BHUNT Malware

Malicious actors have been targeting cryptocurrencies ever since they start Bitcoin Boom. They have started to tune their focus towards cryptocurrency wallets since they can easily transfer funds when they gain access. Last year statistics showed a surge in cryptocurrency stealers like WeSteal and Redline Stealer

Researchers at Bitdefender found a dropper with a hidden file that was running from the /Windows/System32/folder. The file wrote mscrlib.exe to the disk. However, after further exploring they found a new type of cryptocurrency stealer which had an execution not similar to the usual. It was named BHUNT after getting to know the main assembly’s name. 

BHUNT is a .NET modular stealer which has the ability to extract crypto-wallet contents, browser-stored passwords, and passphrases from the clipboard. It can extract contents from wallets like Bitcoin, Ethereum, Exodus, Electrum, Jaxx, Atomic, and Litecoin.

BHUNT – Stealer Malware

BHUNT was investigated by Bitdefender researchers and they found the following things.

  • Commercial packers like Themida and VMProtect are used to encrypt Binary files.
  • Digital signature was found which does not match with the binaries of digital certificates
  • wallet.dat and seed.seco files were used for stealing clipboard information, wallet files, passphrases used for account recovery
  • Encrypted configuration files were used in the malware that are downloaded from public Pastebin pages
  • Other components were specialised in password theft, cookies and other sensitive information that are stored in browsers like Chrome and Firefox
Execution Flow


BHUNT stealer is specialized in extraction information relating to cryptocurrency wallets and passwords hoping for financial gain. The delivery method of this malware is similar to that of Redline Stealer. To prevent from getting exploited,

  • Prevent app installation from untrusted sources
  • Never turn off your security software and look out for blocked installations
  • Keep your security software up-to-date

To know if your system is compromised, a full whitepaper is published by bitdefender research team.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.