
@nwunderly
Last active January 20, 2023 01:53
The_PirateStealer_Saga.md

The PirateStealer Saga: A tale of love, war, betrayal, and revenge

Intro

The following document chronicles my discovery of the incredibly riveting lore behind a particular open-source malware project.

This writeup is for educational and entertainment purposes. Please do not harass any of the users involved. Please do not join any Discord servers shown, or contact any users.

Moreover, please do not share this writeup outside of moderation circles. I'd prefer it not end up in the hands of these scammers.

- nwunder

Chapter One: The Discovery

Our story begins with one of my users receiving a direct message from a "try my game" scammer on Discord. Knowing it was a token stealer, the user reported the DMs to me. After banning and reporting the user, we were able to uncover the webhook URL of the token stealer and, surprisingly, find its source code on GitHub: https://github.com/bytixo/PirateStealer

[Screenshot: About]

Chapter Two: The Repository

Upon inspection, the repository has a few fascinating aspects. To start, the README had Proof Of Concept && Educational Purpose Only written in giant text at the top. This was amusing, since I'd discovered this project through it being used in an actual malware attack.

[Screenshot: eDuCaTiOnAl]

Furthermore, the project is a surprisingly functional and full-fledged open-source repository, considering the fact that it's malware. This code being used for illegal activities didn't stop them from making the most of GitHub's features, it seems.

[Screenshot: Tags]

[Screenshot: Releases]

[Screenshot: Commits]

We'd discovered an open-source, actively maintained malware project on GitHub. They even had a support server and donation links! The level of effort being put into maintaining literal malware was nothing short of hilarious. Not to mention, the support server's vanity invite was racismhq, which is absolutely ridiculous even on its own.

[Screenshot: Support/Donation]

[Screenshot: Changelogging]

Perhaps my favorite thing about this repository is the "Skids Hall" section of the README.

[Screenshot: Skids]

This quote in particular was absolutely hilarious:

(changing embed colour and removing PirateStealer mention doesnt make your grabber selfcoded dumbass)

Something about malware devs being salty about their code being stolen is just absolutely amazing to me.

It's also pretty amusing seeing the README with disclaimers like "This project is for educational purposes" to avoid being taken down by GitHub, despite the fact that it's obviously being supported, maintained, and used in live malware. The dev also has this disclaimer in the README:

[Screenshot: Disclaimer]

Chapter Three: The Developer

Upon investigation, the developer's GitHub profile was similarly entertaining.

[Screenshot: OtherRepositories]

This developer's profile had:

  • A Discord token stealer
  • Two Discord userbots
  • Two anti-malware tools

...all in the same screenshot.

[Screenshot: DoubleAgent]

But the drama was only just beginning. Upon revisiting the original repository, I found something else:

[Screenshot: TripleAgent]

Writing this, I'm still absolutely astounded. Did this developer really create a malware tool, an anti-malware tool for his own malware, and add anti-anti-malware support to the original malware? This can't be real.

Chapter Four: The Support Server

Besides the server's absurd vanity invite, there's not much to tell about this. The server is intended to provide support for malware, so the info and announcement channels are full of ToS-violating content. The server's already been reported; I'd request that nobody reading this gist join it or get involved in any way.

One amusing thing to note about the support server is this screenshot from their suggestions channel:

[Screenshot: RickRoll]

Chapter Five: Stanley

And now we reach the final chapter in our saga. The project's original developer, Stanley, quit the project and passed it on to its current maintainer. At the time of writing, you can find this on his GitHub profile:

[Screenshot: Stanley]

Did this guy really quit developing malware because he was tired of people stealing his code? Even writing this a day later, I'm still struggling to believe this is all real.

[Screenshot: Dying]

In Conclusion

I hope you enjoyed this as much as I did.

[Image: CustomInk]
