Pentagon Stealer: Go and Python Malware Targeting Crypto
April 30, 2025, 9 a.m.
Description
Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sensitive information. Initially spread through typosquatting, it has appeared under various names like 1312, Acab, Vilsa, and BLX stealer. The Golang version expanded its capabilities to target more browsers. Pentagon Stealer uses HTTP requests for C2 communication and is often part of larger attack chains. While relatively simple, its persistent development and integration into various campaigns make it an ongoing threat to users' financial and personal data.
Tags
Date
- Created: April 30, 2025, 8:17 a.m.
- Published: April 30, 2025, 8:17 a.m.
- Modified: April 30, 2025, 9 a.m.
Indicators
- 0411589551ab684892e3cc776674df0f07bcdbb931c29da93c2afd08fe077336
- https://pentagon.cy/wallet_injection
- https://pentagon.cy/log_files
- https://pentagon.cy/log_data
- https://pentagon.cy/exodus
- https://pentagon.cy/create_log
- http://pentagon.cy/paste?userid=
- http://pentagon.cy/create_log
- http://funcaptcha.ru/delivery.
- http://1312services.ru/pw
- http://1312services.ru/webdata
- http://1312services.ru/delivery.
- https://pentagon.cy/atomic
- stealer.cy
- pentagon.cy
- biteblob.com
- 1312stealing.ru
- 1312services.ru
- funcaptcha.ru
Attack Patterns
- Acab Stealer
- 1312 Stealer
- Pentagon Stealer
- Vilsa Stealer
- BLX Stealer
- PureCrypter