A password-stealing trojan for Windows that harvests credentials and other sensitive data, then exfiltrates it to the attacker. See our overview for defenders for details.
Once stolen, credentials enable account takeovers, lateral movement, and fraud. One infected endpoint can compromise many services.
Data it typically harvests:
Browsers: saved logins, cookies, autofill, sessions
Mail/FTP/VPN clients and RDP credentials
Messengers and gaming platforms
Crypto wallets and seed phrases
System info, screenshots, clipboard
It spreads through malspam carrying fake invoices or delivery notices, cracked software, malicious installers, poisoned search results, and drive-by downloads from shady sites and push-notification scams.
Signs of infection:
Sudden loss of saved logins or new logins from unknown locations
Unfamiliar processes in %AppData%, %LocalAppData%, or Temp
New autoruns: Run keys, Scheduled Tasks, Startup folder
Outbound connections to paste sites, file hosts, or Telegram/Discord webhooks
AV logs flagging "Trojan-PWS," "Stealer," or credential-dump attempts
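The host-side indicators above (binaries running from %AppData%/Temp, new autoruns, outbound connections to paste sites or Telegram/Discord) can be checked mechanically against a triage pack. The following is an added example, not code from the original page; the telemetry lines, the record shape kind|detail, the baseline autorun set, and the destination list are all constructed assumptions, not any EDR's export format.

```python
import re

# Constructed sample telemetry for one host (not real data). The record
# shape kind|detail is hypothetical, not a particular EDR export format.
SAMPLE_TELEMETRY = """\
proc|C:\\Users\\alice\\AppData\\Local\\Temp\\svchst.exe
proc|C:\\Windows\\System32\\svchost.exe
proc|C:\\Users\\alice\\AppData\\Roaming\\Updater\\upd.exe
conn|api.telegram.org:443
conn|update.example.com:443
conn|pastebin.com:443
autorun|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
autorun|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth
"""

# Autoruns recorded from a known-good baseline of the same host (constructed);
# "new autorun" means anything not in this set.
BASELINE_AUTORUNS = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
}

# Executables launched from the user-writable locations the page lists.
USER_WRITABLE_DIR = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.IGNORECASE)

# Destinations the page names as typical exfiltration channels (illustrative
# watchlist, not exhaustive; legitimate traffic to these hosts also exists).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "pastebin.com"}


def triage(telemetry, baseline_autoruns):
    """Return (rule, detail) findings for records matching the indicators."""
    findings = []
    for line in telemetry.splitlines():
        kind, _, detail = line.partition("|")
        if kind == "proc" and USER_WRITABLE_DIR.search(detail):
            findings.append(("proc_user_writable_dir", detail))
        elif kind == "conn":
            host = detail.rsplit(":", 1)[0].lower()  # strip the port
            if host in EXFIL_HOSTS:
                findings.append(("conn_exfil_channel", detail))
        elif kind == "autorun" and detail not in baseline_autoruns:
            findings.append(("autorun_not_in_baseline", detail))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_TELEMETRY, BASELINE_AUTORUNS):
        print(f"{rule:26} {detail}")
```

Findings are leads for the analyst, not verdicts: a process in %AppData% or a connection to Discord is common on clean hosts, so each hit should be confirmed against the triage pack before remediation.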
Response steps:
Disconnect from the network and isolate the host.
Collect a triage pack: running processes, autoruns, network connections, recent downloads.
Remove persistence and delete the payload; run a full anti-malware scan.
Reset all passwords from a clean device and revoke tokens/sessions.
Rotate MFA secrets where possible and invalidate remembered devices.
Review accounts for unauthorized activity and enable alerts.
Reimage if integrity is uncertain.
Notes:
Many stealers are modular: the initial payload can fetch keyloggers or RATs later.
Cookie/session theft can bypass passwords and some MFA until the tokens expire or are revoked.
After cleanup, the stolen credentials may still circulate on forums, so keep monitoring the affected accounts.