Skuld Infostealer Malware Used Against Targets Across the World

computer malware

Skuld, a newly discovered information stealer written in Golang, has successfully compromised Windows systems in Europe, Southeast Asia, and the United States.

According to an analysis by Trellix researcher Ernesto Fernández Provecho, this fresh strain of malware has a primary objective of pilfering sensitive data from its victims. It achieves this by searching for valuable information stored in applications like Discord and web browsers, as well as system data and files within the victim's folders.

Skuld bears similarities to other known stealers such as Creal Stealer, Luna Grabber, and BlackCap Grabber. Its creator, who is known online as Deathined on platforms like GitHub, Twitter, Reddit, and Tumblr, appears to be actively promoting this malware through a Telegram group named deathinews.

To impede analysis efforts, Skuld checks if it's operating within a virtual environment upon execution. It then compiles a list of running processes and compares it to a predefined blocklist. If any process matches those on the blocklist, Skuld terminates the matched process instead of self-terminating.

Skuld's Full List of Capabilities

In addition to gathering system metadata, Skuld is capable of harvesting cookies, credentials, and files from various Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.

Trellix's investigation into the malware revealed that Skuld is designed to tamper with legitimate files associated with Better Discord and Discord Token Protector. By injecting JavaScript code into the Discord app, it can extract backup codes, employing a technique reminiscent of a recently documented Rust-based infostealer analyzed by Trend Micro.

Certain samples of Skuld also include a clipper module, which modifies clipboard content and facilitates the theft of cryptocurrency assets by replacing wallet addresses. Trellix speculates that this module is still under development.

Data stolen by Skuld is exfiltrated using an actor-controlled Discord webhook or the Gofile upload service. In the case of the latter, the attacker receives a reference URL containing the stolen data in a ZIP file, which is sent through the same Discord webhook functionality.

This development showcases the growing popularity of the Go programming language among threat actors. Its simplicity, efficiency, and cross-platform compatibility make it an appealing choice for targeting multiple operating systems and expanding the pool of potential victims.

Fernández Provecho further emphasized that Golang's compiled nature makes it challenging for security researchers and traditional anti-malware solutions to detect and mitigate these threats effectively, as malware authors can produce binary executables that are difficult to analyze and reverse engineer.

By Zaib
June 15, 2023
Computer Security
English
June 15, 2023
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Android Malware

IcSpy Mobile Malware Targets Bank Customers

IcSpy is the name of a strain of mobile malware that can infect Android devices. The malware was used in a campaign targeting victims located in India and customers of Indian banking institutions. There have been... Read more

November 25, 2022
Mac Malware

RShell Malware Targets MacOS Users

RShell is the name of a piece of malware that is attributed to a Chinese advanced persistent threat actor known by several aliases, most notably APT27 and LuckyMouse. RShell was discovered by a research team with... Read more

August 15, 2022
Malware

Stealerium Infostealer

Stealerium is the name of an infostealer malware. The malicious application is written and compiled using C#. When it deploys on a victim system, Stealerium starts recording logs and exfiltrating information from the... Read more

May 9, 2022
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.