RussianPanda95

Parameter	Type	Description	Purpose
csidl	Integer	Windows CSIDL folder identifier	Specifies which system folder to target
start_path	String	Starting directory path for search	Base path to begin file scanning
masks	Array/String	File masks or patterns to match	Determines which files to target
recursive	Boolean	Whether to scan subdirectories	Controls the depth of file system traversal
max_size	Integer	Maximum file size to collect (KB)	Prevents collection of overly large files
iterations	Integer	Number of scan iterations or depth	Controls breadth of scanning operation

RussianPanda95

Parameter	Type	Description
name	String	Wallet extension name
token	String	Extension ID in the browser
from_local	Boolean	Extract data from local storage
from_sync	Boolean	Extract data from sync storage
from_IndexedDB	Boolean	Extract data from IndexedDB storage

RussianPanda95

Parameter	Type	Description
name	String	Browser name identifier
path	String	Relative path to the browser's data directory
type	Integer	Browser engine type (1=Chromium, 2=Opera, 3=Firefox)
soft_path	String	Absolute path to the browser executable
use_v80	Boolean	Flag for Chrome v80+ special handling
parse_cookies	Boolean	Enable extraction of browser cookies
parse_logins	Boolean	Enable extraction of saved passwords
parse_history	Boolean	Enable extraction of browsing history

RussianPanda95

Category	Parameter	Type	Description
Response Validation	opcode	String	Verifies response validity
Response Validation	success/blocked	String	Determines if stealer continues execution
Authentication	access token	String	Authentication token for future C2 communications
Execution Control	self-delete	Boolean	Controls whether stealer deletes itself after execution
Execution Control	loader	Boolean	Controls downloading and executing additional payloads
Data Collection	take_screenshot	Boolean	Enables screen capture functionality
Data Theft Targets	steal_steam	Boolean	Targets Steam platform data (credentials, game info)

RussianPanda95

{
    "70dac1867cc": "0a086e0b45295b8",
    "opcode": "success",
    "access_token": "b6de4c8e85bb0ddbc6778a9e5555281e15720a5126c4f8a828ac8b34df7f6b376da04f93",
    "self_delete": 1,
    "take_screenshot": 1,
    "loader": 0,
    "steal_steam": 0,
    "steal_outlook": 1,
    "browsers": [

RussianPanda95

SmartApeSG domains:

aionrevenge.com
46.17.43.112
3pline.com
tqshoes.shop
testmotodart.pro
raptwinter.shop
10086623.top
internationalcricketboard.com

RussianPanda95

URLs serving malicious Chrome extension:

tchk-1.com/v3.bs64
ps1-local.com/obfs3ip2.bs64
root-head.com/2708.bs64
root-head.com/25082.bs64
root-head.com/2508.bs64
root-head.com/2408new3.bs64
opensun.monster/25053.bs64
root-head.com/1408new3.bs64

RussianPanda95

SHA-256: 0a5c087ebc6df5cd251128903ecf1f46e13b020bc9b36d8ba4c097c067fb249d
Config: {
    "uuid": "7b2a34ce27374b1ba3440bd5ef1515d9",
    "user": "gogotest",
    "buildid": "1",
    "C2": "http://79.137.192.4/p2p",
    "staging_folder": "/tmp/out.zip"
}
SHA-256: 0c11f43e9c111397fec3524feb17bf146232b11be1b4256f7f2ebf1322f01cb5
Config: {

RussianPanda95

{
    "v": 4,
    "se": true,
    "ad": false,
    "ex": [
      {
        "en": "ejbalbakoplchlghecdalmeeeajnimhm",
        "ez": "MetaMask"
      },
      {

RussianPanda95

gecko;discord;chromium;download;grabbers;extensions;processGrabber;dll;ebaltvoumamashuazazazaza




Firefox
%USERPROFILE%/AppData/Roaming/Mozilla/Firefox
Waterfox
%USERPROFILE%/AppData/Roaming/Waterfox
K-Meleon