ACCE Release Notes v2.2.20230804

Release Notes

This release consists of the following:

  • Meduza Stealer
  • DuckTail malware
  • ShortLoader Loader and Downloader
  • AppHttp Downloader
  • SmokeLoader variant
  • Edge Stealer
  • Typhon Reborn Stealer
  • Viotto Binder
  • Procrean Coinminer
  • Xanthe Coinminer
  • Abcbot implant
  • 32-bit Forest Crypter variant
  • Pikabot components: Injector, Core, and Downloader
  • ALTAS Clipper
  • Keyzetsu Clipper
  • KWN Clipper
  • DarkGate

Meduza Stealer

Author RussianPanda, @AnFam17 on X (formerly Twitter), published a write-up on Meduza Stealer including an IDAPython based string decryption script and configuration parser.

We added C2 socket address and missionid reporting, and additionally string decryption support for 32-bit and 64-bit versions Meduza Stealer leveraging DC3’s Dragodis framework and rugosa library. We have also added the Meduza module to our open-source ACCE parsers (os_acce_parsers) project.

DuckTail Malware

DuckTail has been observed since at least July 2022, being distributed using .NET ReadyToRun (R2R) compiled binaries and reported on as recently as May 2023 by TrendMicro.

We added support for the DuckTail Crypter, including a SmartAssembly obfuscated version, and DuckTail Implants, including a plaintext version, a Base64+DES-CBC version, and a Base64+RSA version to report the Telegram URL and email addresses.

Edge Stealer

Edge is a Stealer written in Go, reported on by X user @sarfraz432, which exfiltrates information using FTP. Our research identified two versions of Edge, one which stores the FTP parameters (address, username, and password) in plaintext, and one which hex-encodes the data.

Typhon Reborn Stealer

Typhon Stealer was first reported on by Cyble in August 2022, and an updated version dubbed “Typhon Reborn” was reported on by Palo Alto’s Unit42 in November 2022. Cisco Talos reported on Typhon Reborn V2 in April 2023, indicating that V2 was earlier released in January 2023.

We added ACCE support for Typhon Reborn versions, including reporting of the Telegram URL, mutex, missionid (buildid), filepaths, and various flags/lists. Our research additionally found a version which does not exfiltrate stolen information, but instead only saves it to a directory on disk. Of the Typhon versions which do exfiltrate information, one stored the configuration in plaintext, while the other encrypted some information using Base64+XOR+Base64.

Research on Typhon Reborn indicated some samples were packaged using Viotto Binder, a free binder/installer available from the authors of Remcos.


Pikabot is a rapidly evolving malware threat, reported on by Sophos, ZScaler, and Minerva Labs, which consists of 3 components: a downloader (observed to be protected using Forest Crypter), an injector, and a “Core”.

We updated our Forest Crypter support (see blog post from May 2023) for a 32-bit variant and added support for the downloader to report a PowerShell command, download URL, and a filepath.

As detailed in the referenced reporting, the Pikabot injector stores the embedded Core module as encrypted PNG chunks within its resources. As it collects the chunks, they are XOR decrypted, before being concatenated and then either AES-CBC or RC4 decrypted to load the Core module.

We observed two variants of the Core module, one which leverages ADVobfuscator for inline string encryption (as reported on by Sophos), and another which leverages inline RC4 string decryption. The variants can also be distinguished by the schemas leveraged to AES-CBC decrypt the c2 socket addresses. For both variants, the c2 socket addresses, a version, and a missionid (stream) value are reported.


At the end of June, Cyble reported on new clipper variants they had observed in the wild.

ATLAS (also reported on by X user @suyog41) is written using GO, and the observed samples were not stripped, enabling extraction of the configuration data from the variables in the “main” package. The Telegram URL, mutex, and installation parameters are reported in the module.

KWN is also written using GO, and the ACCE module is able to leverage the variables in these non-stripped samples as well for reporting of CryptoAddresses and the “senderName” (reported as a version). The Telegram URL is additionally extracted and reported.

Keyzetsu is written in C#, and the ACCE module reports decoded strings, CryptAddresses, a version, a mutex, a filepath, and possibly an exfiltration URL.


X users including @0xToxin and @JAMESWT_MHT have recently posted about DarkGate, which @CERTCyberdef noted is sold on a Russian cybercriminal marketplace and has been in development since early 2017.

We added an ACCE module to perform string decryption and report the decrypted strings, c2 URL(s), and version for the variants which leverage a custom Base64 alphabet.

  • DarkGate: 1b9e9d90136d033a52d2c282503f33b7
  • DarkGate: e0d96c0fdcd06ab07d66a11b57a0c6ce
Posted in Uncategorized and tagged , .