
The Titan Stealer: Infamous Telegram Malware Campaign

Author: Karthickkumar Kathiresan

Research by: Karthickkumar Kathiresan and Shilpesh Trivedi


The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which a threat actor (TA) markets and sells through a Telegram channel for cybercrime purposes. The stealer collects a variety of information from infected Windows machines: credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and files grabbed from the victim's machine.


The TA has posted a screenshot of the builder tool for the malware, which includes options for targeting/stealing specific types of information, such as browser data, crypto wallet information, FTP client details, and Telegram plugins. The builder also includes options for collecting specific file types from the victim's machine.


Figure 1: Titan stealer builder


Malware Operation

Figure 2 illustrates the operation of the Titan Stealer malware from initial execution to exfiltration.


Figure 2:Titan Stealer workflow


Technical Analysis

Stage 1


Figure 3: Initial Titan Stealer binary


The analyzed binary is a 32-bit executable compiled with GCC. Figure 3 shows its section table: the second section, ".data", has a much larger raw size than the other sections because it holds the encrypted Titan Stealer payload.


When executed, the stage 1 binary XOR-decodes the payload in place, in the same memory region; the decoded payload is a Golang-compiled binary. Stage 1 then uses a process-hollowing technique to inject that payload into a legitimate target process, "AppLaunch.exe".



Figure 4: Decryption loop and the dumped payload binary
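The triage step a practitioner would want at this point is recovering the embedded payload without stepping through the decryption loop. The following is an added example, not Uptycs' tooling or the Titan Stealer author's code: the page says only that stage 1 XOR-decodes a Go binary stored in its oversized .data section, so the one-byte key, the key value 0x5A and the layout of the constructed sample section are assumptions made for illustration. The example exploits two properties of PE images: they are dominated by zero bytes (so the most frequent ciphertext byte is usually the key itself), and they carry checkable magic values ("MZ" at offset 0, "PE\0\0" at e_lfanew) that confirm a candidate decode.

```python
"""Recover a single-byte XOR-encoded PE payload from a loader section.

Added example, not Uptycs' or the malware author's code. The one-byte
key, the value 0x5A and the sample layout are assumptions.
"""
import struct
from collections import Counter

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
DOS_STUB = b"This program cannot be run in DOS mode"  # at 0x4E in most stubs


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply the one-byte key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + len(PE_MAGIC) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_MAGIC)] == PE_MAGIC


def key_by_frequency(blob: bytes) -> int:
    """PE images are mostly zero bytes (padding, alignment), so the most
    frequent ciphertext byte is very likely 0x00 ^ key, i.e. the key."""
    return Counter(blob).most_common(1)[0][0]


def brute_force_key(blob: bytes):
    """Try all 256 keys against a blob assumed to start at the payload's
    offset 0; return the key whose decode validates as a PE, else None."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def find_encoded_pe(section: bytes, key: int):
    """Scan a section for a PE image encoded with `key` at any offset.
    Returns (offset, decoded_payload) or None."""
    encoded_mz = xor_decode(DOS_MAGIC, key)
    start = 0
    while (pos := section.find(encoded_mz, start)) != -1:
        candidate = xor_decode(section[pos:], key)
        if looks_like_pe(candidate):
            return pos, candidate
        start = pos + 1
    return None


def build_sample_section() -> bytes:
    """Constructed test data, not a real malware sample: a PE-shaped header
    (DOS header, stub string, PE signature, zero padding) XOR-encoded with
    0x5A and preceded by three bytes of unrelated data."""
    image = bytearray(0x200)
    image[0:2] = DOS_MAGIC
    image[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", image, 0x3C, 0x80)   # e_lfanew -> PE signature
    image[0x80:0x84] = PE_MAGIC
    return b"\x10\x20\x30" + xor_decode(bytes(image), 0x5A)


if __name__ == "__main__":
    section = build_sample_section()
    key = key_by_frequency(section)
    offset, payload = find_encoded_pe(section, key)
    print(f"key=0x{key:02x} offset={offset} pe_ok={looks_like_pe(payload)}")
```

On a real sample, feed `find_encoded_pe` the raw bytes of the oversized section (for instance from pefile's `section.get_data()`) and the key guessed by `key_by_frequency`; if the loader used a multi-byte key, the frequency guess still reveals the period when the most common byte differs per position modulo the key length.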


The screenshot below shows the process chain of Titan Stealer.


Figure 5: Process chain


Stage 2

The stage 2 binary is a 32-bit executable that runs from the memory of the "AppLaunch.exe" process once injection succeeds. Figure 6 shows the build ID of the Golang-compiled binary.


Figure 6: Go build ID


Browser Information

The malware attempts to read every file under the "User Data" folder of the targeted browsers using the CreateFile API. That folder holds the stores for credentials, autofill state, browser metrics, Crashpad data, crowd-deny data, cache, code cache, extension state, GPU cache, local storage, platform notifications, session storage, the site characteristics database, storage, and sync data.


FindFirstFileW is a Windows API function that begins enumerating the entries of a directory that match a given name pattern (FindNextFileW continues the enumeration); hidden files are included. Malware commonly uses it to locate specific files or directories on the system, such as the profile directories of installed browsers.



Figure 7: Enumerated folder shown in the Uptycs UI


The malware checks for specific browser profile directories to identify the installed browsers and then harvests their data. Among the directories it looks for are:

  • %USERPROFILE%\AppData\Roaming\Opera Software\Opera Stable\
  • %USERPROFILE%\AppData\Local\Elements Browser\
  • %USERPROFILE%\AppData\Local\Epic Privacy Browser\
  • %USERPROFILE%\AppData\Local\QIP Surf\
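A sweep like the one described above, where one process opens the profile stores of several different browsers within seconds, is a strong behavioural signal regardless of the binary's hash. The following is an added detection example, not Uptycs' rule set: the browser profile paths come from the page, while the event format, the list of executables allowed to touch their own profile directory, the generic Chromium "User Data" pattern and the thresholds are assumptions made for this example. The sample telemetry is constructed; it models an injected AppLaunch.exe reading the "Login Data" credential stores of four browsers, alongside benign browser and Explorer activity.

```python
"""Flag processes that sweep the profile directories of several browsers.

Added detection example, not Uptycs' rule set. Profile paths are from the
page; event format, allowed browser images and thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# Specific profile roots named on the page.
SPECIFIC_PROFILE_ROOTS = {
    "Opera": r"\\AppData\\Roaming\\Opera Software\\Opera Stable\\",
    "Elements Browser": r"\\AppData\\Local\\Elements Browser\\",
    "Epic Privacy Browser": r"\\AppData\\Local\\Epic Privacy Browser\\",
    "QIP Surf": r"\\AppData\\Local\\QIP Surf\\",
}
# Assumed generic pattern for other Chromium-family browsers (Chrome, Edge, Brave...).
GENERIC_USER_DATA = re.compile(r"\\([^\\]+)\\User Data\\", re.IGNORECASE)

# Executables expected to read their own profile directory (assumption).
BROWSER_IMAGES = {"opera.exe", "chrome.exe", "msedge.exe", "brave.exe", "epic.exe"}


def classify_path(path: str):
    """Return the browser whose profile directory `path` falls under, or None."""
    for browser, pattern in SPECIFIC_PROFILE_ROOTS.items():
        if re.search(pattern, path, re.IGNORECASE):
            return browser
    m = GENERIC_USER_DATA.search(path)
    return m.group(1) if m else None


def parse_event(line: str):
    """Constructed event format: ISO-timestamp|pid|image|operation|path"""
    ts, pid, image, op, path = line.rstrip("\n").split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, op, path


def detect_profile_sweeps(lines, window_seconds=60, min_browsers=3):
    """Alert when one non-browser process reads profile data of at least
    `min_browsers` different browsers within `window_seconds`."""
    per_pid = {}
    for line in lines:
        if not line.strip():
            continue
        ts, pid, image, _op, path = parse_event(line)
        browser = classify_path(path)
        if browser is None:
            continue
        per_pid.setdefault((pid, image), []).append((ts, browser))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (pid, image), hits in per_pid.items():
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue  # a browser touching its own profile is expected
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {b for t, b in hits[i:] if t - t0 <= window}
            if len(seen) >= min_browsers:
                alerts.append({"pid": pid, "image": image, "browsers": sorted(seen)})
                break
    return alerts


# Constructed telemetry. "Login Data" and "Cookies" are the SQLite files in
# which Chromium-family browsers keep saved credentials and cookies.
SAMPLE_EVENTS = [
    "2023-01-20T10:00:01|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|READ|C:\\Users\\bob\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
    "2023-01-20T10:00:01|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|READ|C:\\Users\\bob\\AppData\\Local\\Epic Privacy Browser\\User Data\\Default\\Login Data",
    "2023-01-20T10:00:02|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|READ|C:\\Users\\bob\\AppData\\Local\\QIP Surf\\User Data\\Default\\Login Data",
    "2023-01-20T10:00:02|2300|C:\\Windows\\explorer.exe|READ|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
    "2023-01-20T10:00:03|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|READ|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
    "2023-01-20T10:00:03|4120|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe|READ|C:\\Users\\bob\\Documents\\notes.txt",
    "2023-01-20T10:00:05|1850|C:\\Program Files\\Opera\\opera.exe|READ|C:\\Users\\bob\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies",
]

if __name__ == "__main__":
    for alert in detect_profile_sweeps(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is deliberately by image name only; in production, pair it with a signer or path check so a renamed stealer binary cannot exempt itself, and feed the rule from EDR file-open telemetry rather than the constructed lines above.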











Crypto Wallet

Titan Stealer targets cryptocurrency wallets installed on the host, collects their data and sends it to the attacker's server. Among the wallets targeted:

  • Edge Wallet







Sensitive Information

  • Telegram - reads data from the Telegram Desktop app
  • FileZilla - reads the FTP client's stored connection details

The malware collects several categories of data from the infected machine: browser credentials, cookies and history, crypto wallet data, and FTP client details. It packs the collected files into an archive, base64-encodes it and transmits it to the command-and-control (C2) server, as shown in Figure 8 below.


Figure 8: Sending data to C2
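Because the loot leaves the host as a base64-encoded archive, an outbound request body that decodes to an archive signature is worth inspecting even when the C2 host is unknown. The following is an added example, not Uptycs' detection logic: the page does not say which archive format Titan Stealer uses, so the magic-number table, the assumption that the request body is bare base64, and the member names in the constructed sample are all assumptions for illustration.

```python
"""Spot a base64-encoded archive in an outbound request body.

Added example, not Uptycs' detection logic. Archive format, body layout
and the sample member names are assumptions.
"""
import base64
import binascii
import io
import re
import zipfile

# Leading bytes of common archive containers (assumed candidates).
ARCHIVE_MAGIC = {
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar": b"Rar!\x1a\x07",
}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_body(body: str):
    """Strict decode; returns None when the body is not base64 at all."""
    compact = "".join(body.split())  # tolerate line-wrapped encoders
    if len(compact) < 4 or len(compact) % 4 or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def identify_archive(data: bytes):
    """Map leading bytes to an archive kind, or None."""
    for kind, magic in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_body(body: str):
    """Return {'kind', 'size', 'members'} for a base64-encoded archive body,
    or None when the body is neither base64 nor an archive."""
    raw = decode_base64_body(body)
    if raw is None:
        return None
    kind = identify_archive(raw)
    if kind is None:
        return None
    members = []
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # truncated or corrupt: still report the container
    return {"kind": kind, "size": len(raw), "members": members}


def build_sample_body() -> str:
    """Constructed: zip a few files shaped like stealer loot and base64 it.
    The member names and contents are placeholders, not real victim data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Browsers/Opera/Login Data", b"sqlite-placeholder")
        zf.writestr("Wallets/Edge Wallet/keys.txt", b"placeholder")
        zf.writestr("System/info.txt", b"host=DESKTOP-CONSTRUCTED")
    return base64.b64encode(buf.getvalue()).decode()


if __name__ == "__main__":
    print(inspect_body(build_sample_body()))
    print(inspect_body("user=bob&action=login"))
```

Member names such as "Login Data" or wallet directories inside a decoded archive are the part an analyst should key on; an archive alone is common in legitimate uploads, so use `members` to score the alert rather than the container type.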


Titan Stealer OSINT

The threat actor advertises and sells Titan Stealer through a Russian-based Telegram channel (https[:]//t.me/titan_stealer). The author posts updates and bug fixes frequently, as shown in Figure 9, which suggests the malware is being actively maintained and distributed.



Figure 9: Telegram channel


The operator also has a separate web panel (Figures 10 and 11), with a login page and a dashboard, for viewing the login activity and other data collected from each victim.


Figure 10: Login panel of Titan Stealer


Figure 11: Titan Stealer Dashboard


Exposed Titan Stealer panels can be identified and tracked with a Shodan query that matches the string in the panel's HTML body, as shown in Figure 12.

Shodan query: http.html:"Titan Stealer"


Figure 12: Shodan query


Conclusion: Detect & Block Titan Stealer Attacks

To defend against malware attacks like the Titan Stealer, it is recommended to:

  • Rotate passwords regularly, so that credentials harvested from browser stores lose their value quickly
  • Avoid downloading applications from untrusted sites
  • Avoid clicking on URLs or attachments in spam emails

Enterprises should also implement tight security controls and multi-layered visibility and security solutions to identify and detect such malware. For example, Uptycs’ EDR (Endpoint Detection and Response) correlation engine is able to detect the Titan Stealer's activity by using behavioral rules and YARA process scanning capabilities.


Uptycs EDR Detection

Uptycs EDR customers can easily scan for Titan Stealer since Uptycs EDR is armed with YARA process scanning and advanced detections. Additionally, Uptycs EDR contextual detection provides important details about the identified malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior as shown below (Figure 13 & 14).


Figure 13: Process tree for the malware in an Uptycs EDR detection


Figure 14: Uptycs EDR detection UI showing Titan Stealer YARA rule match


MITRE ATT&CK Techniques for Titan Stealer


Tactic             Technique ID    Technique Name
Defense Evasion    T1055.012       Process Injection: Process Hollowing
Discovery          T1083           File and Directory Discovery
Discovery          T1082           System Information Discovery
Exfiltration       T1041           Exfiltration Over C2 Channel



File name    MD5 hash
Stage 1
Stage 2

Related Hashes:

MD5 hashes    File Type