SapphireStealer [1] [2] [3] [4] [5], an open-source .NET-based information stealer malware [1] [4] [5], has gained significant attention from cybercriminals for carrying out data-theft attacks. This article provides a detailed description of SapphireStealer, including its capabilities [4], distribution methods, and recent developments.
Originally developed by Russian hacker Roman Maslov, SapphireStealer has undergone modifications and subsequent releases, resulting in more potent malware that attracts a growing number of attackers. This malicious software is capable of stealing various types of sensitive information, including corporate credentials [2] [4], access tokens [3], usernames [3], and passwords. The stolen data can then be monetized or used to stage more impactful attacks, such as espionage or ransomware operations.

SapphireStealer is similar to other stealer malware found on the dark web and is equipped with features to gather host information [4], browser data [4], files [1] [3] [4] [5], and screenshots [4]. It can exfiltrate the stolen data in the form of a ZIP file via SMTP [4]. Recent variants of SapphireStealer have introduced enhanced functionality, such as the ability to grab files in different formats and transmit log data through the Discord webhook API or Telegram API [3].

Multiple variants of SapphireStealer are already in circulation [1] [2] [4] [5], with threat actors continuously improving its efficiency and effectiveness [1] [2] [4] [5]. It is often delivered as part of a multi-stage infection process [1], with threat actors utilizing open-source malware downloaders like FUD-Loader [1]. FUD-Loader itself, a .NET malware downloader, was released by the SapphireStealer author [2] [4]; it retrieves additional binary payloads from attacker-controlled distribution servers [4]. Talos has detected the downloader being used to deliver remote administration tools like DCRat [4], njRAT [4], DarkComet [4], and Agent Tesla [4].

The publication of SapphireStealer’s source code in late December 2022 has allowed cybercriminals to experiment with the malware [5], and the resulting variants are increasingly difficult to detect. Additionally, these malicious actors have incorporated new data exfiltration methods using Discord and Telegram [5]. New versions of SapphireStealer have been consistently uploaded to public malware repositories since mid-January 2023 [1]. Some samples of SapphireStealer can notify attackers of newly acquired infections via the Telegram posting API [1].
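The exfiltration channels described above (a ZIP sent over SMTP, and log data posted to a Discord webhook or the Telegram Bot API) share a useful defensive property: they are all outbound connections that ordinary desktop processes have no reason to make. The following detection sketch is an added example, not code from the original article or from any of the cited reports. It runs over a constructed, pipe-delimited endpoint telemetry format (timestamp, process image, destination host, port, HTTP method, URL path, bytes sent) that is assumed here for illustration; the process allowlists are likewise hypothetical and would be tuned per environment. The Discord and Telegram endpoints are the public API hosts, not indicators from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed telemetry (not a real product's log format):
# timestamp|process image|destination host|destination port|HTTP method or -|URL path or -|bytes sent
SAMPLE_LOG = """\
2023-03-01T10:00:01Z|C:\\Program Files\\Mozilla Firefox\\firefox.exe|discord.com|443|GET|/api/v9/gateway|512
2023-03-01T10:00:07Z|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|discord.com|443|POST|/api/webhooks/123456789/EXAMPLE_TOKEN|48211
2023-03-01T10:00:09Z|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|api.telegram.org|443|POST|/botEXAMPLE_TOKEN/sendDocument|48300
2023-03-01T10:00:12Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|smtp.office365.com|587|-|-|2048
2023-03-01T10:00:15Z|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|smtp.gmail.com|587|-|-|51000
"""

# Hypothetical per-environment allowlists: processes that legitimately speak these protocols.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WEBHOOK_TOOLS: set = set()          # e.g. a CI agent image name, if the org runs Discord/Telegram bots
SMTP_PORTS = {25, 465, 587}
LARGE_UPLOAD_BYTES = 10_000         # crude size hint: a zipped data bundle exceeds chat-sized posts


@dataclass
class Alert:
    rule: str
    timestamp: str
    process: str
    host: str
    bytes_sent: int
    severity: str


def _image_name(process_path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return process_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _severity(bytes_sent: int) -> str:
    return "high" if bytes_sent >= LARGE_UPLOAD_BYTES else "medium"


def detect(log_text: str) -> List[Alert]:
    """Return one Alert per event matching a stealer-style exfiltration pattern."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, port, method, path, sent = line.split("|")
        port_n, sent_n = int(port), int(sent)
        image = _image_name(proc)
        rule = None
        # Discord webhooks are written to by bots, not by interactive browser sessions.
        if (host == "discord.com" and method == "POST"
                and path.startswith("/api/webhooks/") and image not in WEBHOOK_TOOLS):
            rule = "discord_webhook_post"
        # Telegram Bot API calls carry the bot token in the path: /bot<token>/<method>.
        elif (host == "api.telegram.org"
                and re.match(r"^/bot[^/]+/(sendDocument|sendMessage|sendPhoto)", path)
                and image not in WEBHOOK_TOOLS):
            rule = "telegram_bot_api_post"
        # Direct SMTP from anything other than a mail client is a classic exfil tell.
        elif port_n in SMTP_PORTS and image not in MAIL_CLIENTS:
            rule = "smtp_from_non_mail_client"
        if rule:
            alerts.append(Alert(rule, ts, proc, host, sent_n, _severity(sent_n)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule}: {a.process} -> {a.host} ({a.bytes_sent} bytes) at {a.timestamp}")
```

Run against the constructed sample, the Firefox gateway request and Outlook's SMTP session pass silently, while the three connections from the temp-directory binary each raise a high-severity alert. The rules deliberately key on process identity plus destination rather than on any sample-specific hash, since the article's point is that variants change faster than their exfiltration channels do.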

Earlier versions of SapphireStealer had redundant code execution and inefficiencies [1], but threat actors have streamlined its operations and improved its core functionality over time [1]. SapphireStealer represents an evolution of the cybercrime-as-a-service model and allows for the monetization of stolen data through ransomware [2], data theft [2], and other malicious activities [2].
SapphireStealer poses a significant threat to organizations and individuals, as it continues to evolve and attract a growing number of attackers. Mitigating the risk of SapphireStealer requires robust cybersecurity measures, including regular software updates, strong passwords, and employee education on phishing and malware prevention. The ongoing development and distribution of SapphireStealer highlight the need for constant vigilance and proactive defense strategies in the face of evolving cyber threats.

Additionally, the emergence of Agniane Stealer, another stealer malware capable of stealing credentials and cryptocurrency-related data, further underscores the need for comprehensive cybersecurity measures. The sale of Agniane Stealer on dark web forums and Telegram channels indicates a growing market for such malicious tools. Organizations and individuals must remain vigilant and take proactive steps to protect their sensitive information from these evolving threats.