Exela Stealer Attacking Discord Users to Steal Login Credentials

Open-source data stealers are rapidly gaining popularity because of their versatility: they hand threat actors ready-made tools for reconnaissance and other malicious objectives.

When designed and configured well, open-source data stealers can be stealthy and difficult to detect.


Security systems find their harmful actions hard to detect because they frequently operate quietly, rely on legitimate operations, and blend in with regular network traffic.

Cybersecurity researchers at Cyble Research and Intelligence (CRIL) discovered the ‘Exela-V2.0-main.rar’ archive on September 14th, revealing a new ‘Exela’ stealer.

On August 17th, 2023, the source code was traced to a GitHub repository; researcher Yogesh Londhe was the first to notice it.

Figure: GitHub page (Source – Cyble)

Exela Stealer Attacking Discord Users

Exela Stealer is a Python utility that covertly collects private information and exfiltrates it through Discord webhook URLs, which prompted a closer analysis of how it works and what it affects.

The builder runs on Python 3.10.0 or 3.11.0 and generates the stealer according to the threat actor’s chosen options.

Figure: Builder console of Exela Stealer (Source – Cyble)

The builder exposes the following features:

  • PumpFile
  • GetIcon
  • AntiVM
  • Discord Injection
  • Keylogger
  • Startup
  • Fake Error Message
  • Obfuscation

The stealer first checks for an existing mutex named ‘Exela | Stealer | on | Top’. If the mutex is found, it stops and prints ‘mutex already exists’; otherwise it proceeds with data theft, displaying a fake error message as a diversion.

Figure: Fake error message (Source – Cyble)

The stealer checks for debugging or virtualization by collecting the machine UUID and computer name and comparing them against a hardcoded list, terminating if there is a match.

Figure: Anti-debug check (Source – Cyble)

The stealer also employs a range of methods to:

  • Detect virtual environments
  • Examine files
  • Examine strings
  • Examine processes
  • Check for loaded modules linked to virtualization platforms

Anti VM Functions

The Anti VM functions used are:

  • Vmcik
  • check_hostname
  • check_processes
  • CheckFiles
  • check_gdb
  • CheckHypervisor
  • Sandboxie()

Exela Stealer achieves persistence by copying itself to ‘C:\appdata\local\ExelaUpdateService’ as ‘Exela.exe’ with the hidden and system attributes set.

After copying itself, the stealer creates a startup entry as chosen by the operator, using either the Windows Registry (regedit) or the Task Scheduler (schtasks) for persistence.
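The persistence artifacts described above (the mutex name, the drop directory, the hidden/system ‘Exela.exe’, and a Registry or scheduled-task startup entry pointing at it) are concrete enough to hunt for on a host. The following script is an added example written for this article, not code from Cyble or from the Exela repository. It takes a host inventory snapshot (here a constructed sample; a real collector would populate it from the OS) and returns every indicator it matches. The Run value name ‘ExelaUpdateService’ and the sample file and task entries are constructed for illustration and are not indicators reported in the write-up.

```python
from dataclasses import dataclass, field

# Indicators taken from the write-up above.
EXELA_MUTEX = "Exela | Stealer | on | Top"
EXELA_DIR = r"C:\appdata\local\ExelaUpdateService"
EXELA_EXE = "Exela.exe"


@dataclass
class HostSnapshot:
    """Minimal host inventory; a real collector would fill this from the OS."""
    mutexes: list = field(default_factory=list)
    files: dict = field(default_factory=dict)            # path -> set of attribute names
    run_values: dict = field(default_factory=dict)       # registry Run value name -> command line
    scheduled_tasks: dict = field(default_factory=dict)  # task name -> command line


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare a canonical lower-case form."""
    return path.replace("/", "\\").rstrip("\\").lower()


def hunt_exela(snap: HostSnapshot) -> list:
    """Return (indicator, detail) tuples for every Exela artifact found in the snapshot."""
    findings = []

    # 1. The stealer's own single-instance guard is a strong host indicator.
    if EXELA_MUTEX in snap.mutexes:
        findings.append(("mutex", EXELA_MUTEX))

    # 2. Anything under the drop directory is suspicious; the dropped binary
    #    with both hidden and system attributes set is the high-confidence hit.
    dir_prefix = _norm(EXELA_DIR) + "\\"
    for path, attrs in snap.files.items():
        p = _norm(path)
        if not p.startswith(dir_prefix):
            continue
        attr_set = {a.lower() for a in attrs}
        if p == dir_prefix + EXELA_EXE.lower() and {"hidden", "system"} <= attr_set:
            findings.append(("dropped_binary_hidden_system", path))
        else:
            findings.append(("file_in_exela_dir", path))

    # 3. Startup entries (Registry Run value or scheduled task) that launch
    #    anything from the drop directory.
    for name, cmd in snap.run_values.items():
        if dir_prefix in _norm(cmd):
            findings.append(("registry_run_value", name))
    for name, cmd in snap.scheduled_tasks.items():
        if dir_prefix in _norm(cmd):
            findings.append(("scheduled_task", name))
    return findings


# Constructed sample snapshot: one infected host with a Registry Run persistence entry.
SAMPLE = HostSnapshot(
    mutexes=["Exela | Stealer | on | Top", "Global\\SomeOtherApp"],
    files={
        r"C:\appdata\local\ExelaUpdateService\Exela.exe": {"hidden", "system", "archive"},
        r"C:\Users\alice\Documents\notes.txt": {"archive"},
    },
    run_values={"ExelaUpdateService": r"C:\appdata\local\ExelaUpdateService\Exela.exe"},
    scheduled_tasks={"OneDrive Standalone Update": r"C:\Program Files\OneDrive\update.exe"},
)

if __name__ == "__main__":
    for kind, detail in hunt_exela(SAMPLE):
        print(f"[{kind}] {detail}")
```

Because the operator chooses between a Registry entry and a scheduled task at build time, a hunt that checks only one of the two will miss half the builds; the script checks both and matches on the drop directory rather than on the value or task name, which the operator could also change.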

The stealer modifies Discord client files to enable unauthorized access and data collection: it replaces client code with custom injections fetched from a GitHub repository and sends the collected data to the attacker’s webhook URL.

It also targets the following types of web browsers:

  • Chromium-based browsers
  • Firefox Browser

The stealer saves the harvested data in a uniquely named folder, assembles a detailed report message with custom elements, sends it via Discord webhook, and then deletes the ZIP file and the temporary directory.
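Since the report leaves the host as an HTTP POST to a Discord webhook, the exfiltration step is visible in egress proxy or endpoint network logs. The script below is an added example written for this article, not code from Cyble or from the Exela project: it parses a constructed, space-separated log format (timestamp, source IP, process, method, URL, bytes sent; this layout is an assumption, not a real product's format) and flags POSTs whose URL has the Discord webhook shape `https://discord.com/api/webhooks/<id>/<token>`. The webhook IDs and tokens in the sample are placeholders.

```python
import re
from urllib.parse import urlsplit

# Discord webhook endpoints look like https://discord.com/api/webhooks/<id>/<token>
# (optionally with an API version segment); discordapp.com is the legacy host.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[A-Za-z0-9_-]+", re.ASCII)

# Constructed log format (assumption): "<ts> <src_ip> <process> <method> <url> <bytes_out>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def is_discord_webhook(url: str) -> bool:
    """True when the URL points at a Discord webhook endpoint."""
    parts = urlsplit(url)
    return parts.hostname in DISCORD_HOSTS and bool(WEBHOOK_PATH_RE.match(parts.path))


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, process, method, url, bytes_out = m.groups()
    return {"ts": ts, "src_ip": src_ip, "process": process,
            "method": method, "url": url, "bytes_out": int(bytes_out)}


def detect_webhook_exfil(lines, min_bytes: int = 0) -> list:
    """Return log records for POSTs to Discord webhooks sending at least min_bytes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and is_discord_webhook(rec["url"])
                and rec["bytes_out"] >= min_bytes):
            alerts.append(rec)
    return alerts


# Constructed sample log: normal Discord client traffic, two webhook POSTs, and
# an unrelated upload. Webhook ids/tokens are placeholders, not real values.
SAMPLE_LOG = """\
2023-09-14T10:01:02Z 10.0.0.12 chrome.exe GET https://discord.com/api/v9/users/@me 0
2023-09-14T10:01:30Z 10.0.0.12 Exela.exe POST https://discord.com/api/webhooks/1000000000000000001/PLACEHOLDER_TOKEN_A 418234
2023-09-14T10:02:11Z 10.0.0.15 python.exe POST https://discord.com/api/webhooks/1000000000000000002/PLACEHOLDER_TOKEN_B 211
2023-09-14T10:03:00Z 10.0.0.20 outlook.exe POST https://outlook.office365.com/owa/service.svc 5321
""".splitlines()

if __name__ == "__main__":
    for rec in detect_webhook_exfil(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src_ip']} {rec['process']} -> {rec['url']} ({rec['bytes_out']} bytes)")
```

Webhook POSTs are not malicious by themselves (CI bots and chat integrations use them), so in practice the rule is tuned with the process field and a size threshold: a large POST from a process that is not a known integration is the signal, and `min_bytes` lets an analyst suppress the small status-message traffic. Blocking the webhook path at the proxy for hosts that have no business need for it prevents the exfiltration outright.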

Recommendations

Our recommendations are:

  • Always download software from reputable sources.
  • Continuously monitor network communication so that data exfiltration can be blocked.
  • Use a robust security solution and an up-to-date AV tool.
  • Keep the operating system and installed software current with the latest updates and security patches.


Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.