@nwunderly
Last active January 20, 2023 01:53
The_PirateStealer_Saga_Vol2.md

The PirateStealer Saga, Volume 2: "Wait, This Is Still Going??"

Intro

This document is a follow-up to The PirateStealer Saga, detailing additional events that have occurred in the week since its writing.

This writeup is for educational and entertainment purposes. Please do not harass any of the users involved. Please do not join any Discord servers shown, or contact any users.

Moreover, please do not share this writeup outside of moderation circles. I'd prefer it not end up in the hands of these scammers.

- nwunder

Chapter One: The Plan

Our story picks up shortly after we discovered the PirateStealer repository. A few of us had decided we wanted to make some tools that would help us extract the webhook URLs from these PirateStealer malware executables. One of us had already made a Python tool for decompiling these (you could use a hex editor, but this malware was almost exclusively Node.js apps compiled with Nexe, so decompiling wasn't too difficult). This worked fine for a majority of the executables we had access to at the time, but looking at the PirateStealer repository we could see it had added obfuscation recently. We knew it was obfuscated with obfuscator.io, which no publicly-available JavaScript de-obfuscators were able to help us with.

We had at this point spent a few hours digging through the source code behind the project, and had come up with some ideas for extracting the webhook from obfuscated source code. We'd found a potential vulnerability in the malware that we decided was worth pursuing. This was really what led us to actively follow PirateStealer's repository/server and investigate them on GitHub. Not to mention, by this point we'd found so much fascinating information, how could we not look for more?
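As an added illustration of the extraction tooling described above (this is not the authors' script, which the gist does not reproduce): a small Python extractor that peels the bundled JavaScript off a Nexe-compiled executable and sweeps it for Discord webhook URLs. It assumes Nexe's trailer layout is the bundled source, then a `<nexe~~sentinel>` marker, then two little-endian doubles holding the code and resource sizes; that layout, the fake sample binaries and the URL regex are constructed assumptions for this example, and the second sample shows why a plain string sweep comes up empty once the strings are split or encoded the way obfuscator.io does.

```python
import re
import struct

# Assumed Nexe trailer layout (not taken from the gist): <code><resources><sentinel><2 doubles>
NEXE_SENTINEL = b"<nexe~~sentinel>"
TRAILER_LEN = len(NEXE_SENTINEL) + 16  # sentinel + codeSize + resourceSize (LE doubles)

# Webhook URL shapes Discord issues; the trailing token is the part a stealer exfiltrates to.
WEBHOOK_RE = re.compile(
    rb"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)


def split_nexe(binary: bytes):
    """Return (code, resources) appended to a Nexe binary, or None if the trailer is absent."""
    if len(binary) < TRAILER_LEN:
        return None
    tail = binary[-TRAILER_LEN:]
    if not tail.startswith(NEXE_SENTINEL):
        return None
    code_size, res_size = struct.unpack("<dd", tail[len(NEXE_SENTINEL):])
    end = len(binary) - TRAILER_LEN
    start = end - int(code_size) - int(res_size)
    if start < 0:
        return None
    return binary[start:start + int(code_size)], binary[start + int(code_size):end]


def extract_webhooks(binary: bytes) -> list:
    """Sweep the unpacked bundle (or the whole file if it is not Nexe) for webhook URLs."""
    parts = split_nexe(binary)
    haystack = b"".join(parts) if parts else binary
    return sorted({m.decode() for m in WEBHOOK_RE.findall(haystack)})


def build_sample(code: bytes, resources: bytes = b"") -> bytes:
    """Construct a fake executable in the assumed Nexe layout for offline testing."""
    stub = b"\x7fELF-fake-node-runtime\x00" * 4  # stands in for the real node binary
    lengths = struct.pack("<dd", float(len(code)), float(len(resources)))
    return stub + code + resources + NEXE_SENTINEL + lengths


# Constructed samples: a plain build, and one whose URL is split the way obfuscated builds hide it.
PLAIN_CODE = b'const hook = "https://discord.com/api/webhooks/123456789012345678/EXAMPLE_TOKEN_abc-DEF";'
SPLIT_CODE = b'const hook = "https://disc" + "ord.com/api/we" + "bhooks/1234567890" + "/EXAMPLE";'

if __name__ == "__main__":
    print(extract_webhooks(build_sample(PLAIN_CODE)))  # one URL recovered
    print(extract_webhooks(build_sample(SPLIT_CODE)))  # [] : needs de-obfuscation first
```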

Chapter Two: The Reports

By this point, we'd become accustomed to keeping an eye on the PirateStealer repository on GitHub. A few days after we started the project, we noticed their Discord support server had been deleted by Trust&Safety, and that they had already updated the repository's README with the link to a new support server. Naturally, we reported this server as well.

SupportServer2

Within a few hours, we noticed that this new server had also been deleted, and their README had another support server link. This time, they seemed to have switched to Revolt, a Discord-like chat platform. We naturally spent a short while celebrating at the idea that we'd helped drive them off of Discord. It was also pretty great that this server was deleted so quickly; it seemed that Discord's Trust&Safety team was onto them as well. Naturally, we reported this new server to Revolt.

Revolt

After at most a few more hours, we noticed that their Revolt server had already been deleted. The Revolt team was clearly on top of their game! Checking the README, the Revolt link had been removed and replaced with... nothing.

RevoltNoMore

What a victory. They seemed to have given up. After two Discord servers and a Revolt server, PirateStealer had finally given up. Or so it seemed.

Chapter Three: HackerMan 😎

This is mostly unrelated to the rest of the story, but it was entertaining enough that I wanted to write it down. We'd been following the PirateStealer project for a couple of days, and when the Revolt server went down we started browsing GitHub, looking for people associated with these projects and for other open-source Discord malware projects in general. Here are some of our discoveries that I thought were worth sharing.

GitHub profile views booster

Wait, that's a thing?

ProfileViewsBooster

A very cool and well-made Discord server nuker

I'm pretty sure they spent more time making it look pretty than they did making the actual tool.

Nuker

I'm 14 and this is deep

Do you think he hacks at night so his parents don't catch him??

Im14AndThisIsDeep

A Poop Joke

Just... why?

Poop

Another Very Funny Joke

I genuinely almost gave up and deleted this gist when I saw this repo again.

DisCum

Chapter Four: They're Back?

A few days after they left Revolt, the PirateStealer README was once again updated with a Discord link. This one was notable for a few reasons:

  • The server's name. Just... what?
  • The server is completely closed, and uses a ticket bot for interactions between staff and users.
  • They ADAMANTLY claim that it's not a support server for PirateStealer. Seems they're finally learning.

GuessWhosBack

TOS_EXTREMISTS

It's also absolutely hilarious that it says you should join to buy premium for "educational reasons". I'm no expert, but I'm pretty sure there's not much of a market for premium educational malware. I suppose they gotta cover their tracks somehow, though.

Don't Tell Stanley

Nobody tell them I'm the one uploading their repo to VirusTotal 😳

PlsNoUploadVT

OopsSorryNotSorry

AutoUpload

Thanks For Reading!

PirateStealer2
