HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

April 30, 2025, 8:58 a.m.

Description

The Hannibal Stealer is a sophisticated information stealer targeting Chromium- and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware performs system profiling, captures screenshots, and exfiltrates targeted files. It includes a crypto clipper module and is controlled via a dedicated C2 user panel. Advertised on various forums, it employs geofencing, domain-matching, and comprehensive data theft techniques. The stealer is likely a rebranded version of the earlier SHARP and TX Stealers, with minimal innovation beyond updated communication methods.

Indicators

  • f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8
  • 251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e
  • 45.61.141.160
  • www.hannibal.dev

Attack Patterns

  • TX Stealer
  • Hannibal Stealer
  • SHARP Stealer