VoltaStealer: New Evasion-Heavy InfoStealer Surfaces in the Underground

A newly advertised Malware-as-a-Service (MaaS) infostealer, tracked here as VoltaStealer, has appeared on underground cybercriminal forums. Based on the threat actor’s marketing material and currently available promotional screenshots on the XSS forum, the malware is being positioned as an evasion-focused competitor to established stealers such as Lumma, Vidar, StealC, and AuraStealer.

At this stage, because there is no corroborating public reporting and no in-the-wild binaries indexed by threat intelligence platforms, several technical capabilities remain unverified. They should be treated strictly as unvalidated actor claims until production samples or verified victim telemetry are available for hands-on analysis.

The following is an analyst assessment separating the developer’s promotional claims from the underlying technical realities.

Technical Profile: Advertised Evasion Mechanisms

The developer’s pitch focuses heavily on low-level engineering choices designed to reduce the binary’s footprint and complicate static and behavioral analysis.

  • Dependency Avoidance: The threat actor claims the binary is written from scratch in C, Assembly (ASM), and minimal C++, completely avoiding the C Runtime (CRT) library and third-party dependencies. This keeps the advertised obfuscated build size down to approximately 205–215 KB.
  • Direct Syscalls: Rather than invoking high-level Windows APIs (which are heavily monitored and hooked by modern EDR agents), the binary is advertised to use direct system calls implemented in custom ASM routines. The actor claims this “eliminates standard system calls”; from an analyst perspective, direct syscalls can bypass user-mode API hooking but do not render modern endpoint protection blind, because EDR platforms also rely on kernel telemetry, ETW (Event Tracing for Windows), memory scanning, and process lineage.
  • Staging-Free Collection: The marketing material asserts that VoltaStealer operates entirely within RAM during its data collection and compression cycle, never dropping intermediate temporary files to disk (such as in the typical %TEMP% or %APPDATA% directories).
  • Dynamic Resolution: For infrastructure resilience, the builder utilizes a Dead-Drop Resolver (DDR) mechanism, fetching encrypted Command and Control (C2) links hosted on public profiles across legitimate platforms like Steam, Telegram bots, or TON blockchain transactions.

Figure: A close-up look at the browser-based VoltaStealer MaaS control panel

Deep Dive: What the Stealer Targets in the File System

While the malware is advertised as “memory-only” regarding its staging behavior, it is explicitly designed to read highly specific, sensitive database directories and configuration paths across the victim’s local file system. The actor claims an operational execution window of 5–10 seconds to scrape the following targets:

1. Web Browsers and Sessions

The malware scans local AppData pathways for over 100 Chromium and Gecko-based browsers, targeting:

  • Saved Credentials: Extracting Login Data and Web Data databases.
  • Session Cookies: Scoping active session cookies to facilitate cookie-theft campaigns.
  • Authentication Material: The actor claims specific extraction of Google Account Authorization and Microsoft Edge tokens. From a technical stance, these claims require further validation via configuration structure or sample extraction to identify the exact local storage keys or profile databases being accessed.


2. Cryptocurrency Infrastructure

VoltaStealer implements broad targeting across both local desktop applications and browser extensions:

  • Desktop Wallets: Accesses paths containing wallet.dat files, config strings, and registry keys for over 60 applications.
  • Extension Wallets: Targets Local Extension Settings folders within browser profiles to clone browser-based hot wallets.
  • In-Memory Scans: The panel boasts an integrated Regex grabber designed to parse open handles of text (.txt) and document (.doc) files directly in memory, matching against private keys and BIP39 seed phrase patterns.


3. Messaging and Enterprise Assets

  • Telegram Session Cloning: Targets local directories to steal the tdata session structures for over 20 distinct Telegram desktop clients and custom forks (e.g., AyuGram, 64Gram).
  • Connectivity Configs: Sweeps local paths for saved enterprise VPN client configuration files to gather credentials for potential lateral movement.


Structure of the per-victim archive as presented in the actor’s material:

IP_COUNTRY_2026_04_19.zip
├── Brave/
│   ├── Cookies/
│   └── Passwords/
├── Files/
├── Games/
│   └── Steam/
├── Google Chrome/
│   ├── Cookies/
│   └── Passwords/
├── WaterFox/
│   ├── Cookies/
│   └── Passwords/
├── Microsoft Edge/
│   ├── Cookies/
│   └── Passwords/
├── Opera GX/
│   ├── Cookies/
│   └── Passwords/
├── Telegram/
│   └── tdata/
├── Tokens/
├── VPN/
└── Wallets/

MITRE ATT&CK TTPs Mapping

To help defense teams quickly build detections, here is how VoltaStealer maps to the MITRE ATT&CK framework based on its advertised capabilities:

| Tactic | Technique | ID | Description / VoltaStealer Implementation |
|---|---|---|---|
| Execution | Native API | T1106 | Uses direct Assembly (ASM) system calls to bypass Windows API hooks. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1497 | Built-in Anti-VM, Anti-Sandbox, and Anti-Debug checks to exit cleanly if analyzed. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Integrated “Private Morpher” ensures each build is 75% unique; uses binary padding. |
| Discovery | System Location Discovery | T1614 | Implements a strict, non-removable triple-check geoblock (IP, keyboard, language) for CIS nations. |
| Credential Access | Credentials from Web Browsers | T1555.003 | Targets 100+ Chromium and Gecko-based browser databases. |
| Credential Access | Steal Web Tokens | T1539 | Targets Google and Microsoft Edge OAuth session tokens to bypass MFA. |
| Collection | Data from Local System | T1005 | Scans documents in memory via Regex for seed phrases and private keys. |
| Command & Control | Dynamic Resolution: Dead-Drop Resolver | T1102.001 | Fetches C2 routing infrastructure via public Telegram, Steam, or TON profiles. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Streams stolen data in compressed, chunked fragments to its hosted PostgreSQL backend. |


Technical Gaps and Uncertainties

As a closed, browser-hosted MaaS platform where installation on third-party hosting is unsupported, many core assertions remain unverified due to a lack of public reverse-engineering artifacts. Security teams should maintain skepticism regarding the following claims:

  • Server-Side Decryption: The marketing text indicates the binary streams “raw, encrypted blobs” directly to the C2 backend, leaving nothing decrypted in cleartext on the victim’s end. However, browser data protected by Windows DPAPI natively requires local access to cryptographic material or master keys on the endpoint. The exact mechanics of what remains encrypted in transit versus what is decrypted by the C2 require verification via an execution trace or network protocol analysis.
  • The “Runtime FUD” Claim: The developers promise automatic binary morphing (leaving each build 75% unique) and immediate code cleanup every Monday to maintain zero-detection status against Windows Defender. In reality, behavioral correlation engines routinely catch newly morphed variants based on their post-execution activity rather than static file hashes.


Defensive and Hunting Recommendations

Because threats leveraging direct syscalls and memory-only staging aim to minimize traditional disk-based artifacts, enterprise defenders should focus detection engineering on behavioral indicators and access telemetry:

  1. Monitor Sensitive File Access: Establish detection rules for anomalous or high-volume read operations targeting known browser credential stores, cookie databases, local wallet extension folders, Telegram data structures, and VPN configuration directories.
  2. Profile Volume Anomalies: Audit and alert on unusual patterns where an unsigned or low-reputation user-space process queries multiple distinct browser profiles or application configuration directories within a narrow time window.
  3. Analyze Network Lineage: Hunt for instances where a process initiates outbound connections to public web services (e.g., Steam or Telegram profile pages) and immediately follows that activity by establishing network connections to unrelated, low-reputation external infrastructure.
  4. Behavioral Memory Defenses: Ensure endpoint controls are configured to detect unbacked memory allocations or unexpected thread execution states, which frequently point to fileless injection methods.
  5. Session and Token Hardening: Because a stolen session cookie bypasses multi-factor authentication checkpoints that the victim has already passed, reduce the blast radius by enforcing device binding, implementing risk-based re-authentication, shortening session lifetimes for sensitive applications, and ensuring tokens are revoked automatically when an endpoint compromise alert fires.
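As an added illustration of recommendations 1 through 3 (not code from the original post or from any vendor), the following Python script runs the three behavioural checks over a handful of constructed endpoint events: a file-read sweep that touches several sensitive stores across multiple browser profiles within a few seconds, and a process that contacts a public web service and then a low-reputation host. The event schema, process names, paths, hostnames, IP addresses and thresholds are all assumptions; the trusted-suffix list stands in for a real reputation feed.

```python
"""Toy detection pass for recommendations 1-3 over constructed telemetry.
Added example, not code from the original post; event schema, names, paths,
hosts and thresholds are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive stores named in the post, as case-insensitive Windows path patterns.
SENSITIVE_STORES = {
    "browser_credentials": re.compile(r"\\(Login Data|Web Data|Cookies)$", re.I),
    "extension_wallet": re.compile(r"\\Local Extension Settings\\", re.I),
    "telegram_session": re.compile(r"\\tdata\\", re.I),
    "vpn_config": re.compile(r"\.(ovpn|conf)$", re.I),
}
# Chromium profile directories look like ...\<Browser>\User Data\<Profile>\...
PROFILE_RE = re.compile(r"\\([^\\]+)\\User Data\\([^\\]+)\\", re.I)
# Public services the post names as dead-drop hosts (assumed hostnames).
DDR_HOSTS = {"steamcommunity.com", "t.me", "api.telegram.org"}
# Stand-in for a reputation feed: destinations outside these are "low reputation".
TRUSTED_SUFFIXES = (".google.com", ".microsoft.com", ".windowsupdate.com")


def classify(path):
    """Return the sensitive-store class a path belongs to, or None."""
    for kind, rx in SENSITIVE_STORES.items():
        if rx.search(path):
            return kind
    return None


def detect_store_sweep(file_events, window=timedelta(seconds=10),
                       min_stores=3, min_profiles=2):
    """Recs 1+2: one process reads >= min_stores sensitive stores spanning
    >= min_profiles distinct browser profiles inside a sliding window.
    Each event: dict with ts (datetime), pid, image, path."""
    by_pid = defaultdict(list)
    for ev in file_events:
        kind = classify(ev["path"])
        if kind:
            by_pid[ev["pid"]].append((ev["ts"], kind, ev["path"], ev["image"]))
    alerts = []
    for pid, hits in by_pid.items():
        hits.sort()
        for i, (t0, _, _, image) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - t0 <= window]
            profiles = set()
            for _, _, path, _ in span:
                m = PROFILE_RE.search(path)
                if m:
                    profiles.add(f"{m.group(1)}/{m.group(2)}")
            if len(span) >= min_stores and len(profiles) >= min_profiles:
                alerts.append({"pid": pid, "image": image, "stores": len(span),
                               "profiles": sorted(profiles)})
                break  # one alert per process is enough
    return alerts


def is_low_reputation(dest):
    """Raw IP literals and hosts outside the trusted suffixes count as low reputation."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dest):
        return True
    return dest not in DDR_HOSTS and not dest.endswith(TRUSTED_SUFFIXES)


def detect_ddr_lineage(net_events, window=timedelta(seconds=30)):
    """Rec 3: a process contacts a dead-drop host and, within the window,
    a low-reputation destination. Each event: dict with ts, pid, image, dest."""
    by_pid = defaultdict(list)
    for ev in net_events:
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, conns in by_pid.items():
        conns.sort(key=lambda c: c["ts"])
        for i, first in enumerate(conns):
            if first["dest"] not in DDR_HOSTS:
                continue
            for later in conns[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if is_low_reputation(later["dest"]):
                    alerts.append({"pid": pid, "image": first["image"],
                                   "ddr_host": first["dest"], "next": later["dest"]})
                    break
    return alerts


# Constructed sample telemetry (Sysmon-style file reads and connections).
T0 = datetime(2026, 4, 19, 12, 0, 0)
USER = r"C:\Users\alice\AppData"
FILE_EVENTS = [
    # The browser reading its own profile: a single store, expected.
    {"ts": T0, "pid": 100, "image": "chrome.exe",
     "path": USER + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    # An unsigned process sweeping three browsers, a wallet extension and Telegram in 5 s.
    {"ts": T0 + timedelta(seconds=1), "pid": 2048, "image": "updater.exe",
     "path": USER + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(seconds=2), "pid": 2048, "image": "updater.exe",
     "path": USER + r"\Local\Google\Chrome\User Data\Default\Cookies"},
    {"ts": T0 + timedelta(seconds=3), "pid": 2048, "image": "updater.exe",
     "path": USER + r"\Local\Microsoft\Edge\User Data\Profile 1\Login Data"},
    {"ts": T0 + timedelta(seconds=4), "pid": 2048, "image": "updater.exe",
     "path": USER + r"\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\ext\000003.log"},
    {"ts": T0 + timedelta(seconds=5), "pid": 2048, "image": "updater.exe",
     "path": USER + r"\Roaming\Telegram Desktop\tdata\key_datas"},
]
NET_EVENTS = [
    {"ts": T0 + timedelta(seconds=6), "pid": 2048, "image": "updater.exe", "dest": "steamcommunity.com"},
    {"ts": T0 + timedelta(seconds=8), "pid": 2048, "image": "updater.exe", "dest": "203.0.113.45"},
    {"ts": T0 + timedelta(seconds=9), "pid": 100, "image": "chrome.exe", "dest": "steamcommunity.com"},
    {"ts": T0 + timedelta(seconds=12), "pid": 100, "image": "chrome.exe", "dest": "www.google.com"},
]

if __name__ == "__main__":
    for alert in detect_store_sweep(FILE_EVENTS) + detect_ddr_lineage(NET_EVENTS):
        print("ALERT", alert)
```

Run stand-alone it prints two alerts, both for the constructed `updater.exe` process: the store sweep (five sensitive reads across three browser profiles within the window) and the dead-drop lineage (a public web service followed by a raw IP). The browser's own read of its profile and its later connection to a trusted host produce nothing, which is the point of keying on cross-profile volume and on the service-then-unknown-host sequence rather than on any single access.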


Jonathan Chuck