During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer sample written in Rust that targets gamers.
Upon further investigation, the team at Trellix discovered that it was Myth Stealer which was being marketed on Telegram since late December 2024. Trellix put out a report dubbed “Demystifying Myth Stealer: A Rust Based InfoStealer,” written by Niranjan Hegde, Vasantha Lakshmanan Ambasankar and AdarshS.
Infostealers are a type of malware that infiltrates computer systems and has the functionality to collect passwords, cookies, credit card information, autocomplete data, browsing history, and file download history from browsers.
A sample written in Rust means the malware was built in a language that diverges from C/C++, in which most earlier malware families have been written and which threat researchers and defenders therefore understand and tool for far more widely; Rust binaries are comparatively harder to analyze.
A further advantage of Rust, from the author's point of view, is broad platform support: the same code base can be compiled for several operating systems, potentially widening the exposure for victim organizations.
Myth Stealer is the name of the Rust-based malware that was actively promoted on Telegram, offering advanced features that make it highly appealing to cybercriminals. The group behind this malware is not setting up the gaming sites; rather, they provide a subscription to the malware. The attackers who then subscribe to this particular malware are the ones setting up gaming sites.
Initially, it was offered as a free trial, and it later evolved into a subscription-based model. The investigation revealed that this infostealer is distributed through various fraudulent gaming websites. Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background.
The infostealer targets both Gecko-based and Chromium-based browsers, extracting sensitive data including passwords, cookies, and autofill information. It also contains anti-analysis techniques such as string obfuscation and checks on the executable's filename and the current username, which are used to detect analysis environments.
The malware authors regularly update stealer code to evade AV detection and introduce additional functionality such as screen capture capability and clipboard hijacking.
The first Telegram post advertising Myth Stealer was made in late December 2024, and a Telegram channel was used to share updates about the malware. Based on the activity in that channel, an organized team likely developed and maintained it.
After Telegram shut down the initial channel, the operators created a new group to continue sharing malware updates. They routinely announce new versions in this group, emphasizing zero detection rates on VirusTotal. Users need to rebuild the malware to integrate the latest updates into their builds.
Currently, the malware is offered on a weekly and monthly subscription basis. It can be purchased using cryptocurrency and Razer Gold. Additionally, the operators maintained a separate channel titled ‘Myth Vouches & Marketplace,’ where users of this stealer provide testimonials and advertise the sale of compromised accounts obtained using it. Telegram has since shut that channel down as well.
Different channels and groups for Myth Stealer in Telegram
Distribution of malware
The malware is distributed in the wild disguised as game-related software. Figure three shows various fraudulent gaming websites used for spreading the stealer.
In another instance, we uncovered an actor who had posted a link to a malicious RAR file in an online forum under the guise of a cheat software crack named “ddtrace krx ultimate Crack”. To establish credibility within the forum community, the actor provided a VirusTotal link which showed zero detections at that time.
Myth Stealer presented as a crack of game cheating software in an online forum.
Capabilities
As per our investigation, the malware evolved over a period of time. Initially, when distributed as a free trial version, it only stole data from applications.
When it transitioned to a subscription-based model, it was sold with additional functionalities such as displaying a fake window, taking screenshots and clipboard hijacking. The team behind this malware keeps refactoring and updating the code to ensure that the malware has no detections on VirusTotal.
These updates include changing the libraries used to display the fake window and updating the communication with the C2 server. In the following sections, the researchers detail the various functionalities shown by the malware across its different versions.
Currently, the malware is a 64-bit sample written in Rust containing a loader which decrypts and executes the stealer component.
Loader with a fake window
Once the malware is successfully downloaded and executed on the victim’s machine, the loader displays a fake window to the user.
These fake windows are used to fool the victim into thinking that a legitimate application is executing. Figure five shows a few fake windows used by the loader. The loader uses one of the Rust crates native-windows-gui, egui or native_dialog to create and display the fake window.
Some of the fake windows displayed by the loader.
While the fake window is shown to the victim, the loader decrypts the stealer component, which is embedded at compile time with the Rust crate include-crypt using either XOR or AES. In recent versions, the loader uses a custom algorithm to decrypt the stealer component instead.
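The two techniques above, string obfuscation and a loader that decrypts an embedded payload, rest on the same primitive when the XOR mode is used: the key bytes are cycled over the data. The following is an added example, not code from the Trellix report or from Myth Stealer, that shows that primitive in a Rust program and, more usefully for an analyst, the known-plaintext key recovery you would run against an encrypted blob dumped from a loader: because a 64-bit Windows stealer component is a PE file, its DOS header is a reliable known plaintext. The key `myth-k3y`, the hostname `c2.example.invalid` and the fake PE-shaped payload are all constructed for the example; the AES mode of include-crypt and the custom algorithm of recent versions are not covered.

```rust
// Added example (not Trellix's code, not Myth Stealer's). Shows repeating-key
// XOR as used for an obfuscated string and for an embedded payload, and the
// analyst's counterpart: recovering the key from a dumped blob using the PE
// DOS header as known plaintext. All sample data is constructed; the payload
// is an 80-byte PE-shaped blob, not a real executable.

/// Repeating-key XOR. Applying it twice with the same key is the identity,
/// so a loader's "decrypt" is this same function.
pub fn xor_repeating(data: &[u8], key: &[u8]) -> Vec<u8> {
    assert!(!key.is_empty(), "key must not be empty");
    data.iter()
        .enumerate()
        .map(|(i, b)| b ^ key[i % key.len()])
        .collect()
}

/// Runtime string deobfuscation: the literal is stored XOR-ed in the binary
/// and only exists in the clear on the heap after this call.
pub fn deobfuscate_str(obf: &[u8], key: &[u8]) -> String {
    String::from_utf8(xor_repeating(obf, key)).expect("obfuscated string was UTF-8")
}

/// First 16 bytes of the DOS header as emitted by the Microsoft linker
/// (e_magic "MZ", e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0,
/// e_maxalloc 0xFFFF, e_ss 0). Adjust if a sample's DOS stub differs.
pub const DOS_HEADER_PREFIX: [u8; 16] = [
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
];

/// Constructed PE-shaped payload: a 64-byte DOS header whose e_lfanew field
/// (offset 0x3C) points at a "PE\0\0" signature, followed by filler bytes.
pub fn fake_pe_payload() -> Vec<u8> {
    let mut pe = vec![0u8; 80];
    pe[..16].copy_from_slice(&DOS_HEADER_PREFIX);
    pe[0x3C..0x40].copy_from_slice(&0x40u32.to_le_bytes());
    pe[0x40..0x44].copy_from_slice(b"PE\0\0");
    for (i, b) in pe[0x44..].iter_mut().enumerate() {
        *b = 0xA0 + i as u8; // arbitrary filler standing in for the rest of the file
    }
    pe
}

/// True if `data` starts with "MZ" and e_lfanew points at "PE\0\0".
pub fn looks_like_pe(data: &[u8]) -> bool {
    if data.len() < 0x40 || &data[..2] != b"MZ" {
        return false;
    }
    let e_lfanew = u32::from_le_bytes([data[0x3C], data[0x3D], data[0x3E], data[0x3F]]) as usize;
    let end = match e_lfanew.checked_add(4) {
        Some(e) => e,
        None => return false,
    };
    data.get(e_lfanew..end) == Some(&b"PE\0\0"[..])
}

/// Known-plaintext key recovery. For each candidate key length the known
/// prefix can cover, derive key = blob XOR known_prefix, decrypt the whole
/// blob, and keep the first key whose output parses as a PE (a wrong length
/// corrupts e_lfanew, so the PE check rejects it). Returns (key, plaintext).
pub fn recover_xor_key(blob: &[u8], known_prefix: &[u8], max_key_len: usize) -> Option<(Vec<u8>, Vec<u8>)> {
    let max_len = max_key_len.min(known_prefix.len()).min(blob.len());
    for key_len in 1..=max_len {
        let key: Vec<u8> = (0..key_len).map(|i| blob[i] ^ known_prefix[i]).collect();
        let plain = xor_repeating(blob, &key);
        if looks_like_pe(&plain) {
            return Some((key, plain));
        }
    }
    None
}

fn main() {
    let key = b"myth-k3y"; // constructed 8-byte key
    let obf_c2 = xor_repeating(b"c2.example.invalid", key); // hypothetical C2 hostname
    println!("deobfuscated string: {}", deobfuscate_str(&obf_c2, key));

    // What a loader would carry embedded: the payload XOR-ed with the key.
    let blob = xor_repeating(&fake_pe_payload(), key);
    match recover_xor_key(&blob, &DOS_HEADER_PREFIX, 16) {
        Some((k, plain)) => println!(
            "recovered key {:?} ({} bytes), decrypted payload is PE: {}",
            String::from_utf8_lossy(&k),
            k.len(),
            looks_like_pe(&plain)
        ),
        None => println!("no repeating key of up to 16 bytes fits"),
    }
}
```

Against a real dump the known prefix must be at least as long as the key, so if recovery fails at 16 bytes, extend `DOS_HEADER_PREFIX` with the rest of the sample's DOS stub (the "This program cannot be run in DOS mode" text gives another 40-odd known bytes) before assuming a non-XOR scheme.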
Conclusion
The newly emerged Rust-based infostealer, Myth Stealer, continues to evolve across its versions, making it progressively harder for endpoint solutions to detect. Its use of string obfuscation, stealthy C2 communication, and features like a fake window reflect the threat actors’ advanced evasion techniques.
The consistent development and enhancement of Myth Stealer underscore the attackers’ determination to stay ahead of security defenses, posing a serious and persistent risk to users, particularly gamers targeted through fraudulent gaming websites.