A newly identified information-stealing malware dubbed Eclipse Stealer has emerged on GitHub and Telegram.
It targets Windows systems to harvest sensitive credentials, cryptocurrency wallets, and session data from over 50 applications.
Developed in Python and actively updated, this stealer employs advanced anti-analysis techniques, and its authors advertise it as “undetectable”.
Below is a technical breakdown of its capabilities and implications for cybersecurity professionals.
Eclipse Stealer’s Technical Capabilities
The malware demonstrates modular design with specialized components for data exfiltration:
Core data theft functions
- Browser targeting: Extracts cookies, autofill data, and passwords from Gecko-based browsers (Firefox, Mullvad) and Chromium derivatives
- Application targeting:
  - Game clients (Steam, Epic Games, Rockstar Games)
  - Messengers (Telegram, WhatsApp, Signal)
  - VPNs (NordVPN, ProtonVPN)
  - Cryptocurrency wallets via Atomic/Exodus injection
- System profiling: Collects GPU specs, network details, antivirus lists, and file system metadata
Evasion mechanisms
- UPX packer and PyArmor obfuscation to hinder static analysis
- Anti-debugging checks and VM detection routines
- Krakenfiles integration for encrypted C2 communication
Analysis Challenges & Recommended Tools
Security researchers face multiple hurdles when analyzing Eclipse Stealer samples:
| Analysis Type | Tools | Key Focus Areas |
|---|---|---|
| Static Analysis | Cutter, PEiD, YARA | Obfuscated strings, packer identification |
| Dynamic Analysis | Cuckoo Sandbox, Procmon | Registry modifications, process injection |
| Network Analysis | Wireshark, INetSim | Simulated C2 traffic patterns |
Critical steps for safe analysis:
- Deploy in VirtualBox/VMware with host-only networking
- Use REMnux Linux distro for tool integration
- Monitor with Sysinternals Process Explorer for real-time behavior tracking
Mitigation & Threat Response
Organizations should implement these defensive measures:
Immediate actions
- Block IOCs from the GitHub repo (hxxps://github[.]com/.../Eclipse-Stealer) and the Telegram channel (hxxps://t[.]me/+vSeyUIsW9chhMjEy)
- Hunt for setup.bat files attempting Python environment modifications
Long-term strategies
- Deploy YARA rules targeting the stealer's known strings, for example:

```yara
rule Eclipse_Stealer {
    strings:
        $s1 = "JohnDoe287/Eclipse-Stealer"
        $s2 = "UPX Packer" nocase
        $s3 = "Krakenfiles" wide
    condition:
        2 of them
}
```
- Enable EDR solutions with memory scanning for PyInstaller-packed binaries
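As an added example (not code from the article or from the malware's authors), a small Python hunting helper that reproduces the logic of the YARA rule above in pure Python, including the `nocase` and `wide` (UTF-16LE) string modifiers, and flags setup.bat files that modify the Python environment. The setup.bat heuristics, file-walk function and sample inputs are constructed assumptions, not indicators published on the page.

```python
import re
from pathlib import Path

# The three strings from the page's YARA rule, with their modifiers reproduced:
# $s1 plain ASCII, $s2 ASCII case-insensitive, $s3 UTF-16LE ("wide").
YARA_STRINGS = {
    "s1": lambda d: b"JohnDoe287/Eclipse-Stealer" in d,
    "s2": lambda d: b"upx packer" in d.lower(),
    "s3": lambda d: "Krakenfiles".encode("utf-16-le") in d,
}

# Constructed heuristics (assumption) for a setup.bat that tampers with the
# Python environment: package installs, PYTHONPATH or PATH edits pointing at Python.
BAT_PATTERNS = [
    re.compile(r"\bpip(3)?\s+install\b", re.IGNORECASE),
    re.compile(r"\bpython(3)?(\.exe)?\s+-m\s+pip\b", re.IGNORECASE),
    re.compile(r"\bset\s+PYTHONPATH\b", re.IGNORECASE),
    re.compile(r"\bsetx?\s+PATH\b.*python", re.IGNORECASE),
]

def matched_yara_strings(data):
    """Return the names of the rule's strings found in the raw file bytes."""
    return [name for name, check in YARA_STRINGS.items() if check(data)]

def yara_rule_hits(data):
    """Mirror the rule's 'condition: 2 of them'."""
    return len(matched_yara_strings(data)) >= 2

def setup_bat_suspicious(text):
    """Return the lines of a batch file that match an environment-tampering pattern."""
    return [line.strip() for line in text.splitlines()
            if any(p.search(line) for p in BAT_PATTERNS)]

def scan_path(root):
    """Walk a directory and report (path, reason) pairs for files worth triage."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if yara_rule_hits(data):
            findings.append((str(p), "eclipse_yara_strings"))
        if p.name.lower() == "setup.bat" and setup_bat_suspicious(data.decode("utf-8", "ignore")):
            findings.append((str(p), "setup_bat_python_env"))
    return findings

# Constructed sample inputs: a fake binary carrying $s2 (mixed case) and $s3 (wide),
# and a fake setup.bat with two environment-modifying lines.
SAMPLE_BINARY = b"MZ\x90\x00" + b"Upx PACKER" + b"\x00" + "Krakenfiles".encode("utf-16-le")
SAMPLE_BAT = "@echo off\r\npython -m pip install requests\r\nset PYTHONPATH=%TEMP%\\ecl\r\n"
```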
The stealer’s rapid update cycle (39 versions in 8 months) underscores the need to continuously monitor underground channels.
While its current focus remains credential theft, the developers’ roadmap suggests plans for UAC bypass and cryptocurrency clipper modules, potentially expanding its capabilities.
Cybersecurity teams should prioritize sandbox-based analysis of suspected samples and share findings via MISP threat platforms.