Celestial Stealer Attacking Browsers

Celestial Stealer, a JavaScript-based infostealer packaged as either an Electron or a NodeJS application, has been spotted targeting both Chromium- and Gecko-based browsers to steal browser data.

The stealer specifically targets the system’s browsers, attempting to steal browsing history, saved passwords, autofill data, cookies, and saved credit card information. It also uses the browser data to gather the user’s visited URLs and how often each was visited.

It is advertised as malware-as-a-service (MaaS) on the Telegram network. Users can purchase weekly, monthly, or lifetime memberships to gain access to its malicious capabilities.

The Infection Chain

The stealer is written in JavaScript and heavily obfuscated, and it employs a variety of anti-analysis tactics, such as refusing to execute on systems with specific usernames and machine names, to avoid detection.


It can target both Chromium- and Gecko-based browsers, and it can also inject payloads into applications such as Steam, Telegram, and cryptocurrency wallets such as Atomic and Exodus.

The stealer uses two C2 servers, one for exfiltrating data and one for downloading the injection payload. The malware service provider promotes it as FUD (Fully Undetectable), submitting samples to VirusTotal as evidence of the claim, and updates the stealer regularly to keep it that way.

Infection Chain

This sample claims to be a Discord promotion generator tool. Its Start.bat file contains a base64 string that is first written to a file in the temporary directory, then decoded with the certutil tool and run.

Once execution is complete, the file is removed from the system. The decoded file is a batch file that downloads the stealer from the C2 server.
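As an added example (not from the article or from Trellix), the following Python detector looks for the staging pattern just described: a certutil decode whose output lands in the user's temp directory, followed shortly by execution of that decoded file under the same parent process. The events are constructed Sysmon-style process-creation records, and the field names and paths are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real telemetry):
# certutil decodes a staged file in %TEMP%, then the same parent runs it.
# A benign certutil call is included to show it is not flagged.
EVENTS = [
    {"ts": "2024-11-01T10:00:01", "pid": 401, "ppid": 400,
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\victim\AppData\Local\Temp\stage.txt "
            r"C:\Users\victim\AppData\Local\Temp\stage.bat"},
    {"ts": "2024-11-01T10:00:02", "pid": 402, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\stage.bat"},
    {"ts": "2024-11-01T11:00:00", "pid": 500, "ppid": 200,
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -store My"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# certutil -decode/-decodehex <input> <output>; paths assumed to have no spaces.
DECODE_RE = re.compile(r"-decode(?:hex)?\s+(\S+)\s+(\S+)", re.IGNORECASE)


def decode_target(cmd):
    """Return the output path of a certutil decode command, or None."""
    m = DECODE_RE.search(cmd)
    return m.group(2).strip('"') if m else None


def find_certutil_staging(events, window_s=60):
    """Flag a certutil decode into %TEMP% whose output is executed by a
    sibling process (same parent) within window_s seconds."""
    hits = []
    by_ts = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(by_ts):
        if not ev["image"].lower().endswith("certutil.exe"):
            continue
        out = decode_target(ev["cmd"])
        if not out or not TEMP_DIR.search(out):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in by_ts[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > timedelta(seconds=window_s):
                break
            if later["ppid"] == ev["ppid"] and out.lower() in later["cmd"].lower():
                hits.append({"decode_pid": ev["pid"], "exec_pid": later["pid"], "staged": out})
                break
    return hits
```

Calling `find_certutil_staging(EVENTS)` returns one hit for the decode/execute pair and ignores the unrelated `certutil -store` call.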

Researchers from Trellix detected VR Chat ERP, an NSFW chat room in VRChat. The NSFW theme is used to entice the victim into downloading and executing the stealer.

The researchers discovered a URL that downloads a zip package named VRChatERPSetup.zip. It contains an executable named AppSetup.exe, which is the Celestial Stealer.

Build process of the celestial stealer 

The stealer is capable of stealing user data and browser information and of injecting payloads into the Exodus and Discord applications.

It also looks for files with specific names in the Desktop, Downloads, Documents, and OneDrive folders. The stealer stops collecting files once the total size exceeds 50 MB.

The malware service provider is active on the Telegram network. Its two public communication channels are “celestial [group]”, established on May 29, 2024, and “celestial ads”.

After the group was shut down on October 30, 2024, a new channel was created for sharing updates. Celestial Stealer users can also access a Telegram bot, through which they can build their own version of Celestial Stealer.

New Telegram channel created

Infostealers pose a significant risk to user security, since they can extract sensitive data such as passwords, cookies, and other information.

JavaScript-based infostealers such as Celestial Stealer are especially difficult to detect because they employ complex obfuscation techniques and disguise themselves as standalone Electron or NodeJS applications.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.