2]. The campaign specifically targets browsers and crypto wallets such as Brave [1], Google Chrome [1], Microsoft Edge [1], and Opera [1], among others [1].

The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector [1] [2], likely targeting criminal communities that frequently use cryptocurrencies [1] [2]. This allows attackers to shape their collection to a specific target group and gain access to funds [2], accounts [2], or other members’ information [2].


This malware campaign highlights the risks posed by the exploitation of legitimate tools for malicious purposes. Inexperienced cyber criminals are being targeted, potentially leading to an increase in unauthorized access to sensitive information. To mitigate these risks, it is crucial for individuals and organizations to stay vigilant and implement strong security measures. Additionally, the use of Telegram as an infection vector underscores the need for enhanced security measures within messaging platforms. As cyber criminals continue to evolve their tactics, it is important for security professionals to stay ahead of the game and adapt their defenses accordingly.


[1] https://thehackernews.com/2023/08/new-malware-campaign-targets.html
[2] https://vulners.com/thn/THN:885740D716CC52E5290C1AAEAFD4E2CA