Thursday, March 5, 2026

New ‘123 | Stealer’ Offered on Underground Hacking Forums for $120/Month

A new credential-harvesting malware known as “123 | Stealer” has surfaced on a prominent English-speaking cybercrime forum, where a threat actor operating under the handle koneko is marketing subscriptions at US $120 per month.

According to the sales thread, the developer distributes the stealer through a traditional software-as-a-service (SaaS) model: customers pay a recurring fee for continued access, updates, and a web-based command-and-control (C2) panel.

Prospective buyers must provision their own Ubuntu or Debian VPS to host a reverse-proxy component that mediates traffic between infected hosts and the SaaS back-end.

The seller provides an installation script and claims the proxy eliminates direct ties between victim machines and the core C2 infrastructure, complicating takedown efforts while shielding both operator and customers from attribution.

Payment is accepted in cryptocurrency only, with no escrow or guarantee mechanism mentioned, which is typical for lower-tier stealer offerings and a potential red flag for would-be purchasers.

The malware arrives as a DLL-free Windows executable weighing roughly 700 KB. By avoiding external libraries, the author seeks to reduce static analysis traces and eliminate common dependency checks performed by endpoint security products.

The marketing post emphasizes that all networking functions, credential parsing logic, and persistence mechanisms are implemented directly in C++, in contrast with many contemporary stealers that rely heavily on .NET or third-party packages.

Technical Feature Set

Once installed, 123 | Stealer harvests an extensive range of credential artefacts. The developer claims support for all major Chromium- and Gecko-based browsers (including Google Chrome, Microsoft Edge, Opera, Brave, Firefox, and Waterfox) by directly accessing each browser’s SQLite login data store and decryption APIs. Stolen items include:

  • Saved usernames and passwords.
  • Session and authentication cookies.
  • Autofill form data and browsing history.

Beyond browser stores, the stealer parses local application directories to exfiltrate cryptocurrency wallets such as Electrum, Exodus, Atomic, MetaMask, and Trust Wallet.

A dedicated module sweeps popular wallet extensions—over 70 plugins are enumerated in the admin panel screenshot, ranging from mainstream DeFi add-ons to lesser-known swap utilities.

The developer also highlights built-in collection for Discord authentication tokens, enabling subsequent session hijacking directly from the C2 console.

Operators can configure optional “process-grab” and “file-grab” rules. The process-grab feature performs live memory dumps of selected applications—commonly used to loot plaintext credentials from password managers—while file-grab allows defining glob patterns for documents, databases, and source code archives.

All extracted materials are compressed, AES-encrypted, and staged for exfiltration over the customer-hosted proxy using standard HTTPS POST requests.

Early Assessment

At publication time, no third-party technical analyses or trust endorsements from established fraudster circles have appeared, leaving all performance claims unverified.

The absence of community feedback is notable; newly released stealers typically attract rapid comments—positive or negative—from competing threat actors evaluating throughput, detection rates, and server-side stability.

Analysts caution that early adopters are effectively beta-testing the malware at their own expense.

From a defensive standpoint, security teams should monitor for sudden outbound HTTPS traffic to recently provisioned VPS IP addresses at budget hosting providers, as well as unusual child process activity in which browsers spawn unsigned or unknown binaries.

Endpoint solutions with behavior-based detection targeting credential store API access and indiscriminate file enumeration can disrupt much of the advertised functionality.
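The browser-spawns-unknown-binary heuristic described above can be expressed as a simple detection rule. The following Python is an added example, not code from the article or from the malware's author; the event records, their field names (parent_image, image, signed) and the allowlist are constructed assumptions for this illustration rather than any EDR product's real schema.

```python
# Added example: flag process-creation events in which a browser spawns a child
# executable that is unsigned or runs from a user-writable location.
# Field names and sample events are constructed for this illustration.

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
            "opera.exe", "waterfox.exe"}

# Children browsers legitimately spawn (renderer/helper processes).
# Illustrative allowlist; tune to the environment.
EXPECTED_CHILDREN = BROWSERS | {"plugin-container.exe"}

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_child(event):
    """Return a reason string if the event matches the heuristic, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in BROWSERS or child in EXPECTED_CHILDREN:
        return None
    reasons = []
    if not event.get("signed", False):
        reasons.append("unsigned child")
    if event["image"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("child runs from user-writable path")
    return f"{parent} -> {child}: " + ", ".join(reasons) if reasons else None


def scan(events):
    """Return (pid, reason) for every event the heuristic flags."""
    return [(e["pid"], r) for e in events if (r := suspicious_child(e))]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True},
    {"pid": 102, "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "signed": False},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\setup.exe", "signed": False},
    {"pid": 104, "parent_image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "signed": True},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Only event 102 is flagged: the explorer-spawned download (103) falls outside the browser-parent scope of this rule, and the signed Program Files child (104) is treated as benign.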

For organizations, routine cookie invalidation, enforced multi-factor authentication, and hardware-backed cryptographic key storage remain effective mitigations against stealer campaigns.

Users holding crypto assets should migrate wallets to devices isolated from daily web browsing or leverage hardware wallets that store private keys off-device.

In the cybercrime marketplace, the $120 monthly price positions 123 | Stealer between budget open-source forks (typically $20–$50) and premium, feature-rich suites exceeding $200.

Whether the tool gains traction will hinge on real-world extraction volumes and how quickly antivirus vendors incorporate new signatures.

Until empirical evidence surfaces, 123 | Stealer’s reputation remains speculative, even as its aggressive marketing signals continued competition among credential-thieving malware authors seeking subscription revenue from lower-tier adversaries.

Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.