    January 23, 2023

    The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs

    Research by: Karthickkumar Kathiresan and Shilpesh Trivedi


    The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files. 


    The TA has posted a screenshot of the builder tool for the malware, which includes options for targeting/stealing specific types of information, such as browser data, crypto wallet information, FTP client details, and Telegram plugins. The builder also includes options for collecting specific file types from the victim's machine.


    Figure 1: Titan stealer builder


    Malware Operation

    Figure 2 illustrates the end-to-end operation of the Titan Stealer malware, from the initial loader to exfiltration.


    Figure 2:Titan Stealer workflow


    Technical Analysis

    Stage 1


    Figure 3: Initial Titan Stealer binary


    The analyzed binary is a 32-bit executable compiled with GCC. Figure 3 above shows the sections of the binary. The second section, named ".data", has a much larger raw size than the other sections; it holds the encrypted Titan Stealer payload.


    When the binary is executed, it decrypts the XOR-encoded payload in place, in the same memory region; the decrypted payload is a Golang-compiled binary. The stage 1 binary then uses process hollowing to inject this payload into a legitimate target process, "AppLaunch.exe".



    Figure 4: Decryption loop and the dumped payload binary


    The screenshot below shows the process chain of Titan Stealer.


    Figure 5: Process chain

    Stage 2

    The stage 2 binary is a 32-bit executable that starts running from the memory region of the "AppLaunch.exe" process once injection has succeeded. The build ID of the Golang-compiled binary is shown in Figure 6.



    Figure 6: Go build ID


    Browser info

    The malware attempts to read all the files in the "User Data" folder of various browsers using the CreateFile API, in order to steal information such as credentials, autofill states, browser metrics, crashpad data, crowd deny data, cache data, code cache data, extension state data, GPU cache data, local storage data, platform notifications data, session storage data, site characteristics database data, storage data, and sync data.


    The FindFirstFileW API is a function in the Windows operating system that allows a program to search for a file in a directory or subdirectory. It can be used to enumerate all the files in a directory, including hidden files. Malware can use the FindFirstFileW API to search for specific files or directories on the system, such as the directories where browsers are installed.



    Figure 7: Enumerated folder shown in the Uptycs UI


    The malware targets specific browser directories on a system to identify and potentially attack the installed browsers:

    • %USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable\

    • %USERPROFILE%\AppData\Local\Elements Browser\

    • %USERPROFILE%\AppData\Local\Epic Privacy Browser\

    • %USERPROFILE%\AppData\Local\QIP Surf\


    Crypto wallet

    Titan Stealer targets the following cryptocurrency wallets and collects information from them, sending it to the attacker's server.

    • Edge Wallet


    Sensitive info

    • Telegram - reading data from the Telegram desktop app

    • FileZilla - reading FTP client details


    The malware collects various types of logs from the infected machine, including browser data such as credentials, cookies, and history, as well as data from crypto wallets and FTP clients. Titan Stealer transmits the collected information to a command and control (C2) server as base64-encoded archive files, as shown in Figure 8 below.



    Figure 8: Sending data to C2 
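    As an added detection example (not Uptycs code or code from the sample), the following Python checks HTTP POST bodies for the base64-encoded archive uploads described above: it decodes the body, looks for an archive signature and, for zip archives, lists the members so an analyst can see what was taken. The sample upload, the URLs and the signature table are constructed assumptions.

```python
import base64
import binascii
import io
import zipfile

# Archive signatures the decoded body is matched against (assumed set, not from the page).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip",
                 b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def build_sample_upload() -> bytes:
    """Constructed stand-in for a stealer upload: an in-memory zip, base64-encoded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system_info.txt", "hostname=WKSTN-01\nos=Windows 10\n")  # constructed
        zf.writestr("browsers/Chrome/Login Data", b"\x00" * 64)              # constructed
    return base64.b64encode(buf.getvalue())

def classify_body(body: bytes):
    """Return (archive_kind, member_names) if body is a base64-encoded archive, else None."""
    stripped = body.strip()
    if len(stripped) < 32 or len(stripped) % 4:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if raw.startswith(magic):
            names = []
            if kind == "zip":
                try:
                    names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
                except zipfile.BadZipFile:
                    pass  # signature matched but the archive is damaged; still report it
            return kind, names
    return None

def flag_exfil(posts):
    """posts: iterable of (url, body). Returns (url, kind, member_count) per archive upload."""
    hits = []
    for url, body in posts:
        result = classify_body(body)
        if result is not None:
            hits.append((url, result[0], len(result[1])))
    return hits

if __name__ == "__main__":
    # Constructed traffic: one benign form post and one stealer-style upload.
    sample_posts = [("http://intranet.example/login", b"user=alice&pass=s3cret"),
                    ("http://203.0.113.10:8080/upload", build_sample_upload())]
    for url, kind, count in flag_exfil(sample_posts):
        print(f"possible exfiltration to {url}: base64 {kind} with {count} member(s)")
```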


    Titan Stealer OSINT

    The threat actor is advertising and selling Titan Stealer through a Russian-based Telegram channel (https[:]// The author shares updates and bug fixes frequently, as shown in Figure 9, which may indicate that the malware is being actively maintained and distributed.



    Figure 9: Telegram channel

    The threat actor also has access to a separate web panel (Figures 10 and 11) for viewing a victim's login activity and other stolen data. This type of activity is often associated with cybercrime and can have serious consequences for both the victim and the attacker.



    Figure 10: Login panel of Titan Stealer



    Figure 11: Titan Stealer Dashboard


    A Shodan query could be used to identify and track the activity of the Titan Stealer as shown in Figure 12.

    Shodan Query: http.html:"Titan Stealer" 


    Figure 12: Shodan query


    Conclusion: Detect and Block Titan Stealer Attacks

    To defend against malware attacks like the Titan Stealer, it is recommended to:

    • Update passwords regularly to reduce the risk of a large-scale attack

    • Avoid downloading applications from untrusted sites

    • Avoid clicking on URLs or attachments in spam emails

    Enterprises should also implement tight security controls and multi-layered visibility and security solutions to identify and detect such malware. For example, Uptycs’ EDR (Endpoint Detection and Response) correlation engine is able to detect the Titan Stealer's activity by using behavioral rules and YARA process scanning capabilities.

    Uptycs EDR Detection

    Uptycs EDR customers can easily scan for Titan Stealer, since Uptycs EDR is armed with YARA process scanning and advanced detections. Additionally, Uptycs EDR contextual detection provides important details about the identified malware. Users can navigate to the toolkit data section in the detection alert and click on the name to see the observed behavior, as shown below (Figures 13 and 14).



    Figure 13: Process tree for the malware in an Uptycs EDR detection


    Figure 14: Uptycs EDR detection UI showing Titan Stealer YARA rule match


    MITRE ATT&CK Techniques for Titan Stealer



    Technique ID    Technique Name

                    Defense Evasion: Process Hollowing

                    File and Directory Discovery

                    System Information Discovery

                    Exfiltration Over C2 Channel

    File name    Md5 hash

    Stage 1

    Stage 2


    Related Hashes:

    Md5 hashes    File Type


    Karthickkumar Kathiresan

    Karthickkumar Kathiresan is a security researcher at Uptycs with 8+ years of experience in the field of cybersecurity. His area of expertise includes static and dynamic malware analysis, as well as reverse engineering on Windows platforms. Karthick has also created malware signatures, and previously worked with...
