Emerging info-stealers not to be missed.

May 17 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that does for cybersecurity what the movie Air is doing for Nike Air Jordan trainers.

Today’s hottest cyber security stories:

  • KELA Research unveils 2023 report into ‘emerging info-stealers’
  • RaaS (ransomware-as-a-service) is now officially a thing
  • Water Orthrus’ ‘CopperStealer’ malware bursts back


Info-stealers are the latest up and coming trend in the shady underworld of cybercrime, according to a new report by KELA, an ‘award-winning’ (their words) cybercrime threat intelligence firm.

They’re a specific kind of malware that specialises in, you guessed it, stealing your information.

So, using the report as a reference, let us give you a rundown of the most dangerous info-stealers to watch out for in 2023.

Knowledge is power, people!

DIY scamming

First off, probably the most disconcerting thing the report reveals is the growing popularity of DIY scamming, if you will. Business is booming when it comes to selling info-stealers, and indeed the stolen information on platforms like Telegram.

It’s like the old adage, give a man a phish, feed him for a day, teach him how to phish for his own info, feed him for a lifetime.

And the attraction for the criminals who sell these phishing kits is they can build up a sizable stream of monthly revenue from leasing these tools out without getting their hands dirty. Well, not as dirty as if they were launching the phishing attacks themselves.                          

It’s a win, win for them and a lose, lose for us law-abiding web surfers who have to contend with an ever-surging number of phishing attacks. But don’t abandon all hope just yet because, as always, Gone Phishing is here to educate you.

KELA’s report highlights the following four information-stealing operations that launched over the past year:

1.         Titan:

Titan first appeared on Russian-speaking hacker forums in November 2022, promoted as a Go-based info-stealer targeting data stored in 20 web browsers.

Its Telegram channel counts over 600 subscribers. On March 1, 2023, its authors released version 1.5, and on April 14, and teased an upcoming new version, indicating that this is a very active project.

2.         LummaC2: 

LummaC2 targets over 70 browsers, cryptocurrency wallets, and two-factor authentication extensions.

In January 2023, the project had a reboot on Telegram, which currently has over a thousand subscribers, and since February 2023, it has been offered for purchase through ‘RussianMarket.’

LummaC2 sells for $250 to $1000 per month, depending on the selected features, and KELA says the malware enjoys a very good reputation in the cybercrime underground.

3.         WhiteSnake: 

Here I go again on my own. This strain was first promoted on hacker forums in February 2023 as an email, Telegram, Steam, and cryptocurrency wallet stealer.

It can target both Windows and Linux systems, which is rare in this field.

WhiteSnake has over 750 subscribers on Telegram, selling for $140/month or $1,950 for lifetime access.

4.         The Cloud of Logs

KELA’s report also highlights a new product type that has emerged lately, named “Clouds of Logs,” which is to sell subscriptions to access private cloud-hosted log collections created by threat actors distributing info-stealer malware.

Cloud of logs is a more private and, presumably, safer alternative to automated log markets, created to give data sellers a simpler way to monetize their activity without the involvement of middlemen.

Never mind the bollocks, though. Keep your wits about you and you’ll be just fine. After all, haters gon’ hate, and scammers gon’ scam.


The cybersecurity world witnessed the emergence of a comically named ransomware-as-service (RaaS) venture dubbed MichaelKors. This mischievous operation has taken a liking to Linux and VMware ESXi systems, causing quite a stir in April 2023.

It seems that cybercriminals have now expanded their horizons to target ESXi, according to a report shared by cybersecurity firm CrowdStrike. It appears they just can’t resist the allure of this virtual infrastructure, much to the bemusement of security professionals.

“This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software,” the company said.

“In fact, VMware goes as far as to claim it’s not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.”

Scary stuff!


The infamous threat actors behind the CopperStealer malware have returned, and boy, did they come back with a bang! Picture this: two brand-spankin’-new campaigns that’ll make your head spin. They’ve got their hands on some fancy payloads they’ve aptly named CopperStealth and CopperPhish.

Now, these tech-savvy troublemakers go by the name Water Orthrus, according to the folks at Trend Micro who are trying to keep up with their shenanigans.

And get this, they’re not just responsible for these recent campaigns; oh no, they’ve got quite the CV. Remember that campaign called Scranos that had Bitdefender on their toes back in 2019? It turns out Water Orthrus is the mastermind behind that one too!

This crew has been causing mayhem since at least 2021. They’ve got a knack for using sneaky pay-per-install networks.

So, folks, keep an eye out for Water Orthrus and their CopperStealer creations. And remember, be vigilant when you stumble upon those shady software download sites

Stay safe!

So long and thanks for reading all the phish!

Recent articles