SapphireStealer is an open-source .NET-based information stealer whose code is being picked up by multiple threat actors, who extend its capabilities and build customized variants [1] [2]. The malware represents an evolution of the cybercrime-as-a-service model: it allows stolen data to be monetized through ransomware and other malicious activities [2].

Description

SapphireStealer is capable of obtaining sensitive information, including corporate credentials [1] [2] [3], which can be resold to other threat actors for follow-on attacks [2] [3]. It gathers host information [1] [2], browser data [1] [2] [3] [4], files [1] [2] [3] [4], and screenshots [3] [4], and exfiltrates the data as a ZIP file via SMTP [1] [2] [3]. Its source code was published for free [2], and the resulting spread of modified builds makes it difficult to detect [1] [2]. Variants also offer flexible exfiltration channels, using Discord webhooks or the Telegram API in place of SMTP [2] [4]. Multiple variants of this threat are already in the wild [2] [3], and the malware author has also released a .NET malware downloader called FUD-Loader [1] [2] [3], which has been used to deliver remote administration tools such as DCRat [1] [2], njRAT [1] [2], DarkComet [1] [2], and Agent Tesla [1] [2].

Another stealer, Agniane Stealer, has also recently been discovered [2] [3]. It is capable of stealing credentials [3], system information [1] [2] [3] [4], session details [3], and data from cryptocurrency extensions and wallets [3]. Agniane Stealer is being sold on dark web forums and through a Telegram channel [3]. The threat actors behind it employ packers to maintain and update the malware's functionality and evasion features [3].

Conclusion

SapphireStealer [1] [2] [3] [4], along with other stealer malware found on the dark web [1] [3], poses a significant threat: it collects many types of data and has multiple variants in circulation. The availability of its source code has allowed malicious actors to experiment with it [3], making it harder to detect [4]. Mitigating the risks of this class of malware requires robust security measures and continuous monitoring. The discovery of Agniane Stealer highlights the ongoing development and distribution of such tools, emphasizing the need for proactive defense strategies and collaboration among security professionals.

References

[1] https://vulners.com/thn/THN:A3A94EEC8781265B805EB1BC834C2176
[2] https://thehackernews.com/2023/08/sapphirestealer-malware-gateway-to.html
[3] https://cybersec84.wordpress.com/2023/08/31/sapphirestealer-malware-a-dangerous-new-threat-to-businesses/
[4] https://www.443news.com/2023/08/a-gateway-to-espionage-and-ransomware-operations/